CANDY CAT Privacy Policy
CANDY CAT appreciates your visit to our websites and mobile applications (together referred to as "Online offers") and your interest in our products.
We care about your privacy and data protection.
We are committed to offering the highest standards of products and services.
Thus, we value each of our existing or prospective clients and aim at maintaining appropriate protection of your personal data and personal information (hereinafter “Data”).
The protection of privacy during the processing of personal data, as well as the security of all business data, is an important concern for us. We keep the personal data collected during your visit to Online offers confidential and process them only in accordance with legal regulations.
Data protection and information security are included in our corporate policy.
The purpose of this Privacy Policy is to inform you in a clear, simple and complete manner how CANDY CAT collects and processes your Data when you use our website, app or other digital platforms, when you purchase Candy Cat products via our platforms or via our points of sales, when you visit our points of sales, when you fill in and submit one of our loyalty Cards, when you apply for a job at CANDY CAT or when you otherwise interact with or are displayed content about CANDY CAT, as required by the data protection laws in the territories in which we do business.
The conditions of our processing of your personal data and your personal rights in this connection are further described below in accordance with the rules of the General Data Protection Regulation (EU) 2016/679 (hereinafter "GDPR").
1. Controller’s Contact information
If you have any questions about our processing of your personal data or you wish to exercise your rights, you are always welcome to contact us:
CANDY CAT Data Protection Commissioner (all countries)
e-mail: y.biryukova@candycat.com
Estonia
Candy Cat Estonia OÜ
Reg. number: 16365241
Address: Harju maakond, Tallinn, Keslinna Linnaosa, Masina tn 22, 10113, Estonia
e-mail: s.grinkevits@candycat.com
Poland
CANDY CAT POLSKA SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ
Reg. number (NIP): 5272955939
Address: st. Jana Pawla II Avenue, No. 43A, lok. 37B, seats. WARSAW, code 01-001, Poland
e-mail: klisovska@candycat.com
Romania
CANDY CAT RO S.R.L.
Reg. number (CUI): 44406516
Address: Str.C.A.Rosetti, nr.25, camera 1, parter, ap.3, Bucuresti, sector 2, Romania
e-mail: e.nikitina@candycat.com
Serbia
Candy Cat d.o.o. Beograd
Reg. number: 21785512
Address: Belgrade, Vladimira Popovića 38-40, floor 1, 11070 Novi Belgrade, Serbia
e-mail: k.tunikovskaia@candycat.com
Slovakia
Candy Cat Slovakia s.r.o.
Reg. number: 160614/B
Address: Zámocká 6619/3, 811 01 Bratislava - district Staré Mesto, the Slovak Republic
e-mail: k.tunikovskaia@candycat.com
2. Collection, processing and use of personal data
2.1. Categories of processed data
The following categories of data are processed:
- Name and surname of the client;
- Email address;
- Phone number;
- Delivery address;
- Billing address;
- Bank account number;
- Video images from inside the shops;
- Transaction data relating to the payment made by the customer to CANDY CAT;
We also inform you that we process the following necessary personal data:
- Communication between the administrator and the client
- Behavioral records on websites/social media pages operated by CANDY CAT
2.2. Principles
Personal data is all information relating to an identified or identifiable person and includes, for example, names, addresses, telephone numbers, e-mail addresses, main contractual data, payment information made by you, which is an expression of a person's identity.
We collect, process and use personal data (including IP addresses) only when there is a legal basis for this or you have given your consent to the processing or use of personal data in relation to this matter, for example by registering on a website operated by CANDY CAT.
2.3. Data processing objectives and legal bases
We and the service providers employed by us process personal data for the following purposes:
- Provision of these Online offers (our websites and mobile applications)
Legal basis: our legitimate interest in direct marketing, insofar as this takes place in accordance with data protection and competition law.
- Providing these Online offers and executing a contract under the conditions offered by us
Legal basis: performance of a contract.
