Data Controller

For the personal data processing described in this policy, Evanoff Food AB (Holy Pop, VAT: SE 556894914201, address: Gårdsvägen 18, 169 70 Solna, Sweden, email: info@eatholypop.com) is the data controller. If you have any questions or concerns about this policy and/or our processing of your personal data, please feel free to contact us at info@eatholypop.com.

Your Rights

Regardless of the situation and the purpose for which we process your personal data, you always have the following rights:

• The right to access the data we process about you by requesting a so-called register extract.
• The right to request rectification (correction of incorrect data).
• The right to request erasure (removal of personal data that should no longer be processed).
• The right to request restriction (partial cessation of processing).
• The right to obtain the data we process about you in a structured, commonly used, and machine-readable format if you want to transfer it to another entity (so-called data portability).

If we process your personal data based on consent, you also have the right to withdraw your consent at any time, free of charge. If you wish to exercise any of these rights, you can do so most easily by contacting us at info@eatholypop.com.

Complaints

If you have complaints about our processing of your personal data, you have the right to lodge a complaint with the supervisory authority, the Data Inspection Board (Email: datainspektionen@datainspektionen.se, Phone: 08-657 61 00, Website: www.datainspektionen.se).

Customer Matters

1. What Personal Data Do We Process?

When you contact us via email, phone, letter, or through our website (contact form, complaint form), you provide personal data such as name, email address, phone number, and address. Additionally, the information you provide in connection with your inquiry may contain personal data, e.g., possible allergies or health information related to a potential damage case. If your question concerns allergies and you voluntarily indicate that you are allergic, it means that you provide us with sensitive personal data.

1. Why Do We Process Your Personal Data?

We process your personal data to be able to receive your inquiry/complaint/feedback and respond to you. To assist you, we need to know who to contact and how to contact you. If your case involves compensation due to a defect in a product, we need to process your contact information to pay any compensation to you.

If you have suffered damage (e.g., dental damage or other damage cases) due to our products, we process your personal data to investigate whether we should compensate for this damage or not. This work may involve sensitive personal data about your health.

If your question concerns allergies and you indicate that you are allergic, it means that you provide us with sensitive personal data. We do not need to process this information, but when you notify us, it means we process it. We will not save this information in any way but only respond to your question. There is no other purpose for processing such information than to provide you with a response and service.

2. Legal Basis

When we initially receive your inquiry/comment (the “message”), we process the personal data contained in the message based on a balance of interests. We assess that we have a legitimate interest in being able to respond to your question and provide the service you request. We assess that our legitimate interest in this case outweighs your interest in protecting your personal data, as it is you who have actively started a dialogue with us. If your case involves compensation due to a defect in a product or compensation due to damage caused by our products, the processing of personal data – including processing sensitive data in these cases – is supported by the legal obligations we have under the Product Liability Act.

3. How Long Do We Process Your Personal Data?

We process your personal data for the time necessary to respond to your question and/or assist you with your case – this includes paying compensation for defective products. Your personal data will be deleted if we have not had a dialogue with you within six months from the last communication. If you provide information about your allergies in connection with a question, this information will never be saved – sensitive data is deleted immediately after we have responded to your question.

Data processed to investigate a damage case under the Product Liability Act is processed for up to three years after compensation was paid or not, as you have the right to take legal action within this period.

4. Who Do We Share Your Personal Data With?

We share your personal data with the IT services we use to provide the contact forms and the email tool we use. If your case concerns an occurred damage, we share your personal data with our insurance company that will investigate the incident. We do not share your personal data with any other third party unless we are required to do so by law. We will never sell your personal data to third parties for direct marketing, and we will not transfer your personal data to countries outside the EU/EES or the USA.

When You Email or Contact Us via Social Media

1. What Personal Data Do We Process?

When you contact any of our employees via email, you provide your email address, name, and possibly other personal data that your email contains. If you leave comments, like posts, etc., via Holy Pop’s Instagram and TikTok profiles, you provide personal data in the form of a name and possibly other personal data depending on what your post/comment contains.

2. Why Do We Process Your Personal Data?

We process your personal data to respond to your email and/or comment/activity on social media. If your contact with us is based on one of the services we offer or relates to any part described in sections 1-6, we will process your email, post, comment, etc., in accordance with the legal bases described above.

3. Legal Basis

If your question/comment/post, etc., cannot be attributed to any of the above-described conditions (sections 1-6), we process your personal data based on a balance of interests where we have a legitimate interest in responding to and addressing your questions/comments, etc. As you have contacted us, we find that it is not a processing you cannot foresee. We, therefore, assess that our legitimate interest outweighs your interest in protecting personal data.

4. How Long Do We Process Your Personal Data?

If your contact with us concerns a condition described above, we will process your personal data according to the storage criteria specified there. If it is a general question to us without being related to any existing customer relationship and/or case, we will stop processing your personal data once we have answered your question. To facilitate any follow-up questions, we will naturally wait for possible follow-up questions before stopping the processing of your personal data for this purpose.

5. Who Do We Share Your Personal Data With?

We use different IT providers to ensure that our systems, such as our mailboxes, function and are saved. Therefore, your personal data is naturally shared with these providers. However, they cannot use your personal data – they are only to keep the IT services available to us. If you communicate with us via our social media channels, it means that the social media channel also has access to your personal data according to the terms you accepted when you created an account with them. In some cases, these entities may be located outside the EU/EES. We do not share your personal data with any other third party unless we are required to do so by law. We will not sell your personal data to third parties for direct marketing.

For Customers and Suppliers

1. What Personal Data Do We Process?

As a customer or supplier to us, we process personal data about those who are the contact person for the organization. This means that the contact person’s personal data, such as name, email address, phone number, and place of work, are processed by us. When we refer to “your personal data” below, we mean you as the contact person for the organization we work with in various ways.

