CAPSULE Privacy Policy

1. Purpose

1.1 The purpose of the policy on personal data protection is to define how CAPSULE (“we”, “us”, “CAPSULE APS”) processes personal data. Personal data processing covers any use of personal data such as collection, registration, curation, storing, transmission, grouping or pooling, containment, deletion, or destruction. Personal data is to be perceived as any information that may be used to verify the identity of a person including (but not limited to) first-name, surname, address, email address, or other contact information regardless of whether said information relates to the private residence or workplace of the individual in question.

1.2 The processing of personal data must be in accordance with existing laws regarding the protection of personal data, including the EU General Data Protection Regulation and such as the regulations described in this policy.

2. Basic principles

2.1 This policy applies equally to all our units processing personal data. The rules for processing personal data apply both to electronic and physical handling of such information.

2.2 When handling personal data, we are obligated to comply with the following basic principles:

2.2.1 Qualification of use: Personal data is solely collected for the lawful purpose explicitly stated. Be aware that personal data may only be employed for the same purpose to which they have been collected and which has been stated in advance. It is prohibited to reuse personal data for any other purpose.

2.2.2 Legality, reasonableness, and transparency: Personal data must be processed legally, reasonably, and in a transparent manner in relation to the registered party.

2.2.3 Minimization of data: No more personal data may be collected than what is deemed appropriate and necessary in correlation with the purpose to which it is collected.

2.2.4 Accuracy: Personal data collected must be accurate and kept up to date if necessary.

2.2.5 Storage limitation: Personal data must not be stored for a longer period of time than what is necessary to serve the purpose to which the data has been collected for.

2.2.6 Integrity and confidentiality: Personal data must be processed in a manner to secure adequate data security using appropriate technical and organizational precautionary measures to avoid unauthorized or illegal processing, accidental loss of data, or any destruction or damage.

2.2.7 Responsibility: We may at any time be required to demonstrate documentation that the above set of rules are being observed and complied with. This policy forms the basis for company rules to adhere to.

3. Basic policy for the processing of personal data

3.1 As a general rule, personal data may not be processed unless there are valid reasons to do so.

3.2 The most commonly applied grounds for data processing are:

3.2.1 The individual in question has given consent to our handling of the personal data.

3.2.2 Our processing of the personal data is necessary to complete an agreement the individual in question is a part of, or has requested that be done prior to entering into an agreement.

3.2.3 Processing the data is a necessity to comply with a legal obligation.

3.3 As a rule, consent to the storage of personal data will be required in the examples stated under paragraph 3.2 unless a contractual relationship exists.

3.4 Further requirements of the law apply when processing sensitive information. Such include information about race or ethnicity, political persuasion, religious or philosophical persuasion, union membership, and information regarding health or sexual preference. As a rule, processing sensitive information requires consent.

4. Personal Data Processing

4.1 User Behavior Data Collection

CAPSULE collects data regarding user behavior within the app for analysis and marketing purposes. This includes, but is not limited to, interactions, preferences, and usage patterns. This data collection is conducted based on your explicit consent, which you provide by using the app and agreeing to our privacy policy.

4.2 Consent for Moodboards and styling images that include personal data

We will only provide third parties, such as brands, with access to moodboards or styling images that include identifiable facial images if explicit consent is obtained from the user. You have the right to withdraw your consent at any time by contacting us through the designated channels. Upon receipt of your withdrawal, we will cease sharing such images.

5. Your rights

The GDPR Chapter 3 gives you, as the data subject, the following rights in respect of the personal data we hold on you:

5.1 Awareness of and Access to Your Data

You shall have the right to request confirmation on whether CAPSULE processes personal data relating to you, and if so, you have the right to request a copy of the personal data we have processed.

5.2 Request Correction

At any time, you have the right to request correction of any incorrect or incomplete data we may have on you.

5.3 Request Erasure

 You have the right to request the erasure of the personal data we have on you. Certain restrictions apply when requesting erasure. One of the following grounds must apply before personal data can be erased: (i) Personal data is no longer necessary in relation to the purpose for which it was collected (ii) You withdraw your consent (iii) You object to the processing and there is no justified reason for continuing processing (iv) The processing is unlawful (v) The personal data must be erased for compliance with a legal obligation in Union or Member State law.

5.4 Request Restriction of Processing

You have the right to request restriction of processing which means that you can request that CAPSULE restricts the use of your personal data in certain circumstances. This could be if you don’t want us to erase the personal data, but instead restrict the use, or if the accuracy of the personal data is contested by you and needs to be verified by you.

5.5 Data Portability

You have the right to receive the personal data that you have provided to us in a machine-readable format.

