Updated as of 01/06/2020

Privacy policy

WHO ARE WE AND WHAT IS LABAROMA?

  • We are LabAroma Limited, a company registered in Northern Ireland under company number NI643082 and we have our registered office at 175 Ballygawley Road, Dungannon, Co Tyrone, BT70 1RX (we, us, our).
  • We provide a range of specialist aromatherapy services designed for aromatherapists and plant workers via our website (currently available at labaroma.com), which includes a subscription-based software blending tool, and we operate a number of associated business pages on various social media channels (together our Sites). We also offer a range of bespoke distance learning plant-based Courses and associated services which can be purchased and accessed via our dedicated Kajabi online business platform (currently available at labaroma.mykajabi.com) (our Kajabi Platform). Any reference in this notice to our Services means the provision of our Sites and our Kajabi Platform, our Courses and all associated services.
  • If you have any questions about who we are, what we do, or the provisions set out herein (Privacy Notice), please feel free to contact us at the address above or by email to support@labaroma.com.


WHAT IS THIS NOTICE?

  • In order to provide our Services, we may need to process Personal Data from time to time (that is information from which an individual can be identified). To the extent that we hold this data as a Controller (which means we make decisions about what data to collect and how it should be used), we are required to provide anyone who can be identified from that data (Data Subjects) with a notice explaining how we use Personal Data about them. That is what this document is for – to tell you about how we process Personal Data about our Users.
  • We might need to change this privacy notice from time to time. If we do, we will let you know. So please do keep an eye on our notice before sending us any Personal Data or uploading it on to our Services or Sites.
  • All of the defined terms in this notice are explained in paragraph 12 below. If you have any questions about this notice, feel free to send us an email to support@labaroma.com.


WHO DO WE HOLD PERSONAL DATA ABOUT?

The nature of our Services means that we may obtain and use Personal Data (that is information relating to an individual who can be identified) which we collect about or from our customers, prospective customers or visitors to our Sites or our Kajabi Platform. This can be divided into 3 categories of individuals:

  • Prospective Customers: people who we think might be interested in using our Services. 
  • Customers: people who purchase our online Services via our Sites or our Kajabi Platform. 
  • Visitors to our Sites or our Kajabi Platform: people who visit or browse our Sites or our Kajabi Platform and/or who register interest in our Services from time to time.

In some cases, a User may be required to set up a User Account and to do so will be required to provide us with some information about themselves. This information, along with any data we might collect about how a User interacts with our Services, is what we mean by ‘User Data’. Since we use this data for our own business purposes, we are a Controller in respect of how we use it. This Privacy Notice sets out what User Data we collect and how we use it.



WHAT TYPES OF PERSONAL DATA DO WE COLLECT ABOUT OUR USERS AND WHERE DO WE COLLECT IT FROM?

We may collect or obtain User Data in the following ways:

  • Data which a User uploads on to our Sites or our Kajabi Platform when they set up a User Account to access one or more of our Services. This will include name, contact data and password. If you purchase an online Service this will include your financial details such as your bank account number and credit or debit card information.   
  • Data which a User provides us with if they contact us with a query. This would include details of their communication.
  • Data a User provides us with in respect of their marketing preferences. This is likely to include contact details and marketing preferences.
  • Usage data which is automatically collected by us about how someone interacts with our Site or our Kajabi Platform. This may include IP address, login data, browser type and version, time zone setting and location, browser plugin types and versions, operating system and platform and other technology on the devices used to access our Sites or our Kajabi Platform. This data may be collected through the cookies we use or other technology. If you would like to know more about our cookies policy, please click here.
  • Data which a User provides us with if they communicate with us through third party social media platforms (e.g. Twitter, Facebook, Instagram). We may retain details of your post or comments as well as your social media account profile details.
  • We may also collect, use and share aggregated data such as statistical or demographic data which we collect from interactions with Users of our Services. Aggregated data may be derived from Personal Data but since it cannot be used to identify an individual, it is not Personal Data.


HOW DO WE USE THE PERSONAL DATA WE HOLD AND WHAT IS OUR LAWFUL BASIS FOR DOING SO?

