Personvernerklæring
RAFALSKAYA COLLECTION
Privacy Notice
Effective date:20.11.2024
Welcome to the Rafalskaya Collection!
This Privacy Notice (hereinafter "Privacy Notice") constitutes an agreement between RAFALSKAYA AS, a company duly registered and existing under the laws of Norway, organization number 934364511, having its registered address at Hengslevein 30, 3515 Hønefoss, Norway (hereinafter "Rafalskaya Collection", "We", "Us", "Our") and a capable natural person (hereinafter "Buyer", "You", "Your"), who uses Our Website and purchases the Goods/Made-to-order Goods according to the Terms and Conditions, in regard to Your Personal Data Processing.
You agree that by accessing the Website, using Services, and purchasing the Goods/Made-to-order Goods, You have read, understood, and agreed to be bound by this Privacy Notice. If You do not agree with this Privacy Notice, You are expressly PROHIBITED from accessing the Website, using Services, and purchasing the Goods/Made-to-order Goods.
Supplemental terms and conditions or documents that may be posted on the Website are hereby expressly incorporated herein by reference.
Our store is hosted on Shopify Inc. They provide us with an online e-commerce platform that allows us to sell Our Goods/Made-to-order Goods and provide Services to You.
Contents
I. What terminology do We use?
III. Data Subject's Rights Enforcement
VII. Personal Data Transmission and Storage
XIII. Personal Data Protection
XV. Governing Law and Dispute Resolution
I. What terminology do We use?
- Consent. Any freely given, specific, informed, and unambiguous indication of the Data Subject's wishes, signifies agreement to the Processing of Personal Data relating to the Data Subject.
- Cookies. Small text files that websites store on Your device (computer, phone, or tablet) during Your visit. They help remember Your preferences, settings, and enhance website functionality by providing a more personalized experience. Some Cookies are essential for the Website to operate, while others are used for analytics, advertising, and improving Your interactions.
- Controller. Rafalskaya Collection as a company which determines the purposes and means of Processing Your Personal Data.
- Co-Controller. The natural or legal person (and others) who determines the purposes and means of Processing with another controller.
- Data Protection Authority (DPA). The public organization or governmental body that protects the Data Subjects from unlawful Processing and supervises the application of the data protection laws.
- Data Subject. The natural person whose Personal Data is processed. In the context of this Privacy Notice, this refers to You, the Buyer of Rafalskaya Collection's Goods/Made-to-order Goods.
- Legal Ground for Processing. One of the legally defined grounds for which the Processing of Personal Data is permitted. There are the following grounds:
- Consent;
- Legitimate interest (e.g., for analytics and improvement of the Website);
- Obligation (e.g., compliance with tax laws).
- Personal Data. Any information relating to an identified or identifiable Data Subject.
- Personal Data Breach. A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
- Processing. Any action or set of actions with Personal Data.
- Processor. The natural or legal person, who processes Personal Data on behalf of the Controller.
- Profiling. Any form of automated Processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a Data Subject to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
- Third Party. Any person or entity, except the subject of Personal Data, the Controller or Processor and the Data Protection Authority, to whom the Controller or Processor transfers Personal Data.
Any other terminology used in this Privacy Notice but not defined herein has the meaning provided for in the Terms of Conditions.
II. Data Subject's Rights
You have the following rights regarding the Personal Data:
Right to Access Personal Data. You can receive information regarding specific Personal Data Rafalskaya Collection has collected about You, as follows:
- Purpose of the Processing;
- Categories of Personal Data concerned;
- Recipients of categories of recipients to whom the Personal Data has been, or will be, disclosed;
- The envisaged period for which the Personal Data will be stored, or the criteria used to determine that period;
- The existence of the right to rectification, erasure, or restriction of Processing Personal Data concerning You or to object to such Processing;
- The right to lodge a complaint with a DPA;
- Where Personal Data is not collected from You, any available information as to the source;
- The existence of any automated decision-making, including profiling, as well as the significance and envisaged consequences of such Processing for You;
- Where Personal Data is transferred outside of the EEA (which consists of EU member states and Iceland, Lichtenstein, and Norway), You have the right to request information about the appropriate safeguards in place, including transfers to US. companies under the EU-US Data Privacy Framework.
