1. Collected Customer Data

You may visit our site anonymously. If you choose to register on our website, four categories of data to and on behalf of you will be processed:

1.1. ACCOUNT DATA

When you register for an account on our site, place an order, subscribe to our newsletter or respond to a survey, basic contact details are collected such as the e-mail address and name of your contact person, company name, address, phone number, VAT number, preferred language and currency, any purchase order number, any e-mail address of invoice receivers and masked credit card or bank account details.

1.2. CONFIGURATION DATA

We collect your direct input to our cloud service after login, like the domain name(s) of the website(s) where you implement the Service and configuration of the content, looks and behavior towards website visitors (“End Users”).

1.3. END USER DATA

Data generated by End Users browsing your website(s) using the Service. When an End User submits a consent from your website(s), the following data are automatically logged at HaloFresh:

  • The End User’s IP number in anonymized form (last three digits are set to ‘0’).
  • The date and time of the consent.
  • User agent of the End User’s browser.
  • The URL from which the consent was submitted.
  • An anonymous, random and encrypted key value.
  • The End User’s consent state, serving as proof of consent.

The key and consent state are also saved in the End User’s browser in the first party cookie “CookieConsent” so that the website can automatically read and respect the End User’s consent on all subsequent page requests and future End User sessions for up to 12 months. The key is used for proof of consent and an option to verify that the consent state stored in the End User’s browser is unaltered compared to the original consent submitted to HALO Fresh.

If you activate the Service feature “bulk consent” to enable consent for multiple websites by a single End User submission, the Service will also store a separate random, unique ID with the End User’s consent. If all of the following criteria are met, this key will be stored in an encrypted form in the third party cookie “CookieConsentBulkTicket” on the End User’s browser:

  • You enable the bulk consent feature in the Service configuration.
  • The End User allows third party cookies through browser settings.
  • The End User has disabled “Do Not Track” through browser settings.
  • The End User accepts all or at least “preferences” types of cookies when consenting.
1.4. SYSTEM GENERATED DATA

Data generated by End Users browsing your website(s) using the Service. When an End User submits a consent from your website(s), the following data are automatically logged at HaloFresh:

  • The End User’s IP number in anonymized form (last three digits are set to ‘0’).
  • The date and time of the consent.
  • User agent of the End User’s browser.
  • The URL from which the consent was submitted.
  • An anonymous, random and encrypted key value.
  • The End User’s consent state, serving as proof of consent.

The key and consent state are also saved in the End User’s browser in the first party cookie “CookieConsent” so that the website can automatically read and respect the End User’s consent on all subsequent page requests and future End User sessions for up to 12 months. The key is used for proof of consent and an option to verify that the consent state stored in the End User’s browser is unaltered compared to the original consent submitted to HaloFresh.

If you activate the Service feature “bulk consent” to enable consent for multiple websites by a single End User submission, the Service will also