This policy is drafted in English. If there is a conflict between a translated version and the English version of these terms then, to the extent permitted under applicable law, the English version shall prevail.
This policy, sets out how we may collect personal data from you, when we may collect person data from you, the type of personal data and/or sensitive personal data we may collect from you or that you provide to us, and how such data may be controlled and/or processed once you have registered to use the www.elvie.com website and/or the Elvie app (together the “Platforms”).
This policy also sets out your rights and our obligations in relation to collecting, controlling and processing such personal data.
Our main objective is for you to have absolute trust and confidence in us when we collect, control and process your personal data.
Any third party data processors are obliged to comply with this policy when processing personal data on our behalf. Any breach of this policy by that third party may result in disciplinary action being taken against them.
1. Who we are
We are Chiaro Technology Limited (“we/our/us”). We are a company registered in England and Wales with company number 08502405. Our registered office address is Second Floor, 63-66 Hatton Garden, London, England, EC1N 8LE. Our registered VAT number is 172 6300 28.
For the purpose of the Data Protection Act 1998 (“the Act”) and General Data Protection Regulation (Regulation (EU) 2016/679) (“the Regulation”) we are a data controller and data processor of personal data and sensitive personal data provided by you to us through our Platforms.
We are registered as a data controller with the UK Information Commissioner’s Office with registration number ZA210121.
2. Our Mission
At Chiaro Technology we are as committed to protecting your personal data as we are to creating cutting edge, smart technology for women. It is a top priority for us to build a relationship of trust with you as a user of our products and services. Actions speak louder than words so we take tangible steps to keep your data private and confidential. These steps include:
i) being completely transparent about how, when and why your personal data is controlled and processed by us.
ii) allowing you control over the personal data we collect from you and how we process that personal data
iii) if you do choose to allow us to process your personal data, we will make as clear as possible the specific reasons why and how that data may be collected, used and transferred.
3. What is personal data?
Personal data is information relating to an “identified” person or an “identifiable natural person”. An “identifiable natural person” is one who can be identified, directly or indirectly, in particular reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Sensitive personal data includes, but is not limited to, personal data which reveals racial or ethnic origin, and data concerning health or sex life and sexual orientation.
Further detail as to the specific types of personal data and sensitive personal data we may control and process is set out at paragraph 5, below.
4. Personal data we may control and process
We may collect and process various types of personal data, sensitive personal data and other information from you when you use our Platforms, and when you correspond with us by phone, email or otherwise. The type of data collected, and the manner in which such data is collected, will vary depending on how you use our Platforms and whether or not you have consented for us to collect certain types of data from you. Further details of the type of data we collect and the manner in which such data may be collected is set out below in paragraph 5 under the heading “How Personal Data is collected”.
By using our Platforms, and/or using our products or services in conjunction with our Platforms, you are agreeing for us to collect and process the personal data provided as part of that process, for the purposes made clear to you at that time.
The personal data we collect from you may be held on paper or on a computer or other media, and is subject to certain legal safeguards specified in the Act and the Regulation and under certain applicable United States federal and state laws and regulations (collectively the "Legislation")
5. How we collect personal data
Personal data and sensitive personal data may be collected by us actively and passively. The specific types of personal data we may collect from you, and the manner in which such data may be collected, includes:
i) Necessary Data. This is data we must collect in order to activate, and provide you with access to, your Platform account, as well as to enable you to access and use your account across multiple devices, to enable you to delete personal data when you wish, and/or for us to fulfil any order for products or services you place through the Platforms. We may also use Necessary Data for the purpose of providing you with information about similar products and services we provide.
Necessary Data includes, but is not limited to, your name, email address, your login information, billing address and delivery address.
Necessary data will be collected by us when you fill in and submit the relevant form through the Platforms which contains that data.
ii) Optional Data. This data includes information which is not necessary for us to collect but which you actively choose to provide to us (“Optional Data”).
Optional Data includes, but is not limited to, your age, your reasons for using the Platforms or product and the number of children you have. We may also use Optional Data for the purpose of analysing your requirements as a consumer and providing you with information about other products and services we provide which may be of interest to you.
Optional Data will be collected by us when you submit an account registration form through the Platforms which contains that data.
You may be able to actively provide us, at any time in the future, with additional Optional Data if you choose to do so. We will collect and use that data in accordance with these terms.
iii) Product Data. This data is passively collected by us in the course of you using our products in conjunction with the Platforms (“Product Data”). On collection, all Product Data is anonymised. We are unable to identify you as a user from viewing Product Data. We do, however, have the ability to re-identify Product Data where permitted by applicable law, and may do so in exceptional circumstances, for example, if there is a need for us to identify you for the purpose of product recall.