Right to Rectification of Personal Data. You can request that We correct Your Personal Data if it has been changed or incorrectly collected.
Right to Erasure (Deletion) of Personal Data. You can request that We delete Personal Data, such as when it is no longer needed for the purposes for which it was collected and there is no other legal ground for the Processing.
Right to Restrict Processing of Your Personal Data. You can request a restriction on Processing Your Personal Data under certain conditions, such as when the accuracy of the data is contested, or the Processing is unlawful.
Right to Personal Data Portability. You can receive Personal Data in a human and machine-readable format for transmission to another controller, where technically feasible.
Right to Object. You can object to Personal Data Processing, for example, if Personal Data is processed for marketing purposes, unless we need this Personal Data for Our legitimate interest.
Right to Reject Automated Individual Decision-Making (Profiling). You can have the right not to be subject to a decision based solely on automated Processing, including profiling, which produces legal effects.
Right to Withdraw Consent. You can withdraw Your Consent for Personal Data Processing if Rafalskaya Collection uses Consent as the ground for Processing.
Right to Opt-Out from Marketing/Send Out. You can withdraw Your Consent on Personal Data Processing for marketing and send-out purposes.
Right to Ask a Question and/or Make a Claim on Data Processing. You are allowed to ask Rafalskaya Collection any question according to Personal Data Processing or privacy legislation.
Please bear in mind that if You exercise such rights this may affect Our ability to provide You with Website and to sell You the Goods/Made-to-order Goods.
III. Data Subject's Rights Enforcement
You can enforce Your rights regarding Your Personal Data by submitting a request through the following Data Subject Request Form.
Types of Requests. Using the Data Subject Request Form, You can make requests related to any rights provided for in Sections II and III of this Privacy Notice.
Response Time. Upon receipt of Your request, We will acknowledge it and respond within 30 calendar days. In some cases, mainly if Your request is complex, We may extend this period by up to an additional 60 calendar days. If an extension is necessary, We will notify You of the reason and the expected timeframe within the first 30 calendar days.
Costs. You can exercise Your rights free of charge. However, if Your request is manifestly unfounded or excessive, mainly due to its repetitive nature, or requires the payment of any fee, We may charge a reasonable fee or refuse to act on the request.
Identity Verification. To protect Your Personal Data, We may ask for additional information to verify Your identity before processing Your request. This is to ensure that Your Personal Data is not disclosed to unauthorized parties.
IV. Consent
Your Consent plays a key role in how We process Your Personal Data. By using Our Website and purchasing the Goods/Made-to-order Goods or by explicitly agreeing to certain types of Personal Data Processing, You give Us permission to handle Your Personal Data under the following conditions stated herein.
Obtaining Consent. We will always seek Your explicit Consent when Processing Your Personal Data for purposes that are not based on other legal grounds, such as the fulfillment of a contract or a legitimate interest. For example, You will be asked to provide Consent for receiving marketing e-mails.
Right to Withdraw Consent. You have the right to withdraw Your Consent at any time. Once Consent is withdrawn, We will cease Processing Your Personal Data for the specific purpose to which Your Consent is applied. Withdrawal of Consent does not affect the lawfulness of Processing carried out before the withdrawal. You can withdraw Your Consent by:
- Contacting Us directly through the methods listed in Section XVIII: Support.
- Submitting the Data Subject Request Form;
- Following the unsubscribe or opt-out instructions provided in Our communications (e.g., marketing e-mails).
Impact of Withdrawing Consent. Withdrawing Consent for certain types of Processing (such as marketing communications) will not affect Your ability to use the Website and purchase the Goods or Made-to-order Goods. However, some features, such as personalized advertisements or special offers, may no longer be available if Consent is withdrawn.
V. Personal Data
Rafalskaya Collection processes Your Personal Data when You interact with the Website. The following Section describes how and why We collect, use, and store Your Personal Data:
Buyer's Website Visit. When You visit the Website, You give Us the Personal Data under the following conditions:
- Personal Data. When You visit the Website, We collect Your IP address and Cookies.
- Purpose of Collection. To load the Website accurately and conduct analytics on how the Website is used.
- Source of Collection. Collected automatically when You access Our Website.
- Legal Ground. Legitimate interest and/or Consent.
