Privacy
This Privacy Policy (“the Policy”) is intended to notify the visitors and users (together hereinafter “User/s”, “You” or “Your”) of the website www.hayabrand.com (“the Site”) of the types of personal data collected and processed when operating with the Site, the legal basis, purposes and means of processing, the disclosure of the processed personal data to third parties, the measures taken for personal data protection, as well as the rights that the Users have as data subjects.
If the Site contains links to third-party sites, the User accesses these sites on User’s own will and desire. The operator of the Site is not responsible for the collection and processing of personal data by operators of other sites. For privacy and data protection policies, the Users shall inform themselves by the applicable privacy policies of the sites they visit.
I. Definitions
For the purposes of this Policy:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning preferences, economic situation etc., e.g. for the purposes of more precise targeting of users, for sending of commercial communications etc.;
“controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
“processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
II. Data Controller
Data controller for the purposes of this Policy is:
parallel Concept LTD
Registered address: Dimitar hadjikotsev 78 str. fl1
Internet: www.hayabrand.com
Managing director: tonya manolova georgieva
VAT registration number: 205553341
Identification Number (UIC): 205553341
email: studio@hayabrand.com
phone: +359889102880 (on working days between 09:00 and 17:00 CET)
(hereinafter “Controller”, “We”, “Us”, “Our”)
The Controller is not obliged to and has not appointed a Data Protection Officer.
III. Categories of Processed Data:
Beside the personal data you enter when placing an order through the Site and/ or creating a profile on the Site, including your name, telephone, email, billing and delivery address, payment details according to the chosen payment method, we get the following data from your internet browser:
the type of browser used and its version;
the operating system used;
the webpage your system has accessed the Site through;
the sub-pages available on the Site through your system;
the date and time of access to Site;
internet protocol address (IP address);
the internet services provider of your system;
other similar data and information serving to block attacks on our information technology systems.
IV. Purposes and Legal Basis of the Personal Data Processing
Your personal data are being processed in compliance with the General Data Protection Regulation (Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, hereinafter “GDPR”) and the applicable national legal provisions in connection with personal data protection.
Data provided when placing an order through the Site
The personal data you provide when making orders without registering on the Site (from an User as a Guest) are required for the use of the Site’s functionality and for conclusion and execution of a contract with the Controller, which is the basis for processing these data.
2. Data provided when registering a profile on the Site
If you voluntarily choose to create a profile on the Site, you enter the data required for such registration. Along with this data, we also receive data about your IP address, date and time of registration. These data are not passed on to third parties and are used primarily for the activities of the Controller to conclude and execute a contract. Additionally, the Controller has a legitimate interest in using these data to maintain its client database and to care for its clients. Subject to explicit consent, and until such consent has been withdrawn, the data provided in a user profile may be used for marketing purposes and sending a non-commercial newsletter as described below in this Policy.
3.Commercial Communications
When placing an order through the Site with or without a user profile, We will request Your consent to send You (unsolicited) commercial communications. The purpose of these messages is to familiarize Users with new content and offers on the Site, ongoing promotions and other time-limited campaigns organized by the Controller via the Site. When sending commercial communications in order to properly target Users, all User-provided data received by the Controller when ordering through the Site or registering on the Site by creating a user profile may be processed. In any case, such personal data will not be used for the purpose of sending commercial communications without the User’s consent for this particular purpose, considering that such consent may be withdrawn at any time through an express statement to the Controller, including through the form provided in this Policy, or via the link contained in each commercial communication.
4.Newsletter
When placing an order through the Site with or without a user profile, We will request Your consent to send You a non-commercial periodical newsletter. The purpose of this newsletter is to familiarize Users with news and interesting and up-to-date topics from the industry that includes the Controller’s activity. The User’s personal data processed for sending newsletters are the email address and optionally name and/ or address of the User. Legal basis for using personal data for sending a periodic newsletter is the legitimate interest of the Controller to inform the public about the Controller’s activity and to communicate unique content on topics of interest to the public. However, any User may at any time request to be removed from the Controller’s subscribers list by express statement to the Controller, including through the form provided in this Policy or following the link contained in each newsletter.
5. Profiling
The Controller uses the technologies described in this Policy, including cookies and services such as Google Analytics, to study and analyze user behavior for identifying consumer preferences, develop new products, and more accurately target the products offered by the Controller to certain user groups. If a User does not wish to be subject to such automated decision making, the User needs to change the system settings as described in this Policy, and by doing so the User is deemed to withdraw the User’s consent to the profiling performed.
