Privacy statement
 

Introduction
Scotch & Soda respects the privacy of all its customers, potential customers and visitors to its Websites and Applications (collectively "Web Services") and is highly committed to maintaining the privacy of all such visitors. We will use your personal data to make sure that your orders are handled as quickly and easily as possible or that certain parts of the Web Services are more tailored to your interests. This statement describes how we deal with your personal data and online security.

This statement informs you about the following:
1. Who we are
2. What data we collect
3. What we need your data for
4. How we may share your data
5. Legal grounds for processing your data
6. Your data is safe at Scotch & Soda (online security)
7. We do not keep your personal data longer than necessary
8. Where your data is processed
9. Cookies and Do Not Track
10. Online Advertising
11. Data Management Platform
12. Your privacy rights
13. Objection and complaints
14. Changes to our privacy statement
15. Minors providing personal data
16. Information for California residents
17. Contact Us
18. California information sharing disclosure

 

1. Who we are
Scotch & Soda E-commerce B.V. is responsible for the processing of your personal data and acts as the “data controller,” which means we make the decisions regarding the personal data we collect from you.
If you have any questions, feedback or want to know more about how your personal data is processed, or if you want to access, correct or remove your personal data, please contact us at consumercare@scotch-soda.com. You may also write to us at: Scotch & Soda E-commerce B.V., Parellaan 76, 2132 WS, Hoofddorp, the Netherlands (department web store). You may also call us at: 1-866-544-1557.

 

2. What data we collect
Personal data is any data that can be used to identify you as a person. We collect data in the following ways:


Place and deliver an order
Personalize our Services
Creating an Online Account
Optimize our Marketing and Web Services
Book a styling session
Write a review
Contact customer service
Recommend products you may be interested in
Apply for a job
Choosing a digital receipt

In addition to the information that we collect from you directly, we may also receive information about you from other sources, including third parties, business partners, our affiliates, or publicly available sources. For example, if you submit a job application, or become an employee, we may conduct a background check.


  • If you place an order through our Web Services, we collect your name, e-mail, billing information, and shipment address in order to complete and deliver your order. In addition, we also offer you the option to store your credit card details in an encrypted and inaccessible format.

  • To make your shopping experience as nice as possible, we collect personal data about your orders and the use of our services. We use this data to personalize the Web Services and recommend products you might be interested in. We may also use this data to find patterns that can be used to further optimize our marketing.
  • If you have placed items in your shopping cart while using an online account but have not checked out these items, we may send you an abandoned cart e-mail informing you that the items are still for sale. For this purpose, we collect data about which items are placed in your cart.

  • If you create an online account on our Web Services, we collect your personal data on a secure server. You are asked to fill in your name, e-mail, billing information, shipment address, and password to allow you to place orders for our products. We store your billing and shipment address so that you do not have to fill in this information for any subsequent purchases.

  • The data and feedback we collect about the use of our Web Services help us to develop and improve the Web Services and other related services.
  • We collect and store data regarding your online and offline purchase history and behavior on our Web Services, CRM, media and e-mail data in a Data Management Platform (DMP). We may also store data received from other parties (including data vendors and social media) in our DMP. We analyze the data collected to target a specific audience, to match your data with customers that have a similar profile, to link devices that you use, and to show you targeted ads and offers, and to customize your online experience or ship products to you that you purchase offline.

  • If you book a styling session, we will collect your name, e-mail address and telephone number (and optionally your size and collection preferences) to set up a personal appointment in one of our stores.

  • If you decide to write a review, you can do this under your own name or anonymously. We reserve the right to not publish or to remove reviews.
  • If you contact our customer service, we will collect your name and e-mail address (and any additional data you may provide us with) to be able to respond to your questions or comments or to provide better service.
  • We will inform our customers (or potential customers after their consent) on new products, specials and other promotional activities by sending you our newsletter. If you no longer want to receive this newsletter, you can unsubscribe by use of the relevant opt-out button in the newsletter or send an e-mail to consumercare@scotch-soda.com.
  • If you apply for a job at Scotch & Soda through our Web Services, we will collect your name, e-mail address, phone number, CV/resume, photo, and cover letter.
  • If you choose to receive a digital receipt when buying in any of our brick and mortar stores, we may collect your e-mail address and an overview of the items you bought.


