Privacy policy

(A) This Notice

Summary – This Notice

This Notice explains how we Process Personal Data. This Notice may be amended or updated from time to time, so please check it regularly for updates.

This Notice is issued by the Controller entity listed in Section P below (“Aroma360®”, “we”, “us” and “our”) and is addressed to individuals outside our organization with whom we interact, including customers, visitors to our Sites, users of our Apps, other users of our products or services, personnel of corporate customers and vendors, applicants for employment, and visitors to our premises (together, “you”). Defined terms used in this Notice are explained in Section (X) below.

This Notice may be amended or updated from time to time to reflect changes in our practices with respect to the Processing of Personal Data, or changes in applicable law. We encourage you to read this Notice carefully, and to regularly check this page to review any changes we might make in accordance with the terms of this Notice.

This Notice was last updated on January 1, 2024.

(B) Collection of Personal Data

Summary – Collection of Personal Data

We collect or obtain Personal Data: when those data are provided to us (e.g., where you contact us); in the course of our relationship with you (e.g., if you make a purchase); when you make Personal Data public (e.g., if you make a public post about us on social media); when you download, install, or use any of our Apps; when you visit our Sites; when you register to use any of our Sites, Apps, products, or services; or when you interact with any third party content or advertising on a Site or in an App. We may also receive Personal Data about you from third parties (e.g., law enforcement authorities).

 

Collection of Personal Data: We collect or obtain Personal Data about you from the following sources:

  • Data you provide to us: We may obtain Personal Data when those data are provided to us (e.g., where you contact us via email or telephone, or by any other means, or when you provide us with your business card, or when you submit a job application) or data provided to us by a distributor through whom you have acquired any Aroma360® products or services.
  • Data we obtain in person: We may obtain Personal Data during meetings, at trade shows, during visits from sales or marketing representatives, or at events we attend.
  • Collaborations: We may obtain Personal Data when you collaborate with us in research or in an advisory/consultancy capacity.
  • Relationship data: We may collect or obtain Personal Data in the ordinary course of our relationship with you (e.g., we provide a service to you, or to your employer).
  • Data you make public: We may collect or obtain Personal Data that you manifestly choose to make public, including via social media (e.g., we may collect information from your social media profile(s), if you make a public post about us).
  • App data: We may collect or obtain Personal Data when you download or use any of our Apps.
  • Site data: We may collect or obtain Personal Data when you visit any of our Sites or use any features or resources available on or through a Site.
  • Registration: We may collect or obtain Personal Data when you use, or register to use, any of our Sites, Apps, products, or services.
  • Content and advertising information: If you interact with any third party content or advertising on a Site or in an App (including third party plugins and cookies), we may receive Personal Data from the relevant third party provider of that content or advertising. For more information, please see our Cookie and Pixel Policy.
  • Third party information: We may collect or obtain Personal Data from third parties who provide it to us (e.g., business partners including advertising/marketing partners, data providers such as information/database services and/or data suppliers, information credit reference agencies; law enforcement authorities; etc.). Should you log in to the Sites through a third-party service or platform (e.g., Facebook, Google, etc.) or if you should connect your account on the third-party service or platform to your account through the Sites, we may collect information from that network, service, or platform. You may also be requested to provide us with additional information through the third-party service, such as a list of your contacts and connections, as well as your email address, which you may decline to accept at your own discretion. To learn more about your privacy choices, please refer to Section X below.


(C) Creation of Personal Data


Summary – Creation of Personal Data

We create Personal Data about you (e.g., records of your interactions with us).

 

We also create Personal Data about you in certain circumstances, such as records of your interactions with us. We may also combine Personal Data from any of our Sites, Apps, products, or services, including where those data are collected from different devices or sources.


(D) Categories of Personal Data we Process


Summary – Categories of Personal Data we Process

We Process: your personal details (e.g., your name); your contact details (e.g., your address); records of surveys or testing in which you have participated; demographic data (e.g., your age); visitor logs for our premises; records of your consents; payment details (e.g., your billing address); information about our Sites and Apps (e.g., the type of device you use); details of your employer (where relevant); information about your interactions with our content or advertising; and any views or opinions you provide to us.

 

We Process the following categories of Personal Data about you:

  • Personal details: given name(s); preferred name; and photograph.
  • Contact details: correspondence address; shipping address; telephone number; email address; details of Personal Assistants, where applicable; messenger app details; online messaging details; and social media details.
  • Correspondence: records and copies of your correspondence if you contact us.
  • Demographic information: gender; date of birth / age; nationality; salutation; title; and language preferences.
  • Visitor logs: records of visits to our premises.
  • Consent records: records of any consents you have given, together with the date and time, means of consent, and any related information (e.g., the subject matter of the consent).
  • Purchase details: records of purchases and prices; and consignee name, address, contact telephone number and email address.
  • Payment details: invoice records; payment records; billing address; payment method; bank account number or credit card number; cardholder or accountholder name; card or account security details; card ‘valid from’ date; card expiry date; BACS details; SWIFT details; IBAN details; payment amount; payment date; and records of cheques.
  • Data relating to hardware, Sites, and Apps: operational and diagnostic data relating to Aroma360® hardware; device type; operating system; browser type; browser settings; IP address; language settings; dates and times of connecting to a Site; App usage statistics; App settings; dates and times of connecting to an App; location data; and other technical communications information (some of which may constitute Personal Data); registration details; username; password; security login details; usage data; and aggregate statistical information.
  • Employer details: where you interact with us in your capacity as an employee of a third party; and the name, address, telephone number and email address of your employer, to the extent relevant.
  • Content and advertising data: records of your interactions with our online advertising and content, records of advertising and content displayed on pages or App screens displayed to you, and any interaction you may have had with such content or advertising (e.g., mouse hover, mouse clicks, any forms you complete in whole or in part) and any touchscreen interactions.
  • Cookie data: we collect information via cookies and similar technologies. For more information, please see our Cookie and Pixel Policy.
  • Security information: your password(s); login attempt details; security settings; and other security-related information.
  • Views and opinions: any views and opinions that you choose to send to us, or publicly post about us on social media platforms.


(E) Sensitive Personal Data


Summary – Sensitive Personal Data

We do not seek to collect or otherwise Process Sensitive Personal Data. Where we need to Process Sensitive Personal Data for a legitimate purpose, we do so in accordance with applicable law.


We do not seek to collect or otherwise Process Sensitive Personal Data in the ordinary course of our business. Where it becomes necessary to Process your Sensitive Personal Data for any reason, we rely on one of the following legal bases:

  • Compliance with applicable law: We may Process your Sensitive Personal Data where the Processing is required or permitted by applicable law (e.g., to comply with our diversity reporting obligations);
  • Detection and prevention of crime: We may Process your Sensitive Personal Data where the Processing is necessary for the detection or prevention of crime (e.g., the prevention of fraud);
  • Establishment, exercise or defence of legal claims: We may Process your Sensitive Personal Data where the Processing is necessary for the establishment, exercise or defence of legal claims; or
  • Consent: We may Process your Sensitive Personal Data where we have, in accordance with applicable law, obtained your express consent prior to Processing your Sensitive Personal Data (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).


