Furthermore, if you order our products through a third-party website (e.g., Amazon) such third parties may process your personal data for their own purposes and act as the data controller. For further information regarding their data processing operations please see their applicable privacy policies.
If you are based in the United Kingdom (“UK”) all references to the General Data Protection Regulation (“GDPR”) refer to corresponding clauses of the UK General Data Protection Regulation (“UK GDPR”).
What personal data do we process, for what purposes and based on which lawful bases?
Provision of services
It is necessary for Tinyyo to process your contact information including name, phone number, email address and delivery address data, as well as your payment and order information (e.g., payment method, product information, order date and shipping method) in order to:
- Execute the purchase agreements including dispatch, delivery and payment processing;
- Respond inquiries, manage your account and provide other customer service;
- Manage claims and process returns, complaints and warranty claims;
- Provide non-promotional service communications to you relating to e.g., technical, security-related topics and contractual matters (e.g., fraud warnings, account blocking or contractual changes);
- Provide further services requested by you.
Furthermore, we may process your social security number or birth date for credit check purposes, if required. The lawful basis for this credit check is Art. 6(1)(f) GDPR. Our legitimate interest is the avoidance of the risk of non-payment. The lawful basis for further processing this data for the listed purposes is our contract as per Art. 6(1)(b) GDPR in the form of our Terms of Service.
- sending newsletters, reminders, product updates, recommendations, promotional offers and other promotional communications to your email address;
- communicating promotional messages to you via text messages and WhatsApp or Facebook Messenger applications;
- targeting promotional content to you and to third parties on social media platforms including Facebook, Instagram and TikTok;
- Sending push notifications, including marketing communications, to you.
The applicable lawful basis for marketing communications and social media targeting is either consent (Art. 6(1)(a) GDPR) or legitimate interests of Tinyyo to provide direct marketing (Art. 6(1)(f) GDPR). Kindly observe that push notifications require your consent which is also the lawful basis for processing any personal data collected to provide such notifications.
When you first sign up for the services, Tinyyo wishes to process your data for marketing communications and social media targeting operations in order to provide you information relating to similar products or services in which you have shown interest. Tinyyo gives you the option to object to our use of your personal data for marketing operations, through the unsubscribe links or by changing the marketing settings in your profile, if applicable. In the event we instead ask for you to opt-in to our marketing operations or you do so later in your profile or through functions of our website (e.g., to receive a notification once an out-of-stock product is back), the lawful basis for processing is your consent.
In order to enhance your experience, provide you with tailored communications and promotions as well as to enable you to collect loyalty points and receive personalized discounts, we collect certain information to assign you to a customer segment and create you a client profile. In addition to the personal data defined above, including your name and address information, the assigned segment and created profile are based on:
- your purchase history;
- your device and network information;
- your actions on our website and on third-party websites, provided you have accepted cookies;
- your interaction with our communications, including social media pages via pixels and personalized URLs;
- your birthday if you have provided it.
The lawful basis for creating these segments and profiles as well as using them to personalize the services and marketing communications is our legitimate interests to carry out personalized marketing and your legitimate interests to receive personalized discounts and recommendations based on your interests in accordance with Art. 6(1)(f) GDPR.
We may operate a blog on our website. This enables you to interact with our blog and other readers by submitting your comments as well as by subscribing to notifications when new comments or blog articles are posted. If you choose to leave a comment the personal data processed is your name or your chosen username (pseudonym) that is publicly available on the website as well as your email address and IP address which are processed in a non-public manner. The lawful basis for processing such data is our legitimate interests in accordance with Art. 6(1)(f) GDPR to enable you to interact with our bloggers and other commentators and your legitimate interests to do so. Where you decide to subscribe to comment notifications the lawful basis is consent as per Art. 6(1)(a) GDPR.
We hope you are happy with our products and welcome your feedback and suggestions for improvements or new products. For this purpose, we may operate a client community on Facebook. We process group insights metrics about the group, including member activity and engagement within the group in order to e.g., understand how you engage within the group, see who the most active group members are and to learn which posts have the most engagement. The lawful basis for processing such group information is our legitimate interests in accordance with Art. 6(1)(f) GDPR to interact with our clients in order to create better products and your legitimate interests to engage with us and provide feedback.
We have created a referral program where you recommend us and our products to your friends. To do so you can either share your personal code with your friends or submit your friends’ contact details, and they will be notified through the given channel (e.g., via email). The lawful basis for such processing is our legitimate interests to get in touch with potential new clients, your legitimate interests to send your friend recommendations and your friends’ legitimate interests to receive recommendations that might interest them. We will inform your friend of your referral and provide adequate information about our privacy practices in the first communication. In the event your friend does not become a client, we will not store their contact details. If you choose to share your code and your friend uses it or if you are the friend using the code, we will maintain this information in your customer profile to provide you with the discounts or other benefits related to the use of the code.
We may also use the categories of personal data mentioned above as well as further data, that can be defined as personal data, collected by our essential cookies or otherwise for the following purposes:
- maintenance of security of our website and services, including preventing data breaches;
- fraud prevention;
- research and development of our website and services, provided that the data is in a summarized, pseudonymized or anonymized form;
- compliance with laws or court orders (e.g., to carry out applicable anti-money laundering or know your customer checks);
- establishment, exercise or defense of legal claims.
