Privacy statement

Last modified on Sep 25, 2024

Introduction

This Privacy Statement is issued by Company (“we”, “us”, “our”) and applies to information collected and processed about individuals (“you”, “your”) who interact with our services. We are committed to protecting and respecting your privacy in compliance with the (UK) General Data Protection Regulation and other relevant EU privacy laws (hereinafter collectively referred to as “GDPR”).

Our Privacy Statement explains how we collect, use, share, and protect your personal information when you use our services, visit our website, or interact with us. It also describes your rights regarding your personal information and how you can exercise them.

Identity and Contact Details of the Data Controller

In accordance with the GDPR, the Data Controller responsible for the processing of personal data under this Privacy Statement is Charmiqa Limited (“Data Controller”). The Data Controller can be contacted via the following means:

  • Email: [email protected]
  • Physical Address: 13 Southgate, WS11 1PS, Cannock, United Kingdom
  • Phone Number: +44 330 818 3981

Data Subjects, as defined under GDPR, have the right to contact the Data Controller for any inquiries or concerns regarding the processing of their personal data.

Definitions

For the purposes of these Terms & Conditions, the following terms shall have the meanings ascribed to them below:

  • “Agreement” means the contract formed between the Company and the Consumer upon the Consumer’s acceptance of these Terms & Conditions by accessing or using the Platform.
  • “Consumer” means any individual who accesses, uses, or makes a purchase through the Company’s platform.
  • “Company” means https://sugarsupportnow.com, a platform for the sale of dietary supplements and related products.
  • https://sugarsupportnow.com” means Charmiqa Limited, with a registered office at 13 Southgate, WS11 1PS, Cannock, United Kingdom.
  • “Order” means any request by a Consumer to purchase one or more Products through the Platform.
  • “Personal Data” means any information relating to an identified or identifiable natural person as defined under applicable data protection laws.
  • “Platform” means the online environment accessible at https://sugarsupportnow.com where the Company offers and sells Products to Consumers.
  • “Products” means the dietary supplements and related products offered for sale on the Company’s platform.
  • “Services” means all functionalities and features provided by the Company through the Platform, including but not limited to browsing and purchasing Products, accessing product information, and receiving customer support.
  • “Terms & Conditions” means this document, which outlines the agreement between the Company and the Consumer regarding the use of the Company’s platform and the purchase of Products.
  • “User” means any individual who accesses or uses the Platform, including but not limited to Consumers, browsers, vendors, and contributors of content.

Purposes of Processing

The Data Controller processes personal data of the Data Subject for the following purposes:

  1. To fulfil contractual obligations between the Data Controller and the Data Subject, including but not limited to the provision of products or services requested by the Data Subject.
  2. To comply with legal requirements applicable to the Data Controller under the laws of England and Wales, including but not limited to tax and reporting obligations.
  3. To communicate with the Data Subject regarding transactions, security, privacy, and administrative issues related to their use of the Data Controller’s services.
  4. To improve and personalize the experience of the Data Subject on the Data Controller’s platforms, including the use of data analytics to better understand the preferences and behavior of the Data Subject.
  5. To protect the rights, property, or safety of the Data Controller, the Data Subject, or others, including the prevention and investigation of fraud and other illegal activities.
  6. To market and advertise the Data Controller’s products or services to the Data Subject, subject to obtaining explicit consent from the Data Subject where required by applicable law.

This processing is carried out on the legal bases of contract performance, legal obligation, legitimate interests pursued by the Data Controller, and consent of the Data Subject, as applicable and in accordance with the GDPR.

Legal Basis for Processing

The Data Controller processes the personal data of the Data Subject based on the following legal bases, in accordance with the GDPR:

  1. Consent: The Data Subject has given clear consent for the Data Controller to process their personal data for a specific purpose.
  2. Contract: The processing is necessary for the performance of a contract to which the Data Subject is a party, or to take steps at the request of the Data Subject prior to entering into a contract.
  3. Legal Obligation: The processing is necessary for compliance with a legal obligation to which the Data Controller is subject.
  4. Vital Interests: The processing is necessary to protect the vital interests of the Data Subject or of another natural person.
  5. Public Task: The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller.
  6. Legitimate Interests: The processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of personal data, particularly where the Data Subject is a child.

Categories of Personal Data

The Data Controller may collect and process the following categories of personal data about the Data Subject:

  • Identification data, such as names, addresses, and date of birth;
  • Contact information, including email addresses and telephone numbers;
  • Financial information, like bank account numbers and transaction history;
  • Technical data, which may include IP addresses, browser types, and log information;
  • Usage data, detailing how the Data Subject interacts with services provided by the Data Controller;
  • Medical history, weight, and height, if relevant and with explicit consent from the Data Subject;
  • Any other personal data that the Data Subject chooses to share with the Data Controller.