Unless we specifically request it, we ask that you not provide us with any sensitive personal information (e.g., information related to racial or ethnic origin, political opinions, religion or other beliefs, health, biometrics or genetic characteristics, criminal background, or trade union membership).

If you provide Sensitive Personal Data to us, you must ensure that it is lawful for you to disclose such data to us, and you must ensure a valid legal basis applies to the Processing of those Sensitive Personal Data.


(F) Purposes of Processing and legal bases for Processing


Summary – Purposes of Processing and legal bases for Processing

We Process Personal Data for the following purposes: providing our Sites, Apps, products, and services to you; operating our business; communicating with you; managing our IT systems; health and safety; financial management; conducting surveys; ensuring the security of our premises and systems; conducting investigations where necessary; compliance with applicable law; improving our Sites, Apps, products, and services; fraud prevention; establishment, exercise and defence of legal claims; and recruitment and job applications.


The purposes for which we Process the categories of Personal Data identified in Section (D) above, subject to applicable law, and the legal bases on which we perform such Processing, are as follows:


  • Provision of Sites, Apps, products, and services: providing our Sites, Apps, products, or services; providing promotional items upon request; and communicating with you in relation to those Sites, Apps, products, or services.

    Categories of Personal Data: Personal details; Contact details; Correspondence; Demographic information; Consent records; Purchase details; Payment details; Data relating to hardware, Sites, and Apps; Employer details; Content and advertising data; Cookie data; Security information; Views and opinions.

    Legal basis for Processing:
      · The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or
      · We have a legitimate interest in carrying out the Processing for the purpose of providing our Sites, Apps, products, or services (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
      · We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

  • Direct Marketing: If you are an existing client of Aroma360® (e.g., you have previously placed an order with us), we may send marketing communications about Aroma360® services or products, unless prohibited by applicable law (or unless you have opted out).

    Categories of Personal Data: Personal details; Contact details; Correspondence; Demographic information; Consent records; Purchase details; Payment details; Data relating to hardware, Sites, and Apps; Employer details; Content and advertising data; Cookie data; Security information; Views and opinions.

    Legal basis for Processing:
      · The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or
      · We have a legitimate interest in carrying out the Processing for the purpose of providing our Sites, Apps, products, or services (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
      · We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

  • Operating our business: operating and managing our Sites, our Apps, our products, and our services; providing content to you; displaying advertising and other information to you; communicating and interacting with you via our Sites, our Apps, our products, or our services; and notifying you of changes to any of our Sites, our Apps, our products, or our services.

    Categories of Personal Data: Personal details; Contact details; Correspondence; Consent records; Payment details; Data relating to hardware, Sites, and Apps; Content and advertising data; Cookie data; Security information; Views and opinions.

    Legal basis for Processing:
      · The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or
      · We have a legitimate interest in carrying out the Processing for the purpose of operating our business (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
      · We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

  • Planning: organisational planning; succession planning; making changes to the nature and scope of our operations or our business; mergers, acquisitions, dissolutions, demergers, liquidations, asset sales, divestitures, reorganisations and similar corporate structuring arrangements.

    Categories of Personal Data: Personal details; Contact details; Professional details; Demographic information; Data relating to hardware, Sites, and Apps; Employer details; Content and advertising data; Views and opinions.

    Legal basis for Processing:
      · We have a legitimate interest in carrying out the Processing for the purpose of planning the future operation of our operations or our business (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).

  • Communications and marketing: communicating with you via any means (including via email, telephone, text message, social media, post or in person) to provide news items and other information in which you may be interested, subject always to obtaining your prior opt-in consent to the extent required under applicable law; personalising our Sites, products and services for you; maintaining and updating your contact information where appropriate; obtaining your prior, opt-in consent where required; enabling and recording your choice to opt-out or unsubscribe, where applicable.

    Categories of Personal Data: Personal details; Contact details; Correspondence; Survey and testing data; Demographic information; Consent records; Data relating to hardware, Sites, and Apps; Content and advertising data; Cookie data; Views and opinions.

    Legal basis for Processing:
      · The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or
      · We have a legitimate interest in carrying out the Processing for the purpose of contacting you, subject always to compliance with applicable law (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
      · We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

  • Product safety communications: communications in relation to product safety, including product recalls and product safety advisory notices.

    Categories of Personal Data: Personal details; Contact details; Payment details.

    Legal basis for Processing:
      · The Processing is necessary for compliance with a legal obligation; or
      · We have a legitimate interest in carrying out the Processing for the purpose of ensuring the safety, and proper use, of our products (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).

  • Management of IT systems: management and operation of our communications, IT and security systems; and audits (including security audits) and monitoring of such systems.

    Categories of Personal Data: Personal details; Contact details; Professional details; Survey and testing data; Demographic information; Consent records; Payment details; Data relating to hardware, Sites, and Apps; Employer details; Content and advertising data; Cookie data; Security information; Views and opinions.

    Legal basis for Processing:
      · The Processing is necessary for compliance with a legal obligation; or
      · We have a legitimate interest in carrying out the Processing for the purpose of managing and maintaining our communications and IT systems (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).

  • Health and safety: health and safety assessments and record keeping; providing a safe and secure environment at our premises; and compliance with related legal obligations.

    Categories of Personal Data: Personal details; Contact details; Correspondence; Visitor logs.

    Legal basis for Processing:
      · The Processing is necessary for compliance with a legal obligation; or
      · We have a legitimate interest in carrying out the Processing for the purpose of ensuring a safe environment at our premises (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
      · The Processing is necessary to protect the vital interests of any individual.

  • Financial management: sales; finance; corporate audit; and vendor management.

    Categories of Personal Data: Personal details; Contact details; Payment details.

    Legal basis for Processing:
      · We have a legitimate interest in carrying out the Processing for the purpose of managing and operating the financial affairs of our business (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
      · We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

  • Surveys: engaging with you for the purposes of obtaining your views on our Sites, our Apps, our products, or our services.

    Categories of Personal Data: Personal details; Contact details; Correspondence; Survey and testing data; Consent records; Views and opinions.

    Legal basis for Processing:
      · We have a legitimate interest in carrying out the Processing for the purpose of conducting surveys, satisfaction reports and market research (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
      · We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

  • Security: physical security of our premises (including records of visits to our premises); CCTV recordings; and electronic security (including login records and access details).

    Categories of Personal Data: Personal details; Contact details; Visitor logs.