2. Why Do We Process Your Personal Data?

We need to process your personal data to communicate with the companies and suppliers we have various agreements with to fulfill the obligations we have undertaken according to the agreement. This means that we need to process your personal data, for example, to send you the goods you have ordered, receive and record payments. Furthermore, we process your contact details to send marketing, invitations to events, news, etc., to you as the contact person for the company/organization we work with.

3. Legal Basis

The personal data processing that takes place to fulfill the obligations and commitments we have under the agreement with you as a customer or supplier is based on the contract as the legal basis. This basis supports such processing that takes place before, during, and after the contract period.

The personal data processing that takes place to send marketing, invitations, news, etc., to you is based on a balance of interests. We have assessed that we have a legitimate interest in sending this information to you as the contact person for the customer/supplier with whom we have an ongoing customer relationship. This is because we believe that it is of interest to you and the company you represent. We assess that our legitimate interest in this context outweighs your interest in protecting personal data because we have an existing customer relationship with the company you represent.

4. How Long Do We Process Your Personal Data?

We process your personal data as long as the company/organization you are the contact person for has an active contractual relationship with us. We review our data once a year to ensure that only current personal data is processed. If you for any reason cease to be the contact person for our contracting party, we will stop processing your personal data as soon as we become aware of it.

If your personal data (e.g., name) appears in our accounting materials, your personal data – even though we do not have an agreement with the company you are the contact person for or you are no longer the contact person for the contracting party – will continue to be processed by us. This is because we must retain accounting materials for up to seven years after the end of the financial year due to accounting legal obligations. The personal data processing supported by a balance of interests continues for up to one year after our last customer contact with you. Thereafter, the processing ceases.

5. Who Do We Share Your Personal Data With?

Your personal data will be shared with the IT solutions we use to manage customer/supplier agreements, handle orders, handle payments and accounting, and the mailing tool we use to communicate marketing, news, events, etc. Your personal data may also be shared within the group we are part of.

We do not share your personal data with any other third party unless we are required to do so by law. We will never sell your personal data to third parties for direct marketing, and we will not transfer your personal data to countries outside the EU/EES or the USA.

PR Activities to Professionals

1. What Personal Data Do We Process?

If you are a journalist, influencer, or in a similar professional role, we process your contact information when we are in contact with you. Your contact information often constitutes personal data. Usually, we have received your personal data through your consent, or we have collected your contact information from third parties based on a balance of interests. In some cases, you have provided your personal data to us with a desire to receive our PR mailings, for example, in connection with fairs, events, etc. In these contexts, you may also provide other personal data such as personal taste preferences – in such cases, we limit the mailings to these preferences.

2. Why Do We Process Your Personal Data?

We process your personal data to send information to inform about new products, provide inspiration on how Holy Pop’s products can be used seasonally, and possibly send samples to you. This is done for PR purposes. You may also receive invitations to various events, etc.

3. Legal Basis

When we purchase addresses to send information about our business for PR purposes, this is based on a legitimate interest. We assess that you – based on your profession – are interested in receiving this information from us. We assess that your interest in protecting your personal data in this context does not outweigh our legitimate interest.

If you continuously wish to receive PR mailings from us and want to be included in our mailing lists, we will request your consent to process your personal data in that way. In such cases, we base the processing on your consent, which you can withdraw at any time free of charge by emailing info@eatholypop.com.

If you have contacted us without any prior communication from us, we process your personal data based on consent. You can withdraw your consent at any time free of charge by emailing info@eatholypop.com.

4. How Long Do We Process Your Personal Data?

If we have received your personal data from purchased registers, we process your personal data for up to 24 months from the purchase date. If you do not wish to receive any more mailings from us, you are welcome to contact us by emailing info@eatholypop.com or by following the link in the mailing. If you have given your consent to continuously receive PR mailings, we process your personal data as long as we have valid consent from you. If you wish to withdraw your consent, you can do so by emailing info@eatholypop.com.

5. Who Do We Share Your Personal Data With?

We share your personal data with the service we use to make the various mailings. We do not share your personal data with any other third party unless we are required to do so by law. We will never sell your personal data to third parties for direct marketing, and we will not transfer your personal data to countries outside the EU/EES or the USA.

Processing of Personal Data When You Use Our Website

1. What Personal Data Do We Process?

We use various technologies (through so-called cookies) that collect information about you when you visit our website. In some cases, the information constitutes personal data (e.g., IP address, marital status, age, whether you have children, etc.). Cookies are a small text file sent from a web server to a browser. Through the text file, the website can collect both personal data and non-personal data. This policy addresses the use of cookies that collect personal data about you. Holy Pop’s other use of cookies is described here. If you do not want cookies to be saved, you can turn off the function in your browser.

2. Purpose and Legal Basis

We process your personal data (through cookies) to tailor our communication and make it more relevant to you, to analyze and follow up on statistics, campaign statistics, and analyze interaction on our website to streamline and improve our business. We base this processing on a balance of interests, assessing that we have a legitimate interest in conducting market and customer analysis, method and business development, and collecting statistical data and making our marketing as relevant as possible for you. As you have visited our website and accepted the use of cookies, we assess that your interest in protecting your personal data in this context does not outweigh our legitimate interest.

3. How Long Do We Process Your Personal Data?

Your personal data is processed for up to 12 months from the date of collection, after which the data is deleted.

4. Who Do We Share Your Personal Data With?

Your personal data is shared with the data processor agreements we use to host our website. The data is also shared with various entities that provide marketing tools, such as Facebook and Google.