Privacy Policy
Last updated Jun 28, 2019
URB-IT DATA PROTECTION POLICY
INTRODUCTION
At Urb-it AB (publ) (“Urb-it” or “we”), we protect your personal integrity and always strive for a high level of data protection (eg. we would never sell your personal data to another company). This privacy policy explains how, why and for how long we collect, process, store and use your personal information.
It also describes your rights and how you can exercise them. It is important that you understand the privacy policy and feel safe in our treatment of your personal data. You are always welcome to contact us for any questions.
This Data Protection Policy applies to our Services (Urb-it Delivery API, Service First, Urb-it eCheckout), our websites (urbit.com, business.urb-it.com, consumer-portal.urb-it.com, developer.urb-it.com), to our mobile applications (“Apps”) and any other Urb-it services. You should also read and agree to our
Terms of Service.
This policy governs all use of our Services, both for Retailers and Partners who offers our services to their customers, to customers who choses Urb-it and to visitors of our web pages.
By using Urb-it Services, you accept our Data Protection Policy and our processing of your personal information. You also agree that Urb-it uses electronic communication channels to send information to you when receiving or placing a delivery with Urb-it.
WHAT IS PERSONAL DATA AND WHAT IS PROCESSING OF PERSONAL DATA?
Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person is considered to be personal data. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, or a computer IP address.
Encrypted data and different types of electronic identities (e.g. IP number) are personal data if they can be linked to a person.
Processing of personal data is all that happens with personal data. For instance, each action taken regarding personal data is a treatment, regardless of whether it is performed automated or not. Examples of common processing are collection, editing, registration, organization, structuring, storage, transmission and deletion.
WHO IS RESPONSIBLE FOR THE PERSONAL INFORMATION WE COLLECT?
URB-IT AB (publ), Org.nrcompany number: 556959-9755, Vattugatan 17, 111 52 Stockholm , Sweden, and its subsidiaries, including
Urb-it Paris SAS, company number 350 261 152, 5 Boulevard de la Madeleine, 75001 Paris, France, and
Urb-it London Ltd, company number 0999823, 10 Margaret Street, London W1W 8RL, United Kingdom.
Please contact us at
[email protected] if you have any questions or would like further information about how and why we collect, process and store data and how you can exercise your rights as a data subject.
Urb-it has dedicated professionals that are responsible for handling and architecting all the processes and solutions used by our products, systems and services, providing security of information.
WHAT INFORMATION DO WE COLLECT?
Information you give us in order to successfully carry out our Service. You may directly or indirectly give us information about yourself in a variety of ways, such as when you place an order on a retailer’s site, when choosing Urb-it as a delivery option at a later stage in the delivery flow (for example when using Urb-it to deliver a Click & Collect purchase), when you contact us, use our web page and our Business or Customer portal.
To fulfill our delivery commitments we may collect information about yourself in a variety of ways, such as when you place an order on a retailer’s site, when choosing Urb-it as a delivery option at a later stage (for example when using Urb-it to deliver a Click & Collect purchase), when you contact us, use our web page, our Business or customer portal.
- Personal and contact information – name, delivery address, email address, mobile phone number
- Payment information – status of payment, payment information, “token” to connect you with any saved credit cards in 3rd party payment solution (Credit Card information is not stored)
- Information about your purchase – details about the items you purchase, about the seller and where you want them delivered
- Historical information – your purchase and payment history when using Urb-it as your delivery option
- Communication with customer support and Urber – in case of a customer service errand, we will keep a record of the errand until resolved, with all information you give us regarding the issue, for example device information
Information about interaction between you and Urb-it – how you as a user uses our services, including page response times, errors, entry and exit methods, as well as delivery notices when we contact you.
- Device information – e.g. the IP address, language settings, browser settings, time zone settings, operating system and platform and screen resolution
- Geographical information – we might collect your geographical location if needed when using map related features
The information you give us, as well as the information about your purchase and your payment information, is required to enter into a contractual relationship with us, while the other information we collect is necessary to pursue other purposes, as explained in this document.
HOW URB-IT HANDLES YOUR PERSONAL DATA?
Customer agrees that Urb-it will (taking into account the nature of the processing and the information available to Urb-it) assist the customer in ensuring compliance with any obligations in respect of data protection impact assessments and prior consultation, including if applicable customer’s obligations pursuant to Articles of the GDPR, by providing the Additional Security Controls – Urb-it has a controlled environment, with a access restriction policy and authenticated integrations with processors and sub-processors.