    Legal basis for Processing:
      · The Processing is necessary for compliance with a legal obligation; or
      · We have a legitimate interest in carrying out the Processing for the purpose of ensuring the physical and electronic security of our business and our premises (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).

  • Investigations: detecting, investigating and preventing breaches of policy, and criminal offences, in accordance with applicable law.

    Categories of Personal Data: Each category of Personal Data identified in Section (D) above, to the extent necessary in the context of the relevant legal obligation or regulatory requirements or guidance.

    Legal basis for Processing:
      · The Processing is necessary for compliance with a legal obligation; or
      · We have a legitimate interest in carrying out the Processing for the purpose of detecting, and protecting against, breaches of our policies and applicable laws (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).

  • Legal compliance: compliance with our legal and regulatory obligations under applicable law.

    Categories of Personal Data: Each category of Personal Data identified in Section (D) above, to the extent necessary in the context of the relevant legal obligation or regulatory requirements or guidance.

    Legal basis for Processing:
      · The Processing is necessary for compliance with a legal obligation, where applicable; or
      · We have a legitimate interest in carrying out the Processing for the purpose of compliance with regulatory requirements or guidance (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).

  • Improving our Sites, Apps, products, and services: identifying issues with our Sites, our Apps, our products, or our services; planning improvements to our Sites, our Apps, our products, or our services; and creating new Sites, Apps, products, or services.

    Categories of Personal Data: Personal details; Contact details; Correspondence; Survey and testing data; Demographic information; Consent records; Data relating to hardware, Sites, and Apps; Content and advertising data; Views and opinions.

    Legal basis for Processing:
      · We have a legitimate interest in carrying out the Processing for the purpose of improving our Sites, our Apps, our products, or our services (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
      · We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

  • Fraud prevention: Detecting, preventing and investigating fraud.

    Categories of Personal Data: Each category of Personal Data identified in Section (D) above, to the extent necessary in the context of the relevant fraud detection, prevention or investigation activities.

    Legal basis for Processing:
      · The Processing is necessary for compliance with a legal obligation (especially in respect of applicable employment law); or
      · We have a legitimate interest in carrying out the Processing for the purpose of detecting, and protecting against, fraud (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).

  • Establishment, exercise and defence of legal claims: management of legal claims; establishment of facts and claims, including collection, review and production of documents, facts, evidence and witness statements; exercise and defence of legal rights and claims, including formal legal proceedings.

    Categories of Personal Data: Each category of Personal Data identified in Section (D) above, to the extent necessary in the context of the relevant legal obligation or regulatory requirements or guidance.

    Legal basis for Processing:
      · The Processing is necessary for compliance with a legal obligation;
      · We have a legitimate interest in carrying out the Processing for the purpose of establishing, exercising or defending our legal rights (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
      · The Processing is necessary for the establishment, exercise or defence of legal claims.

  • Recruitment and job applications: recruitment activities; advertising of positions; interview activities; analysis of suitability for the relevant position; records of hiring decisions; offer details; and acceptance details.

    Categories of Personal Data: Personal details; Contact details; Correspondence; Professional details; Survey and testing data; Demographic information; Visitor logs; Consent records; Data relating to hardware, Sites, and Apps; Employer details; Content and advertising data; Views and opinions.

    Legal basis for Processing:
      · The Processing is necessary for compliance with a legal obligation (especially in respect of applicable employment law); or
      · We have a legitimate interest in carrying out the Processing for the purpose of recruitment activities and handling job applications (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
      · We have obtained your prior consent to the Processing (e.g., where this is necessary for the purposes of criminal records checks, in accordance with applicable law).


(G) Disclosure of Personal Data to third parties


Summary – Disclosure of Personal Data to third parties

We may disclose Personal Data to: our subsidiaries and affiliates; third-party service providers; third-party platforms; legal and regulatory authorities; our external advisors; our Processors; any party as necessary in connection with legal proceedings; any party as necessary for investigating, detecting or preventing criminal offences; any purchaser of our business; the public (when you disclose information for public use, e.g., via a product review); and any third party providers of advertising, plugins or content used on our Sites or our Apps.


We disclose Personal Data to other entities within the Aroma360® group, for legitimate business purposes and the operation of our Sites, Apps, products, or services to you, in accordance with applicable law. In addition, we disclose Personal Data to:

  • you and, where appropriate, your appointed representatives;
  • third party distributors through whom you acquire any of our products or services;
  • accountants, auditors, consultants, lawyers and other outside professional advisors to Aroma360®, subject to binding contractual obligations of confidentiality;
  • third party Processors (such as payment services providers; shipping companies; etc.), located anywhere in the world, subject to the requirements noted below in this Section (G);
  • the public, when you disclose personal information for public use (e.g., your username may be displayed along with a product review);
  • any relevant party, regulatory body, governmental authority, law enforcement agency or court, to the extent necessary for the establishment, exercise or defence of legal claims;
  • any relevant party, regulatory body, governmental authority, law enforcement agency or court, for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties;
  • any relevant third party acquirer(s) or successor(s) in title, in the event that we sell or transfer all or any relevant portion of our business or assets (including in the event of a reorganization, dissolution or liquidation); and
  • any relevant third party provider, where our Sites use third party advertising, plugins or content. If you choose to interact with any such advertising, plugins or content, your Personal Data may be shared with the relevant third party provider. We recommend that you review that third party’s privacy policy before interacting with its advertising, plugins or content.

 

If we engage a third-party Processor to Process your Personal Data, the Processor will be subject to binding contractual obligations to: (i) only Process the Personal Data in accordance with our prior written instructions; and (ii) use measures to protect the confidentiality and security of the Personal Data; together with any additional requirements under applicable law.


(H) Automated Decision-Making and Profiling

                                                        

Summary – Profiling

Personal Data are subject to automated decision-making and Profiling.

 

We Process Personal Data for the purposes of automated decision-making and Profiling, which is carried out for the following purposes:




  • Activity: Personalized Advertising

    Logic of the activity: We use platforms like Google Ads and Facebook Ads to deliver personalized ads. These platforms employ aggregated and anonymized data, such as browsing history and purchase patterns, to customize advertising.

    Consequences for you: This activity may affect what ads you see.

  • Activity: Retargeting Campaigns

    Logic of the activity: We deploy anonymized cookies that track site interactions, enabling us to deliver pertinent ads across advertising networks.

    Consequences for you: This activity may mean that you see ads that are more relevant to you.

  • Activity: Email Marketing Automation

    Logic of the activity: We use a third-party platform to automate email marketing, enabling us to send personalized content and offers based on user interactions like product views or cart activities.

    Consequences for you: This activity may mean that you receive more relevant emails from us based on your on-site activities.

  • Activity: Special Offers

    Logic of the activity: We use anonymized data concerning user behaviors and preferences to make personalized offers, such as targeted discounts and promotions.

