Welcome to the Joolca Privacy Notice!
Choosing to shop with Joolca means you’ve placed a great deal of trust in us. In sharing your personal information, we hope you, in return, benefit from a tailored and convenient shopping experience. With confidence comes responsibility, and we take this responsibility very seriously.
Joolca respects this notice and is committed to protecting your personal data. This privacy notice will inform you of how we look after your personal data when you visit our website www.joolca.co.uk (regardless of where you visit it from) or engage with us in any other way, how we process our clients’ personal data when we provide our services, and tell you about your privacy rights.
This website and our services are not intended for children under 16 years old, and we do not knowingly collect data relating to children.
This Privacy Notice applies if you shop on any Joolca website or if you otherwise share your personal information with us, for example, if you contact us with a query or we send you marketing.
We keep our privacy notice under regular review and may make updates and changes from time to time.
You should check this page occasionally to ensure you are happy with any changes to this notice.
We may also notify you of changes to this notice by email or through the private messaging system on our website.
The personal data we hold about you must be accurate and current. Please keep us informed if your personal data changes during your relationship with us.
WHO WE ARE
We are Joolca (company name Joolca UK Limited and referred to as “Joolca”, “we”, “us” or “our” in this privacy notice). Joolca is the controller of your data and responsible for this website. Our office is located at 85 Great Portland Street, London, W1W 7LT, and we are registered with the ICO under number ZB120531.
We are the data “controller”, which means we are responsible for deciding how and why your personal information is used. We’re also responsible for making sure it is kept safe, secure and handled legally.
We operate to the highest standards when protecting your personal information and respecting your privacy. Our Data Protection Officer is Zach Kendall. If you have any questions about your personal information or how we use it, you can contact him and our Data Protection Team via email at email@example.com or write to us at 85 Great Portland Street, London W1W 7LT.
Personal data is any information that relates to a living individual who can be identified from that information either by the information alone or together with any other information likely to come into (or already in) our possession. It does not include anonymous information. The obtaining, storing and use of personal data of UK residents is governed by the Data Protection Act 2018.
If your place of residence is other than the UK, please contact us for further information.
DATA WE COLLECT ABOUT YOU
We may collect, use, store and transfer different kinds of personal data about you, which we have grouped together as follows:
Identity Data includes first name and last name.
Contact Data includes delivery address, email address and mobile number.
Financial Data includes bank account details. *Please note, we don’t have access to any detailed financial information regarding you. This is all managed by a government/banking approved company, Braintree. All we have access to view is the last 4 card details for security checks.
Transaction Data includes details about any purchase and payments to and from you and other details of services or any other transactions you enter through our website, which may consist of what you have purchased, payments and card details.
Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and country you are accessing our website from, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.
Profile Data includes passwords, purchases or orders made by you, your interests, preferences, survey responses and feedback. *All passwords are encrypted and hashed; no staff members have access to this encryption key.
Social Media Data includes social media handles and other social media profile information that you make available to us or the public.
Usage Data includes information about how you use our website, products and services.
Marketing and Communications Data includes your preferences in receiving marketing from our third parties and us and your communication preferences.
We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your data to directly or indirectly identify you, we treat the combined data as personal data, which will be used in accordance with this privacy notice.
We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data).
IF YOU FAIL TO PROVIDE PERSONAL DATA
Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you. In this case, you may not be able to use our services, and we will notify you if this is the case at the time.
CHANGE OF PURPOSE
We will only use your data for the purposes we collected it unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to receive an explanation as to how the processing for the new purpose is consistent with the original purpose, please contact us.
If we need to use your data for an unrelated purpose, we will notify you, and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, complying with the rules above, where this is required or permitted by law.
We use technologies that are considered automated decision making or profiling. We will not make any automated decisions about you that would significantly affect you unless such a decision is necessary for entering into, or the performance of, a contract with you, we have obtained your consent, or we are required by the applicable law to use such technology. You will find information on your right to object to this processing of your data below under Rights as a data subject.
SECURITY OF PERSONAL INFORMATION
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and notify you and any applicable regulator of a breach where we are legally required to do so.