6. Other purposes
Beside the above stated purposes the Controller may from time to time process personal data of Users for other purposes not explicitly stated in this Policy. However, any such processing will be subject to prior notification by the Controller and, in the absence of any other legal basis, such processing will be made only with the express consent of the User.
V. Recipients of Personal Data, to whom Your Personal Data are being or may be disclosed
In the presence of a legal basis or other regulatory obligation, the Administrator may provide User’s personal data to public authorities within and for the purpose of performing their public (controlling, judicial, administrative, etc.) functions.
In addition, Your personal data may be provided to third parties on the basis of contracts concluded by the Controller with the third party, in particular:
to the payment services provider PayPal (Europe) S.à r.l. & Cie, S.C.A., 5th Floor, 22-24 Boulevard Royal, L-2449, Luxembourg, for the purpose of processing and receiving payments on a User order through the Site, and hence for execution of a contract between Controller and User;
to Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043 USA for the purposes of using the Google Analytics service as described below, based on the Controller’s legitimate interest in analyzing, optimizing and implementing the Site’s performance on the Internet. As an EU-US Privacy Shield certified company, Google LLC provides sufficient safeguards to protect the personal data of Users being transmitted outside the EU and processed in the US;
to the newsletters platform MailChimp operated by The Rocket Science Group, LLC, 512 Means Street, Suite 404, Atlanta, GA 30318, USA, for the purposes of sending commercial communications and newsletters as described above based on the legitimate interest of the Controller and with the User’s consent up to its withdrawal. As an EU-US Privacy Shield certified company, Rocket Science Group LLC provides sufficient safeguards to protect the personal data of Users being transmitted outside the EU and processed in the US.
VI. Means of Personal Data Processing
Personal Data of Users of the Site are processed (including collected and stored) primarily by electronic devices (computer, mobile devices), however, when needed personal data are being processed (e.g. when executing an order, preparing a shipment to be sent, invoicing, etc.) on paper as well.
When using electronic devices, the Controller uses up-to-date and secure hardware and software products, including applications and other technologies. Most of these technologies are installed on the Controller’s devices.
Additionally, the Controller also uses technology that communicates with the devices, software, and applications used by the User to access and use the Site. Such technologies are:
1. Cookies
Cookies are small text files that are stored in the User’s system. Most cookies applied by the Controller are automatically deleted from the User’s system after closing the browser. Other cookies are stored in the User’s system so that the Site can recognize this User on its next visit without in any way damaging the User’s system, device, or other property.
The use of cookies is done with the User’s consent given with the automatic settings of the User’s browser allowing the application of the cookies. If the User wishes to withdraw this consent, User may at any time change the browser settings. Please note that certain features of the Site may become inaccessible if a User has set up the browser to disable cookies’ access.
For the disabling of cookies in different browsers, the Users may check the support website for their browser.
2. Google Analytics
The Site uses Google Analytics to analyze users’ behavior for improving the functionality of the Site and the services provided. On its part, Google Analytics collects data, including the browser used, IP address, behavior and the Site, and drafts reports on user behavior. Each User can review the Google Privacy Policy that includes all of its technologies and tools, as well as the ways to customize the collected data following this link: https://policies.google.com/privacy?hl=en&gl=ZZ.
3. Social networks
Plug-ins of the social networks Facebook and Instagram (“Social Networks”) are integrated on the Site. When visiting the Site, a direct link is made between the User’s browser and the Social Networks’ servers. Thus, Social Network operators receive information about visiting our Site. If you do not wish to exchange such information between the Site and the Social Networks, please do not follow the Social Networks’ links before logging out from Your Social Networks’ accounts.
VII. Periods of Processing and Storing Your Personal Data
User’s personal data are stored for the duration of the contracts concluded with the Controller and after their termination for the longer of the following periods:
until the expiry of the statutory limitation periods for the submission of claims on concluded contracts between the User and the Controller;
until the expiry of the statutory period for the storage of tax and accounting documentation.
When personal data are processed on the basis of a User’s consent, personal data are processed for such purposes until the User’s consent is withdrawn. Withdrawal of consent takes effect only for the future and does not affect the lawfulness of processing until the withdrawal of consent.
When personal data are collected and processed through cookies (as described above), the User is entitled to discontinue such processing by customizing the User’s browser settings. However, changing the browser settings does not automatically delete the files collected by the Cookies technology until the change of the browser settings. Therefore, the User may need to additionally object to processing User’s personal data as described below.
Upon the expiration of the periods of storage of personal data as defined above, the Controller shall remove from its system all personal data stored on electronic media and destroy any personal data stored as hard copy.
VIII. Your Rights as Data Subjects
In connection with the data processing described in this Policy every User has the following rights:
1. Right of access
Each User has the right to receive from the Controller a confirmation that personal data relating to him/ her are being processed and, if so, to have access to the data and processing information. The Controller provides a copy of the personal data that is being processed. For additional copies requested by a User, the Controller may charge a reasonable fee based on administrative costs.
2. Right to rectification
Each User has the right to request from the Controller rectification of inaccurate personal data concerning him/her or completion of incomplete personal without undue delay.
3. Right to erasure
Each User has the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay and the Controller shall have the obligation to erase personal data without undue delay where personal data are no longer needed for the purposes for which they have been collected or otherwise processed, or when there is no other (legal or other) basis for the processing.
4. Right to restriction of processing
Each User has the right to obtain from the Controller restriction of processing under the conditions stipulated by the GDPR. Where processing has been restricted such personal data shall no longer be processed with the exception of storage.
5. Right to data portability
When personal data are being processed based on consent or on a contract and processing is carried out by automated means the User has the right to receive the personal data concerning him or her, which the User has provided to the Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Controller to which the personal data have been provided. Users have the right to have the personal data transmitted directly from the Controller to another controller, where technically feasible.
6. Right to object
When personal data are processed for direct marketing purposes, each User is entitled at any time to object to the processing of personal data relating to that marketing, including profiling, insofar as it relates to direct marketing. When a User objects to processing for direct marketing purposes, the processing of personal data for these purposes shall be terminated.
7. Right to withdraw a given consent
Each User has the right at any time to withdraw the consent on which processing is based, considering, however, that this does not affect the lawfulness of the processing until the withdrawal.
8. Right to file a complaint
In case a User considers its rights in relation to personal data processing are being violated or that the Controller otherwise fails to comply with the provisions regarding lawful processing and protection of personal data, the User has the right to file a complaint to the competent supervisory authority.
9.Procedure for Exercise User’s Rights in connection with Processing of their Personal Data
The User’s rights listed above in this Policy may be exercised in any way convenient for the User by sending a request to the Controller to Controller’s listed contact details, in particular by completing and mailing the following form via email to: studio@hayabrand.com
Personal Details of the Data Subject:
Name:
Telephone Number:
Email address:
Please indicate the Right your request relates to:
Right under GDPRY/N1. Right to be informed 2. Right of access 3. Right to rectification 4. Right to erasure (right to be forgotten) 5. Right to restrict processing 6. Right to object 7. Right to data portability 8. Right not to be subject to automatic decision making, including profiling
Your request:
Please describe here the reason for your request, if applicable, and insert any information which will help us to locate your personal data.
Your signature:
With your signature in the next box you confirm, that you understand the necessity for the Controller to verify your identity and that it may be necessary for them to obtain more detailed information in order to comply with your request.Signature: Place: Date:
Attachments:
ID: If you are a registered User of the Site, please provide Your username or attach another appropriate means for Your identification
Authority:If you are acting on behalf of the data subject, please provide with their written authority.
Other:Please describe here other attachment, if any.
The Controller will respond to the request by email unless the User explicitly indicates any other means of communication. When making a request for exercise of rights, the User shall identify himself / herself.
10. Controller’s Actions at Receiving a Request from a User
Upon receiving a request from a User for exercise his/her rights as data subject the Controller will aim to provide information on the actions taken for complying with the request within 1 (one) month as of receipt thereof. In case of excessive complexity of the request or multiple requests, the Controller reserves the right to extend the processing period of the request for further 2 (two) months, for which Controller shall inform the requesting User within 1 (one) month of receipt of the request.
IX. Personal Data Protection Measures
According to the requirements of the GDPR and considering the resources needed, the available technical possibilities, the scope, the purposes and the ways of processing the personal data, but also in consideration of the risks to the security of personal data, the Controller implements and applies the necessary technical and organizational measures for protection of the personal data of the Users.
Providing information on the data protection measures taken by the Controller would however lead to a risk of their effectiveness and possible security breaches. Therefore, at this point in the Policy, the Controller confines itself only to a general listing of the measures for protection of personal data security.
X. Effective Date. Amendments
This Policy enters into force on November 16th, 2018 and may be updated by the Controller at any time, and in such event the Users will be notified via email.