- Determination of disruptions/disturbances and for security reasons.
Legal basis: fulfillment of legal obligations to ensure data security and justified interest in solving disruptions/disturbances and the security of our offers
- Self-promotion and promotion by other operators, as well as market research and analysis to the extent permitted by law
Legal basis: legitimate interest on our part for direct marketing, insofar as this takes place in accordance with data protection and competition law
- Customer opinion surveys or product surveys conducted by mail, email and/or telephone
Legal basis: our legitimate interest in improving products/services; your consent
Note: If we commission a market research institute for this purpose, this institute will act only on the basis of the assignment received and will comply with our directives.
- Sending an e-mail or SMS/MMS newsletter, with the consent of the recipient.
Legal basis: your consent
- Securing and asserting our rights.
Legal basis: justified interest on our part in securing and asserting our rights
2.4. Registration
If you want to use/access benefits that require the conclusion of a contract, you must register. In order to register, we collect personal data necessary for the conclusion and execution of the contract (for example, first name, last name, date of birth, e-mail address, if applicable, data about the preferred payment method or about the account holder), as well as, if applicable, additional data on a voluntary basis. Mandatory fields are marked separately.
2.5. Log files
Every time you use the Internet, your browser transmits certain information that we store in so-called "log files".
Log files are only saved for a short period to determine disturbances, but also for security reasons (e.g. to clarify attack attempts) and are subsequently deleted. Log files that must be handled as evidence are excluded from the deletion rule, but only until the respective incident is fully resolved, and they can be transmitted, depending on each case, even to the competent investigative authorities.
Log files are also used for analysis purposes (with or without the full IP address). See the Web Analytics module.
In particular, the following information is saved in the log files:
- IP address (internet protocol address) of the terminal used to access the Online Offers;
- Internet address of the website from which the Online Offer was accessed (the so-called origin URL or destination URL);
- Name of the service provider used to access the Online Offer;
- Name of files or information accessed;
- Date and time, as well as recovery duration;
- Amount of data transferred;
- Operating system and information about the Internet browser used, including installed add-ons (for example, Flash Player);
- HTTP status code (e.g. "Request succeeded" or "File not found").
2.6. Data transfer
2.6.1. Transfer of data to other controllers
Personal data is transmitted to other controllers mainly only when necessary for the performance of a contract, if we or the third party has a legitimate interest in the transfer or if you have given your consent. Details of the legal bases can be found in the section Purposes of processing and legal bases (Article 4.3). When data is transferred to third parties based on a legitimate interest, this is explained in this data protection notice.
In addition, data may be transferred to other controllers when we are required to do so according to applicable legal regulations.
2.6.2. Service Providers (General)
We have engaged external service providers for tasks such as sales and marketing services, contract management, payments, scheduling, data hosting and courier. We have carefully selected these service providers and regularly evaluate them, especially with regard to the effective management and protection of saved data. All service providers are required to ensure confidentiality and comply with legal provisions.
2.6.3. Parcel announcements
In order to announce the dispatch of the parcels, we transfer your e-mail address and phone number to specialized courier companies in order to execute the contract.
These companies process the data as a data controller.
2.6.4. Payment service providers
We use external payment service providers.
Depending on the type of payment method chosen during the ordering process, we transfer the data used for payment processing (for example: bank account or credit card data) to the financial institution responsible for the payment or to the payment service providers contracted by us. Sometimes payment service providers also collect and process such data as controllers. In this case (where payment service providers are data controllers), the data protection notice or privacy policy of that payment service provider applies.
2.6.5. Transfer to recipients outside the EEA
We may also transfer personal data to recipients outside the EEA in so-called third countries. In such cases, before the transfer we ensure that the recipient of the data ensures an adequate level of data protection (for example, as a result of an adequacy decision of the European Commission regarding the respective country or the agreement with the recipient based on the so-called EU model clauses), and that you have given your consent to such a transfer.