We will store all the personal information you provide on our secure (password- and firewall-protected) servers.
We have also implemented physical access restrictions for our data centres and authorisation controls for data access as part of our information security management system.
All electronic financial transactions entered into through our website will be protected by encryption technology.
You are responsible for keeping the password you use for accessing our website confidential; we will not ask you for your password (except when you log in to our website).
Under certain circumstances, you have rights under data protection laws in relation to your personal data. Please read the list below attentively to find out more about these rights:
Request access to your personal data (commonly known as a “data subject access request”). The access request enables you to receive a copy of the personal data we hold about you.
Request correction of the personal data that we hold about you. This right enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new information you provide to us.
Request erasure of your personal data. This right enables you to ask us to delete or remove personal data where there is no good reason to continue to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request for erasure for specific legal reasons, which will be notified to you, if applicable, at the time of your request.
Object to processing your personal data where we rely on a legitimate interest (or those of a third party), and there is something about your particular situation that makes you want to object to processing on this ground as you feel it impacts your fundamental rights and freedoms. You also have the right to object whenever we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
Request restriction of processing of your personal data. This right enables you to ask us to suspend the processing of your personal data in the following scenarios:
● If you want us to establish the data’s accuracy.
● Where our use of the data is unlawful, but you do not want us to erase it.
● You need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
● You have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it.
Request the transfer of your personal data to you or a third party. We will provide you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Please note that this right only applies to automated information that you initially provided consent for us to use or in the circumstances when we used the information to perform a contract with you.
Withdraw consent at any time where we are relying on consent to process your data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
If you wish to exercise any of the rights set out above, please contact us at firstname.lastname@example.org.
Right to make a complaint. You have the right to make a complaint at any time to the Information Commissioner’s Office, the supervisory authority for data protection issues in the United Kingdom (www.ico.co.uk).
We would, however, appreciate the chance to deal with your concerns before you approach the Information Commissioner’s Office.
You will not have to pay a fee to access your data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or exercise any other rights). The identity check is a security measure to ensure that personal data is not disclosed to anyone who has no right to receive it. We may also contact you to ask you for further information concerning your request to speed up our response.
Time limit to respond.
We try to respond to all legitimate requests within one week. Occasionally it could take us longer than a week if your request is particularly complex or you have made several requests. In this case, we will notify you and keep you updated.
The above rights may be limited in some circumstances, for example, if fulfilling your request would reveal personal information about another person, if you ask us to delete information which we are required to have by law, or if we have compelling legitimate interests to keep it. We will let you know if that is the case and will then only use your information for these purposes. You may also be unable to continue using our services if you want us to stop processing your personal information.
If you have any general questions or want to exercise any of your rights, please contact email@example.com. Our security procedures mean that we may need to request proof of identity before disclosing personal information to you in response to any request.
THE LAWFUL BASES WE USE TO PROCESS DATA
We will only ever process your information if we have a lawful basis to do so. The lawful bases we rely on are:
Contract – This is where we process your information to fulfil a contractual arrangement we have made with you.
Consent – This is where we have asked you to provide explicit permission to process your data for a particular purpose.
Legitimate Interests – This is where we rely on our interests as a reason for processing. Generally, this is to provide you with the best products and services most securely and appropriately.
Legal Obligation – This is where we have a statutory or other legal obligation to process the information, such as investigating crime or meeting responsible lending criteria.
THE INFORMATION WE COLLECT AND HOW WE USE IT
We will only use your data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
● Where we need to use your data to provide you with our services;
● Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests;
● Where you give us express consent to use your data; or
● Where we need to comply with a legal obligation.
To process any orders that you place with us and to facilitate any returns (Performance of a Contract)
We take payment details to process payment for any credit or debit card orders you place with us. We share these details with our chosen payment processors (Braintree, Paypal and ClearPay).
We use your account information plus your chosen delivery address details to deliver your purchases, keep you informed of their status and process any returns.
Our chosen payment processors store your payment card details at your request to speed up your checkout in the future (consent is the legal basis).
