- Global overview of our data processing activities (section 1)
- In more detail: which data do we process, for what purpose(s) and on which legal ground(s)? (section 2)
- Our retention policy (section 3)
- Where we store your personal information (section 5)
- When we may disclose your personal information (section 6)
- Your data subject’s rights (section 7)
- How to contact us (section 8)
Section 1 – Global overview on our processing activities
First of all, the terms “data”, “personal information” and “personal data” all refer to the definition of “personal data” in Article 4(1) GDPR, which is basically any information that would allow us to directly or indirectly identify you. It can be your name, your phone number, your order numbers and email address. Most of the time the data that we process is submitted by you directly, when you use our Services. For example, when you order something, you may provide your name, email address and transaction and billing information (e.g., credit card / debit card or other bank information, and delivery information). Sometimes, we also collect your data when you visit our Website (e.g. technical device and access data which are automatically collected when you interact with our Services), and - depending on your cookie preferences and consent - we may use tracking technologies to check which pages you have viewed, or if you have opened our newsletter emails.
We always rely on a legal ground to collect and process your personal data. The purposes that may require your prior consent are the following:
- participation in surveys, online competitions or ads campaigns,
- transmission of your data to third parties or third countries (i.e., located outside the EEA) if there are no sufficient safeguards in place (if applicable), and
- cookies and tracking technologies (e.g., to know which pages you have viewed on our Website and if you have opened our newsletter emails).
Children’s privacy protection: please note that our Website is not intended for, and should not be used by, children under the age of 18. We therefore do not intentionally collect personal information about anyone under the age of 18, unless we received the legal guardian’s prior consent.
Section 2 - Which data do we process, for what purpose(s), and on which legal ground(s)?
Use of our Website
We use your data to provide you with access to our Website. Depending on your settings, we may collect the following data during each of your visits:
- Usage data: technical information about your device, including device-specific information such as your hardware model, operating system version, unique device identifiers, language settings, and system authorizations; details of your visits, including the full Uniform Resource Locators (“URL”) clickstream to, through and from our Services (including date and time);
- Analytics data: your IP address, operating system and browser type; visits to pages, length of visits and page interactions (such as scrolling, finger gestures, clicks, and mouse-overs);
- Advertising data: information about the origin of your visit (a social media platform or a search engine) can be shared with our partners, together with a random ID allocated to your browser session at each visit.
Purposes: to give you access to our Website, improve your user experience, and/or to ensure a proper use of our Services. In any case we never use this data to identify you specifically.
Legal grounds: Legitimate interest (Article 6(1)(f) GDPR) / Consent (Article 6(1)(a) GDPR).
Place and pay your order
When buying our Products online, you can use common payment methods such as your credit/debit card, PayPal and Direct Debit options like Ideal, Bancontact, Klarna and MobilePay. We process your payment details in order to execute the payment, and may receive additional information from the external payment service providers we work with. This may include your transaction and billing information; e.g., credit/debit card details and delivery information. Please note, however, that we do not store your credit card information - it is located on a specifically encrypted server of our so-called payment gateway, which is PPC certified.
Purpose: to capture the payment and place the order.
Legal grounds: Contract performance (Article 6(1)(b) GDPR) / Legitimate interest (Article 6 (1)(f) GDPR).
Abandoned Cart Emails or SMS
When navigating on our Website, you may add Products to your cart. Sometimes, customers think they have finalized their shopping, but a piece of information was missing and, therefore, the order cannot be processed correctly. To avoid such an unpleasant situation, we may process the Products you put in your cart together with your name, email address and/or phone number.
Purpose: to contact you to remind you that you have an outstanding Product in your cart, and ensure that the non-completion is not due to a bug. We may contact you if you were close to completing a transaction but did not complete it (e.g. if you selected a Product but did not complete the transaction, or if you entered some details during the checkout that make us think that you were interested in purchasing such product despite the non-completion of the transaction).
Legal grounds: Legitimate interest (Article 6(1)(f) GDPR). You may, for reasons arising from your particular situation, object to such a processing, at any time, by writing us an email (as explained in section 7 below).