You have the right to receive an overview of recipients from third countries and a copy of the specific agreed provisions that ensure an adequate level of data protection, but only upon express written request. Use the information in the Controller’s Contact Information section for this purpose.
2.6.6. Duration of storage of personal data
In accordance with the applicable legislation, for the purpose of carrying out the execution of the contract and for the purpose of registering the contract and any future application, as well as protecting the rights and obligations of the parties, the storage and processing of personal data is carried out for a maximum period of 10 years from the execution of the last contract, unless otherwise required by law to retain contract documentation for a longer period (for example, we are required to make documents such as contracts and invoices available for a certain period of time due to retention periods under applicable legislation).
We mainly store your data as long as necessary to provide our Online Offers and associated services, as long as we have a justified interest in storing them.
The processing mentioned above is possible pursuant to Article 6 paragraph (1) letter (b) of Regulation (EU) 2016/679 of the European Parliament and of the Council: "the processing is necessary for the execution of a contract to which the data subject is a party or to take steps at the request of the data subject before concluding a contract."
3. Use of cookies
3.1. General data
Cookies are small text files saved on your computer when you visit an Online Offer. If you access this Online Offer another time, your browser will transmit the content of the cookies to the respective offerer, thus allowing the terminal to be re-identified. Reading cookies allows us to optimally configure Online Offers, facilitating their use.
3.2. Deactivation and deletion of cookies
When you visit our websites you will be asked in a pop-up window if you agree to the use of cookies on our website or if you want to disable them in the settings.
If you decide to block cookies, your browser has a blocking option. This cookie has the sole purpose of assigning your objection. Disabling cookies may disable individual functions of our websites. Note that, for technical reasons, a blocking cookie can only be set for the browser that was used to set it. If you delete cookies, if you use another browser or another terminal, you will have to block them again.
Preferences do not apply to cookies that are set during your visits to third-party websites.
Your browser allows you to delete all cookies at any time. For this, consult the support functions of your browser.
3.3. Overview of cookies used by us
In this section you can find an overview of the cookies used by us.
3.3.1. Absolutely necessary cookies
Certain cookies are necessary to securely deliver our Online Offers. This category includes, for example:
- Cookies that identify or authenticate our users;
- Cookies that temporarily save certain information entered by the user;
- Cookies that store certain user preferences (for example, searches or language settings);
- Cookies that store data to ensure unobstructed playback of video or audio content.
3.3.2. Analytical cookies
We use analytical cookies to record the usage behavior (e.g. ad banners accessed, searches performed) of our users and evaluate it statistically.
3.3.3. Advertising cookies
We also use cookies for advertising purposes. User behavior profiles created with the help of such cookies (e.g. advertising banners accessed, subpages visited, searches performed) are used by us to show you advertisements or offers tailored to your interests ("interest-based advertising").
3.3.4. Conversion cookies
Our conversion tracking partners set a cookie on your computer ("conversion cookie") if you arrived at our website through an ad from that partner. These cookies generally expire after 30 days. If you visit certain pages that we host and the cookie has not yet expired, we and that conversion tracking partner can see that a particular user accessed the ad and was directed to our page. The information collected by the conversion cookie is used to create conversion statistics and determine the total number of users who viewed that ad and were directed to a page with a conversion tracking tag.
3.3.5. Tracking cookies in association with social plugins
Certain pages of our Online Offers integrate content and services from other providers (e.g. Facebook, Twitter), which may in turn use cookies and active components. CANDY CAT cannot influence the processing of personal data carried out by these providers.
4. Web Analytics
We need statistical information about the use of our Online Offerings in order to make them more user-friendly, to carry out extensive measurements and market research.
To do this, we use the web analytics tools described in this section.
The usage profiles created by these tools, using analytical cookies or analyzing log files, do not contain personal data. The tools either do not use IP addresses at all or immediately restrict them when collecting data.
The tools provide processed data only for processors who comply with our directives and not for their own purposes.
Below you can find information about what each tool offers and how you can refuse data collection and processing through that tool.