WHY DO WE COLLECT, STORE AND PROCESS PERSONAL DATA?
Provide, operate and improve our services. All data is used to provide, operate and improve Urb-it’s services. Urb-it processes personal data for the following purposes and based on the following legal bases:
WHAT PERSONAL DATA DO WE COLLECT ABOUT YOU AS A CUSTOMER / DELIVERY RECIPIENT AND FOR WHAT PURPOSE?
| PURPOSE |
DATA COLLECTION PROCESSES |
CATEGORIES OF PERSONAL DATA |
| In order to be able to process orders and deliveries |
To be able to handle informations about delivery address and about the consumer who will receive it.
To be able to identify the consumer and proceed with the delivery process.
To be able to collect informations that could help in solving process of reclamation and warranty errands. |
- First & last name
- Delivery address (street, street number, postcode, city)
- Email
- Phone
- Purchase details (retailer, items, quantity, total value)
- Message to the Urber
|
| LAWFUL BASIS FOR PROCESSING |
| Contractual Necessity
Purchase agreement. This collection of personal data is necessary for us to fulfill our commitments
according to the purchase agreement. If the data is not provided, we will not be able to fulfill our
commitments and therefore reserve the right to decline the consumer purchase. (Rec.30; Art.7(1)(b), Rec.44; Art.6(1)(b)) |
| DATA MINIMIZATION (LIFETIME FOR THE COLLECTED INFORMATION) |
| We store the data for a period of 36 months from when the purchase has been processed (including delivery and payment) to comply with booking laws, customer protection laws, directive on distance selling etc. |
| PURPOSE |
DATA COLLECTION PROCESSES |
CATEGORIES OF PERSONAL DATA |
| In order to be able to process transactions regarding the financial aspects of orders and deliveries |
To administer the consumer payment and the customer relationship.
To provide the consumer with the information, products and services that you request from us. |
- First & last name
- Email
- Delivery address
- Purchase details (retailer, items, quantity, total value)
- Payment status
|
| LAWFUL BASIS FOR PROCESSING |
| Contractual Necessity
Purchase agreement. This collection of personal data is necessary for us to fulfill our commitments
according to the purchase agreement. If the data is not provided, we will not be able to fulfill our
commitments and therefore reserve the right to decline consumer purchase. (Rec.30; Art.7(1)(b), Rec.44; Art.6(1)(b)) |
| DATA MINIMIZATION (LIFETIME FOR THE COLLECTED INFORMATION) |
| We store the data for a period of 36 months from when the purchase has been processed (including delivery and payment) to comply with booking laws, customer protection laws, directive on distance selling etc. |
| PURPOSE |
DATA COLLECTION PROCESSES |
CATEGORIES OF PERSONAL DATA |
| In order to be able to send notifications for the consumers about security breaches that could affect the integrity of their data |
To be able to inform consumers that one or more informations regarding their personal data were susceptible to access as plain text in logs or other type of repository of information. |
|
| LAWFUL BASIS FOR PROCESSING |
| Legal Obligations
The treatment of the informations is necessary to accommodate ours and the consumer legal obligations regarding frauds and incorrect use of personal information, providing when necessary, information for basis in legal investigations. (Rec.30; Art.7(1)(c), Rec.45; Art.6(1)(c), 6(3)) |
| DATA MINIMIZATION (LIFETIME FOR THE COLLECTED INFORMATION) |
| We store the data for a period of 36 months from when the purchase has been processed (including delivery and payment) to comply with booking laws, customer protection laws, directive on distance selling etc. |
| PURPOSE |
DATA COLLECTION PROCESSES |
CATEGORIES OF PERSONAL DATA |
| In order to handle customer service issues |
To be able to have a open channel to communication and response of any questions to customer service (via phone or in digital channels, including Social Media).
To be able to provide identification and examination of possible complaints and support cases (including Tech Support) |
- First & last name
- Delivery address (street, street number, postcode, city)
- Email
- Phone
- Purchase details (retailer, items, quantity, total value)
- Payment status
- Message to the Urber
- Communication history
- Technical data regarding access device (information about screen size and resolution, pixel density, browser, operational system, ip address)
|
| LAWFUL BASIS FOR PROCESSING |
| Legitimate Interests
The treatment is necessary to accommodate ours and the consumer legitimate interest in handling customer service matters. (Rec.30; Art.7(1)(f), Rec.47, 48; Art.6(1)(f)) |
| DATA MINIMIZATION (LIFETIME FOR THE COLLECTED INFORMATION) |
| We store the data for a period as long as the customer support errand is open. |
| PURPOSE |
DATA COLLECTION PROCESSES |
CATEGORIES OF PERSONAL DATA |
| In order to evaluate, improve and develop our services, products and systems for our customers |
To be able to understand our users behavior and generate statistics for further studies.