    Consequences for you: This Profiling activity may mean that you receive special offers and promotions that are not available to others, and that others may receive special offers and promotions that are not available to you.


(I) International transfer of Personal Data


Summary – International transfer of Personal Data

We transfer Personal Data to recipients in other countries. Where we transfer Personal Data from the UK or the EEA to a recipient outside the UK or the EEA (as applicable) that is not in an Adequate Jurisdiction, we do so on the basis of Standard Contractual Clauses or the UK equivalent (i.e., the UK International Data Transfer Agreement / UK addendum to the Standard Contractual Clauses).


Because of the international nature of our business, we may transfer Personal Data within the Aroma360® group, and to third parties as noted in Section (G) above, in connection with the purposes set out in this Notice. For this reason, we may transfer Personal Data to other countries that may have different laws and data protection compliance requirements to those that apply in the country in which you are located.


Please note that when you transfer any Personal Data directly to any Aroma360® entity established outside the UK or the EEA (as applicable), we are not responsible for that transfer of your Personal Data. We will nevertheless Process your Personal Data, from the point at which we receive those data, in accordance with the provisions of this Notice.


(J) Data security

                                                        

Summary – Data security

We implement appropriate technical and organisational security measures to protect your Personal Data. Please ensure that any Personal Data that you send to us are sent securely.


We have implemented appropriate technical and organisational security measures designed to protect your Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, unauthorised access, and other unlawful or unauthorised forms of Processing, in accordance with applicable law.


Because the internet is an open system, the transmission of information via the internet is not completely secure. Although we will implement all reasonable measures to protect your Personal Data, we cannot guarantee the security of your data transmitted to us using the internet – any such transmission is at your own risk and you are responsible for ensuring that any Personal Data that you send to us are sent securely.


(K) Data accuracy

                                                        

Summary – Data accuracy

We take every reasonable step to ensure that your Personal Data are kept accurate and up-to-date and are erased or rectified if we become aware of inaccuracies.


We take every reasonable step to ensure that:

  • your Personal Data that we Process are accurate and, where necessary, kept up-to-date; and
  • any of your Personal Data that we Process that are inaccurate (having regard to the purposes for which they are Processed) are erased or rectified without delay.


From time to time we may ask you to confirm the accuracy of your Personal Data.


(L) Data minimisation

                                                        

Summary – Data minimisation

We take every reasonable step to limit the volume of your Personal Data that we Process to what is necessary.


We take every reasonable step to ensure that your Personal Data that we Process are limited to the Personal Data reasonably necessary in connection with the purposes set out in this Notice.


(M) Data retention


Summary – Data retention

We take every reasonable step to ensure that your Personal Data are only retained for as long as they are needed in connection with a lawful purpose.


We retain personal information for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements, establishing or defending legal claims, or for fraud prevention purposes. When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.


(N) Your legal rights


Summary – Your legal rights

Subject to applicable law, you may have a number of rights, including: the right not to provide your Personal Data to us; the right of access to your Personal Data; the right to request rectification of inaccuracies; the right to request the erasure, or restriction of Processing, of your Personal Data; the right to object to the Processing of your Personal Data; the right to have your Personal Data transferred to another Controller; the right to withdraw consent; and the right to lodge complaints with Data Protection Authorities. In some cases it will be necessary to provide evidence of your identity before we can give effect to these rights.


Subject to applicable law, you may have the following rights regarding the Processing of your Relevant Personal Data:

  • the right not to provide your Personal Data to us (however, please note that we will be unable to provide you with the full benefit of our Sites, Apps, products, or services, if you do not provide us with your Personal Data – e.g., we might not be able to process your requests without the necessary details);
  • the right to request access to, or copies of, your Relevant Personal Data, together with information regarding the nature, Processing and disclosure of those Relevant Personal Data;
  • the right to request rectification of any inaccuracies in your Relevant Personal Data;
  • the right to request, on legitimate grounds:
    • erasure of your Relevant Personal Data; or
    • restriction of Processing of your Relevant Personal Data;
  • the right to have certain Relevant Personal Data transferred to another Controller, in a structured, commonly used and machine-readable format, to the extent applicable;
  • where we Process your Relevant Personal Data on the basis of your consent, the right to withdraw that consent (noting that such withdrawal does not affect the lawfulness of any Processing performed prior to the date on which we receive notice of such withdrawal, and does not prevent the Processing of your Personal Data in reliance upon any other available legal bases); and
  • the right to lodge complaints regarding the Processing of your Relevant Personal Data with a Data Protection Authority (i.e., in relation to the UK, the Information Commissioner’s Office (https://ico.org.uk/) or in relation to the EU, the Data Protection Authority for the EU Member State in which you live, or in which you work, or in which the alleged infringement occurred (see the list here: https://edpb.europa.eu/about-edpb/about-edpb/members_en)).



 

Subject to applicable law, you may also have the following additional rights regarding the Processing of your Relevant Personal Data:

  • the right to object, on grounds relating to your particular situation, to the Processing of your Relevant Personal Data by us or on our behalf, where such Processing is based on Articles 6(1)(e) (public interest) or 6(1)(f) (legitimate interests) of the GDPR / UK GDPR; and
  • the right to object to the Processing of your Relevant Personal Data by us or on our behalf for direct marketing purposes.


This does not affect your statutory rights.


To exercise one or more of these rights, or to ask a question about these rights or any other provision of this Notice, or about our Processing of your Personal Data, please use the contact details provided in Section (P) below. Please note that:

  • in some cases it will be necessary to provide evidence of your identity before we can give effect to these rights; and
  • where your request requires the establishment of additional facts (e.g., a determination of whether any Processing is non-compliant with applicable law) we will investigate your request reasonably promptly, before deciding what action to take.


(O) Direct marketing



Summary – Direct marketing

We Process Personal Data to contact you with information regarding Sites, Apps, products, or services that may be of interest to you. You may unsubscribe for free at any time.


If you are an existing client of Aroma360® (e.g., you have previously placed an order with us), we may Process certain Personal Data to send marketing communications about Aroma360® services or products, unless prohibited by applicable law (or unless you have opted out). In some instances, we may request your consent to send you promotional and/or marketing information. We also may use the information that you provide to us, as well as information from other Aroma360® products or services, such as your use of Aroma360®’s website and/or apps, to customize advertisements or other communications pertaining to our services and products that may be of interest to you. Such information for registered users may include data collected from your interactions with our websites or apps that are linked to your account.


(P) Details of Controllers


Summary – Details of Controllers

There are several Aroma360 entities that act as Controllers for the purposes of this Privacy Notice.


For the purposes of this Notice, the relevant Controller is:

 

Controller entity: Aroma360®, LLC

Contact details: 2058 Miami Ct, Miami, Florida 33127 USA

Please direct any questions or comments about this Policy or privacy practices to support@Aroma360.com. You may also write to us via postal mail at the address provided above.


