Introduction

Obayaty recognizes the importance of protecting the privacy of your personal data. We have implemented policies and security measures to protect the information you provide us.

Processing of your personal data

The Swedish company Obayaty AB, reg. no. 559294-8433 (“Obayaty”), is the controller of your personal data. Obayaty’s affiliated companies (including other companies within the Obayaty group, joint ventures, franchisees and licensees) and selected suppliers may process your personal data on Obayaty’s behalf and in accordance with Obayaty’s instructions as stated below and are thereby processors of your personal data. You may contact Obayaty at any time, please find our contact details below.

Post address: Mäster Samuelsgatan 10, 111 44 Stockholm, Sweden
E-mail: [email protected]

You may contact our Data Protection Officer at [email protected]

Categories of data processed, purpose, and legal basis for processing

Overview

Below is a summary of the categories of data that we process, the purposes of processing the data and on what legal basis we are processing your data.

Customers

Below is a summary of the categories of data that we process, the purposes of processing the data and on what legal basis we are processing your data.

Contact details: If you make a purchase online we will collect your name, address, e-mail address, telephone number, country of residence, date of birth, title (Ms./Mr. or other title), and social media account contact details (if provided on a voluntary basis). Not all information is mandatory for making a purchase. We have marked mandatory information with the symbol (*) on our website.

We will use your contact information to (i) process your purchase/orders and any returns, exchanges and complaints you may have relating to your purchase; and to (ii) communicate with you regarding your purchase and to answer and administer any questions or comments you may have regarding our products or services. The legal basis is that it is necessary to process your data in order for us to be able to fulfill our contractual obligations to you under the purchase agreement or based on your consent if the information is provided on a voluntary basis. We will retain your data for as long as necessary for these purposes.

We may also process your contact details to keep you informed, via email, SMS, letters, telephone, WeChat, Whatsapp and other social media, of our special events or promotions. For marketing performed via email or SMS, the legal basis is our legitimate interest of being able to market our products to our existing customers. For other forms of marketing (e.g. by phone or messages to your social media account), our legal basis is your consent. We may use your contact details for direct marketing purposes for up to 12 months after your latest purchase subject to your ongoing right to opt-out. You are entitled to reject our marketing messages at any time by clicking on the unsubscribe link included in each message or by contacting customer service at [email protected].

Credit card details: If you make a purchase online and choose to pay by credit card, you will provide your credit card information on our website to finalize your purchase. The legal basis is that the processing is necessary in order for us to be able to fulfill our contractual obligations to you under the purchase agreement. As a member, you may also choose to save your credit card details for future purchases, for the purpose of speeding up the checkout the next time you shop. In such case you consent to us saving your credit details for this purpose. We will retain your data for as long as necessary for the above processing operations.

Previous purchases and returns: If you have signed up for an account, we will store information regarding (i) your purchases and returns online, and (ii) your purchases and returns in physical stores, if you have provided your e-mail address to our personnel. Such information encompasses product, size, price and date of purchase. We will also store information regarding your recently viewed items. This will allow you to keep track of your purchases and returns, and recently viewed items, by logging into your personal account. The legal basis is our legitimate interest to provide you with the service of a personal account as requested by you when you signed up for the account. You may choose to deregister your account at any time. We will also save information on your contact details and previous purchases and returns during 36 months after the purchase to be able to administer returns and/or complaints. The legal basis is our legitimate interest to provide our customers with speedy and efficient service after the purchase.

ID number: If you chose to make your payment by invoice, you may be required to provide your personal ID number on our website. Your ID number will be directly transferred and available only to our payment service provider, which will process your ID number to be able to obtain a credit report and to facilitate your payment. The legal basis is that the processing is necessary for us to ensure accurate identification of our customers for invoice purposes and to fulfill our contractual obligations to you under the purchase agreement. We will retain your data for as long as necessary for this purpose.

