When you visit the Site, we automatically collect certain information about your device, including information about your web browser, IP address, time zone, and some of the cookies that are installed on your device. Additionally, as you browse the Site, we collect information about the individual web pages or products that you view, what websites or search terms referred you to the Site, and information about how you interact with the Site. We refer to this automatically-collected information as “Device Information.”
We collect Device Information using the following technologies:
- “Cookies” are data files that are placed on your device or computer and often include an anonymous unique identifier. For more information about cookies, and how to disable cookies, visit http://www.allaboutcookies.org.
- “Log files” track actions occurring on the Site, and collect data including your IP address, browser type, Internet service provider, referring/exit pages, and date/time stamps.
- “Web beacons,” “tags,” and “pixels” are electronic files used to record information about how you browse the Site.
Additionally, when you make a purchase or attempt to make a purchase through the Site, we collect certain information from you, including your name, billing address, shipping address, payment information (including credit card numbers), email address, and phone number. We refer to this information as “Order Information.”
We use the Order Information that we collect generally to fulfil any orders placed through the Site (including processing your payment information, arranging for shipping, and providing you with invoices and/or order confirmations). Additionally, we use this Order Information to:
- Communicate with you;
- Screen our orders for potential risk or fraud; and
- When in line with the preferences you have shared with us, provide you with information or advertising relating to our products or services.
We use the Device Information that we collect to help us screen for potential risk and fraud (in particular, your IP address), and more generally to improve and optimize our Site (for example, by generating analytics about how our customers browse and interact with the Site, and to assess the success of our marketing and advertising campaigns).
We share your Personal Information with third parties to help us use your Personal Information, as described above. For example, we use Shopify to power our online store--you can read more about how Shopify uses your Personal Information here: https://www.shopify.com/legal/privacy. We also use Google Analytics to help us understand how our customers use the Site--you can read more about how Google uses your Personal Information here: https://www.google.com/intl/en/policies/privacy/. You can also opt out of Google Analytics here: https://tools.google.com/dlpage/gaoptout.
Finally, we may also share your Personal Information to comply with applicable laws and regulations, to respond to a subpoena, search warrant or other lawful request for information we receive, or to otherwise protect our rights.
As described above, we use your Personal Information to provide you with targeted advertisements or marketing communications we believe may be of interest to you. For more information about how targeted advertising works, you can visit the Network Advertising Initiative’s (“NAI”) educational page at http://www.networkadvertising.org/understanding-online-advertising/how-does-it-work.
Additionally, you can opt out of some of these services by visiting the Digital Advertising Alliance’s opt-out portal at: http://optout.aboutads.info/.
Please note that we do not alter our Site’s data collection and use practices when we see a Do Not Track signal from your browser.
If you are a European resident, you have the right to access personal information we hold about you and to ask that your personal information be corrected, updated, or deleted. If you would like to exercise this right, please contact us through the contact information below.
Additionally, if you are a European resident we note that we are processing your information in order to fulfil contracts we might have with you (for example if you make an order through the Site), or otherwise to pursue our legitimate business interests listed above. Additionally, please note that your information will be transferred outside of Europe, including to Canada and the United States.
When you place an order through the Site, we will maintain your Order Information for our records unless and until you ask us to delete this information.
Our Service does not address anyone under the age of 13 (“Children”). We do not knowingly collect personally identifiable information from children under 13. If you are a parent or guardian and you are aware that your child has provided us with Personal Information, please contact us. If we become aware that we have collected Personal Information from a child under 13 without verification of parental consent, we take steps to remove that information from our servers.
For further details, please see the ‘about Hotjar’ section of Hotjar’s support site.
In cooperation with Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden, we offer you the following payment options. Payment is to be made to Klarna:
Pay in 3
Further information and Klarna’s user terms you can find here. General information on Klarna can be found here. Your personal data is handled in accordance with applicable data protection law and in accordance with the information in Klarna’s privacy statement.
In order to be able to offer you Klarna’s payment options, we will pass to Klarna certain aspects of your personal information, such as contact and order details, in order for Klarna to assess whether you qualify for their payment options and to tailor the payment options for you.
As a sophisticated marketer we trust that you are already aware of your company’s responsibilities, as a data controller, towards data subjects under:
● The Privacy and Electronic Communications (EC Directive) Regulations 2003 (and its seven updates) (“PECR”), which regulates the sending of marketing messages, cookies and other technologies
● The General Data Protection Regulation 2016 (“the GDPR”), which governs the personal data of the customer, including information derived from marketing messages, website visits etc.
● The Data Protection Act 2018, which implemented, amongst other laws, the GDPR into UK national law and which succeeded the Data Protection Act 1998, which in turn brought into UK law the EU Data Protection Directive 1996 (i.e. the predecessor to the GDPR) (“the Directive”)
A central plank of the GDPR is that individuals are told what information is collected, the lawful ground(s) for processing, the rights of individuals under the GDPR, the data protection authority that individuals can complain to, along with details of who the retailer shares data with and whether the data is processed outside of the EEA (i.e. outside of the EU, Iceland, Liechtenstein and Norway).
What is frequently overlooked though is that PECR also applies to similar technologies to cookies, which in the context of the sending of emails includes pixel tracking (see Regulation 6).
Each Ometria email includes an email tracking pixel which will track email opens (if the receiver has images enabled in their email client/mailbox). This is the standard approach for measuring open and click rates, and is used by all email platforms in the market.