To be able to collect informations about technical characteristics of devices used to access our services, in order to generate statistics for further studies.
In order to process and evaluate the statistics collected to plan, project and develop constantly our services, platforms and services in a way that reach the needs of the users. |
- First & last name
- Historical delivery addresses (street, street number, postcode, city)
- Historical purchase details (retailer, items, quantity, total value)
- Correspondence and feedback about our products
- Technical data regarding access device (information about screen size and resolution, pixel density, browser, operational system, ip address)
|
| LAWFUL BASIS FOR PROCESSING |
| Legitimate Interests
The treatment is necessary to accommodate ours and the consumer legitimate interest in
improve our services, platforms and systems to provide a better service to the consumer. (Rec.30; Art.7(1)(f), Rec.47, 48; Art.6(1)(f)) |
| DATA MINIMIZATION (LIFETIME FOR THE COLLECTED INFORMATION) |
| We store the data for a period of 36 months from when the purchase has been processed (including delivery and payment) to comply with booking laws, customer protection laws, directive on distance selling etc. |
| PURPOSE |
DATA COLLECTION PROCESSES |
CATEGORIES OF PERSONAL DATA |
| In order to prevent abuse of our services or to prohibit and handle legal investigations |
To prevent misuse of our services as part of our efforts to keep our services, platforms and systems safe and secure. |
- First & last name
- Delivery address (street, street number, postcode, city)
- Email
- Phone
- Purchase details (retailer, items, quantity, total value)
- Payment status
- Message to the Urber
- Technical data regarding access device (information about screen size and resolution, pixel density, browser, operational system, ip address)
|
| LAWFUL BASIS FOR PROCESSING |
| Legitimate Interests
The treatment of the informations is necessary to accommodate ours and the consumer legitimate interest in avoid frauds, abuse and incorrect use our our services, platforms and systems. (Rec.30; Art.7(1)(f), Rec.47, 48; Art.6(1)(f))Legal Obligations
The treatment of the informations is necessary to accommodate ours and the consumer legal obligations regarding frauds and incorrect use of personal information, providing when necessary, information for basis in legal investigations. (Rec.30; Art.7(1)(c), Rec.45; Art.6(1)(c), 6(3)) |
| DATA MINIMIZATION (LIFETIME FOR THE COLLECTED INFORMATION) |
| We store the data for a period of 36 months from when the purchase has been processed (including delivery and payment) to comply with booking laws, customer protection laws, directive on distance selling etc. |
WHAT PERSONAL DATA DO WE COLLECT ABOUT YOU AS A WEB USER AND FOR WHAT PURPOSE?
| PURPOSE |
DATA COLLECTION PROCESSES |
CATEGORIES OF PERSONAL DATA |
| In order to evaluate, improve and develop our websites for our users |
To be able to understand our users behavior and generate statistics for further studies.
To be able to collect informations about technical characteristics of devices used to access our services, in order to generate statistics for further studies.
In order to process and evaluate the statistics collected to plan, project and develop constantly our services, platforms and services in a way that reach the needs of the users. |
- Technical data regarding access device (information about screen size and resolution, pixel density, browser, operational system, ip address)
|
| LAWFUL BASIS FOR PROCESSING |
| Legitimate Interests
The treatment is necessary to accommodate ours and the user legitimate interest in improve our services, platforms and systems to provide a better service to the consumer. (Rec.30; Art.7(1)(f), Rec.47, 48; Art.6(1)(f)) |
| DATA MINIMIZATION (LIFETIME FOR THE COLLECTED INFORMATION) |
| We store the data for a period of 36 months from when the purchase has been processed (including delivery and payment) to comply with booking laws, customer protection laws, directive on distance selling etc. |
WHAT PERSONAL DATA DO WE COLLECT ABOUT YOU AS A RETAILER AND PARTNER AND FOR WHAT PURPOSE?
| PURPOSE |
DATA COLLECTION PROCESSES |
CATEGORIES OF PERSONAL DATA |
| In order to be able to process transactions regarding the financial aspects of orders and deliveries |
To be able to invoice for our services.