5.6 Withdraw Consent at Any Time

At any time, you shall have the right to withdraw your consent, provided the processing of your personal data is based on your consent.

6. Marketing

6.1 Based on your consent, we process your personal data to inform you about CAPSULE’s business operations, products, and services. For this purpose, we create marketing tailored to your preferences and profile. Additionally, CAPSULE collects user behavior data from the application, including interactions and preferences, for the purpose of conducting analysis and improving our marketing efforts. This data collection is done only with your explicit consent.

6.2 If you do not wish to receive any further information, you can easily and free of charge unsubscribe from our marketing communication at any time. You will find ways to unsubscribe in connection with subscribing to or receiving marketing communication from us. You can also contact us by e-mail or post to unsubscribe.

7. Storage Period

7.1 Personal data collected may be stored only as long as it serves the stated purpose. Specifically, this means that personal data may be stored as long as a relationship to the registered customer or business partner still exists. Personal data must be deleted within a reasonable time from the termination of this relationship.

7.2 At the expiration of the storage period allowed, all relevant information must be deleted or destroyed without undue delay.

7.3 We are obligated to ensure that our personal data is correct and continuously brought up to date. Incorrect, inadequate, or antiquated personal data must be corrected.

8. Use of Data Processors

8.1 Access to personal data is given to third parties only if it is guaranteed that the information is handled legally and following the necessary precautions.

8.2 A third party may not be labeled as a data processor or given access to personal data until a Data Processing Agreement is signed. A data processor may be a physical person or a legal entity, a public authority, an institution, or other type of public body processing personal data on our direction.

8.3 The Data Processing Agreement imposes the data processor with appropriate technical and organizational precautionary measures to protect our personal data as well as conditions that the processing of personal data may only be done on our direction.

8.4 If services are provided by a third party (such as Cloud Computing Services), it must be investigated whether any personal data is being processed by an additional third party on behalf of the third party providing the service for us, and if this additional cooperative relationship could entail the transfer of our personal data to a non-EU country. In both the above instances, it must be secured in the contract that the necessary precautionary measures for data protection are taken.

9. Transfer of Personal Data to Non-EU Countries

9.1 In some cases, we may also transfer personal data to organizations in countries outside the EU, so-called third countries. When transferring personal data outside the EU, we ensure that all necessary safeguards are in place for such transfer.

10. Precautionary Measures

10.1 We have introduced a number of physical, technical, and organizational precautionary measures to ensure our personal data from loss or damage, unauthorized alterations, and unauthorized access and misuse.

10.2 As an employee, some examples of precautionary measures to be aware of are:

10.2.1 To prevent unauthorized individuals from gaining access to our IT systems through the use of passwords and other types of access control.

10.2.2 Ensure that individuals with access to our IT systems do not gain access to any personal data outside the sphere of their granted area of responsibility.

10.2.3 Ensure that the transfer of personal data through the internet cannot be read, copied, modified, or deleted without authorization.

10.2.4 Ensure appropriate logging of user access and attempted access into IT systems.

10.2.5 Ensure that data processors are used only in accordance with the directions stated by us.

10.2.6 Ensure that personal data is protected from unwanted destruction or loss.

10.2.7 Ensure that personal data is not stored any longer than necessary.

10.3 The collected data is stored in Azure in Azure Cosmos Db which is located in Sweden.

11. Enquiries from Registered Parties and Insight to Own Personal Data

11.1 All inquiries from registered parties, including requests for data access, demands for correcting information, or demands to have data deleted, must be passed on to the IT systems administration with the responsibility to register any inquiry immediately.

11.2 Registered individuals are entitled to have access and insight into the data registered if such an inquiry is made in writing.

11.3 Written inquiries from registered individuals must be replied to within 30 days. The IT systems administration is responsible for accommodating such requests but everyone is obliged to help make sure that inquiries and deadlines are observed.

12. Reporting Data Breach

12.1 If a breach of personal data is suspected, the IT systems administration must be alerted and briefed of the incident immediately. The incident can be reported by email to es@capsuleapp.io, or by telephone at 31 33 45 01.

12.2 The IT systems administration investigates all reported events to verify whether a breach of personal data security has taken place. If a breach is confirmed, the IT systems administration will follow a set procedure depending on the type of information and the extent of the breach.

13. Policy Updates

13.1 We may update this privacy policy from time to time. Any changes will be posted on this page, and we will notify you of significant changes by email or through a notification on the app. We encourage you to review this policy periodically for any changes.

14. Contact Information

14.1 For any inquiries related to your personal data, including requests to access, correct, or delete your information, or to withdraw consent, please contact us at: Email: es@capsuleapp.io

Updated on September 6, 2024