ARRAK OUTDOOR Privacy Policy (GDPR)


At ARRAK OUTDOOR we take your privacy seriously, and thus we aim for a high level of data protection. For example, we would never share or sell your information to another company. This privacy policy explains how we collect and use your personal data. It also describes your rights and how you can enforce them. It is important that you read and understand the privacy policy and feel safe with how we handle your personal data. You are always welcome to contact us if you have any questions at all. Using the table of contents below you can easily navigate to the sections that are of particular importance to you.


TABLE OF CONTENTS

What is personal data and what is processing of personal data?
Who is responsible for the personal data that we collect?
What personal data do we collect about you as our customer, and for what purposes?
From what sources do we collect your personal data?
Who may we share your personal data with?
Where do we process and store your personal data?
For how long do we store your personal data?
What are your rights as a registered member?
How do we process personal identification numbers?
What are cookies and how do we use them?
Are you able to control the use of cookies?
How is your personal data protected?
What does it mean that the Data Protection Authorities (Integritetsskyddsmyndigheten) is the supervising authority?
How do you best contact us if you have questions regarding data protection?

What is personal data and what is processing of personal information?

Personal data is any kind of information that directly or indirectly can be connected to or identify a physical person who is alive. For example, images or sound recordings treated in a computer can be considered personal information even if no names are mentioned. Encrypted information and various forms of electronic identities (for example your IP address) are considered personal data if they can be connected to a physical person. Processing of personal data is everything that happens to the information. Every action performed using personal data is considered processing of that data, regardless if it’s performed automatically or not. Common actions include collecting, registering, organising, structuring, storing, processing and deleting.


Who is responsible for the personal data that we collect?

ARRAK OUTDOOR AB, org. nr. 556932-9831 Brunnemyrsvägen 4, 451 55, Uddevalla, are responsible for the personal information collected by the company.

Valid from 2018-05-25

1.

What personal data do we collect about you as our customer, and for what purpose?

Purpose

Processing actions

Type of personal data

To handle orders/purchases

Delivery (including receipt and contact regarding delivery).

Identification and age check. Handling of payment (including analysis of possible payment solutions which may entail a check of payment history and collection of credit checks from Klarna).

Address confirmation against SPAR. Handling of returns and guarantee claims.

 

Name.
Personal number. Contact information (for example address, e-mail and phone number). Payment history. Payment information. Credit check from credit check company. Purchasing information (for example which item you have ordered or if the item is to be delivered to a different address).

User information for My Pages (members only).

 

Legal reason: Fulfilment of the purchase agreement. This collection of personal data is required to fulfil our obligations according to the law. If the information is not provided, we are unable to fulfil our obligations and are forced to deny your purchase.

Storage period: Until the purchase is complete (including delivery and payment) and for 36 months thereafter in order to handle any claims or returns. If you make a second purchase within the 36 month period, the storing of all information is extended by another 36 months.


2.

Purpose

Processing actions

Type of personal data

To fulfil the legal duties of the company.

Necessary handling in order to fulfil our legal duties according to the law, court decisions or authority decisions (for example bookkeeping, money laundry laws, or laws regarding product responsibility and product safety, which may require providing communication and information to the public and customers regarding product issues and product recalls if deemed defect or a health threat).

 

Name.
Personal number. Contact information (for example address, e-mail and phone number). Payment history. Payment information. Your communication.

Information regarding time of purchase, place of purchase, errors/complaints. User information for My Pages (members only).

 

Legal reason: Legal obligations. This collecting of your personal data is required by law. If the information is not provided our legal obligations may not be fulfilled and we are forced to cancel your purchase.

Storage period: Until the purchase is complete (including delivery and payment) and for 36 months thereafter in order to handle any claims or returns. If you make a second purchase within the 36 month period, the storing of all information is extended by another 36 months.

PurposeProcessing actionsType of personal data

In order to handle customer service cases and claims.

Communication and answering any questions directed to our customer service department (by phone or through digital channels, including social media).
Identification. Investigation of any claims or complaints, and support cases (including technical support).

Name.
Personal number. Contact information (for example address, e-mail and phone number). Your communication with us. Purchase time, purchase location, any errors or complaints. Technical information about your gear.

Health information (for example allergic reactions and health conditions that you tell us about).

User information for My Pages (members only).

Legal reason: Lawful interest. Treatment is necessary to fulfil our and your interest of handling customer service cases.

Storage period: Until the customer service case has been concluded and for 36 months thereafter. If within this 36 month period you make another purchase, the information will be stored for another 36 months.