To be able to pay transfer payments when the checkout is handled by Urb-it through Stripe |
- First & last name
- Address (street, street number, postcode, city)
- Email
- Phone
- Document valid as personal identification
- Bank/Payment details (for invoice)
|
| LAWFUL BASIS FOR PROCESSING |
| Contractual Necessity
The treatment of the informations is necessary to accommodate ours and the retailer obligations regarding the contract when referencing to financial agreements, possibility to pay or to invoice. (Rec.30; Art.7(1)(b), Rec.44; Art.6(1)(b))Legal Obligations
The treatment of the informations is necessary to accommodate ours and the consumer legal obligations regarding frauds and incorrect use of personal information, providing when necessary, information for basis in legal investigations. (Rec.30; Art.7(1)(c), Rec.45; Art.6(1)(c), 6(3)) |
| DATA MINIMIZATION (LIFETIME FOR THE COLLECTED INFORMATION) |
| We store the data during the full length of the retailer/partner agreement and for an additional period of 36 months from when the purchase has been processed (including delivery and payment) to be able to comply with booking laws, customer protection laws, directive on distance selling etc. |
| PURPOSE |
DATA COLLECTION PROCESSES |
CATEGORIES OF PERSONAL DATA |
| In order to be able to send notifications for the retailers about security breaches that could affect the integrity of their data |
To be able to inform retailers that one or more informations regarding their personal data were susceptible to access as plain text in logs or other type of repository of information. |
|
| LAWFUL BASIS FOR PROCESSING |
| Legal Obligations
The treatment of the informations is necessary to accommodate ours and the consumer legal obligations regarding frauds and incorrect use of personal information, providing when necessary, information for basis in legal investigations. (Rec.30; Art.7(1)(c), Rec.45; Art.6(1)(c), 6(3)) |
| DATA MINIMIZATION (LIFETIME FOR THE COLLECTED INFORMATION) |
| We store the data during the full length of the retailer/partner agreement and for an additional period of 36 months from when the purchase has been processed (including delivery and payment) to be able to comply with booking laws, customer protection laws, directive on distance selling etc. |
| PURPOSE |
DATA COLLECTION PROCESSES |
CATEGORIES OF PERSONAL DATA |
| In order to evaluate, improve and develop our services, products and systems for our consumers and partners |
To be able to understand our users behavior and generate statistics for further studies.
To be able to collect informations about technical characteristics of devices used to access our services, in order to generate statistics for further studies.
In order to process and evaluate the statistics collected to plan, project and develop constantly our services, platforms and services in a way that reach the needs of the users. |
- Correspondence and feedback about our products
- Technical data regarding access device (information about screen size and resolution, pixel density, browser, operational system, ip address)
|
| LAWFUL BASIS FOR PROCESSING |
| Legitimate Interests
The treatment is necessary to accommodate ours and the retailer legitimate interest in improve our services, platforms and systems to provide a better service to the consumer and retailer experience. (Rec.30; Art.7(1)(f), Rec.47, 48; Art.6(1)(f)) |
| DATA MINIMIZATION (LIFETIME FOR THE COLLECTED INFORMATION) |
| We store the data during the full length of the retailer/partner agreement. |
| PURPOSE |
DATA COLLECTION PROCESSES |
CATEGORIES OF PERSONAL DATA |
| In order to enable conversations, negotiation and to be able to enter into a retailer/partner agreement |
To have an open dialog regarding negotiations, a contact information can be saved during the period.
To have the possibility to prospect new clients, a contact information can be saved until the answer regarding the negotiation. |
- Correspondence and feedback about our products
- Email
- Phone
- Role / Position
|
| LAWFUL BASIS FOR PROCESSING |
| Legitimate Interests
The treatment of the informations is necessary to enable the capacity of prospect and negotiation of the company as well the retailers. (Rec.30; Art.7(1)(f), Rec.47, 48; Art.6(1)(f))Consent
By contacting and discussing with us, some personal information can be saved during the process of negotiation to enable business contacts. (Rec.30, 33; Art.7(1)(a), Rec.32, 42, 43; Art.6(1)(a)) |
| DATA MINIMIZATION (LIFETIME FOR THE COLLECTED INFORMATION) |
| We store the data before and during a conversation between you and Urb-it and during the full length of the retailer/partner agreement if such exists. |
WILL URB-IT SHARE OR TRANSFER MY PERSONAL DATA?