Product Data includes, but is not limited to, data relating to your performance and workouts with the Elvie Trainer. We may also use Product Data for the purpose of analysing your requirements as a consumer and providing you with information about other products and services we provide which may be of interest to you.
Your use of our products in conjunction with the Platforms will produce data about your use of that product. Such data may include, for example, data concerning your individual workout performance, and data about your workout performance over time. Such data is collected by us at the time that it is transmitted to the Platforms.
iv) Platform Data. This data is passively collected by us in the course of you using and browsing the Platforms (“Platform Data”).
Platform Data includes, but is not limited to, your device’s Internet Protocol (IP) address, web cookies, browser type and version, the pages of our Platforms you visit, the amount of time spent on each page of our Platforms, time zone settings, the time and date of your visit and the operating system or platform you use, information about your visit, including the full Uniform Resource Locators (URL), clickstream to, through and from our Platforms (including date and time), any products you have viewed or searched for, page response times, download errors, length of visits to certain pages within the Platforms, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page. Platform Data is collected by us when it is transmitted to us during or after your use of the Platforms. Such data may or may not be anonymised and will be used as further described in paragraph 6 below.
6. How we use your personal data
We may use Necessary Data for the purpose of fulfilling an order or contract placed through our Platforms, or for the purpose of creating your personal user account in order for you to gain full accessibility to the Platforms. For instance, when purchasing on our website you provide us with your phone number which will help our courier fulfil your order.
Part of our mission is to contribute towards medical, scientific and statistical research to improve understanding of how smart technology can improve women’s lives. To this end, we may use Optional Data for the purpose of understanding how and why customers use our Platforms and products with the aim of improving them or tailoring them more effectively.
We may also use your Product Data for this purpose. We use Product Data in order for you to use the products and platforms to their full potential by tracking your usage and to analyse our customers’ likely wants and needs in respect of the products and services we provide.
Only you may see that your Product Data is linked with your account; all Product Data will be anonymised when viewed by us and any other third parties. No individual users’ Product Data is shared with third parties, rather only amalgamated product data and the results of our research and analysis using this amalgamated data is disclosed. The only exception will require you to provide us with explicit permission to access and assess your Product Data in order to resolve a problem you are having with the product. We will not be able to do this without your permission.
We may use Platform Data for the purpose of understanding how our customers’ behave in order for us to develop or optimise:
- how the Platform works for you;
- the information and services provided to you through our Platforms; and
- the effectiveness of our online advertising and branding.
All personal data we collect and process is stored on our secure servers in accordance with reasonable security practices.
Where you have chosen (or where we have given you) a password which enables you to access certain parts of our Platforms, or use our Platforms in a particular way, you are responsible for keeping this password confidential. We ask you not to share this password with anyone and to change it if you suspect someone has gained access to it.
7. Your rights and our obligations
We may also process your personal data without your express written consent if we have a legitimate interest in doing so, for example, for some internal administrative purposes, or for the purpose of ensuring electronic information security.
If we are controlling and processing your personal data on the sole basis of having your consent to do so, we must gain separate consents from you in respect of each distinct type of processing operation.
Where we are processing your personal data on the basis of you having given us your consent to do so, you do have the right to withdraw that consent at any time, but this will not affect the lawfulness of processing prior to the withdrawal of such consent. You can exercise your right to withdraw consent to processing at any time by contacting us via firstname.lastname@example.org.
Data Retention, Erasure and Rectification
The personal data we collect from you will be stored and retained by us for the length of time that you maintain a user account with us in respect of the Platforms. We may also retain such data for a reasonable period of time following deactivation of your user account for the purpose of enabling you to reactive your user account more easily, or for any period of time as required by applicable law.
You also benefit from the right to erasure (also known as the ‘right to be forgotten’). This means that you have the right to request us to erase personal data we hold about you, and that we should erase such data without undue delay, provided that you are able to demonstrate one of the following to us:
(a) that our processing of the personal data is no longer necessary in relation to the purpose for which it was collected;
(b) that you withdraw your consent to the processing and there is no other legal ground for us to continue to process the data;
(c) that you object to the processing under regulation 21 of the Regulation and there are no overriding legitimate grounds for processing;
(d) that the personal data must be erased in order to comply with a national legal obligation; or
(e) the personal data in question belongs to a child under the age of 16 and no consent is given or authorised by the holder of parental responsibility over the child.