  • We process data about Users for the following purposes:
  • To provide our Users with our Services. This may include storing login details on behalf of a User as well as facilitating payment if you have opted to purchase a Service offered via our Sites or our Kajabi Platform which requires payment (e.g. an online course). Any such use would be to the extent necessary for the performance of our contract with you. We will ensure that when we are collecting financial information such as debit cards and credit cards, this is done securely. We and our partners use TLS (Transport Layer Security) to encrypt data sent between the customer and us or our partners.
  • To manage our relationship with our Users. This may include notifying Users of updates to our services, terms or updates to this privacy notice. This is necessary to protect our legitimate interests of running our business.
  • For administration and dispute resolution purposes. This may include processing Personal Data to meet our internal administration requirements and for matters such as dispute resolution.  This is necessary to protect our legitimate interests of running our business.
  • For marketing purposes. From time to time we might contact our Users by telephone or email about updates to our services, new features or functions or new products we are bringing out. Our marketing may be tailored on the basis of what we think your interests are (from looking at past transactions and interactions). We will always include the right to opt out in any such correspondence. Generally we will rely on the fact that this is necessary to protect our legitimate interests of running our business, however where required by law we will obtain your consent.
  • We may use usage data to monitor account usage and manage disputes. Such use is necessary for us to achieve our legitimate interest of protecting the integrity of our software. If a User does not use our Services in accordance with our terms of use, we may cease allowing them to access our Services and we may pass on the User’s details if such activities are or are likely to be in breach of someone else’s rights of privacy, intellectual property rights or any other lawful rights.


WILL WE DISCLOSE PERSONAL DATA TO ANYONE ELSE?

Data Processors

  • We may disclose any Personal Data that we hold to our employees as well as other third parties who we engage to help us provide our Services (e.g. Mailchimp; our Courses are hosted on an online business platform provided by Kajabi, LLC). Any such parties contracted by us will be acting as our Processors and will be subject to strict contractual requirements only to use Personal Data in accordance with our privacy notice. If you would like more information about third party processors used by us, please contact us at: support@labaroma.com
  • We will not rent or sell your Personal Data to other organisations for use by them in any way, including in their direct marketing activities.

Information published on our Sites or our Kajabi Platform

  • The nature of our Services means that if you accept a request to join a Facebook Group set up for one of our Courses in which you are participating or have participated, all other members of the group will be able to see your user profile and posts. For this reason, you should only upload content which you are happy to share (or have shared) with other people and you should never contribute any content which you want to keep confidential or which includes the Personal Data of any other living person unless you have first obtained their explicit, informed and unambiguous consent to do so.


This Privacy Notice only deals with how we handle Personal Data. Please refer to Facebook’s Privacy Notice to find out how it handles Personal Data. Please note that other Users of our Services are not bound by this Privacy Notice. You should only upload information on social media channels that you are comfortable to share (or have shared) with other people. 


Other Disclosures

We may also disclose Personal Data if:

  • we are under a duty to do so in order to comply with any legal obligation, or in order to enforce or apply our terms of use and other agreements or to protect the operation of our Sites or our Kajabi Platform, or the rights, property, or safety of us, our Users, or others; or
  • to any buyer if we sell, transfer or merge parts of our business or our assets. If a change happens to our business, then the new owners will only be entitled to use Personal Data in accordance with the provisions set out in this privacy notice.



WHAT SECURITY PROCEDURES DO WE HAVE IN PLACE? 

It is our policy to ensure that all Personal Data held by us is handled correctly and appropriately according to the nature of the information, the risk associated with mishandling the data, including the damage that could be caused to an individual as a result of loss, corruption and/or accidental disclosure of any such data, and in accordance with any applicable legal requirements.

There are some steps you can take to help make sure that your data is protected. For example:

(a) make sure that you use devices running supported operating systems that are regularly patched and incorporate some form of malware protection. Only connect your device to networks that you trust;

(b) make sure that you keep any passwords associated with your User Account secure and do not share them with anyone else; and

(c) make sure you understand who can access the data you contribute to a public forum before you add any information which might be shared. For more information on this, please have a look at paragraph 6.2 above.

WHERE DO WE STORE THE PERSONAL DATA WE COLLECT?

The personal information collected from you may be transferred to, and stored at, a destination outside the EEA.  It may also be processed by individuals operating outside the EEA who work for us or who work on our behalf.  This includes staff engaged in, among other things, the processing of your payment details and the provision of support services.

By submitting your personal data, you consent to this transfer, storing and processing at a location outside the EEA.  Where data is transferred outside the EEA, we have gone through a full due diligence process to help ensure the data is afforded the same levels of security. We will only use Processors who ensure that they have adequate safeguards in place to protect Personal Data relating to you. Our software platform provider who hosts our online Courses (Kajabi, LLC) has registered with the Privacy Shield. A copy of its privacy shield notice can be accessed here

Unfortunately, the transmission of information via the internet is never 100% secure and we cannot guarantee the security of your data transmitted to our Sites or our Kajabi Platform.  This means any such transmission is at your own risk.