Membership

You may sign up for membership by subscribing to the services provided by Obayaty in accordance with the Membership Policy. The membership is completely voluntary and subscribing for membership is not a requirement for purchasing Obayaty’ goods. When you subscribe to become a member, you agree to the terms and conditions stated in the Membership Policy.

When you sign up for membership (online), Obayaty collects your contact details as detailed above. Obayaty processes the data to create your personal account and to process the membership which includes certain features such as (i) sending digital receipts upon request when purchasing a product in a physical store, (ii) sending out invitations to special events/promotions, (iii) personalized services in store, and (iv) profiled marketing offers through e-mail or other messenger services. Our processing of this personal data is based on your consent which you give when you sign up for the membership provided by Obayaty or when you exercise certain membership features (e.g. request digital receipts). We will retain your data for as long as necessary for this purpose.

Website visitors

When you visit our website, we may process personal data generated by enabled cookies such as your IP-address or device settings (e.g. device and web browser type, operating system, time zone etc.). We have a legitimate interest to process information derived from strictly necessary cookies in order to operate our website. Personal data derived from other types of cookies will be based on your consent.

For detailed information on the purposes and applicable retention periods regarding our use of cookies, please refer to the cookie policy.

Smart Refill subscribers

If you have subscribed to a smart refill product (“Smart Refill”), Obayaty will process your name, email address, smart refill product, and shipping address in accordance with the following:

• If no extension of Smart Refill, and/or no other smart refill product is subscribed to, your Smart Refill data is not saved, or processed after 12 months To fulfill the smart refill process, Obayaty is, on your behalf, requesting third-party (payments processing) Adyen NV, to save your payment details. The smart refill payment information is saved by Adyen NV in accordance with the following:

• If no extension of Smart Refill, and/or no other Smart Refill product is subscribed to, your Smart Refill data is not saved, or processed after 12 months

The legal basis for this processing is our legitimate interest of being able to send you your Smart Refill subscription communication. You are at any time entitled to unsubscribe to Smart Refill by clicking on the unsubscribe link included in each email (not applicable to transactional communication) or by contacting customer service at [email protected].

Newsletter subscribers (not made any purchases on website)

If you have subscribed to one of our newsletters, we will process your name, email address, country and information on product preferences for the purpose of sending out such newsletter.

The legal basis for this processing is our legitimate interest of being able to send our newsletter to individuals who have subscribed to receiving such newsletters. You are entitled to unsubscribe to our newsletter at any time by clicking on the unsubscribe link included in each newsletter or by contacting customer service at [email protected]. We will send you the newsletter until you unsubscribe to the newsletter service, and this is independent on your potential purchases.

Newsletter subscribers (purchases made on website)

If you have subscribed to one of our newsletters and made a purchase on www.obayaty.com, we will process your name, email address, country, purchase information (product purchased, shipping address), and preference information such as skincare, makeup, etc. for the purpose of sending out relevant and personalized newsletters.

The legal basis for this processing is our legitimate interest of being able to send our newsletter to individuals who have subscribed to receiving such newsletters. You are entitled to unsubscribe to our newsletter at any time by clicking on the unsubscribe link included in each newsletter or by contacting customer service at [email protected]. We will send you the newsletter until you unsubscribe to the newsletter service.

If you have not made any purchases, logged in to your account, or used any of our services during a consecutive period of 12 months, we will terminate your membership and consequently, we will not use your data for any membership services and no longer process your purchase data, however, the Newsletter Subscription will remain. In such case we will delete your data unless we need to keep it for other purposes that are legally justifiable. We will retain your personal information as necessary to comply with applicable legal obligations, to resolve disputes, and to enforce our agreements. Statutory obligations to retain data further remain unaffected.

Candidates

If you apply for a job at Obayaty, we may process the following personal data about you:

• Contact details (address, telephone number and e-mail);

• Identity verification and permits (first- and last name, personal identity number or social security ID, gender and if necessary: passport, ID card, personal photo, licenses, residence- and work permit);

• Merits (CV, employment history, language skills, personal letter(s), grades, diplomas, degree certificates, transcripts from university or other higher education and information furnished by provided references);

• Job details (to the extent applicable: salary requests, workplace or office location and work position preferences);

• Interview and tests (notes from job interviews or meetings, test results and personal assessments); and, if necessary;

• Background checks (information retrieved from public records, credit checks, criminal records and/or other security clearance checks).