(Q) Representatives

                                                        

Summary – Representatives

We have appointed a Representative in accordance with the GDPR / Representatives in accordance with the GDPR and the UK GDPR.

Each of the controllers established outside the EEA and listed in Section (P) above has appointed support@Aroma360.com to be its representative for the purposes of Article 27 of the GDPR.

Each of the controllers established outside the UK and listed in Section (P) above has appointed support@Aroma360.com to be its representative for the purposes of Article 27 of the UK GDPR.


(R) Information for California Residents


Summary – Information for California Residents

This section provides additional disclosures required by the California Consumer Privacy Act, as amended (the “CCPA”).


Under the California Consumer Privacy Act (the “CCPA”), we must disclose our practices regarding the collection, use, and disclosure of the Personal Information of California Residents. California Residents are also afforded certain rights with regard to the Personal Information we collect about them that include the rights of access, deletion, correction, and to be free from discrimination. This section includes the disclosures required by the CCPA, and describes the rights afforded to California Residents. We also describe the methods by which a California Resident may exercise these rights and some of the statutory exceptions that may apply.


The disclosures required by the CCPA are as follows:


  • Categories of Sources of Personal Information: Please refer to Section (B) (Collection of Personal Data) for details on the sources from which we may collect or obtain Personal Information of California Residents.
  • Collection of Personal Information: Please refer to Section (D) (Categories of Personal Data we Process) for details on the categories of Personal Information we may collect about California Residents.
  • Use of Personal Information: Please refer to Section (F) (Purposes of Processing and legal bases for Processing) for details on how we may use the Personal Information of California Residents.
  • Collection and Use of Sensitive Personal Information: Subject to the limited exceptions detailed in Section (E) (Sensitive Personal Data), we do not seek to collect or otherwise Process Sensitive Personal Information about California Residents, and we do not use or disclose Sensitive Personal Information about California Residents.
  • Selling or Sharing of Personal Information: We do not sell any Personal Information to third parties, as that term is defined in the CCPA. In addition, we do not sell the Personal Information of minors under 16 years of age. Additionally, we do not share any Personal Information with third parties, as that term is defined in the CCPA (i.e., for purposes of cross-context behavioral advertising).
  • Retention of Personal Information: Please refer to Section (M) (Data retention) for details on our criteria for determining the duration for which we will retain Personal Information collected about California Residents.

Please see the chart below for a list of the categories of Personal Information we may have collected about California Residents in the last twelve (12) months, along with our business and commercial Processing purposes and categories of third parties to whom this Personal Information may be disclosed.

Categories of Personal Information we collect:

  • Personal details: given name(s); preferred name; and photograph.
  • Contact details: correspondence address; shipping address; telephone number; email address; details of Personal Assistants, where applicable; messenger app details; online messaging details; and social media details.
  • Correspondence: records and copies of your correspondence if you contact us.
  • Professional details: your CV; records of your expertise; professional history; practising details and qualification details; information about your experience; participation in meetings, seminars, advisory boards and conferences; information about your professional relationship with other individuals or institutions; language abilities; and other professional skills.
  • Demographic information: gender; date of birth / age; nationality; salutation; title; and language preferences.
  • Visitor logs: records of visits to our premises.
  • Consent records: records of any consents you have given, together with the date and time, means of consent, and any related information (e.g., the subject matter of the consent).
  • Purchase details: records of purchases and prices; and consignee name, address, contact telephone number and email address.
  • Payment details: invoice records; payment records; billing address; payment method; bank account number or credit card number; cardholder or accountholder name; card or account security details; card ‘valid from’ date; card expiry date; BACS details; SWIFT details; IBAN details; payment amount; payment date; and records of cheques.
  • Data relating to hardware, Sites, and Apps: operational and diagnostic data relating to Aroma360® hardware; device type; operating system; browser type; browser settings; IP address; language settings; dates and times of connecting to a Site; App usage statistics; App settings; dates and times of connecting to an App; location data; and other technical communications information (some of which may constitute Personal Data); registration details; username; password; security login details; usage data; and aggregate statistical information.
  • Employer details: where you interact with us in your capacity as an employee of a third party; and the name, address, telephone number and email address of your employer, to the extent relevant.
  • Content and advertising data: records of your interactions with our online advertising and content, records of advertising and content displayed on pages or App screens displayed to you, and any interaction you may have had with such content or advertising (e.g., mouse hover, mouse clicks, any forms you complete in whole or in part) and any touchscreen interactions.
  • Cookie data: we collect information via cookies and similar technologies.
  • Security information: your password(s); login attempt details; security settings; and other security-related information.
  • Views and opinions: any views and opinions that you choose to send to us, or publicly post about us on social media platforms.
  • Inferences: Inferences drawn from the above, such as product interests and purchasing insights.

Business or commercial purposes for which we may use your Personal Information:

  • Provision of Sites, Apps, products, and services: providing our Sites, Apps, products, or services; providing promotional items upon request; and communicating with you in relation to those Sites, Apps, products, or services.
  • Operating our business: operating and managing our Sites, our Apps, our products, and our services; providing content to you; displaying advertising and other information to you; communicating and interacting with you via our Sites, our Apps, our products, or our services; and notifying you of changes to any of our Sites, our Apps, our products, or our services.
  • Planning: organisational planning; succession planning; making changes to the nature and scope of our operations or our business; mergers, acquisitions, dissolutions, demergers, liquidations, asset sales, divestitures, reorganisations and similar corporate structuring arrangements.
  • Communications and marketing: communicating with you via any means (including via email, telephone, text message, social media, post or in person) to provide news items and other information in which you may be interested, subject always to obtaining your prior opt-in consent to the extent required under applicable law; personalising our Sites, products and services for you; maintaining and updating your contact information where appropriate; obtaining your prior, opt-in consent where required; enabling and recording your choice to opt-out or unsubscribe, where applicable.
  • Product safety communications: communications in relation to product safety, including product recalls and product safety advisory notices.
  • Management of IT systems: management and operation of our communications, IT and security systems; and audits (including security audits) and monitoring of such systems.
  • Health and safety: health and safety assessments and record keeping; providing a safe and secure environment at our premises; and compliance with related legal obligations.
  • Financial management: sales; finance; corporate audit; and vendor management.
  • Surveys: engaging with you for the purposes of obtaining your views on our Sites, our Apps, our products, or our services.
  • Security: physical security of our premises (including records of visits to our premises) and electronic security (including login records and access details).
  • Investigations: detecting, investigating and preventing breaches of policy, and criminal offences, in accordance with applicable law.
  • Legal compliance: compliance with our legal and regulatory obligations under applicable law.
  • Improving our Sites, Apps, products, and services: identifying issues with our Sites, our Apps, our products, or our services; planning improvements to our Sites, our Apps, our products, or our services; and creating new Sites, Apps, products, or services.
  • Fraud prevention: Detecting, preventing and investigating fraud.
  • Establishment, exercise and defence of legal claims: management of legal claims; establishment of facts and claims, including collection, review and production of documents, facts, evidence and witness statements; exercise and defence of legal rights and claims, including formal legal proceedings.
  • Recruitment and job applications: recruitment activities; advertising of positions; interview activities; analysis of suitability for the relevant position; records of hiring decisions; offer details; and acceptance details.