This personal data is collected for the purposes outlined in the Privacy Statement and is processed in accordance with applicable laws and regulations of England and Wales.

Recipients of Personal Data

In accordance with this Privacy Statement, the Data Controller may share the Data Subject’s personal data with the following categories of recipients:

  1. Service providers and subcontractors who perform services on behalf of the Data Controller, including but not limited to payment processing, data analysis, email delivery, hosting services, customer service, and marketing assistance.
  2. Partners and affiliates of the Data Controller for the purposes of providing products, services, or offers that may be of interest to the Data Subject, subject to the Data Subject’s consent where required by applicable law.
  3. Regulatory authorities, law enforcement agencies, and other governmental bodies when required by law or in response to a valid request related to a criminal investigation or alleged illegal activity.
  4. Third parties in connection with a merger, sale of company assets, financing, or acquisition of all or a portion of the Data Controller’s business by another company, where the Data Subject’s personal data may be among the assets transferred.

The Data Controller ensures that all recipients of personal data are bound by confidentiality obligations and applicable data protection laws to protect the Data Subject’s personal data.

Transfer of Data Outside the European Union

In compliance with the GDPR, the Data Controller may transfer personal data collected from the Data Subject to countries outside the European Union (EU) or the European Economic Area (EEA) only if adequate protection measures are in place. These measures include, but are not limited to:

  • the use of standard contractual clauses approved by the European Commission,
  • adherence to an approved code of conduct or certification mechanism, or
  • ensuring the recipient is under an adequacy decision by the European Commission.

Before any transfer takes place, the Data Controller will assess the level of protection provided by the receiving country, territory, or specified sector, including the security measures applied by the data recipient. The Data Controller will provide the Data Subject with information regarding the transfer, including the legal basis for the transfer and the protective measures in place, upon request.

The Data Subject has the right to obtain a copy of the documents evidencing the protection measures by contacting the Data Controller directly. The Data Controller will take all necessary steps to ensure that the personal data of the Data Subject is treated securely and in accordance with this Privacy Statement and the GDPR, irrespective of the geographical location of the data processing.

Data Retention Period

In compliance with the GDPR, the Data Controller will retain the personal data of the Data Subject only for as long as necessary to fulfil the purposes for which it was collected or as required by applicable law. The retention period may vary depending on the nature of the data and the purposes for which it is processed. Specific retention periods are determined based on the following criteria:

  1. The necessity to retain the personal data for the fulfilment of the contractual and pre-contractual obligations between the Data Controller and the Data Subject.
  2. The need to comply with legal obligations and regulatory requirements, including but not limited to tax and commercial laws.
  3. The importance of retaining the data for the establishment, exercise, or defence of legal claims.
  4. Any consent provided by the Data Subject for a longer retention period.

Upon the expiration of the retention period, the personal data will be securely deleted or anonymized, so it can no longer be associated with the Data Subject. The Data Controller will also take appropriate measures to ensure that any third parties acting on its behalf adhere to similar data retention practices.

 

Here’s the formatted content for the Data Subject’s Rights section:

Data Subject’s Rights

In compliance with the GDPR, the Data Subject is granted the following rights concerning their personal data processed by the Data Controller:

Right to Access

The Data Subject has the right to obtain confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, access to the personal data and the following information:

  • The purposes of the processing;
  • The categories of personal data concerned;
  • The recipients or categories of recipients to whom the personal data have been or will be disclosed, particularly recipients in third countries or international organizations;
  • Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period.

Right to Rectification

The Data Subject has the right to obtain the rectification of inaccurate personal data concerning them. Taking into account the purposes of the processing, the Data Subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to Erasure (‘Right to be Forgotten’)

The Data Subject has the right to obtain the erasure of personal data concerning them without undue delay under certain conditions, such as:

  • When the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • If the Data Subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2) GDPR, and where there is no other legal ground for the processing;
  • If the Data Subject objects to the processing pursuant to Article 21(1) GDPR, and there are no overriding legitimate grounds for the processing, or the Data Subject objects to the processing pursuant to Article 21(2) GDPR.

Right to Restriction of Processing

The Data Subject has the right to obtain restriction of processing under certain conditions, such as:

  • When the accuracy of the personal data is contested by the Data Subject, for a period enabling the Data Controller to verify the accuracy of the personal data;
  • If the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • If the Data Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise, or defense of legal claims;
  • If the Data Subject has objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the Data Controller override those of the Data Subject.