For these operations we rely on our legitimate interests to detect and prevent fraud, maintain the security of our services and improve the same as well as to pursue or defend legal claims in accordance with Art. 6(1)(f) GDPR). Where we need to process your personal data in order to comply with legal obligations e.g., applicable laws and regulations or court orders the applicable lawful basis for processing is legal obligation as per Art. 6(1)(c) GDPR.
From where do we get your personal data and with whom do we share it?
In general, we process personal data that is directly provided by you to us or that is derived from your use of our services. Our business operations, also require us to engage service providers who assist us in providing our services and products to you, and who may, subject to appropriate agreements and security measures, disclose your personal data to us or with whom we may share your personal data. Such service providers may include:
- e-commerce platforms;
- payment service providers;
- credit check agencies;
- customer service and relationship management platforms;
- customer support services (e.g., chat providers);
- marketing platforms and services, including social media platforms and conversion tracking services;
- delivery companies;
- collection service providers;
- loyalty, reward and referral program providers;
- companies belonging to the same group as us;
- advisors, auditors or insurance companies;
- third parties upon a business transaction (e.g., a merger or an acquisition or a liquidation).
Furthermore, in the event we are obliged by law or by court decision to disclose your personal data or where we need to do so to establish, exercise or defense legal claims, we may forward your data to prosecution authorities or other relevant third parties.
Are you obliged to provide the personal data and which are the possible consequences of failure to provide such data?
Unless stated otherwise in the explanations above regarding the applicable legal bases, you are not obliged to provide or disclose personal data to us. However, in the cases referred to in Art. 6 (1)(b) GDPR, the personal data is necessary for entering into or performing a contract. If you do not provide us with the relevant personal data, it will be impossible for us to enter into, or perform, the contract. If you do not provide us with the data in the cases referred to in Art. 6 (1)(a) and (f) GDPR, you will not be able to use the respective parts of our services.
Do third parties act as joint controllers?
Where is your personal data processed?
Tinyyo is a company located in the United Kingdom. However, we transfer your personal data to other countries within the EU/EEA as well as to third countries. Where personal data is transferred to third countries that are not covered by a relevant adequacy decision, we ensure that a relevant transfer mechanism (e.g., Standard Contractual Clauses) and any required additional technical and organizational security measures are in place. Where the data controller is a UK entity, we have also put in place the international data transfer addendum.
How is your personal data protected?
Tinyyo has in place comprehensive technical and organizational security measures to ensure your personal data is secured. These are reviewed and updated on a regular basis to ensure they comply with the state of the art.
We also review our vendors and sign appropriate agreements with them to ensure that they comply with our defined security measures.
When will we delete your data?
Your personal data is only stored for as long as it is necessary for the purposes defined in this policy including for the purposes of complying with our legal obligations e.g., to provide product warranty or to store financial documentation.
Do we carry out automated individual decision-making (including profiling)?
Automated individual decision-making, including profiling, which produces legal effects concerning you or similarly significantly affects you does not take place.
What are your rights in relation to our data processing operations and how to contact us?
- right to access your data;
- right to rectify your incorrect or incomplete data;
- right to be forgotten (data deletion/anonymization);
- right to restrict processing;
- right to data portability;
- right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you; and
- right to lodge a complaint with a supervisory authority.
Right to object
Furthermore, in the event we process your personal data relying on legitimate interests, you have the right to object to this processing with effect for the future. If you exercise your right to object, we will stop the processing of the relevant data. However, further processing may occur provided that we can prove comprehensive reasons for processing that override your interests, fundamental rights and fundamental freedoms, or if the processing is for the certification, exercise or defense of legal claims. If we process your personal data for direct advertising purposes, you have the right to object at any time to such processing and we will stop processing your personal data for direct marketing purposes. The objection is not subject to formal requirements, but we recommend using the opt-out mechanisms provided or contacting us as instructed below.
Right to withdrawal of consent
Pursuant to Art. 7(3)(1) GDPR, you have the right to withdraw your consent, at any time with effect for the future. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. After you have withdrawn your consent, we will delete the personal data we have processed based on your consent unless there is another legal basis for the processing of these data. The withdrawal is not subject to formal requirements, but we recommend using the consent mechanisms provided or contacting us as instructed below.
Kindly observe that we do not sell your personal data. However, in the event of a business transaction your personal data may be transferred to a new controller entity.
How to contact us?
In order to exercise your rights, please send us an email to firstname.lastname@example.org. Please note that the group has appointed a Data Protection Office (DPO) who monitors our privacy compliance and can answer any further questions you may have regarding our data processing operations.
You can also reach us via post:
Attn: Data Protection Officer
1 Poultry C/O MXP Prime Platform Ltd
London EC2R 8EJ
Kindly note that as an e-commerce operator we process your data in electronic form and therefore, upon a request to access your personal data, we provide such data in a commonly used machine-readable format (e.g., PDF).
Who is our group data protection officer?
c/o KREMER RECHTSANWÄLTE