Obayaty processes the personal data for the purpose of performing and managing the recruitment process. Personal data relating to contact details, merits, job details as well as interview and tests is processed on the basis of our legitimate interest to ensure an efficient and correct recruitment process. Personal data relating to identity verification and permits is processed to comply with our legal obligations. Personal data relating to background checks is processed on the basis of our legitimate interest when it is of crucial importance to determine the suitability of a person in relation to the applied position. With your consent, your personal data may also be processed for future recruitments.

The personal data will be stored for two (2) years after the recruitment process has ended. If you have given your consent for us to process your personal data for future recruitment, Obayaty will store the personal data until such time you have withdrawn your consent or earlier on our own initiative.

For successful candidates any personal data relevant to your employment will be included in your personnel file and stored by Obayaty during your employment period. Following the termination of your employment the personal data will be stored for a period of time based on applicable law and in accordance with our internal policies.

Customer service

If you have contacted Obayaty regarding a complaint, return or question, the e-mail or chat conversation will be stored for as long as it is necessary to administer your matter, including following up on the matter within 12 months. Depending on the nature of the matter for which you are contacting us, the legal basis may be that our processing is necessary for us to be able to fulfill our obligations under the purchase agreement or Membership Policy, or that we have a legitimate interest of being able to communicate with individuals who contact our customer service.

Anonymized data

It can be noted that we may also use anonymized data for our internal marketing and demographic studies to analyze, profile and monitor customer patterns in order for us to be able to improve our products and services.

Obayaty’s data processors and or suppliers

Obayaty does not sell or rent our customer’s personal data to any other entity.

We may share your data with affiliated companies including other companies within the Obayaty group, joint ventures, franchisees, and licensees. If you have subscribed for membership with Obayaty, we may combine your data provided to us with data that you have provided to such affiliated companies, for the purpose of improving our services to you, and enhancing your shopping experience when visiting an Obayaty store in another country than your residence. The legal basis is our legitimate interest to improve our products and services.

Obayaty may also share your data with selected suppliers who perform functions on our behalf such as fulfilling orders and delivery of orders, processing payments, carrying out promotional services or data management, maintaining our website, distributing e-mails, sending out our newsletter, providing client communications and to manage our customer database. As necessary, the personal data you provide to us may be processed by these third parties, solely on Obayaty’s behalf and in accordance with Obayaty’s instructions as data processors. We do not authorize any of our suppliers to make any other use of your personal data.

If Obayaty and/or its subsidiaries are subject to an actual or potential merger or acquisition or similar transaction, we may share your data with potential and actual buyer(s) and their financial and legal advisers, subject to such third parties undertaking appropriate confidentiality.

Transfer outside of the EU/EEA

We may share your data with our selected suppliers, who may process your data in countries both inside and outside of the EU/EEA when performing functions on our behalf as set out in the section above.

If you have subscribed to membership with Obayaty, we will share your contact details and information on previous purchases and shopping preferences with our affiliated companies both inside and outside of the EU/EEA (please see further below).

Obayaty has taken appropriate safeguards to ensure that the receiving parties of your data in countries outside of the EU/EEA will provide adequate protection of your data. Such safeguards may be that the receiving party has signed so-called standard data protection clauses adopted by the EU Commission. Please contact us at [email protected] if you want further information on what safeguards have been taken and if you want a copy of such safeguards.

Your data subject rights

In this section, we have summarized your data subject rights to request access, portability, rectification, erasure of your personal data, to restrict the processing of your personal data, to object to processing, to withdraw your consent and your right to lodge a complaint with the supervisory authority.