To provide you with access to an account (Contract)
To register an account with us, we capture information such as your name, date of birth, email, delivery address, address, mobile number, and a password to protect your account.
To provide customer service to you (Legitimate interest)
We may record calls and keep correspondence when you contact our customer service teams or interact with us on social media. We use these customer service records to manage your queries or complaints effectively, for quality monitoring and to continually improve our services.
To personalise and improve your experience when you shop (Legitimate Interest)
We keep a record of how you interact with our website and any marketing you are exposed to. We use this data and purchase history, demographics, account information, and third-party information to show you products and offers from across our brands that we think you will be most interested in and tailor your experience.
We use your account information, information on the devices you use to access our sites and your interactions with us to operate personalised features across our websites, apps and communications.
To inform you about products and services that may interest you (Legitimate Interest)
We use technologies such as cookies (within digital marketing networks, ad exchanges and social media networks such as Facebook’s Custom Audience) to get relevant marketing messages across to you and other customers. We share aggregated and anonymised information about the customer segments we are interested in reaching with advertising partners, so they can focus on showing adverts to those who are most likely to be interested in our products, services and offers, and to prevent them from showing you irrelevant or repetitive advertisements.
We share limited information with selected suppliers to enable them to identify new prospective customers on our behalf and to prevent us from repeatedly advertising products or services you have already bought.
We receive information on how you interact with our adverts and content on third-party websites and social media platforms, which we use to tailor the information displayed to you.
To keep in touch with you (Legitimate Interest)
When you register for an account and shop with us, we start to keep you up to date with news of products and services, including offers, promotions and sale information, unless you tell us you don’t want us to through your account or using the link in every email that we send to you.
When we send you communications, we use records of how you interact with our website and any other marketing we’ve sent to you, along with purchase history, to tailor the messages to include information you are most likely to be interested in.
We use your account information to notify you about important service messages, such as material changes to this notice, product recalls or information about your account.
To ensure the website and the services we offer you operate properly (Legitimate Interest)
We use other cookies and similar technologies to help us understand how you use the site, allowing us to optimise your shopping experience and continually improve our site.
We gather information about the devices you use to access our sites (desktop and mobile), for example, your IP address and device type, to ensure the site is secure and works across multiple platforms.
We use the information for logistics planning, demand forecasting, management information, dealing with errors on our site, and general research and development.
To develop and improve our products and customer service (Legitimate Interest)
We share insights about our customers (in an anonymised and aggregated format) with the companies whose products we sell. This helps them better understand the different profiles of our customers, focusing on those who buy their products or are interested in them.
We may contact you to take part in customer satisfaction surveys. If you respond, we collect your feedback and contributions (customer feedback). We use this information to develop the services we offer.
We work with information providers that specialise in consumer profiling, such as Experian and Merkle. These organisations provide demographic or other data to help better understand customers’ demographics, lifestyles or shopping behaviours, usually linked to the areas where people live.
We use information about how you browse and engage with our website to improve our websites.
We use all information, including third-party data, to develop new products, services and systems to ensure they work as expected and will be useful to our customers.
To prevent and detect crime (Legitimate interest/Legal obligation)
We use your account information, order history and payment history to monitor fraudulent transactions or suspected money laundering.
When you register an account or contact the call centres, we use your account, application and purchase history information to confirm your identity.
We use device identifiers and IP addresses in fraud prevention and investigation and to maintain network and data security.
To fulfil our legal obligations (Legal obligation)
We use your data to ensure we comply with any requirements imposed on us by law or court order, including disclosure to law or tax enforcement agencies and authorities or according to legal proceedings.
We will share data with regulatory and other official bodies if they make formal requests.
We will maintain records to meet regulatory and tax requirements.
We will use your account information to contact you in connection with product recalls or other similar product quality issues and comply with our legal obligations in connection with the sale of age-restricted products.
We keep your personal information as long as you are a customer of ours to comply with legal requirements. During that time, we take steps to remove any personal data as soon as we no longer need it.
We consider you a customer:
● for six months from the point you last purchased from our website
● during any time we are managing a customer service request from you.