Information collected on online media platforms
Purposes: to better understand how customers view our Products and identify beauty trends; to increase our visibility on the market and continuously develop our brand.
Legal ground: Legitimate interest (Article 6(1)(f) GDPR).
We sometimes organize and initiate online competitions through our online media platforms, where the participants are encouraged to, as an example but not limited to, vote, share, like or comment or otherwise interact with a post, or invite a friend to follow us in order to maybe win prizes or awards. We may therefore process personal information such as participants’ usernames, and ask the winner of such online competition for further information such as their name, email address and delivery information in order to send the prize/award. Sometimes we take care of the delivery ourselves, but sometimes the brand partner that cooperates with us on the competition delivers the gift directly. If this is the case, we inform the winner in advance about the fact that their information will be shared with such a brand, only for the purpose of delivering the prize/award. We have data processing agreements in place with all the brands we cooperate with, and the shared personal information is only used for the aforementioned purpose.
Purpose: to increase our mutual customer engagement or make our mutual followers discover our services. The processing of the above data is necessary to perform the online competition and deliver the prize/award to the winner.
Legal grounds: Legitimate interest (Article 6(1)(f) GDPR) / Contract performance (Article 6(1)(b) GDPR).
Subscribing to our newsletter, receiving promotional emails or any other marketing materials
We may use your personal information to send you marketing content by email, phone (calls/SMS) or post. These messages may sometimes be customized, based on your previous browser or purchasing activity, or any other information we may have collected about you. If you no longer wish to receive marketing communications from us or any individual product recommendation, or if on the contrary you would like to subscribe again to it, you can modify your settings at any time by contacting us, or by clicking on the "Unsubscribe" link in an email. If you opted-out of our marketing, please note that we may still contact you from time to time with service messages (e.g., order and delivery confirmations, payment methods and information about your legal rights).
Purpose: to receive direct marketing (products and services). You can modify your marketing settings at any time by using the link at the bottom of each marketing email, or by sending your unsubscribe request by email.
Legal ground: Legitimate interest (Article 6(1)(f) GDPR) / Consent (Article 6(1)(a) GDPR).
Co-creation of products, feedback, products reviews and surveys
You may decide to join us in the process of co-creation of products, or simply wish to provide us with feedback, product reviews or participate in interviews. If it is the case, we may collect, in addition to your feedback, the following personal information: your name and email address, product preferences and any comment you may have added.
Purposes: to send you relevant information on Comme Deux developments; ensure you have the possibility to participate in customer research (e.g. surveys); continue co-creating products with our customers, or improve existing products and provide the best customer experience possible, and adjust our actions to your needs.
Legal grounds: Legitimate interest (Article 6(1)(f) GDPR) - under no circumstances will we use the collected data to determine your identity and you may, for reasons arising from your particular situation, object to such a processing, at any time, by writing us an email / Consent when the other legal grounds do not apply (Article 6(1)(a) GDPR, or Article 9(2)(a) GDPR in case of processing of special categories of data).
Use of product reviews for statistical purposes
You may have the possibility to add product reviews and, when assessing them, we may process some personal information; e.g. any personal information you may have included in the content of your review (if applicable), your geographic location (if applicable), and the time and date of the review. We never use the reviews in order to identify you.
Purpose: We may process pseudonymized data to carry out aggregate statistics (such as ratings or preferences of certain Products), and may present such summarized statistics to our third-party partners, always on an irreversibly anonymized basis.
Legal ground: The processing is necessary for statistical purposes, and we may only provide our third-party partners with anonymized and summarized statistics from which the identification of a specific natural person is impossible (Article 9(2)(j) GDPR). Our legitimate interest in processing data for these purposes is to provide our third-party partners with an overview of the trends and preferences and thus improve your experience. You may, for reasons arising from your particular situation, object to such a processing, at any time, by writing us an email (as explained in section 7 below).
Monitor usage to improve and maintain our Websites, ensure proper use, and successful reception of our transactional emails
While using our Services or receiving service messages (transactional emails), we may collect and process the following data: device ID, IP address, operating system and browser type, length of visits to certain pages, and your page interaction information such as scrolling, finger gestures, clicks, and mouse-overs, geographic location, time and date and products checked.
