Privacy policy
Latest updated at: 17 July 2023
1. General
1.1. Definitions
BubblyDoo or “we” | Bubbly-Doo BV, with company seat at Sint-Pietersvliet 7, 2000 Antwerpen, Belgium and registered with company number 0727.776.548, RPR Antwerp, department Antwerp. |
---|---|
Customer or “you” | Individual interacting with BubblyDoo through a touchpoint, e.g. our website, or through a 3rd party retailer |
Personalized person | The person used in our personalization process, the person for which a product is made by the customer. |
1.2. Who is the data controller?
Bubbly-Doo BV, with company seat at Sint-Pietersvliet 7, 2000 Antwerpen, Belgium and registered with company number 0727.776.548, RPR Antwerp, department Antwerp.
BubblyDoo is reachable for any data processing-related questions at:
Bubbly-Doo BV
Sint-Pietersvliet 7, 2000 Antwerp
Belgium
hello@bubbly-doo.com
1.3. Introduction
BubblyDoo is dedicated to protecting your personal data and that of the children you personalize in our products. We have done our very best to write this document and configure our consent management to give you full control over what we can do with your personal data. In general, BubblyDoo processes most of its customer’s personal data itself, but we sometimes use third-party tools that are hosted in the EU, like PostHog. We do not simply add analytics integrations to our systems but try to limit their access to your personal data as much as possible. We have only a minimal amount of subprocessors, some of which are discussed in this document.
2. For how long do we store your personal data?
We do not store your data longer than necessary for their purpose. This means the data mentioned above can be stored as long as you are a considered a customer of BubblyDoo.
After your last interaction with BubblyDoo, we can actively use your personal data for maximum 5 years after a purchase, for direct marketing and analytical purposes, if you have provided your consent.
We store strictly necessary personal data for a maximum of 10 years after your last interaction, in order to be able to respond to any requests from law enforcement or if it is needed for our legal defense.
When we consider it appropriate we can also delete your data earlier.
See article 3.2. for more
3. What kind of personal data do we store and use, and on what basis?
3.1. Lawful bases
We need your data to provide you our services, including our order and payment processing, a personalized offering for our customers, etc.
For customers in the EU, the GDPR requires us to list the types of personal data we use and on which lawful base. We use the following bases:
- Consent: The customer has consented to the processing of this data.
- Contractual: We need to process the data to provide our services.
- Legal: We need to process and store data to comply with regulations.
- Legitimate interest: Some data is used in the interest of BubblyDoo. If we use data for this reason, the interests of BubblyDoo and the interests, rights and freedoms of the customer are considered.
- Permitted: We received the explicit confirmation of the customer to process and store data. You have the right to revoke the permission you have given the company. This can be done by contacting us.
The types of personal data we use are listed below (article 3.2.), alongside the lawful bases.
3.2. Types of personal data
Identification, contact and payment data
We store and use the personal data you provide on the website and to third-party providers we integrate with, like our payment provider.
This includes your name, email address, phone number, payment information.
Contractual: This data processing is necessary to fulfill the contract between BubblyDoo and the Customer.
Stored for: 5 years, max 10 years
Product personalization data
We store and use the personal data you have used to personalize our products, like the name of the Personalized person and possibly a picture of the Personalized person.
Contractual: This data processing is necessary to fulfill the contract between BubblyDoo and the Customer.
Stored for: 5 years
Marketing conversion tracking data
In order to run our online advertisements effectively, we need to be able to track which ad you clicked on before you came to the BubblyDoo website. After you made a conversion, we report to the platform that you made a purchase.
This data includes marketing click ids and your IP address.
Legitimate interest: This data processing is necessary for the purposes of the legitimate interest of BubblyDoo. The customer can reject the processing of this data.
Stored for: 5 years
Communication preferences
We store and use your communication preferences, like if you consent to our direct marketing messages. The Customer provides this information directly to us.
Consent: This data processing is consented to by the customer.
Stored for: 5 years
Usage data
If you consented to it, we collect data about how you use our services in order to improve them and to offer you a personalized service.
Consent: This data processing is consented to by the customer.
