Ingrid Privacy Policy

Our Privacy Policy was last updated on 13/10/2022.

In order for us to provide you with our services and support, we need to process your personal data. This privacy policy describes how we collect, use and retain your personal data, as well as which rights you have and how you can exercise those rights.

We use cookies and other similar technologies. Please refer to Section 8 below (Cookies) and visit our cookie policy for more information about the cookies and other similar technologies that we use.

We value your privacy. It is therefore very important to us that you understand this privacy policy and how and why we process your personal data.

1. Who is responsible for the personal data that we collect?

Our connected merchants

We may process your personal data in different situations. We provide a delivery experience platform to e-commerce companies/web shops which we have partnered with (we refer to them as our "connected merchants" below). For example, when you are in the process of purchasing a product from one of our connected merchants, the connected merchant will share some personal information about you so that we can ensure that your order will be fulfilled, tracked and shipped to you. Other examples are when we may assist our connected merchants with providing their customers (i.e. you) with personalized delivery options and extended tracking possibilities via our website https://www.ingrid.com/ (our "Website").

When you purchase a product from one of our connected merchants, we are in almost all cases not the data controller. The data controller will typically be the connected merchant who operates the web shop you have purchased the product from. We will, however, act as a data processor to the connected merchant. This means that we may receive and process your personal data, but solely subject to the connected merchant's instructions and for purposes that the connected merchant has determined. In other words, the merchant is responsible for your personal data that we process in this situation.

For more information about the processing of your personal data when we act as a data processor, please visit the connected merchant's website where you have purchased a product from and read their privacy policy or privacy notice.

We (Ingrid)

Please note that this privacy policy describes the processing activities undertaken by us in our capacity   as   data   controller   only.   A   data   controller   is   essentially   the   company   who   is responsible for your personal data. We have detailed the processing activities that we are responsible for below in Section 4 (For what purposes and on what legal grounds do we process your personal data?), but we have for your convenience below listed the main situations where we process your personal data:

1.2 The data controller for the activities listed above under "We (Ingrid)" is In-Grid AB, with registration number 556940-2661, and with address at Sveavägen 21, 111 34 Stockholm,Sweden. In this privacy policy we may refer to the data controller as "Ingrid", "we", "us" or"our".

2. What is personal data?

"Personal data" means any information relating to an identifiable natural person, for example a name, a personal registration number, an email address, location data or an online identifier.

"Processing " of personal data is a reference to what we do with your personal data, for example collection, use, structuring, storing and erasure of personal data.

3. What personal data do we collect?

You can read about the different categories of personal data that we collect from you in the table below. We have listed some examples of personal data in each category.

Category of personal data

Examples of personal data

Name and contact information

Your name, telephone number, email address, and sometimes company name and corporate registration number if you are acting on behalf of a company.

Shipping information

Your full shipping address, such as street address, apartment no., postal/zip code, city and country.

Device information

Your device type, operating system, IP address, language settings, country, browser settings and information about how you interact with our website and products/services.

Information provided in free text fields

Any information that you enter in free text fields (such as a message in a support request) will be processed by Ingrid. Please refrain from providing sensitive personal data.

4. For what purposes and on what legal grounds do we process your personal data?

We may process your personal data for different purposes, on the basis of different legal grounds and store your personal data for different periods of time. The processing activities we undertake also depend on whether you are acting in your capacity of a consumer (i.e. for your own purposes), or a natural person on behalf of a company (i.e. for business purposes).

We have made efforts to distinguish these activities from each other by providing information in two separate tables, one for consumers and one for business representatives. Please note that we have done this solely for your convenience. In practice, it is possible that processing activities in both tables may apply to your personal data. For this reason, we recommend that you read this section in full.

4.1 Consumer

Purpose

Category of personal data

Legal ground

Storage period

To improve your delivery experience by automatically populating the fields in our connected merchants' checkout flow with your information when you are in the process of purchasing products from our connected merchants.

Our legitimate interest (Article 6.1(f) GDPR).

The processing is necessary to provide the feature in our delivery experience platform, which we have determined overweighs your interest not to have your personal data processed for this purpose.

12 months

To respond to your questions or complaints, or otherwise tell you more about our business and our services when you contact us in general (including when you have reached out to us via social media such as Facebook, LinkedIn, Instagram and Twitter).

Our legitimate interest (Article 6.1(f) GDPR).

The processing is necessary to fulfill our legitimate interest in conducting our business and responding to your inquiry, which we have determined overweighs your interest not to have your personal data processed for this purpose.

3 months from our last communication.

To comply with a legal obligation, for example to provide information to public authorities where we are required to do so by law.

Compliance with legal obligations (Article 6.1(c) GDPR).

The processing is necessary to comply with our legal obligations.

