Applicable until 25.9.2020
Compensate Privacy Policy – WooCommerce Plugin
Compensate provides a service which enables your store customers ways to offset the CO2 emissions generated by the shipping of their purchases ("the Service") to store owners who use WooCommerce to power their stores. The Service is implemented through an App (“the Application”). This Privacy Policy describes how your personal data and the data in relation to your online store powered by WooCommerce (“Your Store”) is collected, used, and shared when you install or use the Application in connection with Your Store. Your customers visiting Your Store are referred to as “Your Customers”. You must ensure you have the necessary authority to sign the Privacy Policy on behalf of the entity using the Application.
Data Controllers
The Application is developed and owned by a non-profit company Compensate Operations Oy (Compensate Operations Oy, Korkeavuorenkatu 34, 00130 Helsinki, Finland, Business ID 2993434-1, hereinafter referred to as “we” or “Compensate”).
Compensate is a subsidiary of a non-profit called Compensate Foundation sr (business ID: 2914937-8, address Korkeavuorenkatu 47, 00130 Helsinki, Finland, hereinafter referred to as the “Foundation”). Because the Foundation receives the Compensation fees and is responsible for purchasing carbon offsets, the Foundation and Compensate are regarded as joint controllers.
Compensate is responsible for complying with data protection laws and data security as well as ensuring your privacy rights relating to the implementation on the Application. Therefore your information shall be treated in accordance with the Compensate Privacy Statement. If you have any questions regarding the processing of your data or wish to exercise your rights, please contact Compensate through the contact information at the end of the Compensate Privacy Policy.
Personal Data the Application Collects
When you install the Application, you give Compensate permission to access certain types of information from your WooCommerce account:
Data relating to You and Your Store
- Your Store details - such as the email address you have listed in your WooCommerce account, billing details such as the name of Your Store, country of registration, address, business and VAT ID, billing information.
- In addition, we collect information about you and others who may access the Application on behalf of Your Store, such as your email address.
Analytics data relating to Your Store
Although we do not use Analytics data to identify you as an individual, you may sometimes be recognised from it, either alone or when combined with other data. In such situations, Analytics data can also be considered personal data under applicable laws and we will treat such data as personal data. We collect the following data by detecting the browser user agent.
- Information on how often Your Customers are interacting with the Application (such as how often they have clicked the checkbox or read more - icons), device type (mobile/desktop), geolocation from the IP address, and browser information.
The joint data controllership with Compensate and the Foundation starts from the moment we receive the payment information and ends when you or Compensate suspends or terminates the use of the Application. In practise, the Foundation only receives information required for the invoicing and accounting of Compensation fees. These include the compensation items included on an order and the total sum of those compensation items. The Foundation may also have a legitimate interest or a legal obligation to deal with other personal information, such as Analytics data. The Foundation does not act as a joint controller relating to the Analytics data because the purpose and the means of processing Analytics data is defined by Compensate. Therefore Compensate is solely responsible for the lawful processing of any Analytics data.
How Do We Use Your Personal Information?
We use the personal information we collect from you or Your Store in order to provide the Service and to operate the Application. Additionally, we use this personal information to: communicate with you; optimize or improve the Application; and provide you with information or advertising relating to our products or services. We also may process the data to administer and fulfil our obligations under law and for claims handling and legal processes.
Legal grounds for processing
We process your personal data primarily in order to fulfill our contractual obligations to you as well as to pursue our legitimate interest to run, maintain and develop our operations and to create and maintain customer and other business relationships. When choosing to use your data on the basis of our legitimate interests, we weigh our own interests against your right to privacy and e.g. provide you with easy to use opt-out from our marketing communications and use pseudonymized or non-personally identifiable data when possible.
We may also process your personal data in order to comply with our legal obligations.In some parts of the Service, you may be requested to grant your consent for the processing of personal data. In this event, you may withdraw your consent at any time.
Sharing Your Personal Information
To the extent that third parties need access to the personal data for us to provide the Service, we provide third parties with Your personal data. Such third parties include Google Cloud Platform, which hosts the Service. We also use Google to communicate with you via email (Gmail). Google processes the data in accordance with their
In addition, we may provide your personal data to our affiliates or to authorized service providers who perform services to us (including, for instance, data storage, accounting, payment, sales, and marketing service providers).
When your personal data is processed by third parties as data processors on behalf of Compensate, Compensate has taken the appropriate contractual steps and organizational measures to ensure that the data are processed exclusively for the purposes specified in this Privacy Statement and in accordance with all applicable laws and regulations and subject to our instructions and appropriate obligations of confidentiality and security measures.
We may also share your personal data to comply with applicable laws and regulations, to respond to a subpoena, search warrant or other lawful request for information we receive, or to otherwise protect our rights, with your explicit consent or for other legitimate reasons.
Finally, both Compensate and the Foundation can transfer any personal information to each other if there is a legitimate interest or a legal obligation to do so. Finally, we may also share your Personal Information to comply with applicable laws and regulations, to respond to a subpoena, search warrant or other lawful request for information we receive, or to otherwise protect our rights, with your explicit consent or for other legitimate reasons.
Your Rights
If you are a European resident, you have the right to access personal information we hold about you and to ask that your personal information be corrected, updated, or deleted. You also have a right to object to the use of certain personal data, the right to restrict the processing, the right to receive the data in a structural and common format (so called “right to data portability”) and the right to withdraw your consent. If you would like to exercise any of these rights,, please contact us through the contact information below.
Additionally, if you are a European resident we note that we are processing your information in order to fulfill contracts we might have with you (for example if you make an order through the Site), or otherwise to pursue our legitimate business interests listed above. Additionally, please note that your information will be transferred outside of Europe, including to Canada and the United States.
Data Transfers outside of the European Economic Area (EEA)
Please note that your information will be transferred outside of the EEA, including to Canada and the United States. We will take steps to ensure that your personal data receives an adequate level of protection in the jurisdictions in which they are processed. We provide adequate protection for the transfers of personal data to countries outside of the EEA through a series of agreements with our service providers based on the
Data Retention
We do not store your personal data longer than is legally permitted and necessary for the purposes of this Compensate Privacy Statement. The storage period depends on the nature of the information and the purposes of the processing. The maximum period may, therefore, vary per use.
When you place an order through the Site, we will maintain the most of the Order Information for our records for three and a half (3,5) years unless you ask us to delete this information. After your request or if five years have elapsed, some of the personal data may be still processed by us as long as it is required by law or is reasonably necessary for our legal obligations or legitimate interests, such as claims handling, bookkeeping, internal reporting and reconciliation purposes. All personal data will be anonymized or deleted with a period of ten (10) years after you have placed an order through the Site or you have asked us to delete the data, except for personal data required in certain, rare situations such as legal proceedings.
Changes
We may update this privacy policy from time to time in order to reflect, for example, changes to our practices or for other operational, legal or regulatory reasons.
Information security
We use administrative, organisational, technical, and physical safeguards to protect your personal data. Should despite the security measures, a security breach occurs that is likely to have negative effects on your privacy, we will inform you and other affected parties, as well as relevant authorities required by applicable data protection laws, about the breach as soon as possible.
Contact Us
For more information about our privacy practices, if you have questions, or if you would like to make a complaint, please contact us by e-mail at
Compensate
Emmi Simonen
Data protection officer
Korkeavuorenkatu 47 00130 Helsinki, Finland
Applicable from 17.8.2020