The Green Labs Group INC
June 2, 2021
For the purposes of the laws of European Union, including the General Data Protection Regulation (GDPR), we are the “data controller” of all personal information of individuals located in the European Economic Area (EEA) that are collected through the GL Services.
If you are a located in the EEA, you may have additional rights under GDPR, including the right to:
- ask us to stop using your personal information for direct-marketing purposes. If you exercise this right, we will stop using your personal information for this purpose; and
- ask us to consider any valid objections which you have to our use of your personal information where we process your personal information on the basis of our, or another person’s, legitimate interest.
If you are a California resident, you may be entitled to additional rights over your personal information.
- COLLECTION OF PERSONAL INFORMATION
Depending on our relationship, we will collect and use your personal information in different ways. Please see the sub-headings below to find out more about the personal information that we collect about you and how we use this personal information
If you choose not to provide the personal data we request from you below, we may not be able to provide you with the products and/or services you have requested or otherwise fulfil the purpose(s) for which we have asked for the personal data unless they have been marked as optional (*).
- Visitors to our Sites
When you visit our Sites, we (or third parties on our behalf) may collect and use any of the following categories of personal information about you:
Type(s) of personal information
Our lawful basis for processing this personal information under GDPR (see section 5 for further details)
We use this for analytics purposes to improve the functionality of our Sites
Browser IP address
a) We use this to identify you when you return to our Sites
a) Legitimate interest
b) When you have started a purchase journey for our Products, but abandoned your basket, we use this with other personal information to send you an abandoned basket email, so you can pick up where you left off to finish your purchase of our Products
Contact details (first and last name, email address)*
a) When you have started a purchase journey for our Products, but abandoned your basket, we use this with other personal information to send you an abandoned basket email, so you can pick up where you left off to finish your purchase of our Products
b) We collect this information where you have signed-up to join our mailing list (e.g. via a pop-up on our Sites) and will use it to send you email marketing. If you wish to stop receiving these emails, you can opt-out by changing your account settings or by clicking on an unsubscribe link in each such email
Usage data (mouse movements and clicks, keystroke data, video recording of all pages you visit on our Sites)*
We use this to improve our marketing and understanding of how our customers use our Sites so we can make improvements
Social media widgets data (e.g. IP address, data concerning which page you are visiting on our Sites, cookie data)*
Personal information you provide if you enter a survey, sweepstake, contest or other promotional activity, or attend an event (such as a trade show)
We use this to administer rewards, surveys, sweepstakes, contests, or other promotional activities or events sponsored or managed by GL or our business partners
Performance of a contract
Information provided when you correspond with us
We use this to deal with any enquiries or issues you have about our Products or Services and to provide customer support
Performance of a contract (including in order to take steps at the request of the visitor prior to entering into a contract)
- Other processing of your personal information
Whatever our relationship with you is, we may also collect, use and store your personal information for the following additional reasons:
- to deal with any enquiries or issues you have about how we collect, store and use your personal information, or any requests made by you for a copy of the information we hold about you. If we do not have a contract with you, we may process your personal information for these purposes where it is in our legitimate interests for customer services purposes;
- for internal corporate reporting, business administration, ensuring adequate insurance coverage for our business, ensuring the security of company facilities, research and development, and to identify and implement business efficiencies. We may process your personal information for these purposes where it is in our legitimate interests to do so;
- to comply with any procedures, laws and regulations which apply to us – this may include where we reasonably consider it is in our legitimate interests or the legitimate interests of others to comply, as well as where we are legally required to do so; and
- to establish, exercise or defend our legal rights – this may include where we reasonably consider it is in our legitimate interests or the legitimate interests of others, as well as where we are legally required to do so.
- COOKIES AND BEACONS
Unlike persistent cookies, session cookies are deleted when you log off from GL Sites and Apps and close your browser. Although most browsers automatically accept cookies, you can change your browser options to stop automatically accepting cookies or to prompt you before accepting cookies. The help section of your web browser, most likely found on the toolbar, typically tells you how to prevent your browser from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable cookies altogether. Please note, however, that if you choose not to accept cookies, you may not be able to access all portions and/or features of GL Sites and Apps.