Please note that with regard to tools that use blocking cookies, the blocking function affects a device or browser and is thus valid for the terminal or browser used at the time. If you use multiple terminals or browsers, you must block on each device and each browser.
Otherwise, you can generally avoid the formation of user profiles by disabling the use of cookies; for this, see the Deactivation and deletion of cookies section.
4.1. Google Analytics
Google Analytics is provided by Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA ("Google"). We use Google Analytics with the additional function provided by Google to anonymize IP addresses. During this time, Google already shortens IPs within the EU in most cases, but does so only in exceptional cases in the United States, and in both regions only saves the short form of IP addresses.
You can refuse the collection or processing of your data using the following link to download and install a browser plugin.
4.2. Use of remarketing tools
In order to optimize our online marketing, we use so-called remarketing technologies. This is aimed at creating a more interesting Online Offer, customized according to your needs. For this, we use the tools presented below.
Usage profiles are created with the help of advertising cookies or third-party advertising cookies, so-called web beacons (invisible graphic elements also called pixels or counting pixels) or comparable technologies, and are not combined with personal data.
Tools are used by providers to show our users Online Offers or advertisements based on interests, but also to control the frequency with which users see certain advertisements. The person responsible for processing the data associated with the tools is the respective provider. Tool providers may, as appropriate, transfer information to third parties for the reasons stated above.
The tools either do not process users' IP addresses at all, or they restrict them immediately after data collection.
You can find information about a tool provider for each tool, as well as how to opt out of data collection by that tool.
Please note that with regard to tools that use blocking cookies, the blocking function affects a device or browser and is thus valid for the terminal or browser used at the time. If you use multiple terminals or browsers, you must block on each device and each browser.
4.3. Google AdSense
Google AdSense is provided by Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA ("Google"). You can find more information about this tool here.
You can refuse the collection and processing of your data by this tool by accessing the user references.
4.4. DoubleClick
DoubleClick is provided by Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA ("Google"). You can find more information about this tool here.
You can refuse the collection and processing of your data by this tool by accessing the user references.
5. Social Plugins
In our Online Offers we use so-called social plugins from various social networks; these are described individually in this section.
When using the plugins, your browser establishes a direct connection with the servers of the respective social network. In this way, the respective provider receives information that your browser has accessed from the site of our Online Offers, even if you do not have a user account with this provider or are not currently logged into the account. Log files (including IP addresses) are in this case transmitted directly by your browser to the respective provider and may be stored there. The provider or its servers may be located outside the EU or EEA (e.g. in the United States).
Plugins are individual extensions provided by social network providers. For this reason, we cannot influence the extent of the data collected and stored by them.
You can find the purpose and scope of the social network's continued collection, processing and use of data, as well as your rights and setting options to protect your privacy by consulting the data protection notices of the respective social network.
If you do not want the social network providers to receive and, if applicable, store or use the data, you must not use the respective plugins.
5.1. Facebook plugins
Facebook is operated at www.facebook.com by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA and at www.facebook.de by Facebook Ireland Limited, Hanover Reach, 5-7 Hanover Quay, Dublin 2, Ireland ("Facebook"). You can find an overview of Facebook plugins and their layout here: http://developers.facebook.com/plugins; find information about data protection at Facebook here: http://www.facebook.com/policy.php.
5.2. Google+ plugins
Google+ is operated by Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA ("Google"). You can find an overview of Google plugins and their appearance here. Find information about data protection at Google+ here.
6. Authentication (login) through social networks
We offer you the possibility to connect to our Online Offers through the authentication options of social networks such as Facebook Connect.
To register, you will be redirected to the page of the respective social network, where you can log in with your local data. This means connecting your account on that network to our service. In this way, information from your public profile, email address and identification tags of friends in the network, as well as other data, if applicable, is transmitted to us through the respective social network.
Instead, the social network used for registration receives the login status, browser information and IP address. The social network provider or its server may be located outside the EU or EEA (e.g. in the United States).
