1.2 Who is the data controller? Xlash is owned and operated by Beauty Generation AB having a registered business address at Birger Jarlsgatan 18, 114 34 Stockholm, Sweden, and the organisation number SE5591503270 (“we,” “us,” and “our”).
1.3 Children. Xlash is not intended for use by persons under the age of 18. Therefore, we do not knowingly collect children’s personal data. If you become aware that a child has provided us with his or her personal data and you are a parent or a legal guardian of the child, please contact us immediately and we will remove the child’s personal data from our systems.
2.1 From what sources do we get your personal data?
We obtain your personal data from the following sources:
• Directly from you: for example, if you submit your personal data when you purchase something from us or contact us;
• Directly or indirectly through your activity on Xlash: when you use Xlash, we automatically collect technical information about your use of Xlash; and
• From third parties: we may receive information about you from third parties to whom you have previously provided your personal data, if those third parties have a legal basis for disclosing your personal data to us (for example, for payment processing purposes).
2.2 What personal data do we collect?
• Orders. When you place an order, we collect your first name, last name, city, region, address, email address, and telephone number. We use this information to send you transactional receipts, deliver you your orders, contact you, if necessary, and maintain our business records. The legal bases on which we rely are ‘performing a contract with you’ and ’pursuing our legitimate interests’ (i.e., to administer Xlash). We will store this data for as long as required by the applicable law (at least 7 years) or until you delete your user account, whichever later.
• Payments. When you make a payment, our payment processors Klarna and PayPal collect your personal data, such as first name, last name, billing and delivery addresses, and payment details (e.g., credit card or PayPal details). Please note that the types of personal data that you need to submit depend on the payment processor chosen by you. We do not have access to your full payment data; only a part of your personal data is made available to us by the payment processors. Your payment data is used to process payments and maintain our accounting records. The legal bases on which we rely are ‘performing our contractual obligations’ and ‘pur-suing our legitimate interests’ (i.e., to administer our business). We store such data for the time period prescribed by law (at least 7 years).
• Enquiries. When you contact us by email, we collect your name, email address, and any infor-mation that you decide to disclose in your message. When you contact us by using the ‘Contact Us’ functionality, we collect your first name, last name, email address, phone number, and any information that you decide to include in your message. When you contact us as a business through the ‘Contact Us’ functionality, we collect your email address, business type, business name, website (optional), VAT registration number, mobile phone number, invoicing email, buyers name, shipping address, country, and any other information that you decide to provide us in your message. We use such data to respond to your enquiries and provide you with the requested information. The legal bases on which we rely are ‘pursuing our legitimate interests’ (i.e., to maintain and grow Xlash) and ‘your consent’ (for optional personal data). We will store this data until you stop communicating with us.
• Reviews. When you leave a review about the products purchased by you, we collect your name and any information that you decide to provide in your review. We use the said data to feature your review on Xlash. The legal basis on which we rely is ‘your consent’. We will store this data until you ask us to delete your review.
2.2 Do we collect sensitive data?
We do not collect or use any special categories of personal data (“sensitive data”) from you, unless you decide, at your own discretion, to provide such data to us. Sensitive data refers to your health, religious and political beliefs, racial origins, membership of a professional or trade association, or sexual orientation.
2.3 What happens if you refuse to provide your personal data?
If you decide not to provide us with your personal data when we ask for it, we may not be able to perform the requested opera-tion (for example, process your order) and you may not be able to use the full functionality of Xlash, receive the requested information, or get our response. Please notify us immediately if you think that any personal data that we collect is excessive or not necessary for its intended purpose.
2.4 Do we collect analytics data?
Yes. When you browse Xlash, we collect or have access to certain technical analytics data collected from you. Such data includes the following information:
• Your activity on Xlash (time of visit, pages visited, products viewed, time spent on each page, clicks, scroll depth, interaction with widgets);
• URL addresses from which you access Xlash;
• Your browser type and version;
• Your operating system;
• Your device details;
• Information about your orders;
• Your other online behaviour; and
2.5 For what purposes do we use analytics data?
We use your analytics data to analyse what kind of users access and use Xlash, measure your engagement with Xlash, see which products are interesting to you, improve our content, develop new products and services, and investigate and prevent security issues and abuse. In most cases, such analytics data is non-personal and it does not allow us to identify you as a natural person. However, some of such data like your IP address may be considered personal data and we will make sure that we have the necessary legal basis for pro-cessing such data. When we process your analytics data that is personal data, we rely on the ‘legiti-mate interest’ (i.e., to analyse and improve Xlash) and ‘your consent’ bases.
2.6 Do we keep your feedback?
If you contact us, we may keep records of any questions, com-plaints, recommendations, or compliments made by you and the response. Where possible, we will de-identify your personal data (i.e., we will remove all personal data that is not necessary for keep-ing such records).
2.7 What happens if we aggregate or de-identify your data?
In case your non-personal data is combined with certain elements of your personal data in a way that allows us to identify you as an individual, we will handle such aggregated data as personal data. If your personal data is de-identified in a way that it can no longer be associated with an identified or identifiable natural per-son, it will not be considered personal data and we may use it for any legitimate purpose.
2.8 When will you receive our commercial communication?
We send you our commercial communication only if (i) you opt-in for our newsletter, (ii) subscribe for a newsletter by giving us your email address, or (iii) purchase something from us and we want to inform you about our similar products. In such cases, you will receive information about our new products, features of Xlash, and special offers. The legal bases on which we rely are ‘your consent’ or ‘pursuing our legitimate interests’ (i.e., to grow Xlash). At any time, you can opt-out from receiving our commercial communication free of charge by clicking on the “unsubscribe” link included in our newsletters or by contacting us directly.
