Last updated: February 13 2022
Why and for whom?
At Tinybuddy AB, VAT ID (SE559159701701) ("Tinybuddy", "we", "us", "our") we care about personal privacy. This means that we respect and safeguard your privacy and your right to control and transparency in the processing of your Personal Data.
The Policy sets out our treatment of Personal Data where you communicate with us, purchase our products or visit our website www.tinybuddy.eu (together "Features").
This policy is directed towards:
- Potential customers
- Visitors to our website
"Processing of Personal Data" means anything that can be done with Personal Data, such as storage, modification, reading, disclosure, etc.
"Applicable law" means the law applicable to the processing of Personal Data including the General Data Protection Regulation (GDPR), complementary national legislation, as well as practices, guidance and recommendations issued by a national or European supervisory authority.
"Personal data" is any information that can be linked to an identifiable, living person.
"Controller" means the company/organisation that determines the purposes for which and the manner in which Personal Data is processed and is therefore also responsible for ensuring that Personal Data is processed in accordance with Applicable Law.
"Processor" means the company/organisation that processes Personal Data on behalf of the Controller and may therefore only process the Personal Data in accordance with the Controller's instructions and Applicable Law.
"Data Subject" means the living, natural person whose Personal Data is processed.
Tinybuddy's data protection responsibilities
The information in this Policy covers the Processing of Personal Data for which Tinybuddy is the Controller, i.e. the Processing for which we determine the purpose (why a processing is done) and means (in what way, what personal data, for how long, etc.). The Policy does not describe how we process personal data in our role as a Data Processor - i.e. when we process personal data on behalf of our customers.
We provide an online shop for individuals and businesses. We therefore need to process your personal data in order to deliver the goods you have ordered.
Tinybuddy's processing of personal data
We have a responsibility to describe and demonstrate how we meet the requirements placed on us when processing your Personal Data. This section aims to give you an understanding of the types of Personal Data we process about you and for what purposes.
How long do we keep your Personal Data?
We keep your Personal Data for as long as is necessary for the purpose for which it was collected. Depending on the legal basis on which we base the processing, this may a) follow from a contract, b) depend on a valid consent, c) result from legislation or d) follow from an internal assessment based on a balancing of interests.
We never keep your Personal Data for longer than necessary and regularly delete Personal Data. Tinybuddy also takes reasonable steps to keep the Personal Data it processes up to date and to delete outdated and otherwise inaccurate or redundant Personal Data.
The main purpose of the personal data processing we carry out is to provide, perform and improve our services to you. There are several reasons why we may need to collect, process and store your data.
We mainly process the following personal data:
- Contact and identification details to confirm your identity, verify your details and communicate with you
- Information about your use of the service or product in order to improve your customer experience
- Consumption patterns in order to provide you with specific offers
- Payment information to offer direct debit and other payment methods
How do we access your personal data?
We collect your personal data in a number of ways. We primarily access your personal data:
- By providing us with your personal data yourself
- Through third party analytics technology e.g. cookies
- Through information created from the analysis of data
In order for us to process your personal data, we must have a legal basis for the respective processing. In our operations, we process your personal data mainly on the following grounds:
Contract - The processing is necessary for the performance of obligations under a contract between us or in preparation for entering into a contract with the Data Subject.
Balancing of interests - Tinybuddy may process personal data if we consider that there is a legitimate interest that outweighs the protection of the privacy of the Data Subject and if the Processing is necessary for the purpose in question, e.g. in direct marketing.
Legal obligation - We are required by applicable laws and regulations to process personal data as a result of our activities.
If you would like further information about the legal basis(s) on which we process your personal data, you always have the right to request a so-called register extract. Read more under "How to use your rights" below.
You are in control of your Personal Data. We always strive to ensure that you can exercise your rights as effectively and smoothly as possible.
Access - You always have the right to obtain information about the Personal Data processing operations that concern you in a so-called register extract. The register extract shows, among other things, which of your personal data we have stored and for what purposes and on what legal basis. We only disclose data if we have been able to ensure that it is actually you who is asking for the data.
