Privacy policy
Ananimal Ab Customer Register Privacy Policy
Effective date 1.5.2023
1 Data controller
The controller is Ananimal Ab (business ID 2698287-4)
The contact person for register matters is: Antti Latvala
Ananimal Ab
Address: P.O. Box 100, 60101 Seinäjoki, Finland
E-mail: info@ananimal.eu
2 Name of the register
The name of the register is Ananimal Ab's e-commerce customer, order, billing and marketing data register.
3 Purpose and retention period of personal data
Personal data is processed for purposes related to the management, administration and development of the customer relationship, the provision and delivery of services, and the development and billing of services. Personal data are also processed for the purposes of dealing with possible complaints and other claims.
In addition, personal data are processed for customer communications, such as information and news purposes and marketing, including for direct marketing and electronic direct marketing purposes.
The customer has the right to object to direct marketing directed at him/her.
The controller processes the data itself and uses subcontractors acting for and on behalf of the controller to process personal data.
4 Legal grounds for processing
The legal grounds for the processing of personal data are the following criteria in accordance with the EU General Data Protection Regulation (hereinafter also referred to as "GDPR"):
1. the data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes (Art. 6 Art. 1.a GDPR);
2. processing is necessary for the performance of a contract to which the data subject is party or in order to carry out pre-contractual measures at the request of the data subject (GDPR Art. 6.1.b);
3. processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party (GDPR Art. 6.1.f).
The aforementioned legitimate interest of the controller is based on a relevant and proper relationship between the data subject and the controller, resulting from the fact that the data subject is a customer of the controller and where the processing is carried out for purposes which the data subject could reasonably have expected at the time of collection of the personal data and in the context of the relevant relationship.
5 Data content of the register (categories of personal data processed)
In principle, the register contains the following personal data of all data subjects:
1. basic personal data and contact information: [first name, surname, address, telephone number, email address];
2. the person's direct marketing authorisations and prohibitions.
6 Regular sources of information
Personal data are collected from the data subject himself/herself.
Personal data are also collected and updated, within the limits of applicable law, from publicly available sources related to the performance of the customer relationship between the controller and the data subject and through which the controller carries out its obligations in relation to the maintenance of the customer relationship.
7 Retention period of personal data
Data collected in the register will be kept only for as long and to the extent necessary in relation to the original or compatible purposes for which the personal data were collected.
The personal data of the customer will be kept for as long as the customer can be considered a customer of the company. In addition, there are legal obligations which oblige the retention of certain information about the customer, for example, accounting records must be kept for six years after the end of the financial year to which the information relates. Information on potential customers is kept for as long as it is necessary for the establishment of future potential cooperation. Obsolete personal data will be deleted from the company's customer register.
The controller will regularly assess the necessity of data retention in accordance with its internal code of conduct. In addition, the controller shall take all reasonable steps to ensure that personal data which are inaccurate, incorrect or out of date, having regard to the purposes of the processing, are erased or rectified without undue delay.
8 Recipients (categories of recipients) and regular transfers of personal data
Personal data will not be disclosed to third parties.
9 Transfer of data outside the EU or EEA
Personal data contained in the register will not be transferred outside the EU or EEA.
10 Principles of register protection
Personal data files are kept in locked premises, accessible only to designated persons authorized by their functions.
The database containing personal data is stored on a server in a locked room accessible only to designated and duly authorized persons. The server is protected by an appropriate firewall and technical protection.
Access to databases and systems is only possible with a personal username and password, which must be issued separately. The controller has limited access rights and authorisations to information systems and other storage platforms so that only persons necessary for their lawful processing have access to and can process the data. In addition, access events to the databases and systems are recorded in the log files of the controller's IT system.
The employees and other persons of the controller are bound by the obligation of confidentiality and to respect the secrecy of the information obtained in connection with the processing of personal data.
