Privacy


Chelsea Peers NYC Privacy Policy

This Privacy Policy describes how your personal information is collected, used, and shared when you visit or make a purchase from https://chelseapeersnyc.com.

PERSONAL INFORMATION WE COLLECT

When you visit the Site, we automatically collect certain information about your device, including information about your web browser, IP address, time zone, and some of the cookies that are installed on your device. Additionally, as you browse the Site, we collect information about the individual web pages or products that you view, what websites or search terms referred you to the Site, and information about how you interact with the Site. We refer to this automatically-collected information as “Device Information.”

We collect Device Information using the following technologies:

- “Cookies” are data files that are placed on your device or computer and often include an anonymous unique identifier. For more information about cookies, and how to disable cookies, visit http://www.allaboutcookies.org.

- “Log files” track actions occurring on the Site, and collect data including your IP address, browser type, Internet service provider, referring/exit pages, and date/time stamps.

- “Web beacons,” “tags,” and “pixels” are electronic files used to record information about how you browse the Site.

Additionally, when you make a purchase or attempt to make a purchase through the Site, we collect certain information from you, including your name, billing address, shipping address, payment information (including credit card numbers), email address, and phone number. We refer to this information as “Order Information.”

When we talk about “Personal Information” in this Privacy Policy, we are talking both about Device Information and Order Information.

HOW DO WE USE YOUR PERSONAL INFORMATION?

We use the Order Information that we collect generally to fulfil any orders placed through the Site (including processing your payment information, arranging for shipping, and providing you with invoices and/or order confirmations). Additionally, we use this Order Information to:

Communicate with you;

Screen our orders for potential risk or fraud; and

When in line with the preferences you have shared with us, provide you with information or advertising relating to our products or services.

We use the Device Information that we collect to help us screen for potential risk and fraud (in particular, your IP address), and more generally to improve and optimize our Site (for example, by generating analytics about how our customers browse and interact with the Site, and to assess the success of our marketing and advertising campaigns).

SHARING YOUR PERSONAL INFORMATION

We share your Personal Information with third parties to help us use your Personal Information, as described above. For example, we use Shopify to power our online store--you can read more about how Shopify uses your Personal Information here: https://www.shopify.com/legal/privacy. We also use Google Analytics to help us understand how our customers use the Site--you can read more about how Google uses your Personal Information here: https://www.google.com/intl/en/policies/privacy/. You can also opt-out of Google Analytics here: https://tools.google.com/dlpage/gaoptout.

Finally, we may also share your Personal Information to comply with applicable laws and regulations, to respond to a subpoena, search warrant or other lawful request for information we receive, or to otherwise protect our rights.

As described above, we use your Personal Information to provide you with targeted advertisements or marketing communications we believe may be of interest to you. For more information about how targeted advertising works, you can visit the Network Advertising Initiative’s (“NAI”) educational page at http://www.networkadvertising.org/understanding-online-advertising/how-does-it-work.

Additionally, you can opt out of some of these services by visiting the Digital Advertising Alliance’s opt-out portal at: http://optout.aboutads.info/.

HOW WE SHARE YOUR INFORMATION
We may process your personal information for our legitimate business interests.
‘Legitimate Interests’ means the interests of our company in conducting and managing our business to enable us to give you the best service/products and the best and most secure experience. It can and does also apply to processing which is in your interests too.
Processing for our legitimate interests may include processing for the purposes of (i) fraud prevention and compliance; (ii) certain direct marketing and promotional activities; (iii) the provision and operation of referral marketing programmes; (iv) network and information systems security; (v) data analytics; (vi) enhancing, modifying or improving our service; (vii) identifying usage trends; or (viii) determining the effectiveness of promotional campaigns or advertising.
In connection with the above activities, we may share your personal information with trusted suppliers like Mention Me who assist us in our data processing activities.
When we process your personal information for our legitimate interests, we make sure to consider and balance any potential impact on you (both positive and negative), and your rights under data protection laws. Our legitimate business interests do not automatically override your interests - we will not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted by law).
You have the right to object to this processing if you wish and if you wish to do so please contact us at hello@chelseapeers.com. 

DO NOT TRACK

Please note that we do not alter our Site’s data collection and use practices when we see a Do Not Track signal from your browser.

YOUR RIGHTS

If you are a European resident, you have the right to access personal information we hold about you and to ask that your personal information be corrected, updated, or deleted. If you would like to exercise this right, please contact us through the contact information below.

Additionally, if you are a European resident we note that we are processing your information in order to fulfil contracts we might have with you (for example if you make an order through the Site), or otherwise to pursue our legitimate business interests listed above. Additionally, please note that your information will be transferred outside of Europe, including to Canada and the United States.

DATA RETENTION

When you place an order through the Site, we will maintain your Order Information for our records unless and until you ask us to delete this information.

CHANGES

We may update this privacy policy from time to time in order to reflect, for example, changes to our practices or for other operational, legal or regulatory reasons.