 

3. What we need your data for

We only collect and further process your personal data for the purposes mentioned in the previous section.

Unless the further use of your data is compatible with the original purpose for which the data was collected, we will ask for your consent before using your personal data for purposes other than those listed above. We will inform you of, and, if necessary ask your consent for, any changes in the use of your personal data.

We may use your data for decisions based on automated decision-making, including profiling. For instance, we may use previous purchase data and/or browsing data to suggest matching products to those previous purchases. By obtaining your consent, we are able to use automated decision-making both in advertising and on our Web Services.

We will inform you of new products, specials and other promotional activities by sending you our newsletter. If you no longer want to receive this newsletter, you can unsubscribe by use of the relevant opt-out button in the newsletter or send an e-mail to consumercare@scotch-soda.com.

 

4. How we may share your data
We will not share your personal data with third parties except as disclosed below or with your additional consent. We may share your personal data with our third-party service providers, including, but not limited to:

Functional
  • Simplybook.it - to help us set up an appointment with you when you book a styling session.
  • Paazl - to provide the labels for the packages that we send to you
  • Adyen - our payment services provider
  • Salesforce - to store your client profile and to send you our newsletters
  • ContactCare - to respond to your customer service questions
  • Equinix - to host our servers
  • Highstreet Mobile Retail - to provide a platform to host our App
  • TrustedShops - to ask you to review our service
Analytics
  • Hotjar - to gather your feedback about our website and optimize your website experience
  • Google Optimize - for visual website A/B and multivariate testing to optimize your experience
  • Google Analytics - to collect and display detailed statistics from our Website(s). The purpose of this service is to give us a clear overview of visitor flows, traffic sources and pageviews. Based on this information we can improve our Website(s) and improve your shopping experience on our Website(s) and App(s).
Marketing
  • Conversant - to show you personalized messages and advertisements
  • Salesforce - to store your client profile and to send you our newsletters, targeted ads and offers
  • Facebook - to show you personalized messages and advertisements
  • Rakuten - to display relevant products to you
  • Awin - to display relevant products to you
  • Google Adwords - to share and display relevant products on Google platforms
 

These service providers are granted access to some or all of your personal data as necessary for the purposes described above and may use cookies (as defined and described in our Cookie Statement) or other automatic collection technology on our behalf. The service providers are contractually restricted by way of a data processing agreement in the way they may process your personal data.

We reserve the right to disclose your personal data to official authorities or third parties to the extent we reasonably believe that disclosure is required by law, or to protect your or others' rights, property or safety.

In certain situations, we may ask for your consent to share your information with other unaffiliated third parties who are not described elsewhere in this policy.

Please note that the use of any feature made available to you on our Web Services such as Facebook Connect, or the "like" feature (also connected to Facebook), may result in your personal data being collected or shared by us or by others. We cannot control how your data is collected, stored, used, or shared by third-party sites. Please review the privacy policies and settings of these third parties, including the social networking sites, to make sure you understand and agree with how they manage your data.

If you do not want us to share your personal data with a social media site or application, you should not access such social media site or social media application. For example, you should not click a "like" button on a product detail page.

We may also share your personal data with applicable third parties in the event of a reorganisation, merger, sale, assignment or other disposition of all or a portion of our business, assets or shares.

 

5. Legal grounds for processing your data
Consent
By the following acts you give us your consent to process your personal data:

  • Creating an online account
  • Booking a styling session
  • Writing a review
  • Contacting our customer service
  • Applying for a job through our Services

We will ask your consent before we send you a newsletter if you are not yet our customer.

 

You have the right to revoke your consent at all times. When you revoke your consent, we will stop processing your personal data.

Necessary for the performance of an agreement
When you place an order, you enter into a purchase agreement with us. In order to process and deliver your order, we need certain personal data, such as your name, e-mail, billing and shipment address. Additionally, when you choose to receive a digital receipt, we need certain personal data such as your e-mail to complete the transaction.

Legitimate interests
We may process your personal data for the purposes of our legitimate interests, except where such interests are overridden by your interests or fundamental rights and freedoms.
For our legitimate business interests, we may process your personal data to:

  • Personalize our Web Services
  • Recommend products that you may be interested in
  • Optimize our marketing
  • Develop and improve the functionality of our Web Services

To opt out of receiving interest-based advertising from third parties, you may click on either of the following links, or see more information in our Cookie Statement:
In addition, you have the right to object to processing your personal data for interest-based advertising. If you would like to exercise this right, please contact us at consumercare@scotch-soda.com. Please note that if you exercise this right, it may limit our ability to process your data for your benefit as set out above.