11 Rights of the data subject
The data subject has the following rights under the EU General Data Protection Regulation:
1. The right to obtain confirmation from the controller that personal data concerning him or her are being processed or not being processed and, if such personal data are being processed, the right of access to the personal data and the following information: (i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipients to whom the personal data have been or are to be disclosed; (iv) where possible, the envisaged period of retention of the personal data or, if that is not possible, the criteria for determining that period; (v) the data subject's right to obtain from the controller the rectification or erasure of personal data concerning him or her or the restriction of the processing of personal data or to object to such processing; (vi) the right to lodge a complaint with a supervisory authority; (vii) where the personal data are not collected from the data subject, any available information on the origin of the data (Art. ).
2. the right to withdraw consent at any time without affecting the lawfulness of the processing carried out on the basis of the consent before its withdrawal (Art. 7 GDPR);
3. the right to obtain the rectification, without undue delay, of inaccurate or incomplete personal data concerning the data subject and the right to have incomplete personal data completed, inter alia, by providing further explanations, taking into account the purposes for which the data were processed (Art. 16 GDPR);
4. the right to obtain from the controller the erasure of personal data concerning the data subject without undue delay, provided that (i) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed; (ii) the data subject withdraws the consent on which the processing was based and there is no other lawful basis for the processing; (iii) the data subject objects on grounds relating to his or her particular personal situation and there is no legitimate ground for the processing or the data subject objects to the processing for direct marketing purposes; (iv) the personal data have been unlawfully processed; or (v) the personal data must be erased in order to comply with a legal obligation under Union or national law to which the controller is subject (Art. 17 GDPR). );
4. the right to obtain from the controller the erasure of personal data concerning the data subject without undue delay, provided that (i) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed; (ii) the data subject withdraws the consent on which the processing was based and there is no other lawful basis for the processing; (iii) the data subject objects on grounds relating to his or her particular personal situation and there is no legitimate ground for the processing or the data subject objects to the processing for direct marketing purposes; (iv) the personal data have been unlawfully processed; or (v) the personal data must be erased in order to comply with a legal obligation under Union or national law to which the controller is subject (Art. 17 GDPR). );
5. the right to have processing limited by the controller if (i) the data subject contests the accuracy of the personal data, in which case the processing is limited for a period of time within which the controller can verify its accuracy; (ii) the processing is unlawful and the data subject objects to the erasure of the personal data and requests instead the restriction of their use; (iii) the controller no longer needs the personal data concerned for the purposes of the processing, but the data subject needs them for the establishment, exercise or defence of legal claims; or (iv) the data subject has objected to the processing of personal data on grounds relating to his or her particular situation, pending verification whether the legitimate grounds of the controller override those of the data subject (Art. );
6. the right to receive personal data concerning him or her which the data subject has provided to the controller in a structured, commonly used and machine-readable format and the right to transmit such data to another controller without hindrance from the controller to whom the personal data have been provided, provided that the processing is based on consent within the meaning of the Regulation and the processing is carried out automatically (Art. 20 GDPR);
7. the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data concerning him or her infringes the EU General Data Protection Regulation (Article 77 GDPR).
Requests concerning the exercise of the rights of the data subject shall be addressed to the contact person of the controller mentioned in point 1.
12 Network analytics
Google Analytics
Google Analytics collects anonymised data on website visits without any personal data.
Shopping cart
The shopping cart collects the products selected by the customer in the online shop so that they can all be found in the same place at the end of the selection process.
Checkout
Kassa uses cookies to fill in customer information through the browser to improve and facilitate the customer's shopping experience. The user's personal data is stored but never disclosed to a third party. All user data is secured in an environment protected by firewalls and strong passwords.
My account
My Account stores the information provided by the customer and the products purchased, to facilitate future purchases by the customer.
Product reviews
When a customer comments and reviews a product, cookies are involved.
Contact form
The various contact forms on the site collect cookies. In these contacts, the user's personal data is stored, but is never disclosed to a third party. All user data is secured in an environment protected by firewalls and strong passwords.
Summary
The personal data collected through Ananimalab's data, as well as the personal data provided by the user of the website, will in principle only be processed by Ananimalab's employees and will be kept for as long as deemed necessary, taking into account the purpose for which the data is used. The data of newsletter subscribers will be kept for as long as the customer wishes to receive the newsletter. Users of the website may choose to refuse the use of cookies in their browser settings, which may cause the website not to function optimally.