Parties to whom Personal Information may be disclosed:

  • You and, where appropriate, your appointed representatives.
  • Third party distributors through whom you acquire any of our products or services.
  • Accountants, auditors, consultants, lawyers and other outside professional advisors to Aroma360®, subject to binding contractual obligations of confidentiality.
  • Third party Processors (such as payment services providers; shipping companies; etc.), located anywhere in the world, subject to the requirements noted in Section (G).
  • Any relevant party, regulatory body, governmental authority, law enforcement agency or court, to the extent necessary for the establishment, exercise or defence of legal claims.
  • Any relevant party, regulatory body, governmental authority, law enforcement agency or court, for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.
  • Any relevant third party acquirer(s) or successor(s) in title, in the event that we sell or transfer all or any relevant portion of our business or assets (including in the event of a reorganization, dissolution or liquidation); and any relevant third party provider, where our Sites use third party advertising, plugins or content. If you choose to interact with any such advertising, plugins or content, your Personal Data may be shared with the relevant third party provider. We recommend that you review that third party’s privacy policy before interacting with its advertising, plugins or content.
  • Third parties with whom you consent to sharing your information, such as with social media services or academic researchers.
  • Government entities or other third parties for legal reasons, such as to comply with law or for other legal reasons.



If you are a California Resident, the CCPA grants you the following rights regarding your Personal Information:

  • Right to Know: California Residents have the right to request that we disclose the categories of Personal Information that we collect, use, disclose or sell about you. You may also request the specific pieces of Personal Information that we have collected about you.
  • Right to Request Deletion of Personal Information: California Residents have the right to request that we delete any Personal Information that we have collected from or about you. However, we may retain Personal Information as authorized under the CCPA or other applicable law, such as Personal Information required to provide our services, to protect our business and systems from fraudulent activity, to debug and identify errors that impair existing functionality, to comply with legal obligations, to comply with law enforcement requests pursuant to lawful process, for scientific or historical research, for us or others to exercise free speech or other rights, or for our own internal purposes reasonably related to your relationship with us.
  • Right to Correct: California Residents have the right to request that we correct inaccurate Personal Information that we maintain about you, taking into account the nature of Personal Information and the nature of Processing. However, we are not required to comply with a request to correct where we have a good-faith, reasonable, and documented belief that a request is fraudulent or abusive, or if we have determined based on the totality of the circumstances, that the contested Personal Information held by us is more likely than not accurate and therefore does not require correction.
  • Right to Opt-Out: California Residents have the right to opt-out of the sale or sharing of their Personal Information for cross-context behavioral advertising. We do not sell or share for cross-context behavioral advertising any of the categories of Personal Information that we collect about California Residents via our Sites, Apps, products, or services – so there is no need to exercise these opt-out rights.
  • Right to Non-Discrimination. California Residents have the right to not be discriminated against for exercising their CCPA rights. We will not “discriminate” against you for exercising your CCPA rights as we understand that term to be defined by the CCPA and its implementing regulations.
  • Authorized Agent. Under the CCPA, you may appoint an authorized agent to submit requests to exercise your rights on your behalf. Should you choose to do so, for your and our protection, we will require your authorized agent to provide us with signed permission demonstrating they are authorized to submit a request on your behalf. We note, should your authorized agent fail to submit proof that they have been authorized to act on your behalf, we will deny their request.

To exercise your rights under the CCPA, please submit your request through email at: support@Aroma360.com. Generally, in order to verify your requests to exercise your rights, we will compare the personal information we have about you to pieces of personal information we will request in the course of processing your request. The personal information required for verification may include your name, email address, phone number, or postal address. We will deliver a response to you within 45 days of receiving your verifiable California Resident request.

Notice of Financial Incentives: We may offer various financial incentives. For example, we may provide incentives to customers who participate in a survey or provide testimonials. When you participate in a financial incentive, we collect Personal Information from you, such as identifiers (like your name and email address) and information about your experiences using our products or services. You can opt into a financial incentive by following the sign-up or participation instructions provided, and, for any ongoing benefits, you can opt-out at any time, such as by following the unsubscribe instructions in the applicable program’s terms or by contacting us. In some cases, we may provide additional terms and conditions for a financial incentive, which we will provide to you when you sign up. The value of your Personal Information is reasonably related to the value of the offer or discount presented to you.

California’s “Shine the Light” Law: Under California’s “Shine the Light” law, California Residents are entitled to ask us for a notice describing what categories of Personal Information Aroma360® shares with third parties or corporate affiliates for those third parties or corporate affiliates’ direct marketing purposes. However, we do not “share” your Personal Information as we understand that term to be defined by the “Shine the Light” law, so there is no need to exercise these rights.

Metrics On Your Rights: The CCPA requires us to track and publish the below metrics for the previous calendar year. The below metrics are our calculations from [X] to [X], and include requests from all individuals in the U.S.


Right to Know

Received: [X]

Complied with: [X]

Denied: [X]

Average response time: [X] days

 

Right to Delete

Received: [X]

Complied with: [X]

Denied: [X]

Average response time: [X] days

 

Right to Opt-out of Sale

We don’t sell or share your Personal Information as those terms are used in the CCPA.


(S) Information for Virginia Residents


Under the Virginia Consumer Data Protection Act (“VCDPA”), we must disclose our practices regarding the collection, use, and disclosure of the personal information of Virginia Residents (“Virginia Consumers”). Virginia Consumers are also afforded additional rights with regard to the personal data we collect about them that include the rights of access, deletion, and correction. This section of our Privacy Policy directs you to the disclosures required by the VCDPA and describes the rights afforded to Virginia Consumers. We also describe the methods by which a Virginia Consumer may exercise these rights.

Required VCDPA Disclosures

  • For the categories of personal data we (the controller) process, please see Section D of this Privacy Policy.
  • For a description of the purposes for processing personal data, please see Section F of this Privacy Policy.
  • For the categories of personal data that we share with third parties, please see Section G of this Privacy Policy.
  • For categories of third parties with whom we share personal data, please see Section R of this Privacy Policy.

 

Consumer Requests: Under the VCDPA, we are a controller of your personal data. If you are a Virginia Consumer, the VCDPA grants you the following rights regarding your personal data. If we are unable to authenticate your request to exercise one or more of these rights using commercially reasonable efforts, we may request that you provide additional information, such as name, email address, phone number, or postal address, to authenticate your request. We will deliver a response to you within 45 days of receiving your verifiable consumer request.

