Karmalicious AB ("we" or "us") is the provider of the Karma sales platform through which you can purchase take away food items from restaurants, cafés and bakeries (to name a few) and order food at restaurants (each food supplier is hereinafter called a "Merchant"). Basically, the Merchant provides the food and we provide a platform where you can purchase the food. You can both save surplus food at a discounted price and purchase regular food items through Karma. As a Merchant you can also offer food for sale through the Karma for Business application. The services are hereinafter referred to as the "Services".
In this privacy policy ("Privacy Policy") we describe the personal data we collect, how and why we use it, and what choices and rights you have regarding your personal data. This Privacy Policy applies when you use the mobile application Karma or Karma for Business (together, the "Apps"), visit our website www.karma.life (the "Website"), use our Services, subscribe to our newsletter or otherwise interact with us
Please take a moment to familiarize yourself with our privacy practices, accessible via the headings below, and contact us if you have any questions.
Unless otherwise stated, Karmalicious AB is the data controller for personal data we collect through the Services as described in this Privacy Policy. Our address is Karmalicious AB, Mailbox 163, 111 73, Stockholm, Sweden.
What data we collect about you depends on what Services you use and what data you choose to share with us. For the purposes described in the following section, we may collect and use the following types of data about you:
We may only use your data for informed reasons and where we have a legal basis to do so. The reasons for which we process your data are the following:
To use the Services, you need to create a user account. We collect your contact information to create and verify your user account and for us to collect payment.
Categories of Personal Data: Contact information, Username
Legal Basis: Contract. This processing is necessary for your use of the Services and for us to fulfill our contractual obligations in the Terms of Service for Users or Terms of Service for Merchants, as applicable.
Retention Period: Your personal data is stored as long as you have a user account with us.
We process your personal data to manage your orders that you place through our Website or the App, including the retrieval of your customer shopping basket, sending order confirmations, notifying the restaurant of your order, and managing complaints.
Categories of Personal Data: Contact information, Order information, Redacted payment data, Username
Legal Basis: Contract. This processing is necessary for your use of the Services and for us to fulfill our contractual obligations in the Terms of Service for Users or Terms of Service for Merchants, as applicable. Legitimate interest. The processing to manage complaints is necessary to pursue our legitimate interest to be able to defend ourselves against any legal claims.
Retention Period: We store your information up to 36 months after the purchase has been made to manage any complaints. In the event of a dispute, we may store your data longer to the extent that it is required to protect our legal interests.
We process your personal data to manage the payment of your purchase and for bookkeeping purposes.
Categories of Personal Data: Contact information, Order information, Redacted payment data
Legal Basis: Contract. This processing is necessary for your use of the Services and for us to fulfill our contractual obligations in the Terms of Service for Users or Terms of Service for Merchants, as applicable. Legitimate interest. Some processing is necessary for us to fulfill our legal obligations under applicable bookkeeping laws.
Retention Period: Your personal data is stored up to seven years or according to general bookkeeping principles and applicable bookkeeping laws.
We use contact information and information from contact forms to respond to customer enquiries, diagnose problems in the App or in the Services and provide other customer care and support services.
Categories of Personal Data: Contact information, Information from contract form and surveys
Legal Basis: Legitimate interest. This processing is necessary to fulfill our contractual obligations in the Terms of Service for Users or Terms of Service for Merchants, as applicable, or if you are not a user of the Services, to serve our legitimate interest to respond to customer queries.
Retention Period: We store the information up to twelve months after the customer service matter has been closed. In the event of a dispute, we may store the data longer to the extent that it is required to protect our legal interests.
When ordering food, you may choose to filter food offerings based on your food preferences and can opt in to view food offerings near your location. For these purposes we process your food preferences and location data, respectively. You can also choose to activate push notices to receive offerings relevant to you.
Categories of Personal Data: Food preferences, Location data, Data that identifies you
Legal Basis: Consent. We process your personal data for these purposes only if you consent to it. You may at any time recall your consent for sharing food preferences by changing your filter options in the App or on the Website. You may change or update your data sharing and push notices in the App or through the settings on your mobile device.