3.

Purpose

Processing actions

Type of personal data

To implement and handle participation in contests and/or events.

Communication before and after participation in a contest or an event (for example confirming participation, answering questions or performing evaluations).

Identification and age checks. The choice of winner and communicating any prizes (for example payments or travel bookings).

Name.
Personal number. Contact information (for example address, e-mail and phone number).

Information provided related to the contest. Information provided to evaluate events.

Legal reason: Lawful interest. Treatment is necessary to provide for our and your interest in handling your participation in contests and/or events.

Storage period: During the time period of the contest/event (including evaluation).


4.

Purpose

Processing actions

Type of personal data

To evaluate, develop and improve our services, products and customer management systems.

Adapting services to be more user friendly (for example changing the interface to improve information flow or to enhance features used the most by our customers in our digital channels). Foundation material to improve product and logistic flow (for example to prognose purchases, storage and deliveries). Foundation material to develop and improve our range of products and services. Foundation material to improve resource management and the environmental perspective (for example by making purchases and planning of deliveries more effective).

Foundation material for the purpose of planning new or discontinue existing establishments of shops and storehouses.

Provide our customers with the opportunity to influence our range of products and services. Foundation material to improve IT-systems to raise security levels of the company and our visitors/customers.

Analysis of the information we collect for the purpose. Based on the information we collect (for example purchase history, age and gender) you are sorted into a customer group (customer segment) on which analysis is performed at an aggregated level using de-identified data without any individual connection to you as a person. The insights from this analysis are the foundation of which products we order and how we develop My Pages at arrakoutdoor.com.

Age.
Gender.
City of residence.
Communication and feedback regarding our services and products.

Purchase and user generated data (for example clicks and visiting history).

Technical data regarding units used and their settings (for example language settings, IP address, web browser settings, time zone, operating system, screen size and platform). Information regarding how you have used our service, login method, where and for how long you have visited specific pages, how you got here and how you exit the service, etc.

Legal reason: Lawful interest. Treatment is necessary to provide our interest and the interest of our customers to evaluate, develop and improve our services, products and system.

Storage period: From the time of collection and for 36 months thereafter.


5.

Purpose

Processing actions

Type of personal data

To prevent abuse of a service or to prevent and investigate crimes against the company.

Prevention and investigation of potential fraud or other illegal actions.

Prevention of spam, phising, harrassment, attempts of illegal logins to user accounts or other actions forbidden by law or our purchase, membership or service terms.

Protection and improvement of our IT environment against attacks and breaches.

Purchase and user generated data (for example clicks and page view history).

Technical data regarding units and their settings (for example language settings, IP address, web browser settings, time zone, operating system, screen size and platform). Information on how our services are used.

Legal reason: Fulfilment of legal obligation (if applicable) alternatively lawful interest. If no legal obligation exists, the treatment is necessary to ensure our lawful interest in preventing abuse of a service or to prevent and investigate crimes against the company.

Storage period:From the time of collection and 36 months thereafter.


6.

Purpose

Processing actions

Type of personal data

To deliver a personal and customised experience of our services.

The creation of content that is personal to you, for example through relevant product recommendations, presentations of specific benefits and offers, and other similar actions that results in an easier process for you.

Simplified use of our services (for example by saving favourites to simplify future purchases or to remind you of forgotten/abandoned digital shopping carts). Personal communication based on your membership behaviour.

Analysis of the data that we collect for this purpose. Based on the information that we collect (for example membership level, purchase history and click history) we perform an analysis at an individual level. The insights from this analysis are the foundation of our communication with you and which offers, benefits and information, such as bonuses, are presented to you on My Pages.

Name.
User name.
Age.
Gender.
City of residence.
Membership level.
Purchase history.
Purchase and user generated data (for example clicks and visiting history).
Selected customer options regarding communication channels.


Legal reason: Fulfilment of the agreement of membership of the loyalty programme. This collection of your personal data is required for us to fulfil our obligations according to the agreement regarding membership of the loyalty programme. If the information is not provided our obligations cannot be fulfilled and we are forced to deny your membership.

Storage period: Until the membership is cancelled (may happen manually or automatically, for example as a result of inactivity for a period of 24 months).

From what sources do we collect your personal data?

Other than the data that you provide to us yourself, or which we collect based on your purchases and how you use our services, we may also collect personal information from others (so called third parties). The information we collect from third parties are: 1) Address information from public registers to ensure that we have your correct address. 2) Information about credit from credit check institutes, banks or other companies.


Who may we share your information with?

