Privacy Policy

Last amended: 11 November, 2023


GENERAL PROVISIONS


A.1. COLLECTION AND PROCESSING OF PERSONAL DATA

Within the scope of the website hosted in www.superloyal.com and the services and communications made available therein, One Superloyal Sweden AB, with a registered office in Artillerigatan 6, 11451 Stockholm, Sweden, with the Tax ID Number SE559398580601, (hereinafter referred to as "Data Controller" or “Controller”) may request and process certain personal data from the users.

Personal Data should be understood as any information relating to an identified or identifiable natural person (“Data Subject” or “User”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

A.2. PERSONAL DATA COLLECTED

Through this Privacy Policy, the Data Controller aims to provide detailed information to the User regarding the nature of the data collected, the purposes of the processing and the processing operations carried out on the personal data.

The Personal Data collected and processed may include name, gender, date of birth, telephone number, mobile phone number, email, address, tax identification number and credit card data (collected for billing purposes only), although we may have to collect other Personal Data that is necessary or appropriate for the provision or charging of services by the Data Controller.

As a rule, Personal Data is required when the User registers on the Site, requests a contact and/or subscribes to a newsletter, requests a certain service, provides or requests information, acquires a product or establishes a contractual relationship with Superloyal.

The Data Controller also collects and processes information about the characteristics of the user’s hardware device and browser/software features, as well as information about the pages visited by the User within the Site. This information may include browser type, domain name, access times and links by which the User has accessed the Site.

The Data Controller may collect your personal data through cookies and other tracking technologies. The use of cookies by the Data Controller is regulated in our cookie policy.


A.3. DATA PROCESSORS AND DATA SHARING WITH THIRD PARTIES

As part of its data processing activities the Data Controller may engage third parties, subcontracted by the former, to process Personal Data on its behalf, in accordance with its instructions, and in compliance with the General Data Protection Regulation (hereinafter, “GDPR”), the GDPR Execution Law (Law no. 58/2019, of 8 August) and this Privacy Policy.

These processors may not disclose the Personal Data to other entities without the Data Controller having given prior written authorization to do so. Additionally, they are also prevented from contracting other processors without the Controller’s prior authorization.

The Data Controller will only enter into agreements with processors that have implemented the appropriate technical and organizational measures, in order to guarantee the defense of the User’s rights. The Data Controller shall bind all the processors contracted by a written agreement that covers the object and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects and the rights and obligations of the parties.

At the moment of collection of personal data, the Data Controller provides the User with information on the categories of processors that, in this case, may process data on its behalf.

The Controller may also transfer your data to third parties when it believes that such a transfer is necessary and adequate: (i) to achieve a lawful purpose under the applicable law; (ii) to comply with its legal obligations/orders from administrative, law enforcement or other judicial entities; or (iii) to provide information or comply with orders from public or governmental entities. The situations above may include sharing data with companies within the Data Controller’s corporate group, when doing so is lawful.


A.4. DATA COLLECTION CHANNELS

The Data Controller may collect data directly (i.e., from the User) or indirectly (i.e., from commercial partners or third parties). Such collection may operate through the following channels:

• Direct collection: through the Site and via e-mail;
• Indirect collection: through business partners, affiliates and official entities.



B. GENERAL PRINCIPLES APPLICABLE TO THE PROCESSING OF USER DATA

In terms of general principles regarding the processing of personal data, the Data Controller undertakes to ensure that the User’s Personal Data processed is:

• Processed in accordance with the law, as well as being fair and transparent in relation to the User;

• Collected for specific purposes that are objective and legitimate, not being processed subsequently in any way that runs contrary to these purposes;

• Appropriate, justified and limited to what is necessary in relation to the purposes for which the data is processed;

• Accurate and updated whenever necessary, ensuring that inaccurate data, taking into account the purposes for which they are processed, is erased or corrected without delay;

• Only retained for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements;

• Handled in a manner that ensures security, including protection against their unauthorized or illegal processing and against their loss, destruction or unforeseen damage, with appropriate technical or organizational measures being taken on this matter.

