‍1. Introduction
Karmalicious AB (“we” or “us”) is the provider of the Karma sales platform through which you can purchase take away food items from restaurants, cafés and bakeries (to name a few) and order food at restaurants (each food supplier is hereinafter called a “Merchant”). Basically, the Merchant provides the food and we provide a platform where you can purchase the food. You can both save surplus food at a discounted price and purchase regular food items through Karma. As a Merchant you can also offer food for sale through the Karma for Business application. The services are hereinafter referred to as the “Services”.
In this privacy policy (“Privacy Policy”) we describe the personal data we collect, how and why we use it, and what choices and rights you have regarding your personal data. This Privacy Policy applies when you use the mobile application Karma or Karma for Business (together, the “Apps”), visit our website www.karma.life (the “Website”), use our Services, subscribe to our newsletter or otherwise interact with us
Please take a moment to familiarize yourself with our privacy practices, accessible via the headings below, and contact us if you have any questions.
‍
2. Who is the data controller for the personal data?
Unless otherwise stated, Karmalicious AB is the data controller for personal data we collect through the Services as described in this Privacy Policy. Our address is Karmalicious AB, Mailbox 163, 111 73, Stockholm, Sweden.
‍
3 What personal data do we collect?
What data we collect about you depends on what Services you use and what data you choose to share with us. For the purposes described in the following section, we may collect and use the following types of data about you:
‍
Data that you provide to us
- Contact information – including your full name, phone number and email address
- Username – if you have chosen to add a username‍
- Information from contact forms or surveys – including Contact information and other information you choose to share with us‍
- Food preferences – when you order food, you might choose to include food preferences in your order information. You may also choose to store your food preferences on your profile. Food preferences may contain information that can be attributed to a person’s health or religion and that is considered as sensitive information. To protect your privacy, we request that you only share the information necessary to prepare the food and do not include any sensitive information in your order information. If you choose to share sensitive information with us (and thereby with the Merchant), this information will only be used to prepare and deliver the ordered food to you. Sharing sensitive information is voluntary and based on your consent.
Data collected otherwise
- Contact information – If you choose to log in to the Services using credentials from a third party application (e.g. Google or Facebook), we will receive your contact information from the third-party service. If you are a Merchant or a representative of a Merchant, we may collect your professional contact information such as name, job title/role, company, and professional e-mail address from publicly available sources.
- Criminal data - Information about criminal activities or violations of our terms or agreements or suspicion of such activities.
- Redacted payment data – To provide secure payments, we use the well-renowned third-party payment service providers Stripe and Adyen in our check-out. As independent service providers, Stripe’s and Adyen’s Privacy Policies (respectively) applies to the payment. We do not process your credit card information, however we receive from the relevant payment service provider redacted payment information including card type, time stamps and information that the purchase is completed.
- User generated information – Automatically collected information through logs and cookies including IP-address, login information, time stamps, and location data based on your IP-address or your GPS on your mobile device.
- Geographic data – Location data from your unit e.g., collected via cookies.
- Information on how you use our Services – Automatically collected information on how often you use our Services and which restaurants you order from.
- Order information – Automatically collected information about your orders.
- Log data – Log data (e.g., in connection with your use of our mobile application or when you visit our website) and IP address.
- Information from other sites (with your consent) – Automatically collected browser data about what other sites and apps you visit. This data is only stored pseudonymized in aggregate form.
- Technical information about your device – Automatically collected technical information, including device-specific information, such as your hardware model, operating system version, unique device identifiers, language settings and mobile network information about your device.
‍
4. How and why do we use your personal data?
We may only use your data for informed reasons and where we have a legal basis to do so. The reasons for which we process your data are the following:
‍
Providing the Services ‍
To use the Services, you need to create a user account. We collect your contact information to create and verify your user account and for us to collect payment.
- Contact information
- Username
Your personal data is stored as long as you have a user account with us.
‍‍
Managing your order
We process your personal data to manage your orders that you place through our Website or the App, including the retrieval of your customer shopping basket, sending order confirmations, notifying the restaurant of your order, and managing complaints.
‍
- Contact information
- Order information
- Redacted payment data
- Username
Contract. This processing is necessary for your use of the Services and for us to fulfill our contractual obligations in the
Terms of Service for Users or
Terms of Service for Merchants, as applicable.
Legitimate interest. The processing to manage complaints is necessary to pursue our legitimate interest to be able to defend ourselves against any legal claims.
We store your information up to 36 months after the purchase has been made to manage any complaints. In the event of a dispute, we may store your data longer to the extent that it is required to protect our legal interests.
‍
Administration of payment and bookkeeping
We process your personal data to manage the payment of your purchase and for bookkeeping purposes.
- Contact information
- Order information
- Redacted payment data
Contract. This processing is necessary for your use of the Services and for us to fulfill our contractual obligations in the
Terms of Service for Users or
Terms of Service for Merchants, as applicable.
Legitimate interest. Some processing is necessary for us to fulfill our legal obligations under applicable bookkeeping laws.
Your personal data is stored up to seven years or according to general bookkeeping principles and applicable bookkeeping laws.
‍
Providing customer service‍
We use contact information and information from contact forms to respond to customer enquiries, diagnose problems in the App or in the Services and provide other customer care and support services.
- Contact information
- Information from contract form and surveys
We store the information up to twelve months after the customer service matter has been closed. In the event of a dispute, we may store the data longer to the extent that it is required to protect our legal interests.
‍
Providing an enhanced user experience‍
When ordering food, you may choose to filter food offerings based on your food preferences and can opt in to view food offerings near your location. For these purposes we process your food preferences and location data, respectively. You can also choose to activate push notices to receive offerings relevant to you.
- Food preferences
- Location data
- Data that identifies you
Consent. We process your personal data for these purposes only if you consent to it. You may at any time recall your consent for sharing food preferences by changing your filter options in the App or on the Website. You may change or update your data sharing and push notices in the App or through the settings on your mobile device.
Your personal data is stored as long as you have activated the settings.
‍
Sending newsletters
‍If you are a customer of ours, we may use your contact information and information on how you use our Services to send you updates over email about news we think might interest you, such as promotions or information about new service offerings. You may at any time choose to unsubscribe by using the “unsubscribe” instructions provided in each newsletter.
- Contact information
- Information on how you use our Services
Legitimate interest. This processing is based on our legitimate interest to update our customers of new features and promote our Services.
We process your personal data until you inform us that you no longer wish to receive newsletters or send outs from us.
‍
Promoting our Services
If you consent to marketing cookies and similar technologies on our Website or in our Apps, we may collect information from other sites to create user audiences for marketing purposes, to display targeted advertisements and to measure how users interact with our advertisement. This may include profiling and the use of machine learning and other techniques over your data and in some cases using third parties to do this. For more information regarding cookies, see section 5.
- User generated information
- Log data
- Information on how you use our Services
Consent. We process your personal data for these purposes only if you consent to it. You may at any time recall your consent or change your preferences through the “Cookie settings” link in the footer of the Website or through the settings on your mobile device.
Your personal data is stored for 1 year from the “date of creation”, i.e., 1 year from the logging event in question. Reports and statistics on an aggregated level (i.e., non-personal data) will be retained until further notice.
‍
Business operations
We use personal data to develop aggregated analysis and business intelligence that enable us to operate, protect, make informed decisions, and report on the performance of our business.
- User generated information
- Log data
- Information from other sites
- Technical information about your device
- Information on how you use our Services
Legitimate interest. The processing is necessary to fulfill our legitimate interest of monitoring our business operations.
Your personal data is stored for 2 years from the “date of creation”, i.e., 2 years from the logging event in question or from the date of your response in relation to surveys. Reports and statistics on an aggregated level (i.e., non-personal data) will be retained until further notice.
‍
Invoicing
If you are a Merchant or a representative of a Merchant that has entered into an agreement with us regarding our provision of the Services, we need to process your contact information for invoicing and accounting purposes.
Contract. This processing is necessary for the performance of contract between us and the legal entity that you represent.
The information is stored for 7 years for bookkeeping purposes.
‍
Contacting potential customers
We may advertise our Services and reach out to prospective merchant customers or representatives thereof to offer demos, quotes and more information on the Services.
Legitimate interest. This processing is based on our legitimate interest to market and grow our business. You may opt out of such communications by us at any time by unsubscribing from communications.
Your personal data is stored until up to 2 years. We will remove your data if you inform us that you no longer wish to receive newsletters or send outs from us.
‍
Security, safety and dispute handling
We use personal data to protect the security and safety of our Services, users, customers, the Apps and Website and to detect and prevent fraud.
-
User generated information
-
Log data
-
Contact information
Legitimate interest. This processing is necessary to serve our legitimate interest to protect our business and to defend ourselves from fraud.
Your personal data is stored up to 2 years from the suspicious activity.
‍
Establish, exercise, and defend legal claims‍
For the purpose of establishing, exercising, and defending legal claims (for example in connection with a dispute or legal process) we may process your personal data. We may process your personal identity number and/or coordination number if we deem this necessary to establish, exercise and defend out legal claims.
Contact details
Criminal data
Geographic data
Order information
User generated information
Log data
Information from contact forms or surveys
Username
Legitimate interest. This processing is necessary to serve our legitimate interest to protect our business and to defend ourselves from fraud, disputes, and claims.
Exemption for special categories of data. Special categories of personal data, including criminal data, are only processed to fulfil our legitimate interest of establishing, exercising or defending legal claims.
Your personal data is stored for as long as necessary to identify and respond to any suspected criminal activities or violations of our terms or agreements. Personal data for these purposes is not stored for longer than 10 years from the end of the investigation in question, or from when the legal process has ended.
‍
5. How do we use cookies?
Some of the personal data collected about you is obtained automatically from your device through the use of “cookies” or similar tracking technologies (hereinafter “cookies”) when you visit our Website. Cookies are small text files that are stored on your device and collect aggregate information about your device and how you use our Services, Apps and Website.
We use cookies to:
- Ensure the basic functionality of the Website
- Maintain the security of the Website
- Analyze the use of our Website and help us make it better
- Promote and market our Services
When you visit our Website, you will be requested to set your cookie preferences. You can choose to allow all cookies, including marketing and analytics cookies, or to only enable certain types of cookies. You may at any time withdraw your consent or change your preferences by clicking “cookie settings” in the footer.
‍
Categories of personal data
Information on how you use our Services
Information from other sites
Technical information
Legitimate interest. Some cookies are necessary for the Website to function as intended, and these will be installed automatically on your device based on our legitimate interest to provide you with a functioning and secure Website.
Consent. Cookies used for marketing and analytical purposes will only be installed if you consent to our use of such cookies when visiting our website (as part of selecting your cookies preferences).
For information regarding each cookie's retention period and specific purpose, please see
link.
‍
6. What about childrens’ personal data?
Children under the age of thirteen are not eligible to use our Services and we ask that such individuals do not submit any personal information to us or use the Services. Although visitors of all ages may navigate through the Websites or use our Apps, we do not knowingly collect or request personal information from those under the age of thirteen without parental consent. If, following a notification from a parent, guardian or discovery by other means, a child under thirteen has been improperly registered on our site by using false information, we will cancel the child’s account and delete the child’s personal information from our records. Other age restrictions may be set forth in the Terms for Service for Users from time to time.
‍
7. Who can access your personal data?
When necessary, we share your personal data with others. The recipient is the data controller for processing your personal data.
|
Merchants
|
To provide our Services, we share your name, and (if you include such) your Food Preferences to the Merchants.
If you opt in to follow merchants for exclusive deals & news, we may share your Food preferences, Contact information and how you use our Services to enable the Merchants to provide you with exclusive deals & news.
|
Legitimate interest. To fulfill our legitimate interest of being able to provide our Services to you.
Legitimate interest. To fulfill our legitimate interest to provide you with exclusive deals & news.
|
|
Authorities (e.g. the Police and the Swedish Tax Agency)
|
|
To fulfill potential legal obligations that we are subject to, e.g. in connection with requests from authorities or other legal requests.
|
|
Legal obligation. Processing is necessary to fulfill our legal obligations.
|
|
Authorities (including courts) and legal advisers
|
|
To exercise, establish or defend legal claims.
|
|
Legitimate interest. The processing is necessary to fulfill our legitimate interest of managing and defending legal claims, e.g., in relation to a dispute.
|
|
Buyers, vendors and external advisers/other involved parties
|
|
Take necessary actions in connection with selling all or part of our business or in connection with a merger or other investment.
|
|
Legitimate interest. To fulfill our legitimate interest of being able to sell all or part of our business or in connection with a merger or other investment.
|
‍‍
Service providers
To fulfill the purposes of the processing of your personal data, we transfer personal data to external parties such as service providers that we have engaged. These parties provide services within the areas of, inter alia, IT (such as data storage, support and management services) and finance (e.g., book-keeping systems). For example, we use suppliers to manage marketing, analytics, data storage, and web hosting on our behalf. For our partners to perform their services, it is sometimes necessary for us to share your data with them. These suppliers will act as our data processors and may only process your personal data in accordance with our instructions and not for their own purposes. We do not sell any personal data to partners or any other third parties.
‍
8. Third party links
The Website and/or Apps may contain links to other websites or applications that are owned and operated by third parties that are not affiliated with us. When you use those links, you leave the Website or Apps (as applicable) and we are unable to control how the owners of the websites or applications you link to handle any information they gather about you, including their privacy practices and use of cookies.
This Privacy Policy applies only to the Website and Apps and does not govern activities on linked websites or applications. We encourage you to review the privacy policy of any other website or application you visit, download or access to understand its owner’s practices on how it collects, uses and discloses your information.
‍
9. Appropriate safeguards for transfers of personal data outside the EU/EEA
Karma may use suppliers and third-party providers to process personal data in a matter which includes transfer of personal data to countries outside of the EU/EEA area (so called “third countries”). These transfers are necessary for providing our Services.
Transfers of personal data outside of the EU/EEA area will be processed/performed in accordance with applicable data privacy laws, including the GDPR. Such transfers either rely upon an adequacy decision from the European Commission or legal safeguards through the European Commission’s Standard Contractual Clauses (SSC’s) for transfer of personal data outside of the EU/EEA area, combined with supplementary technological and organizational protection measures including encryption and anonymization/pseudonymization.
Should you have any questions regarding Karma’s transfers of personal data to countries outside the EU/EEA area, please contact us by using the contact details provided at the end of this Privacy Policy. You are entitled to receive a copy of any documentation demonstrating that appropriate safeguards have been taken to protect your personal data during a transfer to a third country.
To learn more about third country transfers, please read here.
‍
10. For how long do we store your data?
We will retain your personal information for as long as we deem it necessary for the purposes described in Section 5 of this Privacy Policy.
For purposes of clarity, you are entitled to terminate your user account at any time, at what point all information connected to your account will either be deleted or anonymized. However, binding legal requirements or other legitimate reasons may require that we store certain information for various periods of time, and as such we may be unable to delete all information from our databases.
You can always alter the information you have submitted when creating your user account through the settings of your user account in the App or on the Website. We may alter, modify or delete any information you submit to the Website or through the App if we believe, in our sole discretion, it is in violation of our Terms of Service for Users or Terms of Service for Merchants, as applicable, otherwise against good taste.
‍
11. How do we keep your data secured?
While no system is completely secure, we take several precautionary measures to help prevent personal information about you from loss, theft, misuse and unauthorized access. Such measures include access control to physical locations and events logging in IT-systems, access restrictions to personal data, pseudonymization and encryption procedures and confidentiality routines.
‍
12. What are your rights?
Under applicable data privacy laws, you have certain rights in relation to the processing of your personal data. We process your personal data to the extent necessary to fulfill your rights. Please submit requests for exercising your rights by contacting us using the contact details set out below.
You have, under certain circumstances, the right to exercise the following rights:
‍
|
You may request confirmation whether personal data about you is processed by us and, if that is the case, access your personal data and additional information regarding the operation, such as the purposes of the processing. You are also entitled to receive a copy of the personal data undergoing processing.
|
|
You have the right to object to the processing of your personal data based on a legitimate interest for reasons which concern your particular situation. In such a situation, we will stop using your personal data where the processing is based on a legitimate interest, unless we can show that the interest overrides your privacy interest or that the use of your personal data is necessary to manage or defend legal claims.
|
|
You have the right to have inaccurate personal data concerning you rectified.
|
You may have your personal data erased under certain circumstances.
When your personal data is no longer needed for the purposes for which it was collected
- If you withdraw your consent for certain processing activities
- If you object to your personal data being processed for direct marketing
- If our processing of your personal data would be found to be unlawful
- If erasure is required in order to fulfill a legal obligation
|
|
You may ask us to restrict the processing of your personal data to only comprise storage of your personal data under certain circumstances, such as when the processing is unlawful, but you do not want your personal data erased, or for the period during which we investigate if the processing is unlawful or if the personal data is inaccurate.
|
|
You have the right to at any time withdraw your consent to the processing of personal data to the extent the processing is based on your consent.
|
|
You have the right to receive the personal data concerning you which you have provided to us, in a structured, commonly used, and machine-readable format and ask for the information to be transferred to another data controller (where possible).
|
‍
Click here to read more about the rights that you have in relation to the processing of your personal data.
If you have questions or complaints regarding our processing of your personal data, we kindly ask you to contact us over email at privacy@karma.life. You also have the right, at any time, to file a complaint to the Swedish Authority for Privacy Protection (IMY, https://www.imy.se), which is the supervisory authority for data protection matters in Sweden.
‍
13. Changes or updates to the Privacy Policy
Occasionally we may, in our discretion, make changes to our Privacy Policy, for example to reflect changes in the Services or regulatory requirements. When we update this Privacy Policy, we will revise the last update date.
If there are major changes to the Privacy Policy or in how we use your personal data, we will inform you either by posting a notice of such changes on our Website and in our Apps, prior to them taking place, or by directly sending you an email.
‍
14. How to contact us
If you have any questions about the use of your personal information, please send us an email to privacy@karma.life.
