Applicable until 1.12.2020

Compensate Privacy Policy – Shopify Plugin

Compensate provides a service which enables your store customers ways to offset the CO2 emissions generated by the shipping of their purchases ("the Service") to merchants who use Shopify to power their stores. The Service is implemented through an app ("the Application”).This Privacy Policy describes how your personal data and the data in relation to your Point of sale (POS) hosted by Shopify (hereinafter referred to as “Your Store” or “Merchant Store”) is collected, used, and shared when you install or use the Application. Your customers visiting Your Store are referred to as “Your Customers”. You must ensure you have the necessary authority to sign the Privacy Policy on behalf of the entity using the Application. You can always find this Privacy Policy right here and in the app in Shopify.

Data controllers

The Application is developed and owned by a non-profit company Compensate Operations Oy (Compensate Operations Oy, Korkeavuorenkatu 34, 00130 Helsinki, Finland

Business ID 2993434-1, hereinafter referred to as “we” or “Compensate”).

Compensate is a subsidiary of a non-profit called Compensate Foundation sr (business ID: 2914937-8, address Korkeavuorenkatu 47, 00130 Helsinki, Finland, hereinafter referred to as the “Foundation”). Because the Foundation receives the Compensation fees and is responsible for purchasing carbon offsets, the Foundation and Compensate are regarded as joint controllers. 

Compensate is responsible for complying with data protection laws and data security as well as ensuring your privacy rights relating to the implementation on the Application. Therefore your information shall be treated in accordance with the Compensate Privacy Statement. If you have any questions regarding the processing of your data or wish to exercise your rights, please contact Compensate through the contact information at the end of this Compensate Privacy Policy. 

Personal data the Application collects

Data relating to you and Your Store

When you install the Application, you give Compensate permission to access certain types of information from you and your Shopify account: 

  • Your Store details you give to us -for example, the name of Your Store, the country, VAT number, address 
  • Your personal details, such as your email address

The logging systems used by the Application automatically log certain analytics data when you use it. We have chosen a privacy-friendly EU-based analytics service provider called Plausible Insights OÜ (hereinafter referred to as the "Plausible"). Plausible does not track nor collect any personal data, and so we neither. More information about Plausible  here

The joint data controllership with Compensate and the Foundation starts from the moment Shopify receives the payment information and ends when you or Compensate suspends or terminates the use of the Application. In practise, the Foundation only receives information required for the invoicing and accounting of Compensation fees. These include the compensation items included on an order and the total sum of those Compensation fees. The Foundation may also have a legitimate interest or a legal obligation to deal with other personal data, such as analytics data. The Foundation does not act as a joint controller relating to the analytics data because the purpose and the means of processing analytics data is defined by Compensate. Therefore Compensate is solely responsible for the lawful processing of any analytics data. 

How do we use your personal data?

We use the personal data we collect from you and Your Store in order to provide the Service and to operate the Application. Additionally, we use this personal data to: communicate with you; optimize or improve the Application; and provide you with information or advertising relating to our products or services. We also may process the data to administer and fulfill our obligations under law and for claims handling and legal processes. 

We process your personal data primarily in order to fulfill our contractual obligations to you as well as to pursue our legitimate interest to run, maintain and develop our operations and to create and maintain customer and other business relationships. When choosing to use your data on the basis of our legitimate interests, we weigh our own interests against your right to privacy and e.g. provide you with easy to use opt-out from our marketing communications and use pseudonymized or non-personally identifiable data when possible.

We may also process your personal data in order to comply with our legal obligations.In some parts of the Service, you may be requested to grant your consent for the processing of personal data. In this event, you may withdraw your consent at any time.

Sharing your personal data

To the extent that third parties need access to the personal data for us to provide the Service, we provide third parties with Your personal data. Such third parties include Google Cloud Platform, which hosts the Service. We also use Google to communicate with you via email (Gmail). Google processes the data in accordance with their  privacy policy.  Furthermore, we receive payments relating to the Service to a Paypal account. Paypal processes the personal data in accordance with their  privacy policy.  Both Compensate and the Foundation can also transfer any personal data to each other if there is a legitimate interest or a legal obligation to do so. 

In addition, we may provide your personal data to our affiliates or to authorized service providers who perform services to us (including, for instance, data storage, accounting, payment, sales, and marketing service providers). 

When your personal data is processed by third parties as data processors on behalf of Compensate, Compensate has taken the appropriate contractual steps and organizational measures to ensure that the data are processed exclusively for the purposes specified in this Privacy Statement and in accordance with all applicable laws and regulations and subject to our instructions and appropriate obligations of confidentiality and security measures. 

Finally, we may also share your personal data to comply with applicable laws and regulations, to respond to a subpoena, search warrant or other lawful request for information we receive, or to otherwise protect our rights, with your explicit consent or for other legitimate reasons.

