Effective date: June 29th, 2018.
COLLECTION OF PERSONAL DATA
When you engage in a transaction on our Website, we may collect directly from you the following personal data for the reasons set forth. For user accounts, we collect your first name, last name, e-mail address and last login date and time, for purposes of keeping record of our customers. For a sale on our Website, we collect the last four digits of your credit card, the name on the credit card, and the date and time of the transaction, for purposes of troubleshooting sales transactions with the payment processor. For items put in your shopping cart but not purchased, which are deleted after 1 to 2 months, we send you reminders that there are items remaining in your shopping cart, for purposes of studying purchasing behaviors and the reasons why checkouts are abandoned. With respect to contact messages sent by you to us through the form on our Website, we collect your e-mail and the time of your message. Anonymous session keys are collected through cookies for the purpose of providing users to our Website with a consistent visit. For the purchase of gift cards, we collect the name of the sender, the e-mail address of the sender, the message from the sender to the recipient, the name of the recipient, the e-mail address of the recipient, and the date and time of the transaction, for purposes of completing the transaction. With respect to your clicking on out of stock items, we collect your user account, the item in question, and the date and time of the attempted transaction, for purposes of studying the demand for items not in our inventory. With respect to requests for out of stock reminders, we collect your user account and your e-mail address, for purposes of sending you a reminder when an item is back in stock. For orders, we collect your full mailing address for purposes of billing and shipping, and other related data such as your organization for purposes of delivery.
For personal profiles, we collect only from those customers who wish to share such data, your age, size for clothes, location and interests. With respect to professionals, in addition to personal data that we may collect from all of our customers, we also collect your description of your job and documents proving your professional identity. With respect to reviews, we keep and publish reviews of our products by our customers. The aforementioned personal data is also collected for purposes of making sales, improving after sale support, attracting new customers or motivating existing customers to place new orders, and checking the functionality of all of our mechanisms. We also collect your IP address on a country level for purposes of regulating traffic for the EU to the proper language version of our Website and, in the future, intend on doing so to a city level for purposes of greater personalization by customizing what you see on the homepage of our Website.
The first layer of storage of the data is our database. Some of the data is stored temporarily in a log file to assist with troubleshooting bugs. These log files are deleted after 1 to 2 months. The second layer of storage is by our hosting provider, Amazon Web Services (AWS). For our US website (www.kuhl.com), we use AWS servers in the US-West-1 region located in California, and for our EU websites (eu.kuhl.com and en.kuhl.com) we use AWS servers in the EU-Central-1 region located in Frankfurt. We keep monthly backups of our databases for up to one (1) year. We keep weekly backups of our databases which are retained for four (4) weeks. We keep daily backups of our databases which are retained for thirty one (31) days.
We are processing this information based upon your consent to our doing so, our legitimate interests such as marketing and, with respect to the data necessary to process your purchases and payments, because it is necessary for the performance of your contract with us. With respect to data that may be transferred from the EU to the United States, such transfer would only occur so long as it was necessary for the purpose of carrying out our contractual obligations to you or based upon the fact that you have granted us your consent to do so. The only people who may have access to your personal data, in addition to parties acting as data processors or data controllers disclosed elsewhere herein, are our e-commerce officer, our head developers, our system administrator, the management of KÜHL (only upon request), employees of Full Circle (the software company that handles our ERP software) with respect to data that is transferred to ERP, and other KÜHL employees who are required to have access to the data in order to perform their jobs.
In order for us to be able to provide the services available on our Website, and to meet any of our related business obligations, you must provide the personal data that is required to do so. Without that data, we are not in a position to do so.
Security of all personal data of our users is a primary concern of ours. Thus, we have adopted reasonable security measures to protect the security of our users' information. We use, where appropriate, industry standard encryption technology, multiple computer server firewalls, entry point VPN, and deep resource segmentation when transferring and receiving consumer data exchanged with this Website. Credit card information is sent to Authorize.Net, which processes the payments. Nevertheless, we cannot guarantee complete security of your information inasmuch as no security systems are foolproof. It is also important for you to protect against the unauthorized access to your information as well as to your computer.
PROMOTIONAL AND E-MAIL NOTIFICATIONS
When you sign up to our Website, you agree to receive promotional e-mails and e-mail notifications including, but not limited to, customer service related e-mails pertaining to sales such as order confirmations, notifications that an item has shipped, returns and requests for reviews. If you change your mind and no longer wish to receive our promotional e-mails, you may opt out at any time simply by sending us an e-mail or by clicking on the unsubscribe link.
PROMOTIONS AND CONTESTS
We may, from time to time, host a promotion or contest on this Website or on another website that is sponsored or co-sponsored by a third party. In connection therewith, you may be asked to provide personal information or permit the transfer to a third party of your personal information. KÜHL has no control over the third party's use of this information. Depending on the situation, you will be informed as to who is collecting or transferring the information and whose privacy statement applies, and it will be your discretion as to whether or not you want to permit the collection or transfer of your personal information to a third party.