Stored for: 3 years
Non-personal data
We also store aggregated analytics data, but this doesn’t qualify as personal data.
4. With which parties can my personal data be shared?
4.1. General
We do not sell your personal data to other companies or third parties, and we do not allow third parties to use your data for their own purposes, unless your consent is given. More concretely, your data can be shared with parties of the following kinds:
-
Service providers
We use third parties to provide services to you in our name. For example, we use third parties to print the products you can order on our website. We also use third parties to send our direct marketing emails, as our payment provider, to manage our cloud and to help us with customer support. We make sure this data is only used to the extent for which it is necessary.
-
Governments
When necessary and in order to comply with the law, we can share your personal data with governmental institutions.
-
Business-related transfers
BubblyDoo retains the right to transfer your data in case of a merger, acquisition, reorganization, sale or other transfer of BubblyDoo assets, as long as the receiving party agrees to use your personal data in compliance with this privacy policy. We will inform you upfront in this case.
4.2. Under the GDPR, which entity acts as data processor?
Under the GDPR, BubblyDoo acts both as data controller and data processor. When necessary we transfer your data to subprocessors, listed below. This list is non-exhaustive and subprocessors might be added at any time.
When third parties process your personal data outside the European Economic Area (EEA), we make sure to protect your data by making sure our agreements contain so-called “Standard Contractual Clauses”, unless the European Commission has provided an “adequacy decision” for the country where your data would be processed.
4.3. Categories of recipients of personal data
As is required, we list categories of recipients of personal data below.
- Software service providers
- Suppliers (our printing partners and other suppliers)
- Developers (our employees and freelancers)
- Marketing agencies
See article 4.4 for some of the actual companies that handle your personal data.
4.4. Most important subprocessors
BubblyDoo is not obliged to list its subprocessors, but we list our most important ones out of transparency to the customer.
As mentioned in article 4.2, we do sometimes store personal data outside of the EU. In that case, we will mention the parties and guarantees for the protection of your personal data.
As long as this privacy policy is followed and the protections of the customer’s personal data are taken into account, BubblyDoo retains the right to add and remove subprocessors at any time.
- Amazon Web Services
- Our main cloud provider is AWS. Our main database is an AWS database. It contains our customer data.
- Hosting: Hosted in EU (Frankfurt, Germany)
- More information: https://aws.amazon.com/privacy/
- Customer.io
- Customer.io is our Customer Data Platform. It stores all customers, their orders and communication preferences. We use it to send transactional emails and newsletters, as well as to generate audiences for remarketing purposes (when opted in).
- Hosting: Hosted in EU
- More information: https://customer.io/legal/privacy-policy/
- PostHog
- PostHog is our main analytics platform. It stores identified and unidentified customers, as well as the events they have executed on our website. It only stores personal data when opted in.
- Hosting: Hosted in EU
- More information: https://posthog.com/docs/privacy/gdpr-compliance
- Google Cloud
- We replicate our AWS database to Google BigQuery for analytical purposes, alongside Google Data Studio.
- Hosting: Hosted in EU
- More information: https://business.safety.google/gdpr/
- Google Analytics
- We use Google Analytics to process anonymized data used in aggregation, as well as to link to Google Ads.
- Hosting: Likely not hosted in EU
- Guarantees: BubblyDoo has signed a standard contractual clause with Google.
- More information: https://business.safety.google/gdprcontrollerterms/sccs/eu-c2c/
- Freshdesk
- Freshdesk is our customer service platform. It stores personal data when a customer opens a customer support ticket, through mail or a connected social media channel.
- Hosting: Hosted in EU
- More information: https://www.freshworks.com/privacy/
- Mollie
- Mollie is our payment provider. It stores personal data when a customer creates an order and when they fill in payment details. It is used to process payments, refunds and fraud detection.
- Hosting: Hosted in EU
- More information: https://www.mollie.com/privacy
- Stripe
- Stripe is our payment provider. It stores personal data when a customer creates an order and when they fill in payment details. It is used to process payments, refunds and fraud detection.