You also benefit from the right to rectify inaccurate personal data we hold which relates to you (also known as the “right to rectification”). This means that, taking into account the subject of the processing, you shall have the right to have incomplete personal data completed. You can exercise your right to rectification by contacting us via email@example.com.
You also have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format. You have the right to transmit such data to other data controllers without hindrance from us where we are processing that data on the basis of having your consent to do so, or where it is necessary for the performance of a contract, and the processing is carried out by automated means.
Subject Access Requests
You as a data subject are entitled to make a formal request for information we hold about you. We must provide you with a copy of this information, the reasons it is being processed and whether it will be given to any other organisations or people provided that you make this request in writing.
8. Children’s privacy
The goods and services provided through our Platforms are not marketed to, and should not be used by, anybody under the age of 16.
We do not knowingly collect personal data from children under the age of 16. In the event that we discover that a child under the age of 16 has provided us with personal data, we will delete such data from our servers unless consent is given or authorised by the holder of parental responsibility over the child.
9. Sharing and transferring personal data
We use industry standard encryption for transmission of data to our systems. Although we cannot guarantee the absolute safety of transmission of data via the internet, we adhere to industry standards to give your data the most appropriate protection possible.
Sharing of Personal Data:
We may share personal data we hold with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.
We may also disclose personal data we hold to third parties, with your consent, or on the basis of us an otherwise lawful reason for doing so under the Legislation. For example:
(a) in order to facilitate, provide and improve the products and services we provide to you through our Platforms;
(b) in order to analyse the manner in which our services are used by services and product users;
(c) in the event that we sell or buy any business or assets, in which case we may disclose personal data we hold to the prospective seller or buyer of such business or assets;
(d) if we or substantially all of our assets are acquired by a third party, in which case personal data we hold will be one of the transferred assets; and
(e) if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply any contract with the data subject or other agreements; or to protect our rights, property, or safety of our employees, customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
Use of Third Party Platforms:
Our Platforms use Google Analytics, a web analytics service offered by Google Inc. Google Analytics will make use of small pieces of data, known as cookies, which can be used to track and analyse the manner in which you use and operate our Platforms. Such data will be transferred to, and stored on, a server in the USA operated by Google, Inc. Google, Inc. may i) transfer this data to third parties where required by law, or other third party processors used by Google, Inc. You may prevent cookies from being stored in relation to your visit to, and use of, our Platforms but do please be aware that this may negatively impact upon the way in which the Platforms work.
We may also use Facebook’s advertising service known as “Facebook lookalike audiences” if you have informed Facebook of the fact that you use our Platforms. Facebook lookalike will allow us to identify new potential consumers and users of our Platforms and products on the basis that those new potential users share similar characteristics with you on Facebook – for example, on the basis that both users have “liked” the same Facebook pages. We may, therefore, share your email address and name with Facebook if you have logged into the Platforms via your Facebook account, or have downloaded our Platforms onto your device through a Facebook advertisement. More information about Facebook lookalike audiences is here.
Transfers outside the EEA:
We may also transfer any personal data we hold to a country outside the European Economic Area (EEA), provided that one of the following conditions applies:
(f) the country to which the personal data is transferred ensures an adequate level of protection for the data subjects' rights and freedoms;
(g) you have given your consent;
(h) the transfer is necessary for one of the reasons set out in the Act and/or Regulation, including the protection of your vital interests;
(i) the transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims; or
(j) the transfer is authorised by the relevant data protection authority where we have adduced adequate safeguards with respect to the protection of the data subjects' privacy, their fundamental rights and freedoms, and the exercise of their rights.
10. California Consumer Rights
Under California Civil Code Section 1798.83, California residents have the right to obtain: (a) a list of all third parties that we may have disclosed your personal information to within the past year for direct marketing purposes; and (b) a description of the categories of personal information disclosed. To obtain such information, please email your request to firstname.lastname@example.org.
11. Changes to this policy
We reserve the right to change this policy at any time. Where appropriate, we will notify you, as a data subject, of those changes by email.
12. Concerns or complaints
If you have any concerns or complaints relating to this policy, its subject matter, or the manner in which we collect, control and/or process your personal data, please do let us know by sending an email to email@example.com.
You also have the right to lodge a complaint with a supervisory authority if you consider that the processing of your personal data has infringed the Regulation. In the UK, the relevant supervisory authority is the Information Commissioner’s Office.