Last update: February 1, 2022
1 . GENERAL INFORMATION
1.2. Owner of the Website. The website https://www.cbd-dona.com is owned and operated by DONA BELLADONA S.L. with tax registration number B06809768 and address at Parlament Street 22, 1-1, 08015 Barcelona, Spain (“the Company,” “we,” “us,” or “our”).
1.3. Our role as data controller and data processor. We act as data controller and data processor with respect to personal data processed through the Website in terms of applicable data protection laws, including the EU General Data Protection Regulation (GDPR). Our role depends on the specific situation in which we handle personal data, as explained in detail below:
- Responsible for the treatment. We are responsible for the collection of your personal data through the Website and its subsequent use. We make decisions about the types of personal data that should be collected about you and the purposes for which such personal data should be used. Therefore, we act as a data controller with respect to personal data collected directly through the Website (for example, when you register or submit an order to us). We comply with the obligations of the person responsible for the file established in the applicable laws.
- Data processor. We act as a data processor in situations where you use the Website to collect or manage certain personal data belonging to your customers (the “Customers Data”).
1.5. Minors. The Website is not intended for use by persons under the age of eighteen (18) or younger in their country of origin. Therefore, we do not collect data from minors intentionally. If you become aware that a minor, in your home country, has submitted their personal data to us, please contact us immediately. We will remove the minor’s personal data from our systems without undue delay.
2 . PERSONAL DATA WE COLLECT AND ITS PURPOSE
2.2. Personal data sources. We obtain your personal data from the following categories of sources:
- Directly from you. For example, if you submit certain personal data to us directly when registering your user account or when you contact us;
- Directly or indirectly through your activity on the Website. When you use the Website, we automatically collect technical information about your use of the Website; and
- From third parties. We may receive information about you from third parties to whom you have previously provided your personal data, if those third parties have a legal basis for disclosing your personal data to us.
2.3. The personal data we collect. We collect the following types of your personal data:
- Account registration. When registering your account, we collect your first name, last name, date of birth, gender, address, email, telephone, intolerances/interests/preferences. We use such information to register, verify and maintain your user account, enable your access to the Application, provide you with requested services, contact you, if necessary, and maintain our business records. We store such data until you change it or delete your user account.
- Contact. When you contact us, we collect your name, email address, username, and any information you include in your message. We use such data to respond to your inquiries, complaints, requests or any communication.
- IP address. When you use the Website, we may collect your IP address (primarily anonymously). We use such information to identify the country where you are located, make location-specific content available to you, analyze the technical aspects of your use of the Website, direct you to the correct domain name, and ensure the security of the Website. The legal bases we rely on are ‘pursuing our legitimate business interests’ (i.e., operating, analyzing and protecting the Website) and ‘performing a contract with you’. We store such data until it is necessary to analyze and protect the Website or until you stop using the Website.
- Payments. When you make a payment for your use of the Website or request a payment, you will be required to provide your payment details (for example, your name, credit card number, security codes, and billing address). We do not process your payment details; this is done by our third-party payment processor, BBVA bank.
2.4. Sensitive data. We do not collect or have access to any special categories of personal data about you, unless you choose, at your discretion, to provide us with such data. Sensitive data is information related to your health, genetics, biometrics, religious and political beliefs, racial origins, membership in a professional or trade association, sexual life or sexual orientation. If you decide, at your sole discretion, to send us such data, it will be deleted immediately.
2.5. Refusal to provide personal data. If you refuse to provide us with your personal data when requested, we may not be able to perform the requested operation and you may not be able to use the full functionality of the Website or obtain a response from us. Please contact us immediately if you believe that the personal data we collect is excessive or is not necessary for its intended purpose.
2.7. Confidentiality of communication. When you communicate with us through the Website, we use reasonable efforts to ensure that any communication information transmitted through the Website remains confidential and properly protected. In addition, we do not intentionally and directly access, manage, correct, delete, share or disclose any information that you exchange with the Website.
3 . SERVICE COMMUNICATIONS AND MARKETING
3.1. Service Related Notices. If necessary, we will send you important informational messages, such as confirmation receipts, payment information, technical emails, and other administrative updates. Please note that these types of messages are sent only “if necessary” so they are not within the scope of commercial communication that may require your prior consent. You may not opt out of receiving service-related notices.
3.2. Newsletters. We may, from time to time, send you a newsletter informing you of the latest developments relating to the Website and our special offers. You will receive our newsletters by email in the following cases:
- If we receive your express consent (“opt-in”) to receive marketing messages; or
- If you voluntarily subscribe to our newsletter; or
- If we decide to send you information closely related to services you already use.
3.2. Opt out. You can choose not to receive our commercial communication at any time free of charge by clicking on the ‘unsubscribe’ link that you can find in each newsletter or by contacting us directly.
3.3. Pixel tracking. The newsletters sent by us may contain tracking pixels that allow us to carry out analysis of our marketing campaigns. Tracking pixels allow us to see whether you have opened the newsletter and which links you have clicked on. We use such information for analytics and to pursue our legitimate business interests.