Purposes: to ensure proper reception and assess the service in order to improve it; to ensure proper use and successful reception of transactional emails.
Legal ground: Legitimate interest (Article 6(1)(f) GDPR). Under no circumstances will we use the collected data to determine your identity. You may, for reasons arising from your particular situation, object to such processing at any time by writing us an email (further details in Section 7 below).
While navigating on our Website(s), we may also collect and process the following data: errors, crash reports, IP address, URL, geographic location, time and date of navigation.
Purpose: to ensure the functionality of our Services; our Websites cannot function properly without this processing.
Legal ground: Legitimate interest (Article 6(1)(f) GDPR). Under no circumstances will we use the collected data to determine your identity.
Security, fraud prevention and choice of payment methods
Your security is our top priority, and in order to avoid or to detect any data security breaches, our Services are encrypted in transmission with the coding system SSL (“Secure Sockets Layer”). This means that the data is encrypted when you leave our Website(s), and that during this process, information or data is converted into a code to prevent unauthorized access. We have technical and organizational measures in place to secure our systems against loss, destruction and unauthorized access. This implies the processing of your data, including your name, device and access data (IP address), your shopping information (delivery and billing address) and payment details. While we do everything we can to ensure that personal information is always protected on our Websites, we cannot guarantee the security and integrity of the information sent to our Websites.
Purpose: to identify fraud patterns and prevent fraud.
Legal ground: Legitimate interest (Article 6(1)(f) GDPR).
Candidates may apply to join us, when there are open positions, via our “Career” link, as available from time to time at the bottom of our Website. When applying for a position, candidates may be requested to provide information such as their name, email address, phone number, geographic location (city), resume and LinkedIn profile (optional), which we may collect together with the time and date of the application.
Purpose: to check the candidate’s suitability for the position (or any other vacancies within Goodiebox group).
Legal ground: to take steps at the candidate’s request prior to entering into a contract (Article 6(1)(b) GDPR).
Section 3 – Storage policy
We retain your personal information for the period necessary to fulfill the purposes described in section 2 above, always in compliance with the data minimization principle. If your personal information is used for more than one purpose, we will retain it until the purpose with the longest period expires, but we will stop using it for the purpose with the shorter period as soon as the shorter period expires (to comply with the purpose limitation principle). We restrict access to your personal data to the persons who need to use it for the relevant purpose(s), always in compliance with the integrity and confidentiality principles.
Storage duration: 3 years after your last activity, e.g., purchases, communication activities or visits to our Website.
Storage duration: 7 years from your order, or as long as we have to meet the legal requirements.
Storage duration: 3 years or as long as we have to meet the legal requirements.
Storage duration: 3 years from your last activity, e.g., purchases, communication activities or visits to our Website, or as long as we have to meet the legal requirements.
Storage duration: as long as we are obliged to comply with the statutory provisions, according to each country-specificity.
Storage duration: 30 days unless a security-relevant event occurs (for example, a Distributed Denial of Service attack). If a security-relevant event occurs, log files of the servers are stored until the security-relevant event has been completely eliminated and clarified.
Storage duration: Your data will be stored until it is no longer required for the purpose for which it was collected, or you revoke your consent. The data we process for the purpose of tracking is removed within 180 days at the latest.
Storage duration: as long as we are obliged to comply with the statutory provisions, according to each country’s specificities, up to ten years.
Storage duration: in the event of a rejection, candidate data will be deleted after 6 months. If you have agreed to further storage of your personal data, we will add your data to our applicant pool. The data will be deleted after two years from that moment. If you are offered a job in the context of the application process, the data from the data system will be transferred to our Human Resources information system.
Section 5 – Where do we store personal information?