- Hosting: Hosted in EU
- More information: https://www.stripe.com/privacy
- Trustpilot
- Trustpilot is our customer reviews platform. After your order has been delivered, your feedback is asked by email. Data sent by BubblyDoo includes name, email address, locale and which products have been bought (non-personalized information)
- Hosting: Hosted in EU
- More information: https://support.trustpilot.com/hc/en-us/articles/360000306528-The-GDPR-and-data-protection-requirements-for-businesses
- Auth0
- We use Auth0 to manage user authentication. It stores your login data, which includes your email address.
- Hosting: Hosted in EU
- More information: https://auth0.com/docs/secure/data-privacy-and-compliance/gdpr
- Slack
- Slack is our internal communication tool. We sometimes share personal data on Slack as for customer support or analytical purposes.
- Hosting: Hosted in US
- Guarantees: BubblyDoo has signed a standard contractual clause with Slack
- More information: https://slack.com/terms-of-service/data-processing
- Suppliers
- When an order is submitted to a partnering printing facility, minimal data will be transferred to them in order to fulfill the order. The data sent by BubblyDoo includes the customer’s name, address and full product data.
- Hosting: Hosted in country of the fulfillment partner.
- Guarantees: We make sure the order is fulfilled in a country for which an adequacy decision has been made.
5. Do we use cookies?
Yes, BubblyDoo uses cookies for various purposes. See our cookie policy for more details.
6. What are my data protection rights?
BubblyDoo would like to make sure you are fully aware of all of your data protection rights. Every user is entitled to the following:
The right to access– You have the right to request BubblyDoo for copies of your personal data. We may charge you a small fee for this service.
The right to rectification– You have the right to request that BubblyDoo correct any information you believe is inaccurate. You also have the right to request BubblyDoo to complete the information you believe is incomplete.
The right to erasure– You have the right to request that BubblyDoo erase your personal data, under certain conditions.
The right to restrict processing– You have the right to request that BubblyDoo restrict the processing of your personal data, under certain conditions.
The right to object to processing– You have the right to object to BubblyDoo’s processing of your personal data, under certain conditions.
The right to data portability– You have the right to request that BubblyDoo transfer the data that we have collected to another organization, or directly to you, under certain conditions.
The right not to be subject to a decision based solely on automated processing - You have the right to avoid decisions based solely on automated processing, including profiling, that lead to legal effects or significantly affect you, unless certain conditions are met. This right does not apply if the decision is necessary for a contract, is authorized by applicable law with measures in place to protect your rights and interests, or is based on your explicit consent.
The right to lodge a complaint with a supervisory authority - If you believe your data protection rights have been breached, you can file a complaint with the supervisory authority in your jurisdiction. See this link to find your supervisory authority.
To contact BubblyDoo, see article 1.2.
7. Note about children’s data
We collect data about children in order to personalize our products and because this data is voluntarily given to BubblyDoo.
Our website and services are meant to be used by adults.
By using our website, it is implied that you have the right to use and upload the data of the person that is used for personalization of our products (”Personalized person”). This implies that when you are a minor, you have received parental consent.
If you believe that BubblyDoo has collected personal data of a minor without parental consent, please contact us via the details provided in article 1.2. This way, we can remove the data as quickly as possible.
We do not sell personal data of “personalized persons” to any third party.
8. Direct marketing
Your personal data can be used for marketing purposes, depending on your consent. Using your data, we can inform you about new offers, promotions, new products, and other information, possibly personalized for you.
You can always use your right to unsubscribe by contacting us via the details in article 1.2 or by updating your consent.
9. Your right to change consent
You have the right to change your consent at all time, however this does not affect the lawfulness of BubblyDoo’s processing of your personal data before you have changed your consent.
10. How do you manage my consent?
BubblyDoo has built its own system to manage your consent.
Our consent manager stores values to determine which cookies can be set, which 3rd-party scripts can be loaded, and which data processing can be done.
These values are stored in a text file that we call the “Consent Record”.
This record is saved together with an order, user or other stored information.
We use this record to determine your consent for future actions, like if we can send you marketing emails and if we can use your personal data for analytical purposes.
In the footer of our website, you can find a button to view and change your consent at all time.
BubblyDoo does not respond to Do Not Track (DNT) signals due to insufficient and varied browser support.