- Retention Period. We retain Personal Data collected during Your visit to Our Website for as long as necessary to fulfil the purpose of optimizing the Website's performance, ensuring security, and conducting analytics. Once these purposes are fulfilled, the Personal Data will be deleted unless it is required for statutory retention obligations or for evidence purposes during statutory limitation periods.
Buyer's Registration an Account. When the You create an Account on the Website, the You give Us the Personal Data under the following conditions:
- Personal Data. When You create the Account on the Website, We collect Personal Data such as Your name, e-mail address, phone number, Account credentials (e.g., password), address, payment conditions, purchase history.
- Purpose of Collection. To create and maintain Your Account, verify Your identity, and provide You access to ordering and purchasing the Goods and Made-to-order Goods and marketing (sending updates, promotions, and offers).
- Source of Collection. This Personal Data is collected directly from You when You create and use the Account on the Website.
- Legal Ground. Consent and legitimate interest.
- Retention Period. We store Your Personal Data for as long as necessary to maintain Your Account and fulfill Our contractual obligations, such as providing You access to Our Services and to the purchase of Goods and Made-to-order Goods. After Your Account is closed, deleted or You no longer use the Services, We delete the Personal Data unless it is required to comply with statutory retention obligations (e.g., for tax or legal purposes) or for evidence purposes during statutory limitation periods.
Buyer's Purchase. When You purchase the Goods and Made-to-order Goods, You give Us the Personal Data under the following conditions:
- Personal Data. When You purchase the Goods and Made-to-order Goods, We collect Personal Data such as Your name, e-mail address, phone number, address, payment conditions.
- Purpose of Collection. To process Payments, deliver the purchased Goods and Made-to-order Goods, and maintain transaction records for tax purposes, as well as for marketing (sending updates, promotions, and offers).
- Source of Collection. Collected automatically when You purchase the Goods on the Website or manually when you submit an Order to purchase Made-to-order Goods.
- Legal Ground. Fulfilling a contract (for providing the purchased Goods) and legitimate interest.
- Retention Period. We retain Your Personal Data for as long as necessary to process Your purchase, fulfil contractual obligations and comply with legal obligations, such as tax and financial regulations. After these obligations are met, the data will be deleted unless it is needed for statutory limitation periods (e.g., for evidence purposes in case of claims).
Buyer's Contact the Support. When You contact Us, You give Us Your Personal Data under the following conditions:
- Personal Data collected. It depends on a case-by-case basis but can include name, e-mail, Payment information (including credit and debit card numbers, e-mail address, phone number, etc.), photos and videos and any other Personal Data You provide in Your request.
- Purpose of collection. To respond to Your inquiries, provide support, information and improve Our Services.
- Source of collection. This Personal Data is collected directly from You when You reach out to customer support.
- Legal ground. Consent.
- Retention Period. We retain Your Personal Data for as long as necessary to address Your inquiries and provide support in accordance with Our contractual obligations. Once the inquiry is resolved and there is no further need for the Personal Data, We delete it unless We are required to retain it for legal purposes, such as statutory limitation periods or to comply with retention obligations related to consumer protection laws.
Other Processing Conditions. These are other conditions apply to Your Personal Data Processing:
- Data source. We process Personal Data that You provide to Us directly or that We collect automatically during Your use of Our Website. If We process Personal Data from Third Parties in the future, We will notify You accordingly.
VI. Cookies
To ensure the proper functioning of Our Website, We use Cookies to store information. Cookies serve various purposes, including:
- Web analytics;
- Tracking your shopping cart;
- Maintaining site settings and preferences.
By using Our Website and Services, You consent to Our use of Cookies for current and future sessions. You may choose to disable Cookies in your web browser; however, please note that certain functionalities of the website may become limited or non-functional without Cookies enabled.
VII. Personal Data Transmission and Storage
Transmission in General. We may transmit Your Personal Data to Processors, Co-Controllers, and Third Parties in accordance with this Privacy Notice and applicable data protection laws. These transmissions are conducted for the purposes of operating the Website, providing Services and organizing purchases of Goods and Made-to-order Goods or if based on Our legitimate interest.
Transmission in Specific Situations. We may transfer Your Personal Data based on the following legal grounds:
- Adequacy Decision: Transfers under the EU-US Data Privacy Framework, which is recognized by the European Commission as providing an adequate level of protection.