- BEHAVIORAL TARGETING / RE-TARGETING
- OUR LEGAL BASIS FOR USING YOUR PERSONAL INFORMATION OF USERS LOCATED IN EEA
- a) our use of your personal information is necessary to perform our obligations under any contract with you or take steps to enter into a contract with you (for example, to sell our Products and provide you with GL Services, to fulfil an order which you place with us (make and receive payment) and provide customer services, ); or
- b) our use of your personal information is necessary for complying with our legal obligations (for example, if you contact us requesting access to personal information we hold about you); or
- c) where neither (a) nor (b) apply, use of your personal information is necessary for our legitimate interests or the legitimate interests of others (for example, to ensure the security of our Sites and Apps). Our legitimate interests are to:
- run, grow and develop our business and improve the GL Services;
- operate our Sites and Apps;
iii. carry out marketing, market research and business development;
- invest in and roll out new products to benefit the communities in which we operate; and
- for internal group administrative purposes.
We may process your personal information in some cases for marketing purposes on the basis of your consent (which you may withdraw at any time after giving it, as described below).
If we rely on your consent for us to use your personal information in a particular way, but you later change your mind, you may withdraw your consent by contacting us at [email protected] and we will stop doing so. However, if you withdraw your consent, this may impact the ability for us to be able to provide the GL Services that require use of your personal information for that relevant purpose.
- AGGREGATE AND NON-PERSONAL INFORMATION
GL may aggregate and analyze, non-personally-identifying information about the performance of GL Services. From time to time, GL may disclose and use aggregate and non-personally-identifying information for industry analysis, demographic profiling, marketing and advertising, and other business purposes, e.g., by reporting on trends in the usage of its devices, Sites or GL Services.
- DISCLOSURE TO THIRD PARTIES
We will not sell the personal information that you provide us. We do not provide personal information collected by GL Services to any third party for such third party’s direct marketing purposes.
We will share your personal information with the following categories of third parties:
- Our Service Providers. We may employ third-party companies and individuals to administer and provide GL Services on our behalf, (including, without limitation, bill and credit card payment processing, maintenance, administration, support, hosting, marketing (including email marketing) and database management services). These third parties may have access to your personal information only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.
GL takes children’s privacy seriously. Our GL Services are not directed to children under the legal age in your jurisdiction, and we do not knowingly collect personal information from children under the legal age in your jurisdiction. If you are under the legal age in your jurisdiction, please do not submit any personal information through our Sites or Apps without the consent and participation of a parent or guardian. If we learn that we have collected personal information from a child under the legal age in your jurisdiction we will take steps to delete such information from our files as soon as possible.
Please contact us at [email protected] if you are aware that we may have inadvertently collected personal information from a child under the legal age in your jurisdiction.
- INDIVIDUAL RIGHTS UNDER GDPR
If you are located in the European Economic Area, you have the following rights under GDPR:
- Right of access. You have a right of access to any personal information we hold about you. You can ask us for a copy of your personal information; confirmation whether your personal information is being used by us; details about how and why it is being used; and details of what safeguards are in place if we transfer your information outside of the European Economic Area (“EEA”).
- Right to rectify your information. You have a right to request the rectification of any of your personal information which is out of date or incorrect.
- Right to delete your information. You have a right to ask us to delete any personal information which we are holding about you in certain specific circumstances. You can ask us for further information on these specific circumstances by emailing us at [email protected].
- Right to restrict use of your information: You have a right to ask us to restrict the way that we process your personal information in certain specific circumstances. You can ask us for further information on these specific circumstances by emailing us at [email protected].
- Right to stop marketing: You have a right to ask us to stop using your personal information for direct-marketing purposes. If you exercise this right, we will stop using your personal information for this purpose.
