Privacy and Data Protection Policy
1. Introduction
This policy outlines the practices of our website regarding the collection, use, and protection of personal data in compliance with the General Data Protection Regulation (GDPR) and the General Services Providers Regulation (GSPR). As an e-commerce platform operating in the European Union (EU), we are committed to ensuring the privacy and protection of our customers' data.
2. Definitions
Personal Data: Any information that relates to an identified or identifiable natural person, such as name, contact details, transaction history, etc.
Data Subject: The individual whose personal data is processed.
Controller: The entity (our e-commerce business) that determines the purposes and means of processing personal data.
Processor: Any third-party service provider (e.g., payment processors, cloud services) that processes data on behalf of the data controller.
Processing: Any operation performed on personal data, including collection, storage, use, and disclosure.
3. Data Collection and Purpose
We collect personal data for the following purposes:
Account Creation: To register and manage customer accounts.
Order Processing: To process and deliver orders, handle payments, and provide customer support.
Marketing and Communications: To send order confirmations, promotional offers, and newsletters (if consented to).
Compliance with Legal Obligations: To comply with tax, accounting, and legal requirements.
Customer Support: To respond to customer inquiries, complaints, and feedback.
We will ensure that all personal data is collected with the consent of the data subject, and data will only be used for the stated purposes.
4. Lawful Basis for Processing
Under the GDPR, we process personal data based on one or more of the following legal bases:
Consent: Where the data subject has given explicit consent for processing.
Contractual Necessity: Where the processing is required for the performance of a contract with the data subject (e.g., completing an order).
Legal Obligation: Where processing is required to comply with legal obligations (e.g., tax laws).
Legitimate Interests: Where processing is necessary for the legitimate interests of our business, provided these interests do not override the rights and freedoms of the data subject.
5. Data Sharing and Third-Party Providers
We may share personal data with trusted third-party providers to assist in delivering services to our customers. All third-party processors are required to comply with applicable data protection laws, including the GDPR. These third parties may include:
Payment gateways (e.g., Stripe, Shopify Payments, etc.)
Shipping companies (e.g., DHL, FedEx, etc.)
Email marketing platforms (e.g., Klaviyo)
Customer support services
We ensure that Data Processing Agreements (DPAs) are in place with all third-party service providers.
6. Data Subject Rights
In accordance with the GDPR, data subjects have the following rights:
Right to Access: Customers have the right to request a copy of their personal data.
Right to Rectification: Customers can request the correction of inaccurate or incomplete data.
Right to Erasure: Customers can request the deletion of their personal data in certain circumstances (e.g., withdrawal of consent).
Right to Restrict Processing: Customers can request the restriction of processing under certain conditions.
Right to Data Portability: Customers can request to transfer their data to another service provider in a structured, commonly used, and machine-readable format.
Right to Object: Customers can object to processing based on legitimate interests or for direct marketing purposes.
Right to Withdraw Consent: Customers can withdraw consent at any time where processing is based on consent.
To exercise any of these rights, customers can contact our data protection officer (DPO) at Service.EU@heys.com.
7. Data Retention
We will only retain personal data for as long as necessary to fulfill the purposes for which it was collected or to comply with legal obligations. For example:
Order Information: Retained for at least 5-6 years for tax and legal reasons.
Marketing Data: Retained as long as the customer remains subscribed to our newsletter or until consent is withdrawn.
8. Security Measures
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, or destruction. These include:
Encryption of sensitive data.
Regular security audits and assessments.
Access controls to limit who can access customer data.
Ensuring all third-party service providers are GDPR compliant and implement similar security measures.
9. International Data Transfers
In cases where personal data is transferred outside the EU/EEA to third countries, we ensure compliance with the GDPR by using appropriate safeguards, such as the use of Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).
10. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to enhance the user experience on our e-commerce platform. Cookies help:
Remember login credentials
Analyze website traffic and user behavior
Display relevant advertising
Users can manage their cookie preferences through the cookie consent banner or browser settings. By continuing to use the website, customers consent to our use of cookies.
11. Breach Notification
In the event of a data breach, we will notify the relevant supervisory authority within 72 hours if the breach is likely to result in a risk to the rights and freedoms of individuals. If necessary, affected individuals will also be informed directly.
12. General Services Providers Regulation (GSPR) Compliance
Our company ensures compliance with the General Services Providers Regulation (GSPR) by:
Ensuring all service providers comply with privacy and data protection laws.
Regularly auditing our third-party services for compliance.
Keeping our customers informed about how their data is processed by third parties.
13. Changes to This Policy
We reserve the right to update this policy at any time to reflect changes in data protection laws, business practices, or technological advancements. Any changes will be communicated through the website or via email to registered users.
14. Contact Information
For any questions or concerns about our GDPR and GSPR policy, or to exercise your data protection rights, please contact:
Data Protection Officer (DPO): Heys EU GmbH
Customer Support: Service.EU@heys.com
Website: https://eu.heys.com/
15. Conclusion
By using our services, you consent to the collection and processing of your personal data in accordance with this policy. We are committed to safeguarding your privacy and ensuring that your data is handled responsibly.
This policy complies with the GDPR (Regulation (EU) 2016/679) and the GSPR for e-commerce platforms in the EU region, ensuring that your personal data is secure, processed transparently, and in accordance with legal requirements.