- make it easier for you to understand which data we collect and how we use it
- give you increased control over your data
- and provide a detailed explanation of your rights as a user.
1. IN GENERAL
Inside The Box AB, 559178-5125. Sweden. We, the team of Inside The Box, email address: firstname.lastname@example.org (“Email Address”), process your personal data when you use our app or website (“Website” and, together with the Apps, “Products”). The processing of your personal data takes place in compliance with applicable local data privacy laws, e.g. the EU General Data Protection Regulation (“GDPR“), the Swedish data protection act in its current form and the California Consumer Privacy Act (“CCPA“).
In general the controller of data processing is Inside The Box. You can contact us via email under the Email Address.
Data Protection Officer. Our data protection officer can be contacted under the Email Address. Should you have any questions regarding the processing of your personal data, please do not hesitate to contact him/her.
3. WHICH DATA WE COLLECT AND PROCESS
In General. Inside the box processes personal data that you as a user of the Products make available to us, for example by using our Products, and that others provide to us (“Data”).
These are the categories of personal data we collect directly or indirectly from you:
- Identity information – includes: name (first, last), e-mail address, profile picture, unique consumer identifier number, social media identifiers and information passed along to us in case of social media account login, hardware usage and access, lock installation address, location tracked information and drop off solution images.
- Contact information – includes: your phone number, shipping and billing address, e-mail address. We use it to contact you for different reasons depending on the purpose.
- Location information – includes: your residential location, current log-in location (IP address), and/or GPS location (if you wish to share it with us, for example through your mobile device settings) or other phone related location data (e.g. via WiFi or Bluetooth), or the specific Inside The Box site you visited that might give us clues about where you are. We use it to operate our products and adapt your product experience to your location.
- Purchase information – includes: payment provider, subscription, price, currency, VAT (based on country info). We use payment providers to process payments. Although we do not store any credit card information ourselves, we store a payment ID number that is given out by the respective provider (e.g. Apple, Google, Klarna, Stripe) and can be allocated to you. We use it to process your payments.
- Behavioural and Profile information – includes: your delivery and shopping history, preferences, product reviews, social media interactions with us, and any other intelligence we have about you to help us learn you as a consumer better, including “Community information”. We use it to know you better as a consumer, so we can send you marketing messages containing only products and services that we think you might be interested in.
- Social Media information – includes: information obtained through your interaction with us on various social media channels such as Facebook, Instagram, Google, etc., including: any social media information that is publicly available such as your social media handles, social media interactions and public postings, your “Likes” and other reactions, your social media connections, your photos that are public, or those you send to us by mentioning us or following our social media posts by using “handles” or “hashtags”. We obtain this information from the social media network (e.g. Facebook, Snapchat, Instagram, etc.) directly or indirectly through third-party agencies we have agreements with.
- Device information – includes: Information about your device or browser that give us an idea about your behaviour or device usage. Your device information is collected by our apps, and your browser information is collected by our cookies, tags, and pixels. This is often required for network security purposes. This includes, but not limited to: IP address, date and time of the visit, how long you remained on our website, transmitted data volume, the referral URL (if you came to our site via a different site or an advertisement), the pages visited on our site, your browser type (including language and version of the browser software) and add-ons, device identifier and features, device type, versions, operating system.
- Activity information – includes: delivery and return data (for example parcel delivery/return timeline and or IDs, activity type), lock activity data (for example on lock openings / closing or when one time accesses are used, lock battery status). We use it to operate our products, to help you see and enhance access transparency to your device and the user experience and to suggest products/pricing models might be best for you based on your exercise patterns.
- Preference information – includes: preferred language, login location, buying patterns, return rate and your Inside The Box product reviews. We use it to give you convenience when you visit and/or shop on our sites and apps.
4. Data from Others.
Registration via social media. If you register a Inside The Box account via social login, we will receive the following information:
- Facebook Inc. (1601 South California Avenue, Palo Alto, CA 94304, USA, “Facebook”): First and last name, email address, gender, birthdate, profile picture;
- Google Inc. (1600 Amphitheatre Parkway Mountain View, CA 94043, USA, “Google”): First and last name, email address, gender, birthdate; and profile picture.
5. Third party service Use
AWS & Google Analytics for Mobile General. For Apps on iOS and Android we use Amazon Web services (for more information see here) and Google Analytics for Mobile (for more information see here) and webb. User data is transmitted in an anonymized form to Google. Our Apps use identification for mobile devices, including the Google Advertising ID (“GAID”) and the ID for Advertising for iOS (“IDFA”), as well as technologies similar to cookies for the use execution of the Analytics for mobile service.
Purpose. We use AWS and Google Analytics to analyze and constantly improve the use of our Products. Through the statistics we are able to improve our services and make them more interesting for users. In those special cases in which personal data is transmitted to the USA, Google is certified via EU-US privacy shield. The basis for the processing of data are our legitimate interests.
6. SHARING OF PERSONAL DATA
We share data with third parties to enable the Service this is necessary, for the purposes,due to a request from a national authority, due to a court ruling, if required by law, if necessary to investigate and defend ourselves against any third-party claims or allegations, to exercise or protect the rights and safety of Inside The Box, our members, personnel, or if you have (explicitly) consented beforehand. We attempt to notify you about legal demands for your data when we think it is appropriate, unless prohibited by law or court order, or when the request is an emergency. We may dispute such demands when we believe that the requests are overbroad, vague or lack proper authority.
Special categories of access data, such as access policy id:s, data lock ID, will never be shared with others outside the Inside The Box organization without your explicit consent..