Personal Data Assistants. In cases where it is necessary in order to provide you with our services we share your personal information with companies who are so called personal data assistants to us. A personal data assistant is a company that processes information on our behalf and according to our instructions. We have companies who help us with:

1) Transportation (logistics and shipping companies).
2) Payment solutions (card handling companies, banks and other providers of payment solutions).
3) Marketing (print and distribution, social media, media consultants and advertising agencies).
4) IT services (companies handling the running of IT solutions, technical support and maintenance of IT solutions).

When your information is shared with personal data assistants it is done only for the purposes for which the information was collected (for example to fulfil our obligations according to the purchase agreement or loyalty membership terms). We check all third parties to ensure that they are able to provide sufficient guarantee regarding safety and the integrity and secrecy of your personal data. We have written agreements with all third party companies through which they guarantee the safety of the personal information that they process and agree to follow our security demands as well as limitations and demands regarding international transfer of personal data.

Companies that are independently responsible for personal data. We also share your information with certain entities that are independently responsible for personal data. This means that we are not in control of how the information handed to the company is processed and treated. Independently responsible entities are:

1) Government authorities (police, tax authorities or other government authorities) if we are required to do this by law or when there is suspicion of crime.
2) Companies providing public product transportation (logistics companies and shipping suppliers).
3) Companies offering payment solutions (card payment companies, banks and other payment services).

When your information is shared with other companies that are independently responsible for personal data the integrity policy and personal data handling processes of that company applies.

Where do we process and store your personal data?

We always aim to process and store your personal information within the EU/EEA and all our IT systems are located within the EU/EEA. During system support and maintenance, however, we may have to transfer information outside of the EU/EEA, for example when sharing your information with personal data assistants and third parties who, on their own or through a subcontractor, are established or store information in a country outside of the EU/EEA. The third-party company may in these cases only access the information that is relevant to the purpose (for example log files).

Regardless of what country your personal data is processed in we take all reasonable legal, technical and organisational steps to ensure that the protection and security level remains the same as within the EU/EEA. In cases where personal data is processed outside of the EU/EEA the security level is guaranteed

10.

Either through a decision from the EU commission that the country in question ensures an adequate security level, or by use of so called suitable security measures. Example of suitable security measures are an approved code of conduct in the receiving country, binding internal company rules, or a Privacy Shield. If you wish to receive a copy of the security measures in place or information regarding where they are available, you’re more than welcome to contact us.

For how long do we store your personal data?

We never save your personal data for longer than is necessary for the specific purpose. Learn more about the specific storage periods under each individual purpose.

What are your rights as a registered member?

Right to access (register extract). We are always open and transparent regarding how we process your personal data, and in case you wish to have a better insight into what information we have about you it is possible to request access to the information (the information is provided in the form of a register extract with specified purposes, types of personal information, types of receivers, storage periods, information about where the data has been collected from, and the existence of automated decisions).

Consider that, in case we receive a request of access, we may ask for additional information to ensure effective management of your request and that the information is given to the correct person.

Right to correction. You can request to have wrongful information corrected. Within the scope of the given purpose you are also entitled to add information to any incomplete or partial personal information.

Right to delete. You can request that your personal data is deleted or removed in cases when:
The information is no longer required for the specific purpose of which they were collected or processed. You object against an evaluation of interest that we have made based on lawful interest and your reason for the objection weighs heavier than our lawful interest.
You object to the use of your personal data for direct marketing.
The personal data is treated or processed in an illegal manner.
The personal data must be deleted to fulfil a legal obligation to which we are held.
Personal information has been collected about a child (under the age of 13) for which you are the legal guardian and the collection has taken place in relation to an offer of services in the information community (for example social media).

Remember that we have the right to deny your request if there are legal obligations preventing us from immediately deleting certain personal data. These obligations are specified by laws related to bookkeeping, taxes, banks and money laundering, but also consumer rights laws. It may also be that the processing of your personal data is required in order for us to ensure, enforce or defend legal claims. If we are unable to meet your request to have personal data deleted, we will instead block the information from being used for any purposes other than the purpose preventing us from deleting the information.

Right to limitation. You have the right to request that our processing of your personal data is limited. If you are objecting to the correctness of the information that we’re processing, you can request limited.

11.

Treatment during the time required to check whether the information is correct or not. If we no longer need the information for its original purpose, but you need them to ensure, enforce or defend a legal claim, you can request limited treatment of the information that we have. This means that you can request that we do not delete the information.