Data processing carried out by the Data Controller is permitted and lawful when at least one of the legal bases under Article 6 of the GDPR applies (jointly, when applicable, with one of the exceptions of Article 9 and Article 10 of the GDPR).

The Data Controller undertakes to ensure that the processing of User Data takes place under the conditions and respecting the principles above mentioned.

The period for which the data is filed and stored varies according to the purpose for which the information is being processed.

However, there are legal requirements that require the data to be preserved for a minimum period. In particular, data that is required for billing or that should be considered as commercial documentation and correspondence should be stored for 10 years. Information necessary to allow you to access restricted areas of the Site shall be stored until you request deletion of your account. In addition, data used for direct marketing shall be kept until you request that we stop sending you direct marketing messages. Where there is no specific legal obligation, data will be stored and kept only for the minimum period necessary for the purposes that led to its collection or subsequent processing, being deleted when that processing ends.


B.1. USE AND PURPOSES OF USER DATA PROCESSING

The Data Controller processes Personal Data for the following purposes:

• Provision and management of the loyalty point services;
• Contact management;
• Registration on the Site;
• Providing information to the User, upon request, about new products and services that have been made available on the Site, special offers and campaigns, updated information on the Data Controller’s business operations and, generally, for the purpose of marketing, using any means of communication;
• Allowing access to restricted areas of the Site;
• Ensuring that the Site meets the User’s needs by developing and publishing content that is best adapted to the requests made and the type of User, improving the search capabilities and functionalities of the Site and obtaining associated or statistical information regarding the user’s profile (analysis of consumption profiles);
• Providing other services such as newsletter, opinion studies, or other information or products requested or bought by the User;
• The Data Controller may also combine user information with anonymous demographic information for research purposes and may use the result of that research to provide you with relevant content on the website. In certain restricted areas of the Site, the Controller may also combine Personal Data with usability information to provide the User with more personalized content.


B.2. IMPLEMENTED TECHNICAL, ORGANIZATIONAL AND SECURITY MEASURES

In order to guarantee the security and maximum confidentiality of the Personal Data, the Controller treats the information you provided to us in an absolutely confidential manner, in accordance with its internal security and confidentiality policies and procedures, which are updated periodically as required, as well as the terms and conditions legally set out.

Depending on the nature, scope, context and purpose of data processing, as well as the risks arising from the processing to the rights and freedoms of the User, the Controller undertakes to apply, when defining the method and timing of handling the data, the necessary and appropriate technical and organizational measures for the protection of personal data in compliance with legal requirements.
The Controller also undertakes to ensure that, as a principle, only data that are necessary for each specific purpose are processed and that such data are not disclosed without human intervention to an indeterminate number of people.

In any case, in terms of general measures, the Controller adopts the following:

• Regular audits to assess the effectiveness of the implemented technical and organizational measures;

• Sensitization and training of personnel involved in data processing operations;

• Pseudonymisation and coding of personal data;

• Mechanisms capable of ensuring the permanent confidentiality, availability and resilience of information systems;

• Mechanisms to ensure the restoration of information systems and access to personal data in a timely manner in the event of a physical or technical incident.


B.3. DATA TRANSFERS TO THIRD COUNTRIES

The data processing operations associated with the interaction of the Data Subject with the Site shall not entail the transfer of data, or the processing thereof, outside the European Economic Area.


However, should it become necessary to transfer your data outside the European Economic Area, for example, in the context of using certain providers of computer systems support services, the Data Controller will implement the necessary measures to ensure that these transfers comply with the law, in particular with Chapter V of the GDPR, and that an essentially equivalent level of protection is guaranteed to the Data Subjects' personal data. This may be achieved, for example, by ensuring the existence of a European Commission Adequacy Decision relating to the country of destination or by concluding Standard Contractual Clauses and, if necessary, implementing additional measures.

C. USER RIGHTS (DATA SUBJECTS)

Under the GDPR, the Data Subject is entitled to exercise the following rights:

Right of access: The Data Subject has the right to obtain confirmation as to whether his/her personal data are being processed and, where that is the case, access to them. A copy of the data being processed will be made available to the Data Subject on request, as long as no legal restrictions are applicable.