- Right to data portability: You have a right to ask us to provide your personal information to a third party provider of services. This only applies to your personal data that you have provided to us that we are processing with your consent and for the purposes of contract fulfilment, which is being processed by automated means. In such a case we will provide you with a copy of your data in a structured, commonly used and machine-readable format or (where technically feasible) we may transmit your data directly to a separate data controller.
- Right to object. You have a right to ask us to consider any valid objections which you have to our use of your personal information where we process your personal information on the basis of our or another person’s legitimate interest.
- Right to withdraw consent – where we process your personal data on the basis of your consent, you have the right to withdraw your consent at any time. However, such withdrawal does not affect the lawfulness of the processing that occurred prior to such withdrawal.
- Where you are located in France: Right to provide us with instruction on the management of your data after your death. You have the right to provide us with instruction on the management of your personal data after your death.
We will consider all such requests and provide our response within a reasonable period (and in any event within one month of your request unless we tell you we are entitled to a longer period allowed by applicable law). Please note, however, that certain personal information may be exempt from such requests in certain circumstances, for example if we need to keep using the information to comply with our own legal obligations or to establish, exercise or defend legal claims.
If an exception applies, we will tell you this when responding to your request. We may request you provide us with information necessary to confirm your identity before responding to any request you make.
Please note that removing your personal information may limit our ability to provide GL Services to you. If you completely delete all such personal information, your account will be deactivated and you may lose access to the Services and your use of the Products.
- LINKS TO OTHER SITES AND SERVICES
GL Services may contain links to other websites or services. The fact that we link to a website or service is not an endorsement, authorization, or representation that we are affiliated with that third party. We do not exercise control over any third-party websites or services. Other websites and services follow different rules regarding the use or disclosure of the personal information you submit to them. We encourage you to read the privacy policies or statements of the other websites you visit and services that you use.
- DATA RETENTION
The security of your personal information is important to us. We follow generally-accepted industry standards for the data and processing that we do, and take all reasonable steps to protect the personal information submitted to us, both during transmission and once we receive it, including without limitation:
(i) using encryption when collecting or transferring sensitive personal information;
(ii) limiting physical access to our premises;
(iii) limiting access to the personal information we collect about you;
(iv) ensuring that we have appropriate security safeguards to keep personal information secure; and
(v) where required by law, destroying or de-identifying personal information.
However, no method of transmission over the Internet or method of electronic storage is 100% secure. Therefore, we cannot guarantee its absolute security. We will comply with all privacy laws and make any legally required disclosures regarding breaches of the security, confidentiality, or integrity of personal information consistent with our ability to determine the scope of a breach and our obligations to law enforcement.
- INTERNATIONAL TRANSFER
IMPORTANT: When you use GL Services, your data may be used, stored and/or access by staff operating outside the EEA such as the United States and possibly other countries, including Canada and Serbia, working for us, our partners or our suppliers.
If you have a concern or complaint about how your personal information has been treated by us, you can contact us at [email protected].
In accordance with Article 77 of the General Data Protection Regulation, you may also make a complaint to the data protection regulator in the country where you usually live or work, or where an alleged infringement of the General Data Protection Regulation has taken place. In France, the data protection regulator is the Commission Nationale de l’Informatique et des Libertés (CNIL). In the UK, the data protection regulator is the Information Commissioner’s Office.
- PRIVACY NOTICE FOR CALIFORNIA RESIDENTS UNDER THE CALIFORNIA CONSUMER PRIVACY ACT
CCPA allows California residents, upon a verifiable consumer request, to request that a business that collects consumer personal information give consumers access, in a portable and (if feasible) readily usable form, to the specific pieces and categories of personal information that the business has collected about the consumer, the categories of sources for that information, the business or commercial purposes for collecting the information, and the categories of third parties with which the information was shared. California residents also have the right to submit a request for deletion of information under certain circumstances.
We do not, and will not, sell your personal information. We collect, use and share your personal information as described below.