THIRD PARTIES WE SHARE DATA WITH AND RECEIVE DATA FROM
We work with some trusted third parties to provide you with high-quality goods. Anybody we work with is subject to stringent security and data privacy assessments before we begin to do business with them and on an ongoing basis.
We may disclose your personal information to any of our employees, officers, insurers, professional advisers, agents, suppliers or subcontractors insofar as reasonably necessary for the purposes set out in this notice.
We have contracts in place with all suppliers; this helps us ensure the security and privacy of your personal information. Contracts are reviewed and updated regularly and always in line with data protection laws.
We may disclose your personal information to any member of our group of companies (this means our subsidiaries, our ultimate holding company and all its subsidiaries) insofar as reasonably necessary for the purposes set out in this notice.
Access to your personal data is limited to employees, agents and contractors who need access to it to provide you with our products and services, communicate with you (including, with your consent, send you marketing communications), and carry out legal or regulatory obligations.
We may also employ the services of third-party service providers to help us in certain areas, such as website hosting, physical security, marketing and online advertising, market research, delivery, consumer profiling, IT and payment processing.
Where third-party service providers receive your information, we will remain responsible for using your personal data. We take appropriate steps to ensure that such third parties treat your Personal Information with the same consideration that we do.
We may from time to time be required to disclose your data to law enforcement bodies, regulators, tax agencies or third parties under a legal requirement or court order. We act responsibly and take account of your interests when responding to any such requests.
We may also share your personal information with third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other companies or merge with them. If a change happens to our business, then the new owners may use your data in the same way as set out in this website privacy notice.
We require all third parties to respect the security of your data and treat it according to the law. We do not allow our third-party service providers to use your data for their own purposes and only permit them to process your data for specified purposes and in accordance with our instructions.
Joolca group of companies – Joolca offices in other jurisdictions, notably in Australia.
Delivery Partners – Helping us deliver the goods you order.
IT Companies – Supporting us in maintaining our website and other business systems, including providing phone lines and data storage facilities and providing and supporting Cloud-based infrastructure used in delivering our products and services.
Marketing Companies and Online Advertising – Helping us to manage our electronic communications to you and to show you the advertising you are most likely to be interested in. These are companies that provide marketing and advertising assistance as well as analysis of the effectiveness of our advertising and communications campaigns; for example, Klaviyo.
We use technologies such as cookies, pixels, and device IDs within digital marketing networks, ad exchanges and social media networks, for example, New Relic.
Consumer profiling organisations – These organisations provide demographic or other data to help better understand customers’ demographics, lifestyles or shopping patterns; for example, Facebook and HotJar.
Payment processors – Payment card processors that process credit and debit card payments and store payment information, for example, Braintree, Paypal, and ClearPay.
Inventory and Warehouse management – Helping us store products safely and securely, keep them organised, and ship and distribute them as quickly as possible; for example, I-fulfilment, Shopify and Odoo.
INTERNATIONAL DATA TRANSFER OUTSIDE THE UK
Our main operations are based in Australia, and your personal information is generally processed, stored and used outside the UK. In some instances, your personal information may be processed outside Australia. For example, Joolca operates a call centre in the Philippines. Operatives in this location will have access to your account information to assist you with your query. We also work with suppliers and partners who may make use of Cloud and hosted technologies across multiple geographies.
We take steps to ensure there is an appropriate level of security, so your personal information is protected in the same way as if it was being used within the UK.
To enable cross-border data transfers to be made to a third country or an international organisation, Joolca will implement appropriate safeguards such as:
● The use of approved standard contractual clauses in contracts for the transfer of personal data.
● Transfers to countries with privacy laws that give the same protection as the UK.
● Data transfer to countries where a legally binding and enforceable instrument between public authorities has been implemented.
THIRD-PARTY APPS, WEBSITES AND SERVICES
This privacy notice applies only to Joolca products, services and information collected by our website; however, our website may contain links to third-party websites, plug-ins and applications.
Please be aware that clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy policies. When you leave our website, we encourage you to read the privacy notice of every website you visit.