 

 

6. Your data is safe at Scotch & Soda (online security)
We appreciate the trust you place in Scotch & Soda. We are committed to protecting your personal data. We have implemented reasonable security measures, including Secure Sockets Layer (SSL) encryption technology and other tools to protect all of your personal data we may collect through our Web Services. We use a variety of measures to ensure that your personal data is protected from unauthorized access, improper use or disclosure, unauthorized modification or alteration, unlawful destruction, or accidental loss. However, the internet is an open system and Scotch & Soda cannot guarantee that the personal data you submit will not be intercepted by others. All of our employees who have access to or are involved in the processing of personal data are bound by contractual confidentiality obligations and will respect the confidentiality of any such personal data.

Our Web Services may include links to website(s) operated by third parties. Such third parties may collect personal data from visitors to their website(s). Scotch & Soda cannot guarantee the content or privacy practices of any such third party website(s) and does not accept responsibility for such website(s). We recommend that you read the privacy policies of third party website(s).

In the event that we are required by law to inform you of a breach of your personal information, we may notify you electronically, in writing, or by telephone, if permitted to do so by law.

 

7. We do not keep your personal data longer than necessary
Order information
When you place an order for our products, we retain that information for a minimum period of six years following the end of the financial year in which you placed your order. This is in accordance with our legal obligation to keep records for tax purposes.

Correspondence and enquiries
When you make an enquiry or contact us by e-mail or via our contact form, we retain your information for 24 months after the complete resolution of your enquiry.

Mailing list
We retain the information you used to sign up for our newsletter until you unsubscribe or we decide to cancel our newsletter service, whichever occurs first.

In any other circumstances, we will retain your information for no longer than necessary, taking into account the following:

  • The purposes and use of your information both now and in the future (such as whether it is necessary to continue to store that information in order to continue to perform our obligations under an agreement with you or to contact you in the future).
  • Whether we have any legal obligation to continue to process your information (such as any record-keeping obligations imposed by relevant law or regulations).
  • Whether we have any legal basis to continue to process your information (such as your consent).
  • Any relevant agreed-upon industry practices regarding how long information should be retained.

 

 

8. Where your data is processed
Your data is processed within the European Union. In addition, we share a database with our Scotch & Soda affiliates in the United States. When personal data is shared with our US affiliates, we make sure that appropriate safeguards are in place to protect your data. More specifically, we will adhere to the standard contractual clauses of the EC or to the EU-US Privacy Shield Frameworks.

 

9. Cookies and Do Not Track
We use cookies on our Website(s). More information on the use of cookies and your options to reject the use of cookies can be found in our Cookie Statement.

 

10. Online Advertising
Scotch & Soda may participate in interest-based advertising. As described above, we may automatically collect data regarding how you browse websites, use applications, and shop in order to enhance your customer experience, improve our customer service, and provide you with communications and promotions from us or others. The objective of interest-based advertising is for Scotch & Soda or its advertising partners to show you ads that are more relevant to your interests. You can limit Scotch & Soda’s and our partners’ ability to collect and use your data for these purposes. To opt out of receiving interest-based advertising, click on either of the following links:
- www.networkadvertising.org
- www.aboutads.info
To successfully opt out, you must have cookies enabled in your web browser. Please note that if you choose to opt out, you may continue to see ads on our Website(s) and receive communications from us, but such ads and communications will not be based on how you browse and shop. As described above, you can also prevent automatic collection of some data by disabling cookies on your web browser.

 

11. Data Management Platform
As described above, we use a Data Management Platform that enables us to store your data and combine it with data received from third parties. When you log in to our Web Services we are able to connect this data to your customer ID. The sources from which we collect data change regularly. If you would like to know which sources we currently use, you can reach out to us at the address indicated under the Contact us section.
Using a DMP allows us to show you specific (targeted) advertisements on our Web Services or on third party websites or platforms, such as Facebook, Instagram or Google. The DMP also allows us to send you targeted e-mails and personalize our Web Services to your interests.
We do not sell the data collected in the DMP to third parties. Salesforce only processes the data in the DMP on our behalf. We have executed a data processing agreement with Salesforce where they have agreed, among other things, to only process the data in data centers established in the EU.
If you would like to be removed from the DMP, you can send a request to the address indicated under the Contact us section. If you would like to opt-out from targeting via the Salesforce DMP technology platform, visit this website to enable the browser opt-out.