2.9 When will you receive our transactional notices?
If we have your email address and it is necessary to do so, we may send you important informational messages, such as order updates, payment receipts, invoices, shipping information, and other technical or administrative emails. Please note that such messages are sent on an “if-needed” basis and they do not fall within the scope of commercial communication that may require your prior consent. You cannot opt-out from service-related notices.
3.1 For how long do we store your personal data?
3.2 For how long do we store your non-personal data?
3.3 When are we obliged by law to store your personal data?
When we are obliged by law to store your personal data for a certain period of time (e.g., for keeping accounting and business rec-ords), we will store your personal data for the time period stipulated by the applicable law (in most cases, for 7 years) and securely delete the personal data as soon as the required retention period expires.
4.1 When do we disclose your personal data?
We keep your personal data in strict confidenti-ality. However, if necessary for the intended purpose of your personal data, we will disclose your personal data to entities that provide services on our behalf or support us in our business (our data processors). Your personal data may be shared with entities that provide technical support services to us, such as hosting, payment processing, shipping, and email distribution services. We do not sell your personal data to third parties and do not intend to do so in the future. The disclosure of your personal data is limited to the situations when it is required for the following purposes:
• Ensuring the proper operation of Xlash;
• Delivering your products;
• Processing your payments;
• Responding to your enquiries;
• Pursuing our legitimate interests;
• Enforcing our rights, preventing fraud, and security purposes;
• Carrying out our contractual obligations;
• Law enforcement purposes; or
• If you provide your prior consent to such a disclosure.
4.2 Who has access to your personal data?
• Our hosting and database service provider GleSys located in Sweden;
• Our newsletter service providers Klaviyo located in the United States and Jojka located in Sweden;
• Our developing service provider WooCommerce (Automattic) located in the United States;
• Our support service provider ZenDesk located in the United States;
• Our shipping service provider
• Our marketing service providers Facebook, Google, Pinterest, SnapChat, and TikTOk located in the United States;
• Our analytics service providers Google Analytics and SEM Rush located in the United States;
• Our payment service providers Klarna located in Sweden and PayPal located in the United States; and
• Our logistics service provider E-logistik located in Sweden; and
• Our independent contractors and consultants.
4.3 Do we transfer your personal data outside the EEA?
Although we are based in Sweden that belongs to the European Economic Area (EEA), some of our data processors are based outside the EEA or the country where you reside. Therefore, we may need to transfer your personal data out-side your country. In case it is necessary to make such a transfer, we will make sure that the country in which our data processor is located guarantees an adequate level of protection for your personal data or we conclude an agreement with it that ensures such protection (e.g., a data processing agreement based pre-approved standard contractual clauses).
4.4 Do we disclose your non-personal data?
Your non-personal data may be disclosed to third parties for any purpose as it does not identify you as a natural person. For example, we may share it with prospects or partners for business or research purposes, for improving Xlash, responding to lawful requests from public authorities or developing new products and services.
4.5 What happens if we receive a legal request?
If requested by a public authority, we will dis-close information about the users of Xlash to the extent necessary for pursuing a public interest objective, such as national security or law enforcement.
5.1 What security measures do we use?
We implement technical and organizational information security measures that protect your personal data from loss, misuse, unauthorized access and disclosure. The security measures taken by us include secured networks, strong passwords, obfuscated URLs, limited access to your personal data by our staff, anonymization of personal data (when possible), regular updates, security patching, and carefully selected data processors.
5.2 What happens if a security breach occurs?
Although we put our best efforts to protect your personal data, given the nature of communication and information processing technology and the Internet, we cannot be liable for any unlawful destruction, loss, use, copying, modification, leakage, and falsification of your personal data caused by circumstances that are beyond our reasonable control. In case a serious breach occurs, we will take reasonable measures to mitigate the breach, as required by the applicable law. Our liability for any security breach will be limited to the highest extent permitted by the applicable law.
6.1 What rights do you have?
You have the right to control how we process your personal data. Subject to any exemptions provided by law, you have the following rights:
• Right of access: you can get a copy of your personal data that we store in our systems and a list of purposes for which your personal data is processed;
• Right to rectification: you can rectify inaccurate personal data that we hold about you;
• Right to erasure (‘right to be forgotten’): you can ask us to erase your personal data from our systems;
• Right to restriction: you can ask us to restrict the processing of your personal data;
• Right to data portability: you can ask us to provide you with a copy of your personal data in a structured, commonly used and machine-readable format and move that personal data to another processor;
• Right to object: you can ask us to stop processing your personal data;
• Right to withdraw consent: you have the right to withdraw your consent, if you have pro-vided one; or
• Right to complaint: you can submit your complaint regarding our processing of your per-sonal data.
6.2 How to exercise your rights?
6.3 Launching an official complaint?
If you would like to launch a complaint about the way in which we handle your personal data, we kindly ask you to contact us first and express your con-cerns. After you contact us, we will investigate your complaint and provide you with our response as soon as possible (no later than 30 days). If you are not satisfied with the outcome of your complaint, you have the right to lodge a complaint with your local data protection authority. In Sweden, the data protection authority is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten). More information about it is available at https://www.imy.se.
Postal address: Beauty Generation AB, Birger Jarlsgatan 18, 114 34 Stockholm, Sweden