If you have objected to an evaluation of interest based on lawful interest that we have made as a legal foundation for the purpose, you can request limited treatment during the time required to check whether our lawful interest weights heavier than your interest to have the information deleted.

If the treatment has been limited according to any of the above situations we are only allowed to – other than storing – process the information to ensure, enforce or defend legal claims, to protect the rights of someone else, or for purposes that you have given your express consent for.

The right to object to certain type of processing. You are always entitled to not be subjected to direct marketing and to object to any use of your personal data that is based on an evaluation of interest.

Lawful interest: In cases where we use an evaluated interest as a legal foundation for a purpose you are able to object to the processing of your personal data. In order to keep processing your data after such an objection we need to prove that we have reasons to use your information that weigh heavier than your interests, rights or freedom. In other cases, we are only allowed to process the information to ensure, enforce or defend legal claims.


Direct marketing (including analysis for direct marketing purposes): You are entitled to object to your personal data being used for direct marketing. The objection also includes analysis of data (so called profiling) used for direct marketing purposes. Direct marketing means any type of targeted marketing efforts (for example via mail, e-mail or SMS). Marketing efforts where you as the customer has actively chosen to use one of our services or otherwise looked us up to learn more about our services does not count as direct marketing (for example product recommendations or other service functionality and offers on My Pages).

If you object to direct marketing, we will cease to process your personal data for this purpose as well as cease all forms of direct marketing efforts.

emember that you’re always able to change what channels we use to send our marketing and personal offers through. For example, you can choose to only receive offers by e-mail but not SMS. In those cases you do not need to object to the processing of your personal data as such, but rather limit our use of communication channels (by changing the settings on My Pages or by contacting customer services).

Right to data portability. If our right to process your personal data is based on either consent or the fulfilment of obligations by an agreement with you, you have the right to have your personal data that you have given to us transferred to a different personal data controller (so called data portability). A requirement for data portability is that the transfer is technically possible and can be performed automated.

How do we process personal numbers?

We will only process your personal identification number when it is clearly motivated for the purpose, necessary for safe identification or if there’s another reasonable purpose. We always minimise the use of your personal number as far as possible, particularly in cases where it is instead possible to use only your date of birth.

12.

What are cookies and how do we use them?


A cookie is a small text file consisting of letters and numbers which is sent from our web server and saved in your web browser or on your unit. At arrakoutdoor.com we use the following cookies:
1) Session cookies (a temporary cookie that ceases to exist when you close your web browser or unit.
2) Lasting cookies (cookies that remain on your computer until you remove them or they expire).
3) First party cookies (cookies placed by the website that you visit).
4) Third party cookies (cookies placed by a third party website. On our website these are primarily used for analysis, for example Google Analytics.)
5) Similar technologies (technologies storing information in your web browser or on your unit in ways similar to cookies).
The cookies that we use normally improve the services that we offer. Some of the services need cookies to function at all, while others improve the services for you. We use cookies for overall analytical information regarding your use of our services and to save settings such as language and other data. We also use cookies to provide you with relevant marketing material.

Are you able to control the use of cookies?

Yes! Your web browser or unit gives you the option to change the settings for the use of cookies. Go to settings in your web browser to learn more about how to change the cookie settings. Examples of things that you can change include only accepting first party cookies or deleting cookies when you close your web browser. Remember that some services may not work properly if you block or delete cookies. You can read more about cookies in general at pts.se.

How is your personal data protected?

We use IT systems to protect the integrity, secrecy and access to personal data. We have taken special security measures to protect your personal data against unlawful or unauthorised treatment (such as illegal access, loss, destruction or damage). Only people who actually need to process your personal data to fulfil our specified purposes have access to it.

What does it mean that the Data Protection Authorities (Integritetsskyddsmyndigheten) is the supervising authority?

The Swedish authority Integritetsskydsmyndigheten are responsible for supervising the adaption of the law, and anyone who believes that a company is mistreating personal data can file a complaint to Integritesskyddsmyndigheten.

How do you best contact us if you have questions regarding data protection?

Because we take data protection seriously we have appointed employees at our customer service department who handle these cases, and you can always reach them at [email protected].

We may make changes to our privacy policy. The latest version of the privacy policy is available on this website. When significant changes are made to how we process and treat your personal data (for example changes to given purposes or type of information collected), or updates that aren’t of significance to how we treat your information but which may be of importance to you, you will receive information on Arrak Outdoor.se and by e-mail (if you have provided an e-mail address) well in advance of the updates taking effect. Upon making information about the updates available we will also explain what the update entails and how it will affect you.