Your rights

If you are a European resident, you have the right to access personal data we hold about you and to ask that your personal data be corrected, updated, or deleted. You also have a right to object to the use of certain personal data, the right to restrict the processing, the right to receive the data in a structural and common format (so called “right to data portability”) and the right to withdraw your consent. In addition, you can also prohibit us from using your personal data for direct marketing purposes, market research and profiling. If you would like to exercise any of these rights, please contact us through  legal@compensate.com

Additionally, if you are a European resident we note that we are processing your information in order to fulfill contracts we might have with you (for example if you make an order through the Site), or otherwise to pursue our legitimate business interests listed above. 

Data Transfers outside of the European Economic Area (EEA)

Please note that your information will be transferred outside of the EEA, including to Canada and the United States. We will take steps to ensure that your personal data receives an adequate level of protection in the jurisdictions in which they are processed. We provide adequate protection for the transfers of personal data to countries outside of the EEA through a series of agreements with our service providers based on the  Standard Contractual Clauses  or through other appropriate safeguards.

Data retention

We do not store your personal data longer than is legally permitted and necessary for the purposes of this Compensate Privacy Statement. The storage period depends on the nature of the information and the purposes of the processing. The maximum period may, therefore, vary per use. 

When you stop using the Application, we will maintain the most of your personal data for our records for three and a half (3,5) years unless you ask us to delete this information. After your request or if 3,5 years have elapsed, some of the personal data may be still processed by us as long as it is required by law or is reasonably necessary for our legal obligations or legitimate interests, such as claims handling, bookkeeping, internal reporting and reconciliation purposes. All personal data will be anonymized or deleted with a period of ten (10) years after you have placed an order through the Site or you have asked us to delete the data, except for personal data required in certain, rare situations such as legal proceedings. 

Changes

We may update this privacy policy from time to time in order to reflect, for example, changes to our practices or for other operational, legal or regulatory reasons.

Information security

We use administrative, organisational, technical, and physical safeguards to protect your personal data. Should despite the security measures, a security breach occurs that is likely to have negative effects on your privacy, we will inform you and other affected parties, as well as relevant authorities required by applicable data protection laws, about the breach as soon as possible. 

Contact us

For more information about our privacy practices, if you have questions, or if you would like to make a complaint, please contact us by e-mail at legal@compensate.com or by mail using the details provided below:

Compensate

Emmi Simonen

Korkeavuorenkatu 47 

00130 Helsinki

Finland

__________________________________________________________________________________________

Applicable until 25.9.2020

Compensate Privacy Policy – Shopify Plugin

Compensate provides a service which enables your store customers ways to offset the CO2 emissions generated by the shipping of their purchases ("the Service") to merchants who use Shopify to power their stores. The Service is implemented through an app ("the Application”).This Privacy Policy describes how your personal data and the data in relation to your Point of sale (POS) hosted by Shopify (hereinafter referred to as “Your Store” or “Merchant Store”) is collected, used, and shared when you install or use the Application. Your customers visiting Your Store are referred to as “Your Customers”. You must ensure you have the necessary authority to sign the Privacy Policy on behalf of the entity using the Application. You can always find this Privacy Policy right here and in the app in Shopify.

Data controllers

The Application is developed and owned by a non-profit company Compensate Operations Oy (Compensate Operations Oy, Korkeavuorenkatu 34, 00130 Helsinki, Finland

Business ID 2993434-1, hereinafter referred to as “we” or “Compensate”).

Compensate is a subsidiary of a non-profit called Compensate Foundation sr (business ID: 2914937-8, address Korkeavuorenkatu 47, 00130 Helsinki, Finland, hereinafter referred to as the “Foundation”). Because the Foundation receives the Compensation fees and is responsible for purchasing carbon offsets, the Foundation and Compensate are regarded as joint controllers. 

Compensate is responsible for complying with data protection laws and data security as well as ensuring your privacy rights relating to the implementation on the Application. Therefore your information shall be treated in accordance with the Compensate Privacy Statement. If you have any questions regarding the processing of your data or wish to exercise your rights, please contact Compensate through the contact information at the end of this Compensate Privacy Policy. 

Personal data the Application collects

Data relating to you and Your Store

When you install the Application, you give Compensate permission to access certain types of information from you and your Shopify account: 

  • Your Store details you give to us -for example, the name of Your Store, the country, VAT number, address 
  • Your personal details, such as your email address

The joint data controllership with Compensate and the Foundation starts from the moment Shopify receives the payment information and ends when you or Compensate suspends or terminates the use of the Application. In practise, the Foundation only receives information required for the invoicing and accounting of Compensation fees. These include the compensation items included on an order and the total sum of those Compensation fees. The Foundation may also have a legitimate interest or a legal obligation to deal with other personal data, such as analytics data. The Foundation does not act as a joint controller relating to the analytics data because the purpose and the means of processing analytics data is defined by Compensate. Therefore Compensate is solely responsible for the lawful processing of any analytics data. 