Right to rectification: The User may request for inaccurate or incomplete personal data concerning him/her to be rectified or completed.

Right to erasure: Where one of the legal grounds for doing so under the GDPR applies, the User may also, at any time, request the deletion of personal data concerning him/her. The Data Controller may refuse to grant such a request in certain situations, in particular when the data is still necessary for the purpose for which it was collected or when the processing is required for compliance with a legal obligation.

Right to restriction of processing: The Data Subject may obtain the restriction of processing when: a) the accuracy of the personal data is contested and it is being verified; b) the processing is unlawful and the data subject requests restriction as an alternative to erasure; c) the Data Controller no longer needs the data for its original purpose but the data is required by the data subject for the establishment, exercise or defence of legal claims; and d) the Data Subject has objected to the processing, pending verification of whether the legitimate interests of the controller override those of the data subject.

Right to data portability: When the legal basis for data processing is consent or the performance of the contract, and there is processing by automated means, the Data Subject shall have the right to request the portability of their data. This right may not, however, adversely affect the rights and freedoms of third parties.

Right to object: When data is processed on the basis of legitimate or public interest, or for the purposes of direct marketing, the data subject shall have the right to object to the processing.

Right to withdraw consent: When consent is the lawful basis for data processing, the User has the right to withdraw consent at any time. This does not, however, affect the lawfulness of processing based on consent before its withdrawal.


C.1. PROCEDURES FOR THE EXERCISING OF RIGHTS BY THE USER

The User can exercise the rights of access, rectification or erasure of personal data, or restriction of processing concerning his/her data, and the right to object to processing, as well as the right to data portability, by contacting us through the e-mail gdpr@superloyal.com.

The Controller will respond in writing (including by electronic means) to the User’s request without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, namely in particularly complex cases.

If the requests submitted by the User are manifestly unjustified or excessive, especially due to their repetitive nature, Superloyal reserves the right to charge administrative costs or refuse to comply with the request.


C.2. PERSONAL DATA BREACH

In the case of a personal data breach, and insofar as such breach is likely to result in a high risk to the rights and freedoms of the User, the Data Controller undertakes to report the personal data breach to the Supervisory Authority within 72 hours of becoming aware of the incident.

In addition, the Data Controller may communicate the data breach to the User if such communication is required by law or if the Data Controller considers doing so to be relevant. Such communication to the User is not required in the following cases:

• If the Data Controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;
• If the Data Controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to above is no longer likely to materialize; or
• If communication to the User would involve a disproportionate effort on behalf of the Data Controller. In this case, the Data Controller will release a public communication or take a similar action by which the User will be informed.


D. CONFIDENTIALITY OF EMAILS

The emails sent by the Controller and all their attachments are CONFIDENTIAL, being intended exclusively for the individual or entity indicated therein as recipient. If you read any email message and you are not the intended recipient, you are hereby notified that any use, distribution, redirection or other form of disclosure to another, or printing or copying of the message, is expressly prohibited under applicable laws. If you have received an email message in error, we request that you immediately notify us by email at gdpr@superloyal.com and immediately delete it. The Controller declines all responsibility for the content of e-mail messages that have been altered or falsified.



E. FINAL PART

E.1. QUESTIONS

If you have any questions or concerns regarding the way the Data Controller handles your personal data, please contact us at gdpr@superloyal.com.


E.2. APPLICABLE LAW AND LEGAL JURISDICTION

The Privacy Policy as well as the collection, processing or transmission of Personal Data are all governed by the provisions of the GDPR, and by the laws and regulations applicable in Sweden, in particular the GDPR Execution Law.

Any litigation arising from the validity, interpretation or implementation of the Privacy Policy, or related to the collection, processing or transmission of User Data, must be submitted exclusively to the jurisdiction of the courts of Stockholm, without prejudice to mandatory legal rules.


E.3. AMENDMENTS TO THE PRIVACY POLICY

The Data Controller reserves the right to make changes to this Privacy Policy at any time. In the case of modification to the Privacy Policy, the date of the most recent change shall also be updated. If the change is substantial, a notice will be placed on the Site.