Children’s Privacy

Our Service does not address anyone under the age of 13 (“Children”). We do not knowingly collect personally identifiable information from children under 13. If you are a parent or guardian and you are aware that your child has provided us with Personal Information, please contact us. If we become aware that we have collected Personal Information from a child under 13 without verification of parental consent, we take steps to remove that information from our servers.

Hotjar

We use Hotjar in order to better understand our users’ needs and to optimize this service and experience. Hotjar is a technology service that helps us better understand our users’ experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behavior and their devices. This includes a device's IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website. Hotjar stores this information on our behalf in a pseudonymized user profile. Hotjar is contractually forbidden to sell any of the data collected on our behalf.

For further details, please see the ‘about Hotjar’ section of Hotjar’s support site.

 

Klarna

In cooperation with Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden, we offer you the following payment options. Payment is to be made to Klarna:

  • Pay Later

  • Pay in 3

Further information and Klarna’s user terms can be found here. General information on Klarna can be found here. Your personal data is handled in accordance with applicable data protection law and in accordance with the information in Klarna’s privacy statement.

In order to be able to offer you Klarna’s payment options, we will pass to Klarna certain aspects of your personal information, such as contact and order details, in order for Klarna to assess whether you qualify for their payment options and to tailor the payment options for you.

General information on Klarna you can find here. Your personal data is handled in accordance with applicable data protection law and in accordance with the information in Klarna’s privacy policy.

Jurisdiction

This Policy shall be governed and construed in accordance with the laws of England and Wales, without regard to its conflict of law provision.

Ometria Data Privacy

As a sophisticated marketer we trust that you are already aware of your company’s responsibilities, as a data controller, towards data subjects under:

● The Privacy and Electronic Communications (EC Directive) Regulations 2003 (and its seven updates) (“PECR”), which regulates the sending of marketing messages, cookies and other technologies

● The General Data Protection Regulation 2016 (“the GDPR”), which governs the personal data of the customer, including information derived from marketing messages, website visits etc.

● The Data Protection Act 2018, which implemented, amongst other laws, the GDPR into UK national law and which succeeded the Data Protection Act 1998, which in turn brought into UK law the EU Data Protection Directive 1996 (i.e. the predecessor to the GDPR)(“the Directive”)

As you on-board with Ometria, you will need to revisit your privacy notice and cookie policy to ensure that what we do on your behalf is brought to your customers’ attention in a clear and transparent way. This is done by having privacy and cookie policies written in a clear and intelligible style appropriate to your target audience.

A central plank of the GDPR is that individuals are told what information is collected, the lawful ground(s) for processing, the rights of individuals under the GDPR, the data protection authority that individuals can complain to, along with details of who the retailer shares data with and whether the data is processed outside of the EEA (i.e. outside of the EU, Iceland, Liechtenstein and Norway).

One of the most relevant provisions of PECR for the retailer is that no unsolicited marketing messages may be sent to an individual without their consent (see Regulation 22). As such, and as is well known in the retail ecommerce community, no email message, push notification, SMS or similar message may be sent to a customer without their express consent. From 25th May 2018, a higher level of consent is required under the GDPR than was required under the Directive, namely that the individual’s consent is “freely given, specific, informed and unambiguous” in respect of personal data. As such the retailer should update its privacy policy to ensure that the customer understands what Ometria’s pixel does, in the same way as it should be doing if using, say, Facebook’s tracking pixel.

What is frequently overlooked though is that PECR also applies to similar technologies to cookies, which in the context of the sending of emails includes pixel tracking (see Regulation 6).

Emails

Each Ometria email includes an email tracking pixel which will track email opens (if the receiver has images enabled in their email client/mailbox). This is the standard approach for measuring open and click rates, and is used by all email platforms in the market.

All links in Ometria emails are proxied through a link redirection service that records data for each link clicked. This leads to a set of events which includes:

● Event type (delivery, bounce, open, click, spam complaint, unsubscribe)
● Email address of the recipient (already known to us as we sent it)
● IP address of the recipient (in the case of open and click)
● GEO location based on IP address (city level) (in the case of open and click)

● Device type (mobile/computer/tablet) and browser (ie/firefox/chrome/safari)

It is important that the retailer understands that consent is required for the collection and storage of all information since PECR is not limited, as the GDPR is, to personal data. This general lack of understanding is something the ICO recently highlighted in a report relating to adtech and real time bidding platforms.

Cookies

PECR is also well known for imposing an obligation on controllers to bring to the individual’s attention the cookies that it uses.

Website interaction data

In the case of Ometria, the retailer installs a small Javascript file on their pages (served from a static file CDN to minimize load time) which sends a small HTTP request to Ometria’s fleet of tracking servers when an event occurs.

Once an event is recorded in the persistent log store, it is processed by the ‘real time’ system. This system records a small in-memory object for each active visitor across all the sites being tracked. This per visitor information includes:

● Country (IP geolocation)
● Number of pages viewed (stored in a persistent cookie)
● Time on site (stored in a persistent cookie)
● Time of last interaction (stored in a persistent cookie)
● Unique visitor ID (stored in a persistent cookie)
● Number of previous visits from this visitor ID
● Landing page URL
● Last page viewed URL
● Products and categories viewed in a visit

● Channel that sent the visit (e.g. search, CPC, referral) along with contextual information about the source (e.g. search keywords, referring page URL)

● Device type (mobile/computer/tablet) and browser (ie/firefox/chrome/safari)
● Contents of shopping basket (id, products, quantity and value) (stored in a persistent cookie)
● Previous visitor information (e.g. identity and customer information)

Each incoming event updates the active session record for the visitor that sent the event. Details about active sessions (lists and aggregations by dimension) can be extracted from the real time system via REST API from the web application servers and are used to power the real-time dashboard.