COLLECTION, USE AND SHARING OF PERSONAL INFORMATION
We collect information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California consumer or household (“personal information”). We collect personal information from you when you use our website, mobile app or any of our products, software or services (together, “Services”). We obtain your personal information directly from you when you create your online or app account with us or use our Services or indirectly (e.g., through cookies or other tracking mechanisms). We also obtain your personal information from third parties that interact with us in connection with Services. In the preceding 12 months, we have collected and disclosed the following categories of consumer personal information:
Name, alias, online identifier, IP address, postal address, email address, account name.
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).
Name, physical characteristics or description, address, telephone number, credit card number, debit card number, medical information, product and customer support inquiries.
Protected classification characteristics under California or federal law.
Age, race, color, veteran or military status.
Records related to your purchases of our products or services, tendencies based on your order information, records related to survey, sweepstakes or contest entries.
Face imagery, voice recordings, keystroke patterns
Internet or other similar network activity.
Browsing history, browser type, browser IP address, mouse and keystroke data, video recordings of the pages you visit on our sites and other electronic activity information collected through technologies like cookies, web beacons, social media widgets and browser web storage), log information, wi-fi
Inferences drawn from other personal information.
Profile reflecting a person’s preferences related to usage of our Services.
“Personal information” under the California Consumer Privacy Act does not include information that is
- publicly available from government records;
- de-identified or aggregated consumer information;
- health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data; or
- certain personal or financial information covered under certain sector-specific privacy laws.
ACCESS AND DATA PORTABILITY RIGHTS
You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months, subject to certain exceptions. Once we receive and confirm your verifiable consumer request and unless an exception applies, we will disclose to you:
- The categories of personal information we collected about you.
- The categories of sources for the personal information we collected about you.
- Our business or commercial purpose for collecting or selling that personal information.
- The categories of third parties with whom we share that personal information.
- The specific pieces of personal information we collected about you (also called a data portability request).
- If we disclosed your personal information for a business purpose, a list specifying such disclosures, identifying the personal information categories that each category of recipient obtained.
DELETION REQUEST RIGHTS
You have the right to request that we delete your personal information, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.
We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:
- Complete the transaction for which we collected the personal information, provide a product or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
- Detect and protect against security incidents, malicious, deceptive, fraudulent, or illegal activity or prosecute those responsible for such activities.
- Debug products to identify and repair errors that impair existing intended functionality.
- Exercise a right provided for by law.
- Comply with the California Electronic Communications Privacy Act.
- Engage in research in the public interest that adheres to applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
- Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
- Comply with a legal obligation.
- Otherwise use the information internally in a lawful manner compatible with the context in which you provided the information.
EXERCISING ACCESS, DATA PORTABILITY AND DELETION RIGHTS
To exercise the access, data portability and deletion rights described above, you or your authorized agent can submit a verifiable consumer request by sending us an email to [email protected]. Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.
You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:
- Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. We may ask for additional information that will help us do so. We will only use that additional information in the verification process, and not for any other purpose. You do not have to create an account with us to submit a request.
RESPONSE TIMING AND FORMAT
We will respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time, we will inform you of the reason and extension period in writing.
We will deliver our written response by mail or electronically, at your option.
Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily usable and capable of being transmitted by email.
We do not charge a fee to process or respond to your verifiable consumer request unless such request is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
We do not, and will not, discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not deny you goods or services; charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties; provide different quality of goods or services; or suggest you will receive a different price, rate, level, or quality of goods or services.
OTHER CALIFORNIA PRIVACY RIGHTS
California’s “Shine the Light” law (California Civil Code Section 1798.83) permits users of our Services that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please email us at [email protected].
California law, CalOPPA (California Business & Professions Code Section 22575 (a)) requires us to let you know how we respond to web browser “Do Not Track” (DNT) signals. Because there currently is not an industry or legal standard for recognizing or honoring DNT signals, we do not honor Do Not Track requests at this time.