If you are based outside the EEA and would like further information about where we hold your data, please contact us by email to support@labaroma.com.


FOR HOW LONG DO WE STORE PERSONAL DATA?

We will not retain your Personal Data for any longer than necessary in relation to the purposes for which it was originally collected, or for which it was further processed. 

Our retention policies for Personal Data are as follows:

  • we may store data related to financial transactions for up to 7 years to ensure that we have sufficient records from an accounting and tax perspective;
  • we may archive data relating to negotiations, contracts agreed, payments made, disputes raised for up to 6 years to protect ourselves in the event of a dispute arising between you and us;
  • we may retain data which is held for marketing purposes for up to 5 years from the date you opt in – this is subject to your right to opt out at any time;
  • we may store aggregate data without limitation (on the basis that no individual can be identified from the data); and
  • we may retain usage data for a period of up to 6 years after expiry of the relevant User contract in case of any disputes arising.


WHAT RIGHTS DO YOU HAVE IN RELATION TO THE PERSONAL DATA WE HOLD?

Users have the following rights in respect of any User Data we hold about them:

  • Right to be informed: the right to be informed about what Personal Data we collect and store and how it’s used.
  • Right of access: the right to request a copy of the Personal Data we hold, as well as confirmation of:
  1. the purposes of the processing;
  2. the categories of personal data concerned;
  3. the recipients to whom the personal data has/will be disclosed;
  4. for how long it will be stored; and
  5. if data wasn’t collected directly from you, information about the source.
  • Right of rectification: the right to require us to correct any Personal Data we hold which is inaccurate or incomplete.
  • Right to be forgotten: in certain circumstances, the right to have the Personal Data we hold erased from our records. 
  • Right to restriction of processing: the right to request us to restrict the processing we carry out. You might want to do this, for instance, if you think the data we hold is inaccurate and you would like to restrict processing until the data has been reviewed and updated if necessary.
  • Right of portability: the right to have the Personal Data we hold transferred to another organisation, to the extent it was provided in a structured, commonly used and machine-readable format.
  • Right to object to direct marketing: the right to object where processing is carried out for direct marketing purposes (including profiling in connection with that purpose).
  • Right to object to automated processing: the right not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects (or other similar significant effects) on you.

If you want to avail of any of these rights, you should contact us immediately at support@labaroma.com. 


WHO DO YOU COMPLAIN TO IF YOU’RE NOT HAPPY WITH HOW WE PROCESS PERSONAL DATA ABOUT YOU?

If you have any questions or concerns about how we are using Personal Data about you, please contact our data protection officer immediately at our address (see paragraph 1.1 above) or by email to support@labaroma.com. If we are processing Personal Data about you on behalf of our User, we will need to pass your complaint to our User – we will only do so with your consent.

If you wish to make a complaint about how we have handled Personal Data about you, you may lodge a complaint with the Information Commissioner’s Office by following this link: https://ico.org.uk/concerns/



WHAT DO ALL OF THE DEFINED TERMS IN THIS PRIVACY NOTICE MEAN?

Throughout this notice you’ll see a lot of defined terms (which you can recognise because the first letter is capitalised). Where possible, we’ve tried to define them as we go, but we thought it might be useful to have a glossary as well. Anywhere in this notice you see the following terms, they’ll have the following meanings:

Controller is a legal term set out in the General Data Protection Regulation (GDPR); it means the party responsible for deciding what Personal Data to collect and how to use it;

Data Subject means the individual who can be identified from the Personal Data;

EEA means the European Union, Iceland, Liechtenstein and Norway;

Personal Data means data which can be used to identify a living individual. This could be a name and address or it could be a number of details which when taken together make it possible to work out who the information is about. It also includes any information about the identifiable individual;

Processor is another legal term set out in the GDPR; it means the party who has agreed to process Personal Data on behalf of the Controller and in accordance with their instructions;

User means a user of our Services;

User Account means the account set up by a User so they can use our Services; and

User Data means Personal Data about Users of our Services. Users of some of our paid-for Services are required to set up a User Account and to do so will be required to provide us with some information about themselves. This information, along with any data we might collect about how a User interacts with our Sites or our Kajabi Platform, is what we mean by ‘User Data’.



Last updated: 01/06/2020