4 . PRESERVATION OF YOUR PERSONAL DATA
4.2. Retention as required by law. In certain cases, we are required by law to store your personal data for a certain period of time. Therefore, we keep your personal data for the period of time stipulated by applicable law and securely delete it as soon as the required storage period expires.
5 . DISCLOSURE OF YOUR DATA
5.1. Disclosure to Data Processors. From time to time, your personal data is disclosed to our service providers with whom we cooperate (our data processors). For example, we share your personal and non-personal data with entities that provide us with certain technical support services, such as email hosting and distribution services. We do not sell your personal data to third parties. Disclosure is limited to situations where your personal data is required for the following purposes:
- Ensure the proper functioning of the Website;
- Ensure the delivery of the services requested by you;
- Provide you with the requested information;
- Pursue our legitimate business interests;
- Enforce our rights, prevent fraud for security purposes;
- Comply with our contractual obligations; or,
- If you previously consented to the disclosure.
- Our cloud hosting and storage service provides web services located on DINAHOSTING.COM servers in Galicia, Spain;
- Our payment service provider located in Spain (BBVA bank);
5.3. Legal requests. If we are contacted by a public authority, we may need to disclose information about you to the extent necessary to pursue a public interest objective, such as national security or law enforcement.
5.5. Sale of personal data. We do not give your personal data to third parties.
6 . PROTECTION OF YOUR PERSONAL DATA
6.1. Our security measures. We implement technical and organizational information security measures to protect your personal data from loss, misuse, unauthorized access and disclosure. The security measures we take include:
- Access control;
- Secure networks;
- SSL protocol;
- End-to-end encryption;
- Strong passwords;
- Anonymization of personal data (when possible); and
- Carefully selected data processors.
6.2. Security breach. Although we use our best efforts to protect your personal data, given the nature of communications and information processing technology and the Internet, we cannot be held responsible for any unlawful destruction, loss, use, copying, modification, leakage and falsification of your personal data, caused by circumstances beyond our reasonable control. In the event of a serious breach, we will take reasonable steps to mitigate the breach, as required by applicable law. Our liability for any breach of security will be limited to the maximum extent permitted by applicable law.
7 . YOUR RIGHTS REGARDING YOUR PERSONAL DATA
7.1. The list of your rights. You have the right to control how we process your personal data by exercising the rights listed below (unless, in very limited cases, applicable law provides otherwise):
- Right to access: you can obtain a copy of your personal data stored in our systems and a list of the purposes for which your personal data is processed;
- Right of rectification: you can rectify inaccurate personal data that we hold about you;
- Right of cancellation (‘right to be forgotten’): you can ask us to erase your personal data from our systems;
- Right of restriction: you can ask us to restrict the processing of your personal data;
- Right to data portability: you can ask us to provide you with a copy of your personal data in a structured, commonly used and machine-readable format and transfer that personal data to another processor;
- Right to object: you can ask us to stop processing your personal data;
- Right to withdraw consent: you have the right to withdraw your consent, if you have provided it; or
- Right to claim: you can present your claim about our treatment of your personal data.
7.2. How to exercise your rights? If you wish to exercise any of your rights, please contact us by email at GDPR@cbd-dona.com and explain your request in detail. To verify the legitimacy of your request, we may ask you to provide us with identifying information that allows us to identify you in our system. We will respond to your request within a reasonable period of time and no later than 30 days. If we deny your request, we will provide you with an explanation of the legal basis that allows us to do so.
7.3. Complaints. If you wish to make a complaint about the way we process your personal data, please contact us first and express your concerns. If we receive your complaint, we will investigate it and provide you with our response as soon as possible. If you are not satisfied with the result of your complaint, you have the right to lodge a complaint with your local data protection authority.
7.4. Nondiscrimination. We do not discriminate against you if you choose to exercise your rights. That means that we will not (i) refuse to provide you with goods and services, (ii) charge you different prices, (iii) exclude you from discounts or benefits, (iv) impose penalties on you, or (v) provide you with lower quality services.
8 . TECHNICAL (NON-PERSONAL) DATA THAT WE COLLECT
8.1. Log files and analytical data. To analyze your use of the Website, our analytics service provider collects non-personal technical data about your device and your use of the Website, such as:
- Your device type;
- Your operating system;
- URL addresses clicked to and from the Website;
- Information about your use of the Website; and
- Time spent on the Website.
8.2. Your comments. If you contact us, we may keep records of any questions, complaints, recommendations or compliments you have made and any subsequent responses. When reasonably possible, we delete all personal data that is not necessary to maintain such records.
8.3. Purposes of technical (non-personal) data. We use your technical (non-personal) data for the following purposes:
- To examine the relevance, popularity and engagement rate of the Website;
- To investigate and help prevent bugs, security issues, and abuse; and
- To develop and provide additional features to the Website.
8.4. Added and anonymized data. If we combine your non-personal data with certain elements of your personal data and that combination allows us to identify you as a natural person, we will use that added data as personal data and ensure that we have a legal basis for the processing of the same. If your personal data is no longer identifiable in a way that it can no longer be associated with a natural person, it will not be considered personal data and we may use it for any business purpose.