Retention Period: Your personal data is stored as long as you have activated the settings.
If you are a customer of ours, we may use your contact information and information on how you use our Services to send you updates over email about news we think might interest you, such as promotions or information about new service offerings. You may at any time choose to unsubscribe by using the "unsubscribe" instructions provided in each newsletter.
Categories of Personal Data: Contact information, Information on how you use our Services
Legal Basis: Legitimate interest. This processing is based on our legitimate interest to update our customers of new features and promote our Services.
Retention Period: We process your personal data until you inform us that you no longer wish to receive newsletters or send outs from us.
If you consent to marketing cookies and similar technologies on our Website or in our Apps, we may collect information from other sites to create user audiences for marketing purposes, to display targeted advertisements and to measure how users interact with our advertisement. This may include profiling and the use of machine learning and other techniques over your data and in some cases using third parties to do this. For more information regarding cookies, see section 5.
Categories of Personal Data: User generated information, Log data, Information on how you use our Services
Legal Basis: Consent. We process your personal data for these purposes only if you consent to it. You may at any time recall your consent or change your preferences through the "Cookie settings" link in the footer of the Website or through the settings on your mobile device.
Retention Period: Your personal data is stored for 1 year from the "date of creation", i.e., 1 year from the logging event in question. Reports and statistics on an aggregated level (i.e., non-personal data) will be retained until further notice.
We use personal data to develop aggregated analysis and business intelligence that enable us to operate, protect, make informed decisions, and report on the performance of our business.
Categories of Personal Data: User generated information, Log data, Information from other sites, Technical information about your device, Information on how you use our Services
Legal Basis: Legitimate interest. The processing is necessary to fulfill our legitimate interest of monitoring our business operations.
Retention Period: Your personal data is stored for 2 years from the "date of creation", i.e., 2 years from the logging event in question or from the date of your response in relation to surveys. Reports and statistics on an aggregated level (i.e., non-personal data) will be retained until further notice.
If you are a Merchant or a representative of a Merchant that has entered into an agreement with us regarding our provision of the Services, we need to process your contact information for invoicing and accounting purposes.
Categories of Personal Data: Contact information
Legal Basis: Contract. This processing is necessary for the performance of contract between us and the legal entity that you represent.
Retention Period: The information is stored for 7 years for bookkeeping purposes.
We may advertise our Services and reach out to prospective merchant customers or representatives thereof to offer demos, quotes and more information on the Services.
Categories of Personal Data: Contact information
Legal Basis: Legitimate interest. This processing is based on our legitimate interest to market and grow our business. You may opt out of such communications by us at any time by unsubscribing from communications.
Retention Period: Your personal data is stored until up to 2 years. We will remove your data if you inform us that you no longer wish to receive newsletters or send outs from us.
We use personal data to protect the security and safety of our Services, users, customers, the Apps and Website and to detect and prevent fraud.
Categories of Personal Data: User generated information, Log data, Contact information
Legal Basis: Legitimate interest. This processing is necessary to serve our legitimate interest to protect our business and to defend ourselves from fraud.
Retention Period: Your personal data is stored up to 2 years from the suspicious activity.
For the purpose of establishing, exercising, and defending legal claims (for example in connection with a dispute or legal process) we may process your personal data. We may process your personal identity number and/or coordination number if we deem this necessary to establish, exercise and defend out legal claims.
Categories of Personal Data: Contact details, Criminal data, Geographic data, Order information, User generated information, Log data, Information from contact forms or surveys, Username
Legal Basis: Legitimate interest. This processing is necessary to serve our legitimate interest to protect our business and to defend ourselves from fraud, disputes, and claims. Exemption for special categories of data. Special categories of personal data, including criminal data, are only processed to fulfil our legitimate interest of establishing, exercising or defending legal claims.