Process to Appeal Declined Requests: If we decline to take action on your request, we will notify you within 45 days of receipt of your request. In the event we decline to take action on your request, you may submit an appeal within 30 days of receiving such notice. You may submit an appeal through email at: support@Aroma360.com. Within 60 days of receipt of an appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reason(s) for the decision(s). If your appeal is denied, we will provide you with an online mechanism, if available, or other method through which you may contact the Virginia Attorney General to submit a complaint.

To exercise your rights under the VCDPA, please follow the instructions described in this section:

  • Right to Access Personal Data: Virginia Consumers have the right to confirm whether or not we are processing their personal data and to access such personal data. Verifiable consumer requests to confirm and access may be submitted through email at support@Aroma360.com.
  • Right to Correct Personal Data: Virginia Consumers have the right to correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data. Verifiable consumer requests to correct may be submitted through email at: support@Aroma360.com.
  • Right to Delete Personal Data: Virginia Consumers have the right to delete personal data provided by or obtained about the consumer. Verifiable consumer requests to delete may be submitted through email at support@Aroma360.com.
  • Right to Data Portability: Virginia Consumers have the right to obtain a copy of their personal data that the consumer previously provided to us in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means. Verifiable consumer requests for data portability may be submitted through email at: support@Aroma360.com.
  • Right to Opt-Out: Virginia Consumers have the right to opt out of the processing of personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in connection with automated decisions that produce legal or similarly significant effects concerning the consumer. Verifiable consumer opt-out requests may be submitted through email at: support@Aroma360.com.


(T) Information for Colorado Residents


Under the Colorado Privacy Act (“CPA”), we, the data controller, must disclose our practices regarding the collection, use, and disclosure of the personal information of Colorado Residents (“Colorado Consumers”). Colorado Consumers are also afforded additional rights with regard to the personal data we collect about them that include the rights of access, deletion, and correction. This section of our Privacy Policy directs you to the disclosures required by the CPA and describes the rights afforded to Colorado Consumers. We also describe the methods by which a Colorado Consumer may exercise these rights.

Required CPA Disclosures

  • For the categories of personal data we (the controller) process, please see Section D of this Privacy Policy.
  • For a description of the purposes for processing personal data, please see Section F of this Privacy Policy.
  • For the categories of personal data that we share with third parties, please see Section G of this Privacy Policy.
  • For categories of third parties with whom we share personal data, please see Section R of this Privacy Policy.


Consumer Requests: Under the CPA, we are a controller of your personal data. If you are a Colorado Consumer, the CPA grants you the following rights regarding your personal data. If we are unable to authenticate your request to exercise one or more of these rights using commercially reasonable efforts, we may request that you provide additional information, such as name, email address, phone number, or postal address, to authenticate your request. We will deliver a response to you within 45 days of receiving your verifiable consumer request.

Process to Appeal Declined Requests: If we decline to take action on your request, we will notify you within 45 days of receipt of your request. In the event we decline to take action on your request, you may submit an appeal within 30 days of receiving such notice. You may submit an appeal through email at: support@Aroma360.com. Within 45 days of receipt of an appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reason(s) for the decision(s). If your appeal is denied, we will provide you with an online mechanism, if available, or other method through which you may contact the Colorado Attorney General to submit a complaint.

To exercise your rights under the CPA, please follow the instructions described in this section:

  • Right to Access Personal Data: Colorado Consumers have the right to confirm whether or not we are processing their personal data and to access such personal data. Verifiable consumer requests to confirm and access may be submitted through email at support@Aroma360.com.
  • Right to Correct Personal Data: Colorado Consumers have the right to correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data. Verifiable consumer requests to correct may be submitted through email at: support@Aroma360.com.
  • Right to Delete Personal Data: Colorado Consumers have the right to delete personal data provided by or obtained about the consumer. Verifiable consumer requests to delete may be submitted through email at: support@Aroma360.com.
  • Right to Data Portability: Colorado Consumers have the right to obtain a copy of their personal data that the consumer previously provided to us in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means. Verifiable consumer requests for data portability may be submitted through email at: support@Aroma360.com.
  • Right to Opt-Out: Colorado Consumers have the right to opt out of the processing of personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in connection with automated decisions that produce legal or similarly significant effects concerning the consumer. Verifiable consumer opt-out requests may be submitted through email at: support@Aroma360.com.


Authorized Agent. Under the CPA, you may appoint an authorized agent to submit requests to exercise your rights on your behalf. Should you choose to do so, for your and our protection, we will require your authorized agent to provide us with signed permission demonstrating they are authorized to submit a request on your behalf. We note, should your authorized agent fail to submit proof that they have been authorized to act on your behalf, we will deny their request.


(U)   Information for Connecticut Residents


Under the Connecticut Data Privacy Act (“CTDPA”), we, the data controller, must disclose our practices regarding the collection, use, and disclosure of the personal information of Connecticut Residents (“Connecticut Consumers”). Connecticut Consumers are also afforded additional rights with regard to the personal data we collect about them that include the rights of access, deletion, and correction. This section of our Privacy Policy directs you to the disclosures required by the CTDPA and describes the rights afforded to Connecticut Consumers. We also describe the methods by which a Connecticut Consumer may exercise these rights.

Required CTDPA Disclosures

  • For the categories of personal data we (the controller) process, please see Section D of this Privacy Policy.
  • For a description of the purposes for processing personal data, please see Section F of this Privacy Policy.
  • For the categories of personal data that we share with third parties, please see Section G of this Privacy Policy.
  • For categories of third parties with whom we share personal data, please see Section R of this Privacy Policy.


Consumer Requests: Under the CTDPA, we are a controller of your personal data. If you are a Connecticut Consumer, the CTDPA grants you the following rights regarding your personal data. If we are unable to authenticate your request to exercise one or more of these rights using commercially reasonable efforts, we may request that you provide additional information, such as name, email address, phone number, or postal address, to authenticate your request. We will deliver a response to you within 45 days of receiving your verifiable request.

Process to Appeal Declined Requests: If we decline to take action on your request, we will notify you within 45 days of receipt of your request. In the event we decline to take action on your request, you may submit an appeal within 30 days of receiving such notice. You may submit an appeal through email at: support@Aroma360.com. Within 60 days of receipt of an appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If your appeal is denied, we will provide you with an online mechanism, if available, or other method through which you may contact the Connecticut Attorney General to submit a complaint.