Rights - If you discover that the Personal Data we process about you is not correct, please contact us and we will fix it!
Radering - Do you want us to forget about you completely? You have the right to request deletion of your Personal Data when it is no longer necessary for the purpose for which it was collected. If we are required to keep your data by law or a contract we have entered into with you, we will ensure that it is only processed for the specific purpose set out in the law or contract. We will then ensure that the data is deleted as soon as possible.
Objection - Do you disagree with us that our interest in processing your Personal Data outweighs your interest in privacy protection? Don't worry - if so, we'll review our balance of interests and make sure it still holds. We will, of course, take your objection into account when we reassess to evaluate whether we can still justify our Processing of your Personal Data. If you object to direct marketing, we will remove your Personal Data immediately without reviewing our assessment.
Restriction - You can also ask us to restrict our Processing of your data:
- While we are processing a request from you for any of your other rights.
- If, instead of requesting erasure, you would like us to indicate that the data will not be processed for a particular purpose. For example, if you do not want us to send you advertising in the future, we still need to keep your name to know that we will not contact you.
- In cases where we no longer need the data for the purpose for which it was collected, provided that you do not have an interest in us retaining the data to pursue a legal claim.
Data portability - We may provide you with the data you have provided to us or that we have received from you in connection with entering into a contract with you. You will receive your data in a commonly used and machine-readable format that you can then take with you to another Data Controller.
Withdraw consent - If you have consented to one or more specific processing operations of your Personal Data, you have the right to withdraw your consent at any time and thereby ask us to cease the Processing immediately. Please note that you can only withdraw your consent for future Processing(s) of Personal Data and not for any Processing that has already taken place.
How you exercise your rights
Contact us at firstname.lastname@example.org and we will help you.
Transfer of Personal Data
In order to conduct our business, we may need to use the services of others who process Personal Data on our behalf, known as Processors.
Where our Processors transfer Personal Data to a country outside the EU/EEA, we have ensured that the Processing is lawful under Applicable Law by ensuring that one of the following requirements is met:
- there is a decision from the European Commission that the country ensures an adequate level of protection;
- the application of the EU Commission's standard contractual clauses for third country transfers; or
- other appropriate safeguards that comply with applicable law.
We have entered into Personal Data Processing Agreements (PDPAs) with all our Processors. The PUB Agreement governs how the Processor may process the Personal Data and the security measures required for the processing of the Personal Data.
We may also need to disclose your Personal Data to certain designated authorities in order to comply with legal obligations or governmental orders.
Our Data Processors
Tinybuddy does not sell your personal information to anyone and we do not, of course, share your personal information with anyone. However, in some cases we may share your Personal Information with selected third parties. If this happens, we will ensure that the transfer is done in a secure manner that preserves your privacy. Below are categories of recipients with whom we may share your information.
- Advertising agencies and suppliers of printing and advertising.
- IT providers for business systems and case management, for example. In order to carry out our assignments and services, we store your data in our business systems (a system that manages our customers and contacts).
- Statistics to contribute to industry statistics and to improve the customer experience.
Tinybuddy has put in place technical and organisational measures to ensure that your personal data is processed securely and that it is protected from loss, misuse and unauthorised or unauthorised access.
Our security measures
Organizational security measures are measures that are implemented in working methods and procedures within the organization. Our organisational security measures are:
- Login and password management
- Information Security Policy
- Physical security (premises, etc.)
Technical security measures are measures that are implemented through technical solutions. Our technical security measures are:
- Access list
- Access log
- Secure network
- Regular check of security level
- Two-step verification
If we don't keep our promises
If you feel that we are processing your Personal Data incorrectly, even after you have alerted us, you always have the right to lodge your complaint with the Privacy Authority.
More information about our obligations and your rights can be found on the website of the Swedish Data Protection Authority (https://www.imy.se/). You can also contact the Authority at email@example.com.
Changes to this policy
We reserve the right to make changes to this Policy. Where the change affects our obligations or your rights, we will provide advance notice of the changes so that you have an opportunity to review the updated Policy.
Please contact us if you have any questions about your rights or if you have any other questions about how we process your personal data: