Privacy Notice – Bluewater Sweden AB

Controller

Bluewater Sweden AB, company No. 556901-2866, is the controller under the EU Data Protection Regulation (“GDPR”) for the personal data processing for which we determine the purposes and means. In accordance with the GDPR, we must provide information on how we as controller process personal data in our business.

If you have any questions concerning our processing of your personal data, you can contact us at:

hello@bluewatergroup.com or by calling us on +46 856 473 800, or

Danderydsgatan 11

114 26 Stockholm

Sweden

Personal data and personal data processing

Personal data is any kind of information that can directly (for example name or social security number) or indirectly identify or be linked to a living person. Examples of information that can be indirectly attributed to a living person are images and audio recordings that are processed in a computer without any names being mentioned.

All types of actions taken with personal data constitute personal data processing. Examples of usual processing are collection, registration, organisation, structuring, storage, processing, transmission, and deletion.

Joint controllership

When we collect and process personal data together with TAPP Water SL ©, C/Muntaner, 340, 1-1, 08021 Barcelona, Spain, and Flowater, Inc., 4045 Pecos St, Denver, CO 80211, United States of America, then Bluewater Sweden AB, TAPP Water SL ©, and Flowater, Inc. are joint controllers for the personal data processing.

The joint processing is relevant when we process personal data for the purpose of sending out newsletters.

The joint controllership means for example that you can contact any of Bluewater Sweden AB, TAPP Water SL ©, and Flowater, Inc. to exercise your rights under the GDPR in relation to the personal data that we process jointly.

This is how we process your personal data

Personal data processed when you make a purchase in our webshop

Categories of personal data:

Name

Contact details (postal address, email address, phone number)

Nature of the purchase

Purpose:

The personal data is processed for the purposes of:

confirming your identity as well as your contact details;

sending order and delivery confirmations;

processing your orders and any returns;

handling your purchase and delivering the products you bought via our webshop.

Legal basis:

Contract

The personal data is collected from:

The data subject

Retention period:

The personal data will be deleted or anonymised 3 years after the date of the last purchase, unless we are obliged by law to retain the data longer.

Recipients or categories of recipients of the personal data:

Your personal data will be shared with our employees who need access to it in order to perform their duties.

We share your personal data with the following processors:

Shopify Payments (USA) Inc.

The processors who are engaged may only process personal data in accordance with the purposes and instructions on processing and security that we have provided for the processing in a data processing agreement.

Is there any automated decision-making, including profiling?

No

Is personal data transferred to a third country?

Yes

Is there a legal obligation to provide personal data to us?

No

Is it necessary to provide personal data to enter into or to fulfill an agreement?

Yes

Personal data processed for website analytics purposes

Categories of personal data:

Web traffic

User behaviour

Purpose:

The personal data is collected for analytics purposes via cookies, to track and examine the use of the website by the user, and to prepare reports on its activities. The purpose is to improve the customer experience by developing the web shop and its functions.

Legal basis:

Consent

The personal data is collected from:

The data subject

Retention period:

The personal data will be deleted or anonymised after 2 years.

Recipients or categories of recipients of the personal data:

Your personal data will be shared with our employees who need access to it in order to perform their duties.

We share your personal data with the following processors:

Google Ireland Ltd

Microsoft Corp.

The processors who are engaged may only process personal data in accordance with the purposes and instructions on processing and security that we have provided for the processing in a data processing agreement.

Is there any automated decision-making, including profiling?

No

Is personal data transferred to a third country?

Yes

Is there a legal obligation to provide personal data to us?

No

Is it necessary to provide personal data to enter into or to fulfill an agreement?

No

Personal data processed for communication purposes

Categories of personal data:

Name

Contact details (shipping address, email address, phone number)

Content of the message

Nature of the purchase

Purpose:

The personal data is processed for the purposes of:

providing support in connection with your purchase via our web shop;

providing you with relevant information;

sending you marketing communications.

Legal basis:

Legitimate interest, when we contact you in connection with your purchase and when we send you marketing communications related to your purchase

Consent, when you contact us through our web form or through our chatbot and when you sign up for the newsletter

The personal data is collected from:

The data subject

Retention period:

Personal data collected for the purpose of replying to a message sent by the data subject will be deleted after 1 year.

Personal data collected for the purpose of sending marketing communications will be kept as long as the data subject has not unsubscribed from marketing communications.

Recipients or categories of recipients of the personal data:

Your personal data will be shared with our employees who need access to it in order to perform their duties.

We share your personal data with the following processors:

HubSpot, Inc.

Shopify Payments (USA) Inc.

The processors who are engaged may only process personal data in accordance with the purposes and instructions on processing and security that we have provided for the processing in a data processing agreement.

Is there any automated decision-making, including profiling?

No

Is personal data transferred to a third country?

Yes

Is there a legal obligation to provide personal data to us?

No

Is it necessary to provide personal data to enter into or to fulfill an agreement?

No

Personal data processed to conduct customer and market analyses

Categories of personal data:

Name

Contact details (postal address, email address, phone number)

Content of the message

Nature of the purchase

Purpose:

The personal data is processed for the purpose of conducting customer and market analyses, including profiling

Legal basis:

Legitimate interest

The personal data is collected from:

The data subject

Retention period:

The personal data will be deleted or anonymised after 1 year.

Recipients or categories of recipients of the personal data:

Your personal data will be shared with our employees who need access to it in order to perform their duties.

We share your personal data with the following processors:

HubSpot, Inc.

Shopify Payments (USA) Inc.

Google Ireland Ltd

The processors who are engaged may only process personal data in accordance with the purposes and instructions on processing and security that we have provided for the processing in a data processing agreement.

Is there any automated decision-making, including profiling?

Yes, profiling

Is personal data transferred to a third country?

Yes

Is there a legal obligation to provide personal data to us?

No

Is it necessary to provide personal data to enter into or to fulfill an agreement?

No


Personal data processed so that you can take part in our competitions on social media and events

Categories of personal data:

Name

Contact details (postal address, email address, phone number)

Purpose:

The personal data is processed for the purpose of allowing you to participate in our competitions

Legal basis:

Consent

The personal data is collected from:

The data subject

Retention period:

The personal data will be deleted or anonymised after 1 year

Recipients or categories of recipients of the personal data:

Your personal data will be shared with our employees who need access to it in order to perform their duties.

We share your personal data with the following processors:

HubSpot, Inc.

Google Ireland Ltd

The processors who are engaged may only process personal data in accordance with the purposes and instructions on processing and security that we have provided for the processing in a data processing agreement.

We share your personal data with the following independent data controllers:

Meta Platforms Technologies Ireland Ltd

TikTok, Inc.

LinkedIn Corp.

Is there any automated decision-making, including profiling?

No

Is personal data transferred to a third country?

Yes

Is there a legal obligation to provide personal data to us?

No

Is it necessary to provide personal data to enter into or to fulfill an agreement?

No

Recipients of the personal data

Employees at Bluewater Sweden AB

Your personal data will be shared with our employees who need access to it to perform their work duties.

Processors

We use suppliers to provide the following services:

Shopify Payments (USA) Inc.: management of our web shop and email communications

Microsoft Corp.: provision of analytics services (Microsoft Clarity)

Google Ireland Ltd: provision of analytics services, customer and market analyses (Google Analytics 4)

HubSpot, Inc.: management of email newsletters and other communications

Processors who are engaged may only process personal data in accordance with the purposes of the processing defined in a data processing agreement and the instructions that we have issued concerning the processing.

Independent controllers

We also share your personal data with certain companies that are independent controllers. The fact that the company is an independent controller means that we are not the ones who determine how the personal data disclosed to the company will be processed. Independent controllers with whom we share your personal data are:

Shopify Payments (USA) Inc.

Meta Platforms Technologies Ireland Ltd: handling competitions on social media and events

TikTok, Inc.: handling competitions on social media and events

LinkedIn Corp.: handling competitions on social media and events

When your personal data is shared with a company who is an independent controller, it is that company's privacy policy and personal data management that apply to the processing of your personal data by that company.

Transfer of personal data to a third country

In connection with our processing of your personal data, there will be a transfer to a third country.

Transfer will take place to the following countries for which there is an adequacy decision from the European Commission:

UNITED STATES OF AMERICA

The following processors/independent controllers are certified under the EU-U.S. DPF:

  • Microsoft Corp.

  • LinkedIn Corp.

  • Google Ireland Ltd

  • HubSpot, Inc.

  • Meta Platforms Technologies Ireland Ltd

Transfer will take place to the following countries for which there is no adequacy decision from the European Commission:

UNITED STATES OF AMERICA, CHINA

Transfers to the following processors rely on standard contractual clauses:

Shopify Payments (USA) Inc.

TikTok, Inc.

Risks and security measures

Bluewater Sweden AB takes technical and organisational security measures to protect your personal data against loss and unauthorised access. This includes, for example, secure and private connections (such as VPN), encryption, and that access to your personal data is always limited to those employees who must have access to your personal data to perform their work duties. We continuously evaluate our systems and routines as well as our policies to ensure that they are safe and protected.