 

12. Your privacy rights
Under applicable privacy laws (General Data Protection Regulation (GDPR)), you have, inter alia, the right to:

  • Ask for access to your personal data (access)
  • Ask to change or correct your personal data (rectification)
  • Ask to delete your personal data (erasure/right to be forgotten). Please note that although we will grant a request to delete information if required by law, in many situations we must keep your personal information to comply with our legal obligations, resolve disputes, enforce our agreements, or for another one of our business purposes.
  • Ask to restrict the processing of your personal data (restriction).
  • Ask to transfer your data to another controller or to yourself if we have processed your data based on your consent or based on the agreement you have entered into with us (data portability).
  • Object to the (further) processing of your personal data if we have processed your data based on our legitimate interests (objection).

If you would like to know more or would like to invoke your rights, please contact us at consumercare@scotch-soda.com or toll free at 1-866-544-1557.

 

Note that, as required by law, we will require you to prove your identity. We may verify your identity by phone call or email. Depending on your request, we will ask for information such as your name, the last item you purchased from us, or the date of your last purchase from us. We may also ask you to provide a signed declaration confirming your identity. Following a request, we will use reasonable efforts to supply, correct or delete personal information about you in our files.

In some circumstances, California consumers may designate an authorized agent to submit requests to exercise certain privacy rights on your behalf. We will require verification that you provided the authorized agent permission to make a request on your behalf. You must provide us with a copy of the signed permission you have given to the authorized agent to submit the request on your behalf and verify your own identity directly with us. If you are an authorized agent submitting a request on behalf of an individual you must attach a copy of the following information to the request:

  1. A completed Authorized Agent Designation Form (available upon request) indicating that you have authorization to act on the consumer’s behalf and signed and notarized by the consumer. We will reimburse the consumer for reasonable notary costs evidenced by a receipt.
  2. If you are a business, proof that you are registered with the Secretary of State to conduct business in California.
  If we do not receive the required pieces of information, the request will be denied.

13. Objection and complaints
If we have collected personal data from you on the basis of our legitimate interests, you can at all times object to the processing of your personal data by contacting us at consumercare@scotch-soda.com. Unless we have compelling legal grounds for the processing which override your interest to stop the processing, we will stop processing your personal data.
If you do not agree with our decision in relation to your personal data, you have the following options:

  • Contact us, so that we can try to resolve the issue together. You will find our contact details below.
  • Lodge a complaint with the Dutch supervisory authority (Autoriteit Persoonsgegevens) at www.autoriteitpersoonsgegevens.nl.
  • Ask the Dutch supervisory authority to mediate to resolve the issue.

 

 

14. Changes to our statement
Our Privacy Statement may change from time to time to reflect changes to our services or changes in the applicable privacy laws. We will not reduce your rights under this Privacy Statement without your explicit consent. We will post any changes to our Privacy Statement on this page. We will notify you personally, for example through an email notification, of significant changes to our Privacy Statement. Our privacy policy includes an “effective” and “last updated” date. The effective date refers to the date that the current version took effect. The last updated date refers to the date that the current version was last substantively modified.

 

15. Minors providing personal data
Persons below the age of 18 may only provide personal data to Scotch & Soda if they have written consent from one of their parents or a legal guardian who has read this privacy statement.

 

16. Information for California Residents
California Civil Code Sections 1798.115(c), 1798.130(a)(5)(c), 1798.130(c), and 1798.140 indicate that organizations should disclose whether certain categories of information are collected, "sold" or transferred for an organization "business purpose" (as those terms are defined under California law). You can find a list of the categories of information that we collect and share in the California Information Sharing Disclosure section. Please note that because this list is comprehensive it may refer to types of information that we share about people other than yourself. If you would like more information concerning the categories of personal information (if any) we share with third parties or affiliates for those parties to use for direct marketing please submit a written request to us using the information in the "Contact us" section below. We do not discriminate against California residents who exercise any of their rights described in this Privacy statement.