To successfully carry out our Service we may transfer or share your information with selected third parties, i.e.
- Urbers The personal information and the information about your purchase will be shared with the assigned Urber, our delivery courier. This information is necessary to fulfill the delivery. Urb-it’s recruitment process for the Urbers places high requirements on liability and Urb-it have a legal agreement with the Urber to ensure the safe keeping of your information. Your information will be accessible only during the time needed to complete the delivery.
- Suppliers and Subcontractors. This is related to our infrastructure, for example a cloud database or a payment provider. We take all reasonable legal, technical, and organisational measures to ensure that your data is treated securely and with an adequate level of protection when transferred to or shared with such selected third parties, and only if it’s necessary to fulfil the purpose. Se further info about under Urb-it Subprocessors
- Retailers and Partners. Urb-it might share your information with the retailer at which you made your purchase when the personal data is necessary for the retailers/partners performance and administration of your order, including disputes. The personal data shared with the retailer/partner will be subject to the retailers/partners privacy policies and practices.
- Authorities. Urb-it may disclose necessary information to authorities such as the police or other authorities if we are required by law or you agreed to it.
WHAT RIGHTS DO YOU, AS A DATA SUBJECT, HAVE?
- Right to access your data. You may request a transcript of records if you would like to know and verify the information we have on you. The transcript of records may be requested free of charge. However, this does not apply if requested multiple times in a short time, i.e. spamming.
- Right to rectification. You have the right to correct inaccurate or incomplete information about yourself.
- Right to be forgotten (Right to erasure). You have the right to request the deletion of your personal data insofar as this personal data is no longer necessary for the purpose it was collected. However, certain legal obligations prevent us from immediately deleting parts of your data. These obligations derive from accounting and tax laws and consumer rights laws. What we will do is block the data that we must keep from being used for any other purposes than meeting such legal requirements.
HOW CAN YOU EXERCISE YOUR RIGHTS PROVIDED UNDER THE GDPR?
Please contact us at
[email protected] if you want to exercise any of your rights mentioned above.
HOW WE WILL NOTIFY YOU ABOUT CHANGES IN THIS POLICY OR SECURITY BREACHES?
We’ll notify you before we make changes to this policy and give you the opportunity to review the revised policy before you choose to continue using our Services.
We’ll notify you in case of any security breach that we identify as hurtful for the personal data that we hold from you.
The notification process will be done via email or SMS.
WHAT ABOUT COOKIES AND OTHER TRACKING TECHNOLOGIES?
We use cookies and similar technologies to deliver a tailored and smooth online experience. For detailed information about how Urb-it uses cookies and similar, please read our
cookie policy. We also use geotracking when using map functionality on your device.
Speaking of cookies, we also deliver them from
Ladurée Paris and
Ladurée London.
If you read all the way here, you deserve a cookie.
Urb-it Subprocessors
OVERVIEW
Urb-it (“us”, “we”, or “our”) uses certain sub-processors to assist it in providing to its customers the Services as described in the
Terms of Service. Defined terms used herein shall have the same meaning as defined in the Agreement or the Data Processing Addendum (“DPA”).
A sub-processor is a third party data processor engaged by Urb-it that has or potentially will have access to or process Customer Data (which may contain Personal Data). Urb-it engages different types of sub-processors to perform various functions as explained in the tables below.
INFRASTRUCTURE
We use the following sub-processors to provide our cloud infrastructure environment and storage of our Customer Data:
| Subprocessor |
Geographic Location |
| Amazon Web Services, Inc. |
USA, Ireland and Germany |
| Microsoft Azure (Reg Only) |
USA and Ireland |
PROCESSING OF USER CONTENT
We work with various sub-processors that monitor, maintain and otherwise support the Services. In order to provide this functionality these sub-processors may, but not necessarily will, have access to Customer Data:
| Subprocessor |
Country of Processing |
Purpose |
| Stripe Inc. (Reg Only) |
USA |
Registration Payments |
| Twilio Inc. |
USA |
SMS Notifications |
| Sendgrid (Reg Only) |
USA |
Email Delivery |
| Urbers |
Sweden, UK & France |
In order to fulfill our commitments according to the purchase agreement. Information regarding Customer, Retailer, Purchase and Delivery Information. |