The personal data that we collect from you is stored in the European Union on Google Cloud Services (Google EMEA HQ - 4 Barrow St Ringsend, Dublin 4, D04 V3A0, Ireland). However, we use suppliers all over the world and, therefore, your personal data may be processed by processors and/or sub-processors operating outside of the European Economic Area (“EEA”). Those processing activities are always based on a data processing agreement, and only if the additional requirements of Article 44 et seq. GDPR for the processing of personal data in third countries are met (e.g. if the sub-processor can provide appropriate safeguards under Article 46 GDPR, such as but not limited to standard data protection clauses, binding corporate rules, approved code of conduct or exceptional circumstances under Article 49 GDPR) and any necessary additional measures based on case-by-case assessments. Please contact us if you would like further details on the specific safeguards applied to the export of your personal data outside the EEA.
Section 6 – Disclosure of your personal information
We may share your personal data within the Goodiebox group, as long as this is necessary for the operation of our Website and direct Products, and/or to provide our Services. Access is always controlled on a need-to-know basis, and it is intended that our subsidiaries are not considered as “third parties”, and are all compliant with GDPR. Your personal data may be transferred to our trusted third-party suppliers under the following circumstances:
- it is necessary to operate our Website, e.g., technical service providers;
- it is necessary to provide you with our Services, e.g., payment processors, logistics/shipping companies;
- it is necessary for our business, e.g., professional and legal advisors;
- we have obtained your consent to do so.
Technical service providers: we work with technical service providers in order to operate our Website and provide you with our Services. These technical service providers act as our processors based on a data processing agreement and therefore may process your data under special conditions, always according to section 3 above. This concerns, for example, our CRM, IT services such as our platform providers, hosting services, and maintenance and support on our databases.
Logistics / Shipping companies: we work with external shipping companies (e.g. DAO) to deliver our products. These shipping companies receive the following data to execute the relevant order: your full name, delivery address, post number if applicable (if you wish to have the order delivered to a DHL packing station), email address if applicable (if the shipping company wishes to inform you of the provisional delivery date by email), phone number if applicable (you may receive SMS notifications of delivery, either to your home address or to a parcel pick up point) or any other necessary information. We also work with warehouses that receive the brand products delivered in your boxes, but they do not receive any of your personal information.
Professional and legal advisors: in case of a conflict or dispute resolution, we may work with external agencies and legal advisors that may receive your personal information. If this becomes the case, we will ensure to have a data protection agreement with such professional and legal advisors beforehand.
In addition, we will not transfer your personal data to any third party, except, when applicable, for the following purposes:
- If Goodiebox sells or buys any business or assets: we may disclose your personal data to the prospective seller or buyer of such business or assets. The same applies if we, or substantially all of our assets, are acquired by a third party: personal data about our customers will be one of the transferred assets. In those cases, the disclosure of your personal information would rely on our legitimate interest (Article 6(1)(f) GDPR), except for the processing of special categories of data (if any) where consent could be required by law (Article 9(2)(a) GDPR);
- If we are required to disclose or share your personal information with the police, any public authority or any other competent authority in order to comply with our legal obligations such as ensuring information security at all times, or to defend ourselves against any fraudulent attempt;
- If we are required to disclose or share your personal information with law enforcement or other government agencies, or on the basis of EU law or the law of a Member State. We would rely on our legal obligation to do so (Article 6(1)(c) GDPR).
Service providers who process personal data on our behalf outside the EEA (or “third countries”) will only be used if such recipients have received a European Commission decision on appropriateness, or if there are suitable or appropriate guarantees for the third country, or if we have received your prior consent. We commit to ensure that your data will not be transmitted to a country with a lower data protection standard than the European Union.
Section 7 – Your data subject’s rights
Under GDPR and as a “data subject”, you have various rights in relation to your personal information, e.g., the right to be informed, to deletion, to correction, to restriction of the processing, to data portability, to lodge a complaint with a supervisory authority, to withdraw your consent, and to object to particular data processing activities. If you have any questions about them, or if you want to exercise one or several of them, please send an email to email@example.com.
Right to withdraw your consent at any time: where the processing of your personal information relies on your prior consent, you have the right to withdraw such a consent at any time, under the condition of Article 7 (3) GDPR. Please note that this will not affect the lawfulness of the processing based on consent up until the point of withdrawal.