For more information, please contact us. Use the contact details at the top of this privacy notice.

Which rights do you have in relation to our processing of your personal data?

You have several rights under the GDPR. If you wish to exercise any of your rights or have any questions, you can contact us. Contact details can be found at the top of this privacy notice.

Right to be informed

You have the right to receive information about how we process your personal data, which we provide you through this privacy notice.

More information about this right can be found on the website of the Swedish Authority for Privacy Protection at The data subject’s rights (https://www.imy.se/en/organisations/data-protection/this-applies-accordning-to-gdpr/the-data-subjects-rights/).

Right of access

You can request information as to whether we process personal data relating to you and, if so, receive a copy of the personal data processed (a so-called register extract) together with certain more detailed information.

More information about this right can be found on the website of the Swedish Authority for Privacy Protection at The data subject’s rights (https://www.imy.se/en/organisations/data-protection/this-applies-accordning-to-gdpr/the-data-subjects-rights/).

Right of rectification

We have a responsibility to ensure that the personal data we process is correct, but if you consider that personal data relating to you is incorrect or incomplete, you have the right to request that the information be corrected.

More information about this right can be found on the website of the Swedish Authority for Privacy Protection at The data subject’s rights (https://www.imy.se/en/organisations/data-protection/this-applies-accordning-to-gdpr/the-data-subjects-rights/).

Right to object

When we process your personal data within the framework of our legitimate interest, you have the right to object to the processing at any time. If we cannot show that there are legitimate grounds for continuing to process the personal data, we must cease the processing. You always have the right to object to your personal data being processed for direct marketing purposes. If an objection to direct marketing is made, your personal data may no longer be processed for such purposes. You can unsubscribe from direct marketing communications at any time by contacting us. Contact details can be found at the top of this privacy notice.

More information about this right can be found on the website of the Swedish Authority for Privacy Protection at The data subject’s rights (https://www.imy.se/en/organisations/data-protection/this-applies-accordning-to-gdpr/the-data-subjects-rights/).

Right to withdraw consent

If our processing of your personal data is based on your consent, you can withdraw consent at any time by contacting us. Contact details can be found at the top of this privacy notice. Withdrawal of consent does not affect the legality of the processing of your personal data that took place before the withdrawal.

More information about consent as legal basis for processing personal data can be found on the website of the Swedish Authority for Privacy Protection at Lawful grounds for personal data processing (https://www.imy.se/en/organisations/data-protection/this-applies-accordning-to-gdpr/lawful-grounds-for-personal-data-processing/).

Right to limitation of processing

In certain cases, for example if you have objected to the processing, you have the possibility to request a limitation of the processing of your personal data. By requesting a limitation, you have, at least for a certain period of time, the possibility to stop us from using the data other than to, for example, defend legal claims. You can also prevent us from erasing the data, for example if you need the data to claim damages.

More information about this right can be found on the website of the Swedish Authority for Privacy Protection at The data subject’s rights (https://www.imy.se/en/organisations/data-protection/this-applies-accordning-to-gdpr/the-data-subjects-rights/).

Right to erasure

In certain cases, you can obtain the erasure of your personal data. When your personal data is necessary for the purposes for which it was collected, is needed to fulfill a legal obligation, or when we need to establish, assert or defend legal claims, we cannot erase the data.

More information about this right can be found on the website of the Swedish Authority for Privacy Protection at The data subject’s rights (https://www.imy.se/en/organisations/data-protection/this-applies-accordning-to-gdpr/the-data-subjects-rights/).

Right to data portability

If we process personal data relating to you to fulfill an agreement, you have the possibility in certain cases to obtain your personal data to use it somewhere else, for example transferring the data to another personal data controller.

More information about this right can be found on the website of the Swedish Authority for Privacy Protection at The data subject’s rights (https://www.imy.se/en/organisations/data-protection/this-applies-accordning-to-gdpr/the-data-subjects-rights/).

Comments about our processing?

If you have any comments about our processing of your personal data, please contact us. You can find our contact details at the top of this Privacy Notice.

You can also file a complaint at the Swedish Authority for Privacy Protection. Information about filing complaints is found on their website at Complain about incorrect processing of your personal data (https://www.imy.se/en/individuals/forms-and-e-services/file-a-gdpr-complaint/).

If you have suffered damages because your personal data has been processed in violation of applicable law, you may be entitled to compensation. You can then request damages from us or file a claim for damages in a general court. You can find our contact details at the top of this Privacy Notice.