Retention Period: Your personal data is stored for as long as necessary to identify and respond to any suspected criminal activities or violations of our terms or agreements. Personal data for these purposes is not stored for longer than 10 years from the end of the investigation in question, or from when the legal process has ended.
Some of the personal data collected about you is obtained automatically from your device through the use of "cookies" or similar tracking technologies (hereinafter "cookies") when you visit our Website. Cookies are small text files that are stored on your device and collect aggregate information about your device and how you use our Services, Apps and Website.
We use cookies to:
When you visit our Website, you will be requested to set your cookie preferences. You can choose to allow all cookies, including marketing and analytics cookies, or to only enable certain types of cookies. You may at any time withdraw your consent or change your preferences by clicking "cookie settings" in the footer.
Categories of Personal Data: Information on how you use our Services, Information from other sites, Technical information
Legal Basis: Legitimate interest. Some cookies are necessary for the Website to function as intended, and these will be installed automatically on your device based on our legitimate interest to provide you with a functioning and secure Website. Consent. Cookies used for marketing and analytical purposes will only be installed if you consent to our use of such cookies when visiting our website (as part of selecting your cookies preferences).
Retention Period: For information regarding each cookie's retention period and specific purpose, please see link.
Children under the age of thirteen are not eligible to use our Services and we ask that such individuals do not submit any personal information to us or use the Services. Although visitors of all ages may navigate through the Websites or use our Apps, we do not knowingly collect or request personal information from those under the age of thirteen without parental consent. If, following a notification from a parent, guardian or discovery by other means, a child under thirteen has been improperly registered on our site by using false information, we will cancel the child's account and delete the child's personal information from our records. Other age restrictions may be set forth in the Terms for Service for Users from time to time.
When necessary, we share your personal data with others. The recipient is the data controller for processing your personal data.
| Recipients | Purpose(s) | Legal basis |
|---|---|---|
| Merchants | To provide our Services, we share your name, and (if you include such) your Food Preferences to the Merchants. If you opt in to follow merchants for exclusive deals & news, we may share your Food preferences, Contact information and how you use our Services to enable the Merchants to provide you with exclusive deals & news. | Legitimate interest. To fulfill our legitimate interest of being able to provide our Services to you. Legitimate interest. To fulfill our legitimate interest to provide you with exclusive deals & news. |
| Authorities (e.g. the Police and the Swedish Tax Agency) | To fulfill potential legal obligations that we are subject to, e.g. in connection with requests from authorities or other legal requests. | Legal obligation. Processing is necessary to fulfill our legal obligations. |
| Authorities (including courts) and legal advisers | To exercise, establish or defend legal claims. | Legitimate interest. The processing is necessary to fulfill our legitimate interest of managing and defending legal claims, e.g., in relation to a dispute. |
| Buyers, vendors and external advisers/other involved parties | Take necessary actions in connection with selling all or part of our business or in connection with a merger or other investment. | Legitimate interest. To fulfill our legitimate interest of being able to sell all or part of our business or in connection with a merger or other investment. |
To fulfill the purposes of the processing of your personal data, we transfer personal data to external parties such as service providers that we have engaged. These parties provide services within the areas of, inter alia, IT (such as data storage, support and management services) and finance (e.g., book-keeping systems). For example, we use suppliers to manage marketing, analytics, data storage, and web hosting on our behalf. For our partners to perform their services, it is sometimes necessary for us to share your data with them. These suppliers will act as our data processors and may only process your personal data in accordance with our instructions and not for their own purposes. We do not sell any personal data to partners or any other third parties.
The Website and/or Apps may contain links to other websites or applications that are owned and operated by third parties that are not affiliated with us. When you use those links, you leave the Website or Apps (as applicable) and we are unable to control how the owners of the websites or applications you link to handle any information they gather about you, including their privacy practices and use of cookies.
This Privacy Policy applies only to the Website and Apps and does not govern activities on linked websites or applications. We encourage you to review the privacy policy of any other website or application you visit, download or access to understand its owner's practices on how it collects, uses and discloses your information.