How do we use your personal data?

We use the personal data we collect from you and Your Store in order to provide the Service and to operate the Application. Additionally, we use this personal data to: communicate with you; optimize or improve the Application; and provide you with information or advertising relating to our products or services. We also may process the data to administer and fulfil our obligations under law and for claims handling and legal processes. 

We process your personal data primarily in order to fulfil our contractual obligations to you as well as to pursue our legitimate interest to run, maintain and develop our operations and to create and maintain customer and other business relationships. When choosing to use your data on the basis of our legitimate interests, we weigh our own interests against your right to privacy and e.g. provide you with easy to use opt-out from our marketing communications and use pseudonymized or non-personally identifiable data when possible.

We may also process your personal data in order to comply with our legal obligations.In some parts of the Service, you may be requested to grant your consent for the processing of personal data. In this event, you may withdraw your consent at any time.

Sharing your personal data

To the extent that third parties need access to the personal data for us to provide the Service, we provide third parties with Your personal data. Such third parties include Google Cloud Platform, which hosts the Service. We also use Google to communicate with you via email (Gmail). Google processes the data in accordance with their  privacy policy.  Furthermore, we receive payments relating to the Service to a Paypal account. Paypal processes the personal data in accordance with their  privacy policy.  Both Compensate and the Foundation can also transfer any personal data to each other if there is a legitimate interest or a legal obligation to do so. 

In addition, we may provide your personal data to our affiliates or to authorized service providers who perform services to us (including, for instance, data storage, accounting, payment, sales, and marketing service providers). 

When your personal data is processed by third parties as data processors on behalf of Compensate, Compensate has taken the appropriate contractual steps and organizational measures to ensure that the data are processed exclusively for the purposes specified in this Privacy Statement and in accordance with all applicable laws and regulations and subject to our instructions and appropriate obligations of confidentiality and security measures. 

Finally, we may also share your personal data to comply with applicable laws and regulations, to respond to a subpoena, search warrant or other lawful request for information we receive, or to otherwise protect our rights, with your explicit consent or for other legitimate reasons.

Your rights

If you are a European resident, you have the right to access personal data we hold about you and to ask that your personal data be corrected, updated, or deleted. You also have a right to object to the use of certain personal data, the right to restrict the processing, the right to receive the data in a structural and common format (so called “right to data portability”) and the right to withdraw your consent. In addition, you can also prohibit us from using your personal data for direct marketing purposes, market research and profiling. If you would like to exercise any of these rights, please contact us through  legal@compensate.com

Additionally, if you are a European resident we note that we are processing your information in order to fulfill contracts we might have with you (for example if you make an order through the Site), or otherwise to pursue our legitimate business interests listed above. 

Data Transfers outside of the European Economic Area (EEA)

Please note that your information will be transferred outside of the EEA, including to Canada and the United States. We will take steps to ensure that your personal data receives an adequate level of protection in the jurisdictions in which they are processed. We provide adequate protection for the transfers of personal data to countries outside of the EEA through a series of agreements with our service providers based on the  Standard Contractual Clauses  or through other appropriate safeguards.

Data retention

We do not store your personal data longer than is legally permitted and necessary for the purposes of this Compensate Privacy Statement. The storage period depends on the nature of the information and the purposes of the processing. The maximum period may, therefore, vary per use. 

When you stop using the Application, we will maintain the most of your personal data for our records for three and a half (3,5) years unless you ask us to delete this information. After your request or if five years have elapsed, some of the personal data may be still processed by us as long as it is required by law or is reasonably necessary for our legal obligations or legitimate interests, such as claims handling, bookkeeping, internal reporting and reconciliation purposes. All personal data will be anonymized or deleted with a period of ten (10) years after you have placed an order through the Site or you have asked us to delete the data, except for personal data required in certain, rare situations such as legal proceedings. 

Changes

We may update this privacy policy from time to time in order to reflect, for example, changes to our practices or for other operational, legal or regulatory reasons.

Information security

We use administrative, organisational, technical, and physical safeguards to protect your personal data. Should despite the security measures, a security breach occurs that is likely to have negative effects on your privacy, we will inform you and other affected parties, as well as relevant authorities required by applicable data protection laws, about the breach as soon as possible. 

Contact us

For more information about our privacy practices, if you have questions, or if you would like to make a complaint, please contact us by e-mail at legal@compensate.com or by mail using the details provided below:

Compensate

Emmi Simonen

Korkeavuorenkatu 47 

00130 Helsinki

Finland

DATE 27.7.2020