Right to object to the processing: you may object to the processing of your personal information under the conditions of Article 21 GDPR as follows:
- when you want to object to the processing of your data for advertising purposes, including direct marketing, at any time and without any reasons;
- when we are processing your information under our legitimate interest, or when we make anonymous statistics based on your pseudonymised information - as a data subject, you have the right to object on grounds relating to your particular situation, at any time, to the processing of your personal data which is based on Article 6(1)(e) or (f) GDPR, including profiling based on those provisions. In the event of an objection relating to your particular situation, we will no longer process your personal data, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims. The same applies if the discontinuation of such a processing is likely to make it impossible or seriously impair the realization of statistical purposes and the continuation of processing is necessary for the fulfillment of statistical purposes;
- when we are processing your information under our legitimate interest to optimize our marketing initiatives, at any time and without any reasons.
Right to be informed: you have a right to obtain access and information under the conditions provided in Article 15 GDPR. This means in particular that you have the right to obtain confirmation from us as to whether we are processing your personal data or not. If so, you also have the right to obtain access to the personal data and the information listed in Article 15(1) GDPR. This includes information regarding the purposes of the processing, the categories of personal data that are being processed, and the recipients or categories of recipients to whom the personal data have been or will be disclosed.
Right to erasure: you have a right to erasure (“right to be forgotten”) under the conditions provided in Article 17 GDPR. This means that you generally have the right to obtain from us the erasure of your personal data, and we are obliged to erase your personal data without undue delay when one of the reasons listed in Article 17(1) GDPR applies. As an exception, the right to erasure does not apply if the processing is necessary for one of the reasons listed in Article 17(3) GDPR. This can be the case, for example, if the processing is necessary for compliance with a legal obligation or for the establishment, exercise or defense of legal claims (Article 17(3)(b) and (e) GDPR). Thus, the relevant data will not be deleted, but will be blocked for further processing (i.e., the data will be securely stored with different access rights and technical and organizational measures to ensure that only a few employees can access such relevant data when needed). Before deleting your information, we may anonymize it for statistical purposes.
Right to restriction of processing: you have a right to restriction of processing under the conditions provided in Article 18 GDPR. This means that you have the right to obtain from us the restriction of processing if one of the conditions provided in Article 18(1) GDPR applies. This can be the case, for example, if you contest the accuracy of the personal data. In such a case, the restriction of processing lasts until we are able to verify the accuracy of the personal data (Article 18(1)(a) GDPR). Restriction means that stored personal data are marked with the goal of restricting their future processing (Article 4(3) GDPR).
Right to data portability: you have a right to data portability under the conditions provided in Article 20 GDPR. This means that you generally have the right to receive the personal data which you have provided to us in a structured, commonly used and machine-readable format, and to transmit those data to another controller without hindrance from us where the processing is based on consent (pursuant to Article 6(1)(a) or Article 9(2)(a) GDPR) or on a contract (pursuant to Article 6(1)(b) GDPR), and where the processing is carried out by automated means (Article 20(1) GDPR). In exercising your right to data portability, you also generally have the right to have your personal data transmitted directly from us to another controller where technically feasible (Article 20(2) GDPR).
Right to rectification: you have the right to rectification under the conditions provided in Article 16 GDPR. This means in particular that you have the right to receive from us, without undue delay, the rectification of inaccuracies in your personal data and completion of incomplete personal data.
Right to complain: you have a right to lodge a complaint with a supervisory authority under the conditions provided in Article 77 GDPR. The supervisory authority responsible for us is the Danish Data Protection Agency (Datatilsynet). You can contact any data protection authority, in any Member State (in particular at your place of residence); your complaint will then be forwarded to the competent authority.
Section 8 – Contact
Again, we want what’s best for you. Please always feel free to reach out to our customer service team at any time and we will do our best to answer any and all questions you may have. You can email us at firstname.lastname@example.org; our DPO is also available at email@example.com or by post at the following address:
To the attention of the Data Protection Officer
Artillerivej 86, 5th floor,
2300 Copenhagen S, Denmark
DOES COMME DEUX SHIP TO MY COUNTRY?
We ship to Denmark, Sweden, Norway, Finland, The Netherlands, Belgium, Austria, Germany, Italy, France and Poland.