Visits (sessions) are said to be 'complete' after 30 minutes of inactivity. So if no page view (or other) events have been received for 30 minutes the visit is 'closed' and sent to the ingestion queues for further processing. Only after this point are abandoned baskets and profile identification events processed.

Ometria’s cookie

The Ometria javascript tracking library uses first party cookies (set to the domain of the retailer's page). Data stored inside this cookie includes:

● Unique visitor ID (random ID)

● Email address of contact if they identified / logged in

● Basket contents when navigating the site

● Traffic source for this visit and first visit

● Number of pages viewed

● Time of first and last event

This cookie is called "ometria" and data stored in the cookie is appended to the 'interaction tracking data' described above. The cookie has a 1 year lifetime, which is renewed each time it is updated as a result of an interaction by the customer. Thus, if the first interaction is 01/02 the cookie will persist until 31/01 in the following year. However, if there is subsequent interaction on 01/06, the cookie will then persist until 31/05 in the following year.

Retailers will need to ensure that their cookies policy is updated to include Ometria’s cookie.

Profiling

The potential risks to profiling, as identified by the ICO, are:

1. Profiling is often invisible to individuals.
2. People might not expect their personal information to be used in this way.
3. People might not understand how the process works or how it can affect them.
4. The decisions taken may lead to significant adverse effects for some people.

We think that 1 - 3 can be addressed by clear language used in retailers’ privacy policies. Point 4 relates to Article 35 of the GDPR.

The Ometria Service has been provisioned for the sending of personalised marketing messages to provide retailers’ customers with marketing experiences based on their tastes, profiles and other predicted activities. To achieve that end, Ometria uses machine learning to build a single customer view. It could be said that to achieve the single customer view that Ometria is profiling data on the customer. In the context of the GDPR, “profiling” is “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviours, location or motives.” (Art 4(4)).

It is difficult to see, in the retail space, how the profiling of the type undertaken by Ometria leads either to a wholly automated decision or ones where there is either (a) legal effect or (b) something similarly affecting as envisaged by Article 35, especially given that the ICO has said that, “These types of effect are not defined in the GDPR, but the decision must have a serious negative impact on an individual to be caught by this provision.” Examples of automated processing within the scope of the GDPR would be:

● automatically refusing an online credit application
● automated e-recruiting practices without any human intervention

In the case of Ometria, data from the interaction logs are merged into the ecommerce data. For example, transaction interaction events are merged with the transaction ecommerce database, so that the session ID for the visitor who made the transaction is also stored in the database. This allows the interaction history of a visitor to be processed along with their transactional history. Ometria can also identify customers (with identities and purchase histories) to the visitor IDs for the devices they use to access the site (maybe multiple devices/browsers per identity).

Customer data from third party sources are also merged into the unified customer profiles. This merging can occur based on an email address or another unique persona identification field. Third party data custom events may, depending upon what the retailer has decided to share with Ometria, include:

● Email interaction data from Email Service Providers, including emails sent, opened and clicked. Also can import and synchronize email list subscriptions and unsubscriptions allowing Ometria to give the retailer a unified view of who has subscribed and unsubscribed from their mailing lists.

● CRM and helpdesk data. For example, customer requests and support tickets.

● Review data from third party review systems, including Trustpilot and Yotpo.

● Social data, including likes and interactions with the retailer’s brand.

● Off-site advertising data, including clicks and ad impressions.

Ecommerce data are synchronized periodically via API to API import. We have developed a flexible data model representing core ecommerce data types (product, transaction and customer records).

In plain terms, in deciding on whether Article 35 applies to the type of processing we do on the retailer’s behalf, one could ask the question, “Will the sending of an email, which the customer has subscribed to receive, the content and timing of which is based on the information that Ometria has gathered from the retailer and the customer’s interaction with the retailer, lead to a significant adverse effect on the recipient?” We think not, as the logical extension is that buying an item as a result of receiving a personalised message gives rise to harm to the recipient. It is for the retailer, as the data controller, to make its own decision following its reading of the GDPR, guidance given by the ICO and other data protection authorities and its understanding of the Ometria Service.

Whether or not one considers our single customer view amounts to profiling, the retailer’s privacy policy must describe our collection of data and, for example, how the retailer uses our platform to, say, segment its data (which results in the marketing message the customer receives, its content and when).

CONTACT US

For more information about our privacy practices, if you have questions, or if you would like to make a complaint, please contact us by e-mail at hello@chelseapeersnyc.com or by mail using the details provided below:

Renfold, Island Studios, 47 British Grove, London, W4 2NL, United Kingdom