All links in Ometria emails are proxied through a link redirection service that records data for each link clicked. This leads to a set of events which includes:
● Event type (delivery, bounce, open, click, spam complaint, unsubscribe)
● Email address of the recipient (already known to us as we sent it)
● IP address of the recipient (in the case of open and click)
● GEO location based on IP address (city level) (in the case of open and click)
● Device type (mobile/computer/tablet) and browser (ie/firefox/chrome/safari)
It is important that the retailer understands that consent is required for the collection and storage of all information since PECR is not limited, as the GDPR is, to personal data. This general lack of understanding is something the ICO recently highlighted in a report relating to adtech and real time bidding platforms.
PECR is also well known for imposing an obligation on controllers to bring to the individual’s attention the cookies that it uses.
Website interaction data
Once an event is recorded in the persistent log store, it is processed by the ‘real time’ system. This system records a small in-memory object for each active visitor across all the sites being tracked. This per visitor information includes:
● Country (IP geolocation)
● Number of pages viewed (stored in a persistent cookie)
● Time on site (stored in a persistent cookie)
● Time of last interaction (stored in a persistent cookie)
● Unique visitor ID (stored in a persistent cookie)
● Number of previous visits from this visitor ID
● Landing page URL
● Last page viewed URL
● Products and categories viewed in a visit
● Channel that sent the visit (e.g. search, CPC, referral) along with contextual information about the source (e.g. search keywords, referring page URL)
● Device type (mobile/computer/tablet) and browser (ie/firefox/chrome/safari)
● Contents of shopping basket (id, products, quantity and value) (stored in a persistent cookie)
● Previous visitor information (e.g. identity and customer information)
● Each incoming event updates the active session record for the visitor that sent the event. Details about active sessions (lists and aggregations by dimension) can be extracted from the real time system via REST API from the web application servers and are used to power the real-time dashboard.
● Visits (sessions) are said to be 'complete' after 30 minutes of inactivity. So if no page view (or other) events have been received for 30 minutes the visit is 'closed' and sent to the ingestion queues for further processing. Only after this point are abandoned baskets and profile identification events processed.
● Unique visitor ID (random ID)
● Email address of contact if they identified / logged in
● Basket contents when navigating the site
● Traffic source for this visit and first visit
● Number of pages viewed
● Time of first and last event
This cookie is called "ometria" and data stored in the cookie is appended to the 'interaction tracking data' described above. The cookie has a 1 year lifetime, which is renewed each time it is updated as a result of an interaction by the customer. Thus, if the first interaction is 01/02 the cookie will persist until 31/01 in the following year. However, if there is subsequent interaction on 01/06, the cookie will then persist until 31/05 in the following year.
Retailers will need to ensure that their cookies policy is updated to include Ometria’s cookie.
The potential risks to profiling, as identified by the ICO, are:
1. Profiling is often invisible to individuals.
2. People might not expect their personal information to be used in this way.
3. People might not understand how the process works or how it can affect them.
4. The decisions taken may lead to significant adverse effects for some people.
We think that points 1 to 3 can be addressed by clear language used in retailers’ privacy policies. Point 4 relates to Article 35 of the GDPR.
The Ometria Service has been provisioned for the sending of personalised marketing messages to provide retailers’ customers with marketing experiences based on their tastes, profiles and other predicted activities. To achieve that end, Ometria uses machine learning to build a single customer view. It could be said that, to achieve the single customer view, Ometria is profiling data on the customer. In the context of the GDPR, “profiling” is “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviours, location or motives.” (Art 4(4)).
It is difficult to see, in the retail space, how the profiling of the type undertaken by Ometria leads either to a wholly automated decision or ones where there is either (a) legal effect or (b) something similarly affecting as envisaged by Article 35, especially given that the ICO has said that, “These types of effect are not defined in the GDPR, but the decision must have a serious negative impact on an individual to be caught by this provision.” Examples of automated processing within the scope of the GDPR would be:
● automatically refusing an online credit application
● automated e-recruiting practices without any human intervention
In the case of Ometria, data from the interaction logs are merged into the ecommerce data. For example, transaction interaction events are merged with the transaction ecommerce database, so that the session ID for the visitor who made the transaction is also stored in the database. This allows the interaction history of a visitor to be processed along with their transactional history. Ometria can also identify customers (with identities and purchase histories) to the visitor IDs for the devices they use to access the site (maybe multiple devices/browsers per identity).
Customer data from third party sources are also merged into the unified customer profiles. This merging can occur based on an email address or another unique persona identification field. Third party data custom events may, depending upon what the retailer has decided to share with Ometria, include:
● Email interaction data from Email Service Providers, including emails sent, opened and clicked. Ometria can also import and synchronize email list subscriptions and unsubscriptions, allowing it to give the retailer a unified view of who has subscribed and unsubscribed from their mailing lists.
● CRM and helpdesk data. For example, customer requests and support tickets.
● Review data from third party review systems, including Trustpilot and Yotpo.
● Social data, including likes and interactions with the retailer’s brand.
● Off-site advertising data, including clicks and ad impressions.
Ecommerce data are synchronized periodically via API to API import. We have developed a flexible data model representing core ecommerce data types (product, transaction and customer records).
In plain terms, in deciding on whether Article 35 applies to the type of processing we do on the retailer’s behalf, one could ask the question, “Will the sending of an email, which the customer has subscribed to receive, the content and timing of which is based on the information that Ometria has gathered from the retailer and the customer’s interaction with the retailer, lead to a significant adverse effect on the recipient?” We think not, as the logical extension is that buying an item as a result of receiving a personalised message gives rise to harm to the recipient. It is for the retailer, as the data controller, to make its own decision following its reading of the GDPR, guidance given by the ICO and other data protection authorities and its understanding of the Ometria Service.
For more information about our privacy practices, if you have questions, or if you would like to make a complaint, please contact us by e-mail at firstname.lastname@example.org or by mail using the details provided below:
Renfold, Island Studios, 47 British Grove, London, W4 2NL, United Kingdom