 

17. Contact us
Scotch & Soda E-commerce B.V. is responsible for the processing of your personal data and acts as the controller. If you have any questions, feedback or want to know more about how your personal data is processed, or if you want to access, correct, or remove your personal data, please contact us at consumercare@scotch-soda.com. You may write to us at: Scotch & Soda E-commerce B.V., Parellaan 76, 2132 WS, Hoofddorp, the Netherlands (department web store). You may also call us at our toll-free number at 1-866-544-1557.

 

18. California Information Sharing Disclosure
California Civil Code Sections 1798.115(c), 1798.130(a)(5)(c), 1798.130(c), and 1798.140 indicate that organizations should disclose whether the following categories of personal information are collected, transferred for "valuable consideration" or transferred for an organization's "business purpose" (as those terms are defined under California law). The table below indicates the categories of personal information we collect and transfer in a variety of contexts. Scotch & Soda does not sell any personal information to third parties. Please note that because this list is comprehensive, it may refer to types of information that we collect and share about people other than yourself. For example, while we transfer credit card or debit card numbers for our business purpose in order to process payments for orders placed with us, we do not collect or transfer credit card or debit card numbers of individuals that submit questions through our website's "contact us" page.

  

Categories of Personal Information We Collect

To Whom We Disclose Personal Information for a Business Purpose

Identifiers – this may include real name, alias, postal address, unique personal identifier, online identifier, email address, account name, social security number, driver’s license number, passport number or other similar identifiers.

  • Advertising networks
  • Affiliates or subsidiaries
  • Business partners
  • Data analytics providers
  • Data brokers
  • Government entities, as may be needed to comply with law or prevent illegal activity
  • Internet service providers
  • Joint marketing partners
  • Operating systems and platforms
  • Other Service Providers
  • Payment processors and financial institutions
  • Professional services organizations, this may include auditors and law firms
  • Social networks

Additional categories of personal information described in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) – this may include signature, physical characteristics or description, state identification card number, insurance policy number, education, bank account number, credit card number, debit card number, and other financial information, medical information, and health insurance information.

  • Affiliates or subsidiaries
  • Business partners
  • Government entities, as may be needed to comply with law or prevent illegal activity
  • Internet service providers
  • Joint marketing partners
  • Operating systems and platforms
  • Other Service Providers

Characteristics of protected classifications – this may include age, sex, race, ethnicity, physical or mental handicap, etc.

  • Operating systems and platforms
  • Other Service Providers

Commercial information – this may include information about products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

  • Advertising networks
  • Affiliates or subsidiaries
  • Business partners
  • Data analytics providers
  • Data brokers
  • Government entities, as may be needed to comply with law or prevent illegal activity
  • Internet service providers
  • Joint marketing partners
  • Operating systems and platforms
  • Other Service Providers
  • Payment processors and financial institutions
  • Professional services organizations, this may include auditors and law firms
  • Social networks

Internet or other electronic network activity information – this may include browsing history, search history, and information regarding an individual’s interaction with an internet website, application, or advertisement.

  • Advertising networks
  • Affiliates or subsidiaries
  • Business partners
  • Data analytics providers
  • Data brokers
  • Government entities, as may be needed to comply with law or prevent illegal activity
  • Internet service providers
  • Joint marketing partners
  • Operating systems and platforms
  • Other Service Providers
  • Payment processors and financial institutions
  • Professional services organizations, this may include auditors and law firms
  • Social networks

Geolocation data

  • Advertising networks
  • Affiliates or subsidiaries
  • Business partners
  • Data analytics providers
  • Data brokers
  • Government entities, as may be needed to comply with law or prevent illegal activity
  • Internet service providers
  • Joint marketing partners
  • Operating systems and platforms
  • Other Service Providers
  • Payment processors and financial institutions
  • Professional services organizations, this may include auditors and law firms
  • Social networks

Audio, electronic, visual, thermal, olfactory, or similar information

  • Other Service Providers

Professional or employment-related information

  • Other Service Providers

Non-public education information (as defined in the Family Educational Rights and Privacy Act)

  • Other Service Providers

Inferences drawn from any of the information listed above


Effective Date: 12 February 2020
Last Update: 23 July 2020