Boring legal stuff
1. Categories of personal data and processing purposes
We generally collect personal data directly from you. Not providing your personal data may result in disadvantages for you, e.g. you may not be able to receive our products or information about us. However, unless otherwise specified, not providing your personal data will not result in legal consequences for you. We may also collect personal data from third party sources.
If you order a product, Hempur processes the following personal data to fulfil the order: contact data such as name, address and phone number, type and amount of product, purchase price, order date, order status, transaction data. Our legal bases for processing personal data are contractual necessity for consumer purchases and legitimate interests for our business customers.
In order to provide customer support, we process personal data regarding organizational belonging (if applicable), name, email address, phone number and information about the enquiry. Our legal bases for processing personal data are contractual necessity for consumer purchases and legitimate interests for our business customers.
Marketing and product information
We process your name, contact information and email address in order to provide you with marketing and product information. Our legal basis for doing so is consent, which can be withdrawn at any time.
If you participate in a competition, Hempur processes the following personal data: name, postal address, email address, date of entry, selection as winner, prize, and social media post data (where applicable). Hempur processes such personal data for purposes of carrying out the competition, informing the winner, publishing the winner on our website and on social media networks, delivering the price to the winner, and marketing. Our legal basis for processing personal data is our legitimate interests to market our business.
Handle our business contacts
If you represent an organization that we do business with (or consider to do business with), we process personal data in order to facilitate our business relationship with the organization which you represent (including purchases), i.e. name and contact details such as e-mail address, telephone number as well as correspondence. Our legal basis for processing of the personal data is our legitimate interests to conduct our business.
We analyze purchasing data in order to better understand our customers and to improve the customer experience. We use pseudonymized data generated in our web-shop such as transaction amount, order date, transaction-ID, VAT amount, country of the buyer, type and amount of product. We also use data from our offline purchasing system. We may retain data for seven (7) years following the end of the financial year to which the data pertains.
We process personal data (name, email, phone number, application data, interview notes, publicly available social media data and search results from search engines) about persons applying for positions at Hempur The data is retained during the application process. With the candidate’s consent, the data may also be processed for six (6) months for future recruitments.
We use Facebook, LinkedIn and Instagram to market and inform about our company. The legal basis is our legitimate interests to use such channels for marketing and information.
2. Who do we share your personal data with?
Hempur may engage external service providers, who act as data processors of Hempur, to provide certain services to Hempur, such as website service providers, marketing service providers or IT support service providers. When providing such services, the external service providers may have access to and/or may process your personal data.
We request those external service providers to implement and apply security safeguards to ensure the privacy and security of your personal data.
Hempur may transfer – in compliance with applicable data protection law – personal data to law enforcement agencies, governmental authorities, legal counsels, external consultants, or business partners. In case of a corporate merger or acquisition, personal data may be transferred to the third parties involved in the merger or acquisition.
3. International transfers of Personal Data
Personal Data may be transferred to and processed by recipients which are located inside or outside the European Economic Area (“EEA”). The countries include those listed at http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm which provide an adequate level of data protection from a European data protection law perspective. Recipients in the US may be certified under the EU-U.S. Privacy Shield and thereby recognized as providing an adequate level of data protection from a European data protection law perspective. Other recipients might be located in other countries which do not adduce an adequate level of protection from a European data protection law perspective. Hempur will take all necessary measures to ensure that transfers out of the EEA are adequately protected as required by applicable data protection law. With respect to transfers to countries not providing an adequate level of data protection, we base the transfer on appropriate safeguards, such as standard data protection clauses adopted by the European Commission or by a supervisory authority, approved code of conducts together with binding and enforceable commitments of the recipient, or approved certification mechanisms together with binding and enforceable commitments of the recipient. You can ask for a copy of the such appropriate safeguards by contacting us as set out below.
4. How long do we keep your Personal Data?
Your personal data will be retained as long as necessary to provide you with products, services or communication. In addition to retention for the foregoing purposes, we may also retain your personal data in order to comply with applicable laws, such as bookkeeping laws, or if we need your personal data to establish, exercise or defend legal claims.
5. Data subjects’ rights
You have a number of rights in connection with the processing of your personal data, subject to certain conditions set out in the GDPR and local data protection laws, including the right to:
(i) Request access to your personal data ( “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
(ii) Request the rectification of the personal data that we process about you. This enables you to have incomplete or inaccurate data we hold about you corrected.
(iii) Request the deletion of your personal data. This enables you to ask us to delete or remove personal data where there is no overriding reason for us to retain it.
(iv) Ask us to stop processing personal data where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground.
(v) Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
(vi) Request the transfer of your personal data to another party.
If you have given your consent for processing of your personal data and that consent has served as a legal basis for processing, you can withdraw this consent at any time with future effect.
To exercise your rights please contact us as stated below.
In case of complaints you also have the right to lodge a complaint with the competent data protection supervisory authority.
6. Cookies and other tracking technologies
7. Contact us