Right to Data Portability

The Data Subject has the right to receive the personal data concerning them, which they have provided to the Data Controller, in a structured, commonly used, and machine-readable format. They have the right to transmit those data to another controller without hindrance from the Data Controller to which the personal data have been provided, as long as the processing is based on consent pursuant to point (a) or point (b) of Article 6(1) or point (a) of Article 9(2) GDPR, or on a contract pursuant to point (b) of Article 6(1), and the processing is carried out by automated means.

Right to Object

The Data Subject has the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions. The Data Controller shall no longer process the personal data unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the Data Subject or for the establishment, exercise, or defense of legal claims.

Right to Not be Subject to a Decision Based Solely on Automated Processing, Including Profiling

The Data Subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, unless:

  • Such decision is necessary for entering into, or performance of, a contract between the Data Subject and a data controller;
  • Is authorized by Union or Member State law to which the data controller is subject and which also lays down suitable measures to safeguard the Data Subject’s rights and freedoms and legitimate interests;
  • Or is based on the Data Subject’s explicit consent.

Right to Withdraw Consent

Where the processing of personal data is based on consent, the Data Subject has the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

Right to Lodge a Complaint with a Supervisory Authority

The Data Subject has the right to lodge a complaint with a supervisory authority, particularly in the country of their habitual residence, place of work, or place of the alleged infringement if the Data Subject considers that the processing of personal data relating to them infringes the GDPR.

Right to Withdraw Consent

In accordance with the GDPR, the Data Subject has the right to withdraw their consent at any time where the Data Controller relies on their consent to process personal data. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

To withdraw consent, the Data Subject may contact the Data Controller using the contact information provided in this Privacy Statement. Upon receipt of a withdrawal request, the Data Controller will cease processing the personal data for the purposes for which consent was given, unless another legal basis for processing exists.

The Data Subject is informed that the withdrawal of consent may affect the ability of the Data Controller to provide certain services for which the processing of personal data is necessary.

Automated Decision Making and Profiling

In accordance with the GDPR, the Data Controller informs the Data Subject that it does not engage in automated decision-making processes, including profiling, that would have a legal or similarly significant effect on the Data Subject. The Data Controller is committed to ensuring transparency and fairness in all its data processing activities.

Should the Data Controller decide to introduce such automated decision-making processes in the future, it will provide the Data Subject with information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject. Prior to implementing such processes, the Data Controller will also seek explicit consent from the Data Subject, in compliance with the GDPR requirements.

Data Security Measures

In compliance with the GDPR, the Data Controller commits to implementing and maintaining comprehensive data security measures to protect the personal data of the Data Subject against unauthorized or unlawful processing and against accidental loss, destruction, or damage. Such measures include, but are not limited to:

  • Ensuring that personal data is encrypted during transmission and storage.
  • Implementing access control measures to ensure that only authorized personnel have access to personal data.
  • Maintaining up-to-date cybersecurity protocols to protect against hacking, viruses, and other malicious software attacks.
  • Conducting regular security assessments and audits to ensure the effectiveness of the data security measures.
  • Providing training to employees and contractors on data protection and privacy to ensure compliance with GDPR.

The Data Controller shall promptly notify the Data Subject in the event of a data breach that is likely to result in a risk to the rights and freedoms of the Data Subject. Such notification will be made in accordance with GDPR requirements.

Data Subject’s Rights

Under the GDPR, Data Subjects have the following rights regarding their personal data:

  1. Right to Access: Obtain confirmation of processing and access to personal data.
  2. Right to Rectification: Correct inaccurate or incomplete personal data.
  3. Right to Erasure: Request deletion of personal data under specific conditions.
  4. Right to Restriction of Processing: Limit processing under certain circumstances.
  5. Right to Data Portability: Receive personal data in a machine-readable format.
  6. Right to Object: Object to processing based on specific grounds.
  7. Right to Not be Subject to Automated Decisions: Protection against automated decision-making without consent.
  8. Right to Withdraw Consent: Withdraw consent at any time without affecting prior processing.
  9. Right to Lodge a Complaint: File complaints with a supervisory authority regarding GDPR violations.

Changes to the Privacy Statement

The Data Controller will notify Data Subjects of any amendments to the Privacy Statement, which will be available on the website and communicated directly. Regular review of the statement is advised, and continued use of services signifies acceptance of changes.

Complaints Procedure

Data Subjects are encouraged to contact the Data Controller for any complaints regarding personal data processing. If unresolved, they may lodge a complaint with the Data Protection Authority in their home country.

Contacts

For questions regarding the Privacy Policy, contact:

  • Email: [email protected]
  • Company Name: Charmiqa Limited
  • Company Registration Number: 15643440
  • Legal Address: 13 Southgate, WS11 1PS, Cannock, United Kingdom
  • Phone Number: +44 330 818 3981
  • Website: https://sugarsupportnow.com
  • Date of Policy: 2024-06-04