If you want to exercise your rights, please send us an email at [email protected]. Please note however that if you want to lodge a complaint with the supervisory authority, you need to contact the authority directly. In Sweden, the applicable supervisory authority is the Swedish Authority for Privacy Protection (https://www.imy.se/).

If you have signed up for a membership with Obayaty you will also be able to access, rectify and erase some of your data by logging in to your private account.

Notwithstanding anything to the contrary herein, Obayaty reserves the right to keep and process your personal data in accordance with this policy to the extent necessary to perform our contractual obligations to you, and to the extent we are required to process your data by law or in order to defend ourselves in a dispute, to prevent fraud or abuse, or to enforce our Terms and Conditions.

• Right of access
  You have the right to obtain confirmation of whether personal data concerning yourself are being processed and, where that is the case, access to the personal data and information regarding, inter alia, the purpose of processing, the categories of personal data concerned, the categories of recipients to whom your data have been or will be disclosed, and the envisaged period of time for which personal data will be stored (or the criteria for determining this)

• Right of rectification
  You have the right to request rectification of inaccurate personal data concerning yourself, and to complete incomplete data.

• Right of erasure
  Under certain circumstances, you are entitled to request that we erase your personal data or restrict our processing of your data, namely in the following events:

• When it is no longer necessary for us to process your data taking into consideration the purposes for which it was collected.

• When our processing is based on your consent and you have withdrawn your consent, and there is no other legal basis for the processing of your data.

• When our processing of your data is based on a legitimate interest legal basis and you object to such processing, and there is no overriding legitimate ground for our processing.

• When you have objected to our processing of your data for direct marketing purposes.

• When your personal data has been unlawfully processed.

• When the personal data must be erased for compliance with a legal obligation that applies to us.

• When the personal data collected concerns a child (under 13 years of age) in relation to the offer of information society services.

• Right to objection - direct marketing and profiling
  You have the right to object at any time to our processing of your personal data for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing. If you object to our processing of your personal data for direct marketing purposes, including profiling, we will cease such processing of your data.

• Right to withdraw consent
  You have the right to withdraw your consent at any time. The withdrawal of consent will not affect the lawfulness of processing carried out before the consent was withdrawn.

• Data portability
  If our processing is based on your consent or if the processing is necessary for our performance of a contract with you, you have the right to request that the data which you have provided to us shall be provided to you in a structured, commonly used and machine-readable format and you also have the right to transmit such data to another controller.

• Right to lodge a complaint with supervisory authority
  Please note that if you consider the processing of your data to be in violation of applicable data protection laws, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence or the place of the alleged infringement.

• Unsubscribe to our communication
  If you no longer wish to receive our newsletters or other emails, you can unsubscribe as indicated in the particular communication, i.e. by using the unsubscribe link which is included on all newsletters and other emails. You may also contact us at [email protected].

Data retention

We will retain your personal information for as long as necessary in relation to the purposes for which the data was collected or otherwise processed. In this Privacy Policy (above), we have specified the retention time, or the criteria for determining the retention time, for our processing of data in relation to the different purposes the data is being processed. In addition to the retention time stated in this Privacy Policy, please also note the following.

Members: If you have not made any purchases, logged in to your account or used any of our services during a consecutive period of 12 months, we will terminate your membership and consequently we will not use your data for any membership services or marketing purposes thereafter. In such case we will delete your data unless we need to keep it for other purposes that are legally justifiable.

We will retain your personal information as necessary to comply with applicable legal obligations, to resolve disputes, and to enforce our agreements. Statutory obligations to retain data further remain unaffected.

Children’s privacy and legal purchase age

Obayaty does not wish to collect personal information from anyone under the age of sixteen (16). If you are under eighteen (18), we require that you inform and get your parents’ or guardians’ consent before purchasing anything or providing any personal data to us at www.obayaty.com or any other website related to Obayaty.

Modifications

Obayaty reserves the right to occasionally make changes to our privacy policy or practices. We will post the updated policy on our website, and thus we encourage you to review this page from time to time.

Last Updated: 2023-10-13