For as long as we are required pursuant to applicable law, or otherwise in accordance with the storage periods set forth in this privacy policy (depending on which processing activity that is applicable).

4.2 Business

Purpose

Category of personal data

Legal ground

Storage period

To promote our services by sending direct marketing to you via email when you opt-in to receive direct marketing via our Website.

Your explicit consent (Article 6.1(a) GDPR).

The processing is necessary to provide you with the promotional material and/or information you have requested to receive.

Until you withdraw your consent to receive further direct marketing.

To provide you and your business with answers, consultation, insights and similar information, either in writing or during a scheduled meeting, when you book a demo on our Website.

Our legitimate interest (Article 6.1(f) GDPR).

The processing is necessary to fulfill our legitimate interest in establishing customer relationships and conducting our business, which we have determined overweighs your interest not to have your personal data processed for this purpose.

For the duration of the customer relationship.

For 12 months after our last communication if no customer relationship has been established.

To administer our customer relationship with the business you represent, including managing your user account, providing customer support via different channels (e.g. via our Website, via chat functions, by email or telephone, or during meetings), and documenting support matters.

Performance of contract (Article 6.1(b) GDPR).

The processing is necessary to fulfill our contractual obligations with the customer.

For the duration of the customer relationship.

To defend ourselves against any legal claim.

Our legitimate interest (Article 6.1(f) GDPR).

The processing is necessary to fulfill our legitimate interest in defending our business against legal claims, which we have determined overweighs your interest not to have your personal data processed for this purpose.

For as long as necessary pursuant to applicable law (for example statute of limitations), or otherwise in accordance with the storage periods set forth in this privacy policy (depending on the applicable processing activity).

5. How can you withdraw your consent?

You have the right to withdraw your consent at any time if our processing of your personal data is solely based on your explicit consent. Please note that if you withdraw your consent, this will not affect the legality of the processing that we have undertaken prior to you withdrawing your consent. If you would like to withdraw your consent, please send an email to privacy@ingrid.com. You can also contact us using the contact information below in Section13 (How to contact us).

6. Who do you share your personal data with?

We will always ensure that third parties can provide sufficient guarantees in protecting your personal data before we share any of your personal data. We have listed the categories of third parties with whom we may share your personal data below.

6.1 Public authorities

We may need to share your personal data to a public authority for the purpose of complying with applicable law. The legal ground is to comply with a legal obligation.

6.2 Mergers and acquisitions

We may need to share your personal data for the purpose of selling Ingrid, or all or parts ofIngrid's assets, to a potential buyer who wishes to acquire the same, or if we are otherwise subject to a merger with another company. The legal ground is our legitimate interest to complete such transactions, which we have determined overweighs your interest not to have your personal data processed for this purpose.

6.3 Suppliers and contractors

In order to provide, and for the sole purpose of providing, our services to you, we may need to share your personal data with certain carefully selected suppliers and contractors. Such suppliers and contractors could be consultants or providers of legal, technical and IT support/functionalities, and storage providers (such as cloud storage). They will only process your personal data based on our instructions to them, and we will always ensure that the necessary agreements (for example a so called data processing agreement) are in place to protect your personal data at all times. The legal ground is our legitimate interest in conducting our business by accessing these services and functionalities, which we have determined overweighs your interest not to have your personal data processed for this purpose.

6.4 Direct marketing

We use HubSpot's email marketing services to manage our direct marketing. If you opt-in to receive direct marketing via email from us, we will therefore share your email address withHubSpot Ireland Limited and HubSpot, Inc. The legal ground is your explicit consent to receiving direct marketing from us.

7. Where do we process your personal data?

As a main rule, we will process your personal data only within the European Union (EU) and the European Economic Area (EEA). In some situations, for example when the services and functionalities we need are provided outside of the EU/EEA, we may need to transfer your personal data outside of the EU/EEA.

Regardless of whether your personal data is processed within or outside the EU/EEA, we will at all times ensure that the same level of technical and organizational measures are in place to protect your personal data. Should we transfer your personal data outside of the EU/EEA, we will take additional appropriate measures to safeguard your personal data, which may as amain rule include one of the following measures.

In addition to one of the above measures, we will always seek to take any additional securitymeasures that we deem appropriate and necessary to safeguard your personal data at alltimes.

8. Cookies

We use cookies and other similar technologies on our Website and on our connected merchants' websites. Cookies are small files that are placed and stored on your web browser or device when you visit our Website and/or our connected merchants' websites.

When you visit our Website, these files store information that are used for, for example, functionality purposes to make it easier to use our Website.

When you visit our connected merchants' websites, these files store information about some of   your   personal   information   to   provide   you   with   a   fast   and   straight   forward   shopping experience, which includes auto-filling some of your information in the checkout when you are in the process of purchasing a product from one of our connected merchants.