Profile. Your profile image and sometimes contact information is visible to users with access to same lock. This means, as soon as you add a lock in the products, those people will be able to see parts of your profile information. Please note that your first name, last name, and profile picture are visible to all shared lock users. This is necessary to enable others to make clear for other that your account is active and correct..
Services You May Use. Inside The Box lets you connect to third-party services. For example, to enable you to select your own drop off point in the e-com checkout,. Please note that we do not have any influence on or knowledge of the scope and the further use of the Data by the respective checkout service, and cannot take any responsibility for the use of your Data by the respective e-com usage provider. Please see the e-commerce provider service’s respective privacy policies for details.
Service Providers. We share your information to others who help us provide and improve our Products (e.g. maintenance, analysis, audit, payments, fraud detection, marketing and development). Service providers will have access to your information as reasonably necessary to perform these tasks on our behalf, and are obligated not to disclose or use it for other purposes. We use processors such as Google, Facebook, Amazon Web Services, Inc., Customer.io, Segment and Mixpanel.
We do not sell any of your personal data to third parties.
7. HOW LONG WE STORE DATA
Retention Period. We need to maintain your data for as long as you have an account with us. If you are a user within the EU and you stop using our services without requesting to delete your data, we will keep it for 25 months after your last interaction with any Inside The Box touchpoint. Beyond that, we only store data, if it is legally necessary (because of warranty, limitation or retention periods) or otherwise required.
Account Deletion. If you decide to delete your account, all data that Inside The Box have about you will be deleted, with the following exceptions:
- Any details made public by you (e.g. routes, comments on other registered users’ sport activities, will be anonymized, i.e. it will be made clear that such details were provided by a deleted user).
- Any data required for Inside The Box’s performance of contractual obligations or compliance with statutory retention obligations shall not be deleted, but minimized to the necessary extent.
- A deletion request does not affect data, if the storage is legally necessary, for example for accounting purposes.
8. WHICH RIGHTS YOU HAVE
Exercise your Rights. To exercise your rights defined in sections 8, please send a request via email to the Email Address or via mail to our postal address.
Revocation of Consent. You can revoke your consent – in those cases where consent for processing is necessary – for future data processing at any time. However, this does not affect the lawfulness of data processing based on the consent before the revocation. In certain cases, we may continue to process your information after you have withdrawn consent, if we have another legal basis to do so or if your withdrawal of consent was limited to certain processing activities.
Right of Access. You have the right to obtain (i) confirmation as to whether or not your data is being processed by us and, if so, (ii) more specific information on the data. The more specific information concerns, among other things, processing purposes, categories of data, potential recipients, or the duration of storage.
Right to Rectification. You have the right to obtain the rectification of inaccurate data concerning you from us. In case the data processed by us is not correct, we will rectify these without undue delay and inform you of this rectification. Please note that (i) you can rectify much of your information in the settings and (ii) it is not technically possible for us to rectify all kinds of data in our Product.
Right to Erasure. You have the right to delete data we store about you. Should you decide to do so, please go to your account settings on the Website and delete your account there. If you are unable to do this, please contact us via the email address. As a safety measure, we will send you an email in order for you to confirm this deletion. We will delete your data after this confirmation. Please note that your phone may still have data stored on it after deletion of your account.
Right to Restriction of Processing. You have the right to obtain a restriction of processing of your data from us in the following cases:
- you make an inquiry pursuant para. Right to Rectification above, if you so request;
- you are of the opinion that the processing of your data is unlawful, but are opposed to an erasure of Data;
- you still require the data for the establishment, exercise or defense of legal claims; or
- you have objected to the processing pursuant para. Right to Object below.
Right to Data Portability. You have the right to (i) receive a copy of your Data in a structured, commonly used and machine-readable format and (ii) transmit those data to another controller without hindrance from us. You can download a copy of your data in your account settings on the website.
Right to Object. You have the right to object at any time to the processing of data for which our legitimate interests are the legal basis, including profiling based on those provisions. You also have the right to object to processing of data for direct marketing purposes.
Right to File a Complaint. You have the right to file a complaint with your local supervisory authority, if you think that the processing of data infringes applicable law.
9. FURTHER IMPORTANT INFORMATION
Legal Bases. Data protection laws regulate that we are only allowed to collect and process your data, if we have lawful bases for processing. The lawfulness of data processing stems from:
- your (explicit) consent in cases where you have given (explicit) consent to the processing;
- the necessity for the performance of your user contract, e.g. where data is needed for a satisfactory use of the Product; or
Our legitimate interests include protecting you, Inside The Box, or others from security threats or fraud, complying with all applicable laws, managing and improving our business (e.g. customer service, reporting) including possible corporate transactions (e.g. M&A), enabling users to share their and connect via their experiences, and express all access and or delivery/return opinions.
- Security Measures. We are committed to protecting your data and implement appropriate technical and organizational security measures to protect it against any unauthorized or unlawful processing and against any accidental loss, destruction, or damage. Those security measures are constantly revised to comply with the latest technological developments.
- What does Inside The Box do when we transfer your personal data outside of the EU/EEA? Depending on the personal data processing activity, your personal data is shared with different “Categories of Recipients”. Where the recipient is located outside the EU/EEA, we have implemented necessary measures such as signing the EU Standard Contractual Clauses approved by the EU Commission or selecting vendors that certify and comply with the EU-US Privacy Shield Framework.
11. QUESTIONS, COMPLAINTS AND SUPPORT
email@example.com Inside The Box AB, Vetegatan 3, 118 59 Stockholm, SWEDEN