HOW MUCH DOES SHIPPING COST?
If your order is less than DKK 299,00, EUR 40,00, SEK 440,00 or NOK 420, the cost of shipping will depend on your shipping location.
Shipping to Denmark: DKK 39,00
Shipping to Sweden: SEK 55,00
Shipping to Norway: NOK 50,00
Shipping to rest of Europe: EUR 7.50
HOW LONG WILL IT TAKE FOR ME TO GET MY ORDER?
Your order should be with you in 5-7 business days. If you’re still waiting, send us an email with your order number at firstname.lastname@example.org and we’ll help you immediately.
HOW HAS COVID-19 CHANGED YOUR SHIPPING TIMES?
Right now, our warehouse team is still working on a normal schedule. If this changes, we’ll keep you updated.
HOW CAN I TRACK MY ORDER?
Once your order has been sent, you will receive a confirmation email with your tracking link. If you still haven’t received it, send us an email with your order number at email@example.com and we’ll make sure to help you.
CAN I SHOP IN MY LOCAL CURRENCY?
The currency depends on the location you shop from.
I PLACED AN ORDER, BUT I DID NOT GET AN ORDER CONFIRMATION.
If you have already checked your spam folder, then send us an email at firstname.lastname@example.org and we’ll help you immediately.
WHAT IS YOUR RETURN POLICY?
It’s simple. If you don’t like something, you can return it for free. We’ll give you a full refund as part of our Full Satisfaction Money Back Guarantee program. See more information about the program. If you want to return something from your order, simply send us an email at email@example.com and we’ll be happy to help you.
MY ORDER ARRIVED BROKEN, INCOMPLETE OR DAMAGED.
If your new Comme Deux order arrives already broken or incomplete, simply snap a photo and send us an email at firstname.lastname@example.org. We’ll be happy to help you from here.
About Comme Deux Products
DOES COMME DEUX TEST ITS PRODUCTS ON ANIMALS?
Absolutely not. First, because we don’t believe in that. Second, because we follow a strict EU regulation which bans animal testing for cosmetic products.
ARE COMME DEUX PRODUCTS VEGAN?
Yes - all Comme Deux products are vegan.
WHERE ARE COMME DEUX PRODUCTS MADE?
We make our products in the best factories in the EU, mostly in Italy.
DOES COMME DEUX USE PARABENS?
No, we don’t! There are so many great alternatives for keeping our products well preserved.
DO COMME DEUX PRODUCTS CONTAIN PERFUME?
No. Our skincare and makeup products are all perfume-free.
DOES COMME DEUX USE NATURAL INGREDIENTS?
Yes, we do! Mother Nature is actually our greatest inspiration, and whenever possible or when it makes the best sense, we use natural ingredients.
I HAVE SENSITIVE SKIN, CAN I USE COMME DEUX?
It is not possible to give any guarantees for not reacting, and it’s always a good idea to patch test a cosmetic product before using it.
It has nothing to do with the quality of the product. It’s the same with food! An orange does not contain preservatives, dyes or any perfumes that can trigger an allergic reaction, but some people can still get negative/allergic reactions. Nothing is wrong with the orange – it’s an intolerance of the person for a given element in the orange. That said, all of our products are perfume-free and gently formulated with a focus on non-irritants. And remember: we trust in you like you trust in us. So if it doesn’t work out, we’ll give you a full refund under our Full Satisfaction Money Back Guarantee program. See more information here.
ARE COMME DEUX PRODUCTS ALLERGY-FRIENDLY?
Perfume is one of the biggest triggers of allergies! All Comme Deux products are perfume-free and gently formulated, and we go to great lengths to use non-irritating ingredients. But with the human body and skin there are never any guarantees that a product will not cause a reaction. Before using a new product, we would recommend that you patch test it first, to test for skin reactions. And remember: we trust in you like you trust in us. So if it doesn’t work out, we’ll give you a full refund under our Full Satisfaction Money Back Guarantee program. See more information here.
Get in touch
HOW CAN I CONTACT YOU?
For all inquiries, send us an email at email@example.com, or message us on Instagram or Facebook. We’ll get back to you as soon as possible.