DATA PROCESSORS AND JOINT DATA CONTROLLERS
We do not own or control any servers or databases. We use Amazon Web Services (AWS). For our US website, we use AWS servers in the US-West-1 region located in California, and for our EU website we use AWS servers in the EU-Central-1 region located in Frankfurt. We keep monthly backups of our databases for up to one year. We keep weekly backups of our databases which are retained for four (4) weeks. We keep daily backups of our databases which are retained for thirty one (31) days.
Email-Checker acts as a data processor with respect to verifying our e-mails, but no personal data is stored with them. Gender API is a Germany based company that acts as a data processor with respect to determining the gender of our customers, but no personal data is stored with them. GlockApps acts as a data processor with respect to our using their seed list to track delivery of our e-mail marketing campaigns, but no personal data is stored with them.
TERMINATION OF CONSENT
You have the right, at any time, to withdraw your consent to the processing of your personal data. The withdrawal of your consent will not affect or invalidate the lawfulness of any data processing based upon your original consent that occurred prior to your withdrawal of that consent.
CORRECTION, AMENDMENT OR DELETION OF INFORMATION
You have the right, in certain situations, to have your personal data corrected, erased, to terminate the further dissemination of your personal data, or to have third parties cease processing your personal data. In the event that you desire to revoke your previously granted consent to our Website collecting any personal data, and/or wish to have such information corrected, amended or deleted, and/or to terminate the further dissemination of your personal data or to have third parties cease processing your personal data, you can do so by contacting the following: firstname.lastname@example.org.
RIGHT TO YOUR PERSONAL DATA
You are entitled to receive a copy of your personal data free of charge so long as your request is not manifestly unfounded or excessive. We must provide the requested information within one month of our receipt of your request, which time period can be extended by two additional months if necessary, so long as we inform you of the extension within one month of receiving your request and of the reasons for the delay.
RIGHT TO OBJECT TO PROFILING AND DIRECT MARKETING
To the extent that we may collect your personal data for the purposes of conducting profiling or direct marketing, you have the right to object to the processing of your personal data for those purposes. In the event that you object to processing for those purposes, we will no longer process your personal data for those purposes.
You have the right to receive your personal data in a commonly used and machine-readable format and to have your personal data transmitted to another information technology environment if it is technically feasible to do so.
RESPONSE TO "DO NOT TRACK" REQUESTS
We do not respond to web browser "do not track" signals. As a result thereof, any navigation of our Website may be tracked as part of the gathering of quantitative user information described above. If you arrive at our Website through the use of a link originating from a third party site that responds to "do not track" requests, the recognition of any "do not track" request you may have initiated will end upon your reaching our Website.
NOTIFICATION OF DATA BREACH
In the event of a data breach that is likely to result in a risk to your rights and freedom, within 72 hours of our becoming aware of the breach we are required to report it to you and the appropriate authorities.
CHILDREN'S PERSONAL DATA
Our Website is not directed to children under the age of 13, or 16 if located in the EU, and we do not have actual knowledge that we have collected personal data from children under those ages. However, in the event that we learn that we do collect personal data from children under the age of 13 in the U.S., under the age of 18 in California or Delaware, or under the age of 16 if located in the EU, we will endeavor to comply with the Children's Online Privacy Protection Act (COPPA), California's Online Eraser Law, and the Delaware Online Privacy and Protection Act (DOPPA) as well as the GDPR. In the event that we discover that we have unknowingly collected such personal data, we will either immediately attempt to utilize that information in order to obtain parental consent or destroy all of the data collected.
Parents have the right to review the personal data that we may have collected about their children. Parents can, at any time, refuse to permit us to collect any more personal data about their children, and can request that we delete from our records all of the personal data that we have collected about their children. Parents should keep in mind that a request to delete such information about their children means that their children will not be able to utilize our Website. In order to request access to, change or delete their child's personal data, parents can send an e-mail to us at email@example.com. It will be necessary for you to authenticate yourself as the child's parent in order to receive any information about that child. A valid request to delete personal data will be undertaken within a reasonable period of time. We will also delete, within a reasonable time period, any personal data collected from a child under the age of 13 when the service that the child was using becomes inactive, or a subscription lapses or is cancelled, or when their account with us is closed.
Minors under the age of 18 residing in California and Delaware may remove, or may request the removal of, any information that they have posted on our Website. This can be accomplished by contacting us as follows: firstname.lastname@example.org. Any removal of posted information does not ensure the complete or comprehensive removal of the information posted on our Website.
You have the right to lodge a complaint with the appropriate supervisory authority (Data Protection Authority) of a member state of the EU that is your habitual residence, your place of work, or the place of the alleged infringement of your rights.