To exercise your rights under the CTDPA, please follow the instructions described in this section:

  • Right to Access Personal Data: Connecticut Consumers have the right to confirm whether or not we are processing their personal data and to access such personal data. Verifiable consumer requests to confirm and access may be submitted through email at: support@Aroma360.com.
  • Right to Correct Personal Data: Connecticut Consumers have the right to correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data. Verifiable consumer requests to correct may be submitted through email at: support@Aroma360.com.
  • Right to Delete Personal Data: Connecticut Consumers have the right to delete personal data provided by or obtained about the consumer. Verifiable consumer requests to delete may be submitted through email at: support@Aroma360.com.
  • Right to Data Portability: Connecticut Consumers have the right to obtain a copy of their personal data that the consumer previously provided to us in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means. Verifiable consumer requests for data portability may be submitted through email at: support@Aroma360.com.
  • Right to Opt-Out: Connecticut Consumers have the right to opt out of the processing of personal data for purposes of (i) targeted advertising, (ii) the sale of personal data or (iii) profiling in connection with automated decisions that produce legal or similarly significant effects concerning the consumer. Verifiable consumer opt-out requests may be submitted through email at: support@Aroma360.com.


Authorized Agent. Under the CTDPA, you may appoint an authorized agent to submit requests to exercise your rights on your behalf. Should you choose to do so, for your and our protection, we will require your authorized agent to provide us with signed permission demonstrating they are authorized to submit a request on your behalf. We note, should your authorized agent fail to submit proof that they have been authorized to act on your behalf, we will deny their request.


(V)  Information for Utah Residents


Under the Utah Consumer Privacy Act (“UCPA”), we, the data controller, must disclose our practices regarding the collection, use, and disclosure of the personal information of Utah Residents (“Utah Consumers”). Utah Consumers are also afforded additional rights with regard to the personal data we collect about them that include the rights of access, deletion, and correction. This section of our Privacy Policy directs you to the disclosures required by the UCPA and describes the rights afforded to Utah Consumers. We also describe the methods by which a Utah Consumer may exercise these rights.

Required UCPA Disclosures

  • For the categories of personal data we (the controller) process, please see Section D of this Privacy Policy.
  • For a description of the purposes for processing personal data, please see Section F of this Privacy Policy.
  • For the categories of personal data that we share with third parties, please see Section G of this Privacy Policy.
  • For categories of third parties with whom we share personal data, please see Section R of this Privacy Policy.


Consumer Requests: Under the UCPA, we are a controller of your personal data. If you are a Utah Consumer, the UCPA grants you the following rights regarding your personal data. If we are unable to authenticate your request to exercise one or more of these rights using commercially reasonable efforts, we may request that you provide additional information, such as name, email address, phone number, or postal address, to authenticate your request. We will deliver a response to you within 45 days of receiving your verifiable request.

To exercise your rights under the UCPA, please follow the instructions described in this section:

  • Right to Access Personal Data: Utah Consumers have the right to confirm whether or not we are processing their personal data and to access such personal data. Verifiable consumer requests to confirm and access may be submitted through email at support@Aroma360.com.
  • Right to Correct Personal Data: Utah Consumers have the right to correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data. Verifiable consumer requests to correct may be submitted through email at: support@Aroma360.com.
  • Right to Delete Personal Data: Utah Consumers have the right to delete personal data provided by or obtained about the consumer. Verifiable consumer requests to delete may be submitted through email at: support@Aroma360.com.
  • Right to Data Portability: Utah Consumers have the right to obtain a copy of their personal data that the consumer previously provided to us in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means. Verifiable consumer requests for data portability may be submitted through email at: support@Aroma360.com.
  • Right to Opt-Out: Utah Consumers have the right to opt out of the processing of personal data for purposes of (i) targeted advertising, (ii) the sale of personal data or (iii) profiling in connection with automated decisions that produce legal or similarly significant effects concerning the consumer. Verifiable consumer opt-out requests may be submitted through email at: support@Aroma360.com.


Authorized Agent. Under the UCPA, you may appoint an authorized agent to submit requests to exercise your rights on your behalf. Should you choose to do so, for your and our protection, we will require your authorized agent to provide us with signed permission demonstrating they are authorized to submit a request on your behalf. We note, should your authorized agent fail to submit proof that they have been authorized to act on your behalf, we will deny their request.


(W)  Nevada Privacy Rights


We do not currently conduct sales of personal information as defined by applicable law in Nevada.


(X)  Definitions


  • “App” means any application made available by us (including where we make such applications available via third party stores or marketplaces, or by any other means).


  • “Adequate Jurisdiction” means a jurisdiction that has been formally designated by the European Commission as providing an adequate level of protection for Personal Data.


  • “CCPA” means the California Consumer Privacy Act, as amended by the California Privacy Rights Act.


  • “Cookie” means a small file that is placed on your device when you visit a website (including our Sites). In this Notice, a reference to a “cookie” includes analogous technologies such as pixels, web beacons, and clear GIFs. For more information on cookies and similar tools, see our Cookie and Pixel Policy.


  • “Controller” means the entity that decides how and why Personal Data are Processed. In many jurisdictions, the Controller has primary responsibility for complying with applicable data protection laws.


  • “Data Protection Authority” means an independent public authority that is legally tasked with overseeing compliance with applicable data protection laws.


  • “EEA” means the European Economic Area.


  • “GDPR” means the General Data Protection Regulation (EU) 2016/679.


  • “Personal Data” means information that is about any individual, or from which any individual is directly or indirectly identifiable, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.


  • “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California consumer or household.


  • “Process”, “Processing” or “Processed” means anything that is done with any Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.


  • “Processor” means any person or entity that Processes Personal Data on behalf of the Controller (other than employees of the Controller).

 

  • “Profiling” means any form of automated Processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.


  • “Relevant Personal Data” means Personal Data in respect of which we are the Controller.


  • “Sensitive Personal Data” means Personal Data about race or ethnicity, political opinions, religious or philosophical beliefs, trade union membership, biometric data, physical or mental health, sexual life, any actual or alleged criminal offences or penalties, national identification number, or any other information that is deemed to be sensitive under applicable law.


  • “Sensitive Personal Information” is a specific subset of Personal Information that includes certain government identifiers (such as social security numbers); an account log-in, financial account, debit card, or credit card number with any required security code, password, or credentials allowing access to an account; precise geolocation; contents of mail, email, and text messages; genetic data; biometric information Processed to identify a consumer; information concerning a consumer’s health, sex life, or sexual orientation; or information about racial or ethnic origin, religious or philosophical beliefs, or union membership.


  • “Standard Contractual Clauses” means template transfer clauses adopted by the European Commission or adopted by a Data Protection Authority and approved by the European Commission.


 

  • “UK GDPR” means the GDPR as it forms part of the laws applicable in the UK by virtue of section 3 of the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018, and as applied and modified by Schedule 2 of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419) or as modified from time to time.


  • “UK International Data Transfer Agreement” means the template transfer agreement adopted by the UK Information Commissioner’s Office on 21 March 2022.