For more information about the cookies that we use, please read our cookie policy here.

9. For how long do we store your personal data?

We will keep your personal data for as long as it is necessary in order for us to fulfill the purpose for which we collected your personal data. We have indicated the necessary storage periods in the table in Section 4 (For what purposes and on what legal grounds do we process your personal data?).

Please note, however, that Ingrid may be required to retain personal data for a longer period if we are required to do so pursuant to applicable law or a binding decision by a public authority or court of law. If that is the case, we will retain it for the period required under law or such decision.

10. How do we protect your personal data?

We take the protection of your personal data seriously. We have reasonably and appropriate technical and organizational measures in place in our business to ensure that your personal data is safeguarded and protected against loss, destruction, misuse, and unauthorized access and disclosure, at all times.

Our employees work under strict confidentiality and follow clear instructions on how to manage your personal data in accordance with applicable data protection laws and our own policies. We only grant employees access your personal data when it is necessary in order for them to perform their duties.

We continuously evaluate our security measures to remedy any vulnerabilities we may identify in an effort to make sure that your personal data is safe with us.

11. Your rights and how you can exercise them

You have rights with regard to your personal data. Please read this Section to understand them, as well as how you can exercise them. You are always welcome to contact us if you need more information about your rights. You can also read more about your rights on the Swedish Authority for Privacy Protection's website here.

11.1 Right to information

You have the right to be informed about how we process your personal data. We respect this right by being transparent with you in our communication, on our Website and by providing you with the information in this privacy policy.

11.2 Right of access

You have the right to obtain a confirmation from us as to whether or not we process your personal data. If we do process your personal data, you also have the right to obtain access to the personal data by requesting a copy showing which data we have about you, and how we use it. Please note that we may ask for additional information in order to identify you to ensure that personal data is disclosed to the correct individual.

11.3 Right to rectification

You have the right to request that we correct inaccurate information about you, as well as to complete any incomplete information.

11.4 Right of erasure

You sometimes have the right to request the erasure of personal data that concerns you. We are required to erase the personal data in question, for example if the personal data is no longer necessary in relation to the purposes for which the personal data was initially collected.
Please note that we are not obliged to delete your personal data if it is necessary to retain it to comply with legal obligations, or for the establishment, exercise or defense of legal claims.

11.4 Right of erasure

You sometimes have the right to request the erasure of personal data that concerns you. We are required to erase the personal data in question, for example if the personal data is no longer necessary in relation to the purposes for which the personal data was initially collected.
Please note that we are not obliged to delete your personal data if it is necessary to retain it to comply with legal obligations, or for the establishment, exercise or defense of legal claims.

11.4 Right of erasure

You sometimes have the right to request the erasure of personal data that concerns you. We are required to erase the personal data in question, for example if the personal data is no longer necessary in relation to the purposes for which the personal data was initially collected.
Please note that we are not obliged to delete your personal data if it is necessary to retain it to comply with legal obligations, or for the establishment, exercise or defence of legal claims.

11.5 Right to restriction of processing

You have the right to request that we restrict our processing of your personal if you for example believe that the information we have about you are inaccurate, our processing is unlawful, or we no longer need the information for the purposes they were collected.

11.6 Right to object

You have the right to object to our processing of your personal data if our processing is based on a legitimate interest. You always have the right to object to our processing of your personal data for direct marketing purposes.

11.7 Right to data portability

You have the right to request a copy of the personal data in a machine-readable format that concerns you and which we process to perform a contract or based on your consent. You can then have such personal data transmitted to a different data controller.

11.8 Right to withdraw your consent

You have the right to withdraw your consent. Please refer to Section 5 (How can you withdraw your consent?) for more information.

11.9 Right to lodge a complaint

If you have any complaints about the way in which we process your personal data, you are always welcome to reach out to us. You also have the right to lodge a complaint to a supervisory authority (such as the Swedish Authority for Privacy Protection) here.

12. Changes to this privacy policy

We reserve the right to introduce updates and make amendments to this privacy policy. This is necessary to ensure that we have the ability to constantly improve our services to you and to introduce new functionalities. We may also be required to make changes to the way in which we process your personal data pursuant to applicable law or a decision issued by a public authority or court of law. If we make any changes to this policy, we will update the "Last updated" date at the top of this policy, so please make sure to check in from time to time.

13. How to contact us

If you have any questions about the processing of your personal data, this privacy policy or if you have concerns regarding our processing of your personal data, please contact us using the following contact information:

In-grid AB
Sveavägen 21
111 34 Stockholm
Sweden
Email: privacy@ingrid.com
Website: https://www.ingrid.com/