- Standard Contractual Clauses: In cases where the EU-US Data Privacy Framework does not apply, We use EU-approved Standard Contractual Clauses to ensure that Your Personal Data is protected.
- Contractual Necessity: When the transfer of Personal Data is necessary for the performance of an agreement between You and Rafalskaya Collection, such as the Goods and Made-to-order Goods purchase, production or delivery.
- Legal Obligations: We may also share Your Personal Data with law enforcement agencies, courts, or other governmental authorities if We are legally required to do so. This includes cases where We believe it is necessary to comply with a legal obligation or to protect the rights, property, or safety of Rafalskaya Collection, Our buyers, or public order.
Data Storage. Your Personal Data is transferred to and stored by Shopify according to their Privacy Policy.
VIII. List of Processors
We may share Your Personal Data with Third Parties (Processors) for the purposes of providing Services, Goods and Made-to-order Goods to You.
Below is a list of the key Processors We work with:
|
Processor |
Software |
Purpose |
Privacy Notice |
|
PayPal |
PayPal |
Payment Processing |
|
|
|
Google Analytics |
Website analytics |
|
|
Shopify |
Shopify |
Provision of the Website and sale of the Goods and Made-to-order Goods |
|
|
Delivery Service |
Delivery Service |
Delivery of the Goods |
IX. List of Co-Controllers
In some instances, Rafalskaya Collection may share Your Personal Data with Co-Controllers. These are Third Parties with whom We jointly determine the purposes and means of Personal Data Processing.
Below is a list of the key Co-Controllers We work with:
|
Co-Controller |
Software |
Purpose |
Privacy Notice |
|
|
Google Ads |
Advertising and remarketing campaigns |
|
|
Meta |
Meta for Business |
Advertising and marketing on social media platforms |
These Co-Controllers collaborate with Us for specific Personal Data Processing. We may share Your Personal Data with other Co-Controllers when it is necessary to provide Services, Goods and Made-to-order Goods to You.
X. Advertising
We may use Your Personal Data for advertising and marketing purposes, both directly and through Third Party platforms. Below are the ways in which Your Personal Data may be used for advertising:
Direct Marketing. With Your Consent, We may send You e-mails for promotional purposes. You can unsubscribe from these communications at any time by following the instructions provided in the e-mails or by contacting Us directly.
Targeting Marketing. We may use targeted marketing campaigns through Third Party services, such as Google Ads and Meta for Business, to deliver personalized advertisements to You. This is done with Your Consent, and We may use the following types of Personal Data for targeting:
- Name and contact details (e.g., e-mail),
- Interests and behaviors (based on browsing activity),
- Information about Your interactions on the Website.
Basis of Targeting Marketing. When We collaborate with Third Party platforms (e.g., Google Ads, Meta for Business) for targeted marketing, they may process Your Personal Data in accordance with their own privacy policies. You can manage Your preferences and opt out of targeted ads via the settings on these platforms.
Right Exercise on Targeted Marketing. You have the right to opt out of receiving targeted advertisements and marketing communications. You can manage Your advertising preferences directly through the platform settings (e.g., Google, Facebook) or contact Us to exercise Your rights.
XI. Other Processing
Profiling. Rafalskaya Collection does not currently use any automated Processing that results in decisions based solely on automated means (including profiling) that produce legal effects or significantly affect You.
Selling Personal Data. We do not sell Your Personal Data to Third Parties. Any transfer of Personal Data to Third Parties is strictly for the purposes outlined in this Privacy Notice and with Your explicit Consent when required.
Data Processing in Corporate Changing. In the event of a merger, acquisition, or any other form of corporate restructuring, Your Personal Data may be transferred to a new entity. If such a transfer occurs, We will notify You of any changes to the Controller of Your Personal Data and provide You with any relevant information about Your rights.
XII. Minors
We do not knowingly collect Personal Data from minors under 18 years of age.
If You believe We have collected Personal Data from a minor, please contact Us and We will take immediate actions to delete the collected Personal Data.
XIII. Personal Data Protection
We take the security of Your Personal Data seriously and implement various technical and organizational measures to protect it from unauthorized access, loss, or misuse. These measures include:
- Training employees in cyber security and data privacy;
- Employees distribute access to Personal Data;
- Integration with Third Party's software through official APIs;
- Strong password requirements.
There are also other security measures applied by Shopify Inc. in accordance with their Privacy Policy.
XIV. Data Breach Notification
We take Personal Data Breaches seriously and follow strict procedures in the event of a Personal Data Breach. If the Personal Data Breach occurs, We will take the following steps:
Response Team. If the Personal Data Breach is detected, a team consisting of specialists, including external specialists, and the management of Rafalskaya Collection must be established. The team should deal with eliminating Personal Data Breach and/or minimizing any consequences. One of the authorized members of the group shall alert the DPA about the Personal Data Breach, and, if necessary or required, also Data Subjects.
Notifying the DPA. The respective DPA must be informed through any designated by the DPA means of communication within 72 hours after the occurrence of the Personal Data Breach with the following information:
- The nature of the Personal Data Breach.
- Data Subjects impacted by the Personal Data Breach.
- The name and contact details of the responsible person from whom more can be obtained more information.
- The possible consequences of the Personal Data Breach.
- The measures taken or proposed to address the Personal Data Breach.
Notifying You. If the Personal Data Breach may lead to a violation of Your rights and freedoms or has a high risk of this, We shall immediately inform You in any possible means of communication, in particular the e-mail of the fact of the Personal Data Breach and report the following information:
- The nature of the Personal Data Breach.
- The name and contact details of the responsible person from whom more can be obtained more information.
- The possible consequences of the Personal Data Breach.
- The measures taken or proposed to address the Personal Data Breach.
- The measures on how to reduce the risks of the Personal Data Breach.
We will always aim to take immediate action to minimize the impact of any Personal Data Breach and ensure that Your Personal Data is protected.
XV. Governing Law and Dispute Resolution
Governing law. This Privacy Notice shall be governed by and construed in accordance with the laws of Norway, without giving effect to any principals of conflict of laws.
Dispute Resolution. All disputes or claims about this Privacy Notice shall be resolved within 30 (thirty) calendar days of negotiations. If negotiations do not work, the court of Norway under Norwegian law must resolve existing disputes or claims.
XVI. Miscellaneous
Effective date. This version of the Privacy Notice is valid from the Effective date specified above.
Changes. We may make changes from time to time without Your Consent. The new version will be valid from the time of the changes noted at the beginning of this Privacy Notice.
Assignment. You cannot transfer or give away Your rights and responsibilities under this Privacy Notice without Our permission. If You try to do so, it will be invalid. We can give Our rights and responsibilities under this Agreement to someone else without asking for Your permission.
Headings. The headings in this Privacy Notice are just to help You understand what each section is about, and they will not change the meaning of anything. When We use words like "including" or "such as," it does not mean that we have listed everything that could be included.
Severability. If any provision of this Privacy Notice is held to be invalid or unenforceable, that provision will be deemed severable, and the remaining provisions will continue in full force and effect. The invalid or unenforceable provision will be replaced by a valid and enforceable provision that accomplishes the same purpose as the original provision, to the extent possible.
Languages. This Agreement is available in Norwegian and English. If there are any differences between the Norwegian and any other versions and the translation to another language, the Norwegian version shall prevail.
XVII. Support
How You Can Contact Us. If You have any questions regarding this Privacy Notice, how Your Personal Data is Processed, or if You would like to exercise any of Your rights, You can contact Us via the following methods:
- Contact Form: You can use the contact form available at the bottom of the Website at https://rafalskaya.com/pages/contact;
- E-mail: Alternatively, You can reach Us via e-mail kundeservice@rafalskaya.no;
- Phone number: You can contact Us via the following phone number: +4791175209
Support Terms. We strive to deal with all inquiries or complaints as soon as possible. Our team will provide You with a response within 30 (thirty) calendar days of receiving Your enquiry or complaint.
Contact Our Processors and Co-Controllers. You can make inquiries or complaints to Our Processors and Co-Controllers via any available means of contact on their websites. The timing and procedure for responding depend on the internal policies of Our Processors and Co-Controllers.
Contact DPA. For further assistance, You may contact Norwegian Data Protection Authority or other DPA.
XVIII. Legal Information
|
Company Name: RAFALSKAYA AS |
|
|
Company Number: 934364511 |
Address: Hengslevein 30, 3515 Hønefoss, Norway |
|
E-mail: kundeservice@rafalskaya.no |
Phone number: +4791175209 |