Karma may use suppliers and third-party providers to process personal data in a matter which includes transfer of personal data to countries outside of the EU/EEA area (so called "third countries"). These transfers are necessary for providing our Services.
Transfers of personal data outside of the EU/EEA area will be processed/performed in accordance with applicable data privacy laws, including the GDPR. Such transfers either rely upon an adequacy decision from the European Commission or legal safeguards through the European Commission's Standard Contractual Clauses (SSC's) for transfer of personal data outside of the EU/EEA area, combined with supplementary technological and organizational protection measures including encryption and anonymization/pseudonymization.
Should you have any questions regarding Karma's transfers of personal data to countries outside the EU/EEA area, please contact us by using the contact details provided at the end of this Privacy Policy. You are entitled to receive a copy of any documentation demonstrating that appropriate safeguards have been taken to protect your personal data during a transfer to a third country.
To learn more about third country transfers, please read here.
We will retain your personal information for as long as we deem it necessary for the purposes described in Section 5 of this Privacy Policy.
For purposes of clarity, you are entitled to terminate your user account at any time, at what point all information connected to your account will either be deleted or anonymized. However, binding legal requirements or other legitimate reasons may require that we store certain information for various periods of time, and as such we may be unable to delete all information from our databases.
You can always alter the information you have submitted when creating your user account through the settings of your user account in the App or on the Website. We may alter, modify or delete any information you submit to the Website or through the App if we believe, in our sole discretion, it is in violation of our Terms of Service for Users or Terms of Service for Merchants, as applicable, otherwise against good taste.
While no system is completely secure, we take several precautionary measures to help prevent personal information about you from loss, theft, misuse and unauthorized access. Such measures include access control to physical locations and events logging in IT-systems, access restrictions to personal data, pseudonymization and encryption procedures and confidentiality routines.
Under applicable data privacy laws, you have certain rights in relation to the processing of your personal data. We process your personal data to the extent necessary to fulfill your rights. Please submit requests for exercising your rights by contacting us using the contact details set out below.
You have, under certain circumstances, the right to exercise the following rights:
You may request confirmation whether personal data about you is processed by us and, if that is the case, access your personal data and additional information regarding the operation, such as the purposes of the processing. You are also entitled to receive a copy of the personal data undergoing processing.
You have the right to object to the processing of your personal data based on a legitimate interest for reasons which concern your particular situation. In such a situation, we will stop using your personal data where the processing is based on a legitimate interest, unless we can show that the interest overrides your privacy interest or that the use of your personal data is necessary to manage or defend legal claims.
You have the right to have inaccurate personal data concerning you rectified.
You may have your personal data erased under certain circumstances:
You may ask us to restrict the processing of your personal data to only comprise storage of your personal data under certain circumstances, such as when the processing is unlawful, but you do not want your personal data erased, or for the period during which we investigate if the processing is unlawful or if the personal data is inaccurate.
You have the right to at any time withdraw your consent to the processing of personal data to the extent the processing is based on your consent.
You have the right to receive the personal data concerning you which you have provided to us, in a structured, commonly used, and machine-readable format and ask for the information to be transferred to another data controller (where possible).
Click here to read more about the rights that you have in relation to the processing of your personal data.
If you have questions or complaints regarding our processing of your personal data, we kindly ask you to contact us over email at privacy@karma.life. You also have the right, at any time, to file a complaint to the Swedish Authority for Privacy Protection (IMY, https://www.imy.se), which is the supervisory authority for data protection matters in Sweden.
Occasionally we may, in our discretion, make changes to our Privacy Policy, for example to reflect changes in the Services or regulatory requirements. When we update this Privacy Policy, we will revise the last update date.
If there are major changes to the Privacy Policy or in how we use your personal data, we will inform you either by posting a notice of such changes on our Website and in our Apps, prior to them taking place, or by directly sending you an email.
If you have any questions about the use of your personal information, please send us an email to privacy@karma.life.
Karmalicious AB
Mailbox 163, 111 73, Stockholm, Sweden