If you do not want data transfer between us and the social network services, please log in through our services instead of the social network.
7. Newsletter, with the subscription option; the right to withdraw the agreement
You can subscribe to newsletters about our Online Offers. For this, we use the so-called two-step subscription procedure, which means that we will send you a newsletter by e-mail, mobile messenger (e.g. WhatsApp), SMS or push notification only after you have explicitly confirmed the activation of the newsletter service by accessing the link in the notification. If at a later date you wish to stop receiving newsletters, you can unsubscribe at any time by withdrawing your consent. You may opt out of email newsletters by accessing the link provided in that email for Online Offers, as appropriate. This takes place within the administration settings. Alternatively, you can contact us using the contact details provided in the Controller’s Contact Information section.
8. External links
Our online offers may include links to websites of third parties – providers who are not associated with us. After you access the link, we have no influence on the collection, processing and use of personal data transmitted by accessing the link to the third party (such as IP address or URL of the site where the link is located), as we cannot, of course, monitor the behavior of third parties. We assume no responsibility for the processing of such personal data by third parties.
We recommend that you read their privacy policies to see how your personal information is collected and processed.
9. Security
Our employees and companies that provide services on our behalf have an obligation to ensure confidentiality and to comply with applicable data protection legislation.
We take all necessary technical and organizational measures to ensure an adequate level of security and protect your data managed by us, in particular against the risks of destruction, manipulation, loss, illegal or unintentional modification or unauthorized disclosure or access. Security measures are constantly being improved in line with technological progress.
10. User Rights
To exercise your rights, please use the details provided in the Contact section. In this case, ensure that it is possible to accurately identify the person concerned.
The right to information and access:
You have the right to obtain our confirmation regarding the processing or non-processing of personal data, as well as access to this data.
Right to rectification and erasure:
You have the right to rectification of your personal data without undue delay. Considering the purpose of the processing, you have the right to complete incomplete personal data, including by providing an additional statement.
This does not apply to data required for invoicing and accounting or subject to the legal retention period. If access to such data is not necessary, its processing is restricted (see below).
Restriction of processing:
You have the right to request the restriction of the processing of your data, but provided that the legal requirements requested in this case are met.
Refusal of data processing:
You have the right to refuse data processing by us at any time. We will no longer process personal data, unless we demonstrate compliance with legal requirements to provide justified reasons for continuing processing, beyond your interests, rights and freedoms or for the establishment, exercise or defense of legal actions.
Refusal of direct marketing:
In addition, you can at any time refuse the processing of your personal data for direct marketing purposes. Please note that, for organizational reasons, there may be, temporarily, an overlap between your refusal and the use of said data in order to carry out the campaign already in progress.
Refusal of data processing on the legal basis of "justified interest":
In addition, you have the right to refuse the processing of personal data at any time, provided that the legal basis of justified interest is applicable. In this case, we will stop processing your personal data, unless we can demonstrate compelling legitimate grounds, as required by law, for the processing that override your rights.
Withdrawal of consent:
If you have given your consent to data processing, you have the right to withdraw this consent with immediate effect. The legality of data processing prior to the revocation of consent remains unchanged.
10.1. Data Portability:
You have the right to receive the data you have provided to us in a common, structured, software-readable format and, if technically possible, to request the transfer of that data to a third party.
10.2. The right to lodge a complaint with the supervisory authority:
You have the right to lodge a complaint with a supervisory authority. You can contact the competent supervisory authority in your home country or the responsible supervisory authority in our case.
11. Changes to the Data Protection Notice
We reserve the right to change our security and data protection measures if this is necessary as a result of technical progress. In such cases, we will amend the Data Protection Notice accordingly. Therefore, please follow the current version of the Data Protection Notice, as there may be changes.
12. Date
This Privacy Policy was last updated in January 2023. We will inform you with regard to any substantial changes which may be made to this Privacy Policy.