Madeblunt Limited, trading as Blunt, ( we , us , our ) is a New Zealand company and complies with the New Zealand Privacy Act 1993 ( NZ Privacy Act ) and other applicable privacy and data protection laws when dealing with personal information. Personal information is information about an identifiable individual (a natural person).
If you are based in the European Union and use our websites or have other dealings with us, the additional GDPR terms set out below ( GDPR Terms ) apply to you.
This policy does not limit or exclude any of your rights under the NZ Privacy Act and other applicable laws. If you wish to seek further information on the NZ Privacy Act, see www.privacy.org.nz .
CHANGES TO THIS POLICY
We may change this policy by uploading a revised policy onto the website. The change will apply from the date that we upload the revised policy.
This policy was last updated on 24/05/2018
WHAT PERSONAL INFORMATION DO WE COLLECT AND HOW WE COLLECT IT
When you visit our websites, purchase products from us or have other dealings with us we collect the following information:
- Personal information that you provide directly to us, including:
- when you place an order for products available on the website, your name, email address, delivery address, your phone number and your credit card and other information you submit to us for billing purposes [a]
- if you sign up for an account on the website, your [ name and email address [b] ]
- if you sign up for our newsletter or other notifications, your [ name and email address [c] ]
- any information contained in your correspondence with us, for example, when you send us an email, phone us or submit an enquiry through the website, including your name, email, country of residence and phone number
- if you provide feedback, including submitting any feedback to the website or in response to an email, any information contained in your in your feedback
- information about your transactions with us
- any other information provided by you in the course of your dealings with us.
- ‘Clickstream’ information that is recorded when you click anywhere in a webpage, such as your IP address, geographical location, operating system and browser type.
- Third parties where you have authorised this, [ including when you click to purchase products on our websites via Facebook [d] ], or the information is publicly available.
HOW WE USE YOUR PERSONAL INFORMATION
- We will use your personal information provided directly by you:
- to verify your identity
- to provide our websites and products to you
- to market our products to you, including by contacting you electronically (e.g. by text or email for this purpose). You can stop receiving our promotional emails by following the unsubscribe instructions included in those emails
- to improve our websites and products that we provide to you
- [ to bill you and to collect money that you owe us, including authorising and processing credit card transactions ]
- to respond to communications from you.
- [ We use information generated by your access or use of our websites :
- to monitor the performance of the website to ensure that it performs in the best manner possible
- for security and system integrity purposes [f] ]
- to tailor content or advertisements to you. For further information, please refer to our cookies policy .
- to follow up with product delivery, and product satisfaction.
- We may also use your personal information:
- to protect and/or enforce our legal rights and interests, including defending any claim
- for any other purpose authorised by you, the Act or other applicable law
- to respond to lawful requests by public authorities, including to meet law enforcement requirements
- to transfer your information in the case of a sale, merger, consolidation, liquidation, reorganisation or acquisition.
DISCLOSING YOUR PERSONAL INFORMATION
- We may disclose your personal information to:
- another company within our group
- our global distributors
- any business that supports our websites and sales of our products, including any person that hosts or maintains any underlying IT system or data centre that we use to provide the website or our products or that we use to process payments or fulfil orders. The third parties that supports our websites or sales of our products include:
- [ MailChimp – a cloud based communications provider that we use to store email addresses and to send emails
- Shopify – an e-commerce platform we use to provide the shopping functions on our websites
- Google Analytics – a web analytics service provider that we use to track and report website traffic (on an aggregated and anonymous basis)
- Okendo – a customer insights product we use to capture feedback relating to our products. ] [g]
- our professional advisers e.g accountants, lawyers, auditors
- any other person authorized by you
- a person who can require us to supply your personal information (e.g. a regulatory authority)
- any other person authorized by the NZ Privacy Act or other applicable law (e.g. a law enforcement agency)
- any other company in the case of a sale, merger, consolidation, liquidation, reorganization or acquisition.
- We may also disclose research and statistical analysis on an anonymized basis derived from your personal information to third parties.
PROTECTING YOUR PERSONAL INFORMATION
A business that supports our websites or the sale of our products to you may be located outside New Zealand. This may mean your personal information is held and processed outside New Zealand. Please see the GDPR Terms for further information about personal data transfers from the European Economic Area.
PROTECTING YOUR PERSONAL INFORMATION
We will take reasonable steps to keep your personal information safe from loss, unauthorized activity, or other misuse. We implement appropriate technical and organizational measures to ensure a level of security appropriate to risks inherent in processing personal information.
You can play an important role in keeping your personal information secure by maintaining the confidentiality of any password and accounts used in relation to our websites. Please do not disclose your password to third parties. Please notify us immediately if there is any unauthorized use of your account or any other breach of security.
ACCESSING AND CORRECTING YOUR PERSONAL INFORMATION
Subject to certain grounds for refusal set out in the NZ Privacy Act or other applicable law, you have the right to access your readily retrievable personal information that we hold and to request a correction to your personal information. Before you exercise this right, we will need evidence to confirm that you are the individual to whom the personal information relates.
In respect of a request for correction, if we think the correction is reasonable and we are reasonably able to change the personal information, we will make the correction. If we do not make the correction, we will take reasonable steps to note on the personal information that you requested the correction.
If you want to exercise either of the above rights, email us at email@example.com . Your email should provide evidence of who you are and set out the details of your request (e.g. the personal information, or the correction, that you are requesting).
While we take reasonable steps to maintain secure internet connections, if you provide us with personal information over the internet, the provision of that information is at your own risk.
For the purposes of the GDPR, we are the data controller (as defined in the GDPR) when processing personal data collected by us through our websites, when you purchase products from us or when you have other dealings with us.
These GDPR Terms was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of our collection and use of personal data. However, we are happy to provide any additional information or explanation needed. Any requests for further information should be sent to firstname.lastname@example.org
PROCESSING PERSONAL DATA
The legal basis for our processing of personal data depends on the type of personal data and the specific context in which we collect it. However, we normally process personal data only where (a) we have your consent to do so, (b) we need to process personal data to perform a contract with you (e.g. to provide our products to you), or (c) the processing is necessary for the purposes of our legitimate interests (except where such interests would be overridden by your fundamental rights and freedoms which require the protection of personal data).
Despite the above, we may process any of your personal data where such processing is necessary for compliance with applicable laws.
You do not have to provide us with some personal data that is automatically collected when you use our websites e.g. cookies. However, you will be required to provide us with your name, email address, phone number or postal address when you purchase products from us. The consequence of not providing this personal data is that we will not be able to fulfill your orders for products. You will be required to provide us with your name and email if you want to set you up an account on our websites or receive our newsletter.
Your rights in relation to your personal data under the GDPR include:
- right of access - if you ask us, we will confirm whether we are processing your personal data and provide you with a copy of that personal data
- right to rectification - if the personal data we hold about you is inaccurate or incomplete, you have the right to have it rectified or completed. We will take every reasonable step to ensure personal data which is inaccurate is rectified. If we have shared your personal data with any third parties, we will tell them about the rectification where possible
- right to erasure - we delete your personal data when it is no longer needed for the purposes for which you provided it. You may request that we delete your personal data and we will do so if deletion does not contravene any applicable laws. If we have shared your personal data with any third parties, we will take reasonable steps to inform those third parties to delete such personal data
- right to withdraw consent - if the basis of our processing of your personal data is consent, you can withdraw that consent at any time
- right to restrict processing - you may request that we restrict or block the processing of your personal data in certain circumstances. If we have shared your personal data with third parties, we will tell them about this request where possible
- right to object to processing - you may request that we stop processing your personal data at any time and we will do so to the extent required by the GDPR
- right to data portability - you may obtain your personal data from us that you have consented to give us or that is necessary to perform a contract with you. We will provide this personal data in a commonly used, machine-readable and interoperable format to enable data portability to another data controller. Where technically feasible, and at your request, we will transmit your personal data directly to another data controller
- rights related to autonomous decision making, including profiling – you have a right to not be subject to a decision based solely on automated processing including processing, which produces legal effects concerning you or similarly significantly affects you, except where such automated decision making is necessary for entering into, or the performance of, a contract with you, is authorised by applicable laws or is based on your explicit consent
- the right to complain to a supervisory authority - you can report any concerns you have about our privacy practices to the relevant data protection supervisory authority
Where personal data is processed for the purposes of direct marketing, you have the right to object to such processing, including profiling related to direct marketing.
If you would like to exercise any of your above rights, please contact us at email@example.com . If you are not satisfied by the way we deal with your query, you may refer your query to your local data protection supervisory authority e.g. in the United Kingdom, this is the Information Commissioner’s Office.
We do not intend to collect personal data from children aged under 16. If you have reason to believe that a child under the age of 16 has provided personal data to us through our websites and through other dealings with us, please contact our data protection officer.
INTERNATIONAL TRANSFER OF DATA
The personal data we collect through our websites or when you purchase products from us or have other dealings with us may be transferred to, and stored in, a country operating outside the European Economic Area ( EEA ). Under the GDPR, the transfer of personal data to a country outside the EEA may take place where the European Commission has decided that the country ensures an adequate level of protection.
In the absence of an adequacy decision, we may transfer personal data provided appropriate safeguards are in place.
Some of the personal data we collect is processed in New Zealand (where our operations are located). New Zealand is recognised by the European Commission as a country that ensures an adequate level of data protection and we rely on this decision in transferring personal data from the EEA to New Zealand.
Transfers to our global distributors
Transfers to other third party processors
The personal data we collect is also processed by the third party processors set out below.
For personal data processed in the United Sates, the European Commission has determined that the United States ensures an adequate level of protection for personal data transferred from the EU to organizations in the United States under the EU-U.S. Privacy Shield. We have verified that our United States-based data processors have self-certified under the EU-US Privacy Shield framework.
For data held outside the EEA or the United States, we have entered into Standard Contractual Clauses as published by the European Commission with our third party processors.
DATA RETENTION POLICY
Personal data that we collect and process will not be kept longer than necessary for the purposes for which it is collected, or for the duration required for compliance with applicable law, whichever is longer.