Personal Data Policy
Once Upon AB is the personal data controller for the processing of personal data through our digital channels such as this website, mobile apps and/or other future digital interfaces. This personal data policy (hereinafter the “Personal Data Policy”) is to ensure that you, as a user, may rest assured that we, as personal data controller, handle your data in accordance with applicable personal data legislation. You need not provide any personal data in order to visit the digital channels but, if you do not provide the requested information, it is possible that you will not be able to obtain the products (hereinafter the “Products”), offers, functions, tools, services or resources provided by us through the app (hereinafter the “Service”) or visit all parts of the digital channels. If you have any remaining questions, feel free to contact us. Information regarding how to contact us is available in the “Contact information” section which you will find at the end of this Personal Data Policy.
1. Personal data which is processed
“Personal data” means every type of information which is directly or indirectly related to a natural, living person (hereinafter referred to as “Personal Data”). We must collect Personal Data in order for the Service to at all operate and be meaningful for you as a user. We collect and process the following Personal Data regarding you:
1.1 Via the app
In conjunction with your creation of an account via the app, we collect the following Personal Data: e-mail address. We also process the information you share with us in conjunction with the use of the Service, e.g. when you upload and/or contribute content and information (for example, pictures and text materials you have chosen for your Products(s)). In conjunction with ordering a Product in the app, we collect information regarding you in order to process the order. This includes your name, your address and contact information in the form of telephone numbers and e-mail addresses to the extent we are not already in possession of the same.
1.2 Via the website
2. Sensitive personal data
Sensitive personal data is information which reveals race or ethnic origin, political views, religious or philosophical convictions, or membership in a labour union and personal data concerning health or sex life (hereinafter referred to as “Sensitive Personal Data”). Health information may consist of, for example, sick leave, pregnancy and doctors visits. Depending on the pictures and text material you choose to share with us, we may process Sensitive Personal Data within the context of the Service.
3. What do we use the personal data for?
We will process the Personal Data collected by us for the following purposes:
1. In order to be able to communicate with you;
2. To deliver the Service and ensure that the Service works;
3. In order to be able to produce and deliver the Product you have created and ordered via the app;
4. In order to be able to offer you the opportunity to order Products once again;
5. To analyse your use of the Service to improve the Service and develop new Products and services;
6. To administer your account and use of the Service and communicate with you, e.g. via notices, e-mail and in other ways;
7. To inform you regarding our updates to the Service and the general terms and conditions which are applicable to the use of the app;
8. To market the Service, either within or outside the Service, including functions and content of the Service; and
9. For the express purposes otherwise presented in this Personal Data Policy.
Your integrity is very important to us and we will process your Personal Data you share with us with the utmost care and in accordance with “best practices”, the Personal Data Policy and applicable laws and rules. In the absence of your consent therefor, we will not release your Personal Data to a third party in any manner other than as follows from this Personal Data Policy.
4. Legal basis
Information we collect in conjunction with your registration of a user account via our app is processed by us in order to fulfil our obligations under the agreement with you as a customer, i.e. to provide the app and the Service in general. When we collect information regarding you when you place an order via the app, we process this data in order to fulfil our undertakings relating to the order, i.e. to produce and deliver the Product you have ordered.
Information saved following completion of delivery of the Product and which is related to a certain order is stored to satisfy our legal obligations pursuant to the Swedish Bookkeeping Act.
When we analyse user behaviour, we do so in light of our legitimate interest in developing the Service and our Products. In the event we process personal data regarding you in conjunction with direct marketing, we do so in light of our legitimate interest in marketing the Service and our Products.
5. Information from third parties
In certain cases, we may supplement the Personal Data provided by you with information from a third party for the purpose of evaluating and improving the digital channels in the Service.
We obtain information regarding your name and e-mail address from Facebook if you choose to log in to the Service through your Facebook account. In addition, we obtain information from our collaboration partners for news despatches in order to evaluate our marketing.
6. Information to third parties
Other than as stated in the Personal Data Policy and our general terms and conditions, we will not share the Personal Data you provide to us with third parties other than when (i) such has been specifically agreed upon between you and us, (ii) where necessary to protect your rights, (iii) as required by law, a decision of a governmental authority or a court of law, (iv) we retain independent suppliers for our services in connection with our digital channels or the Service, (v) we retain third parties to produce a Product which is designed in accordance with your order in the Service.
These providers may process Personal Data and sometimes require limited access to Personal Data which has been collected via the digital channels or the Service. We shall at all times strive to limit such access to Personal Data and shall only share information reasonably necessary in order for the providers to be able to carry out their work or provide their services. We will also require that such providers
(i) protect your Personal Data in accordance with the Personal Data Policy and (ii) do not use or disclose your Personal Data for any purpose other than to provide the agreed products or services. Personal Data will not be disclosed to third parties for marketing purposes without your written consent.
At no time will we disclose customer lists, order histories or similar information to third parties. Exemptions are made only where a judicial body requests information which contains your personal data. In such an event, our attorney will first and foremost examine and approve the request.
7. Transfers to third countries
In the event we choose to retain providers outside the EU/EEA, e.g. cloud service providers, this is done primarily for the purpose of producing and / or delivering a product designed according to your order in the service.
When transferring to third countries we will take all reasonable legal, technical and organisational measures in order to ensure that your Personal Data is handled in a secure manner and at an adequate level of protection.
For a detailed description of which transfers take place to third countries, see the linked description: “thirdcountrytransfers”
8. Storage time
Your Personal Data will not be retained for a period of time in excess of what is necessary taking into account the purposes of processing, and we will otherwise erase Personal Data in the manner following from applicable legislation. We save your Personal Data connected to your account as long as you have an account in the Service provided you do not, prior thereto, request that we erase your Personal Data. Products which you have created through the Service will be erased at the same time you remove your account.
Personal Data related to an order is stored by us in accordance with the rules of the Swedish Bookkeeping Act.
We also save digital copies of the Products which you have ordered during a period of ninety (90) days. The purpose of this is to be able to reproduce Products about which complaints have been made.
We do not save your personal identification number or your card or bank information. All processing concerning payments is handled via third party suppliers of the payment service. In order to obtain information regarding the manner in which they process your personal data, we refer you to their privacy policies.
The file names of the pictures you upload in the app are not saved but, rather, are replaced by a new name series which, in turn, is managed by our system.
9. Your rights
You have the right to request information regarding which Personal Data (if any) we process regarding you. If you believe that we possess personal data regarding you which is incorrect, you may, furthermore, request correction of your personal data.
You are entitled to object to personal data we process regarding you in accordance with a so-called legitimate interest. This applies, for example, when we process your personal data in order to send direct marketing to you. Notify us if you do not want us to continue with this type of processing of your personal data.
You are also entitled to request that we temporarily limit certain processing of personal data regarding you and a right to request to be erased.
If you wish to know whether we process Personal Data regarding you, you may send a written and signed request to us (see “Contact information” below).
Our digital channels may contain links to other websites provided by other companies. The Personal Data Policy does not apply to these websites. Accordingly, you should read the personal data policies of such websites prior to releasing personal data.
We take all suitable technical and organisational security measures necessary in order to protect the Personal Data against unauthorised access, alteration or destruction. However, there is always a risk involved in providing Personal Data via digital channels since it is not possible to completely protect technical systems from encroachment.
Communications between you and Once Upon take place via a so-called SLL protocol, an encrypted transmission between service and user which maintains a recognised high standard. SSL is used, for example, by Facebook, Instagram and Google. Your information is saved on the Google Cloud Platform servers and, in conjunction with payment in AWS (Amazon Web Services) in accordance with their agreement. Logs of user behaviour are saved by us through Google Analytics, Firebase Analytics and Firebase Crashlytics.
13. Personal Data Incidents
In conjunction with a security incident concerning Personal Data, e.g. hacking or an unintentional loss of personal data, we must document the incident and notify the same to the Swedish Authority for Privacy Protection within 72 hours. We may also require information from you, e.g. if there is a risk of ID theft or fraud.
14. Amendments to the Personal Data Policy
In the event we must amend the Personal Data Policy, we will provide notice when you log on to the Service and on the digital channels in general and provide information regarding the content of the new terms and conditions approved by you.
15. Invalid provisions
In the event a competent court of law finds any provision of the Personal Data Policy to be invalid, such shall result only in a reasonable adjustment of the provision in question. Other provisions will continue to apply with full force and effect.
16. Applicable law
The Personal Data Policy shall be governed by and interpreted in accordance with Swedish law without the app of choice-of-law rules. Disputes or requirements which arise concerning, or in relation to, the Personal Data Policy or in conjunction with breaches, termination or invalidity of these terms and conditions shall be conclusively resolved by Swedish courts of law with the Luleå District Court as the court of first instance unless otherwise required by compulsory law.
17. Supervisory authority
For more information regarding applicable legislation, our liability for the processing of personal data and your rights, please visit http://www.imy.se. Questions concerning the processing of personal data may also be posed directly to the Swedish Authority for Privacy Protection to which you may also turn in the event you have any complaints concerning the manner in which we have processed your personal data.
18. Contact information
In the event you have any questions regarding the Personal Data Policy or any other question regarding our processing of your Personal Data, feel free to contact us at: Once Upon Publishing AB, company registration no. 559073-3670, Storgatan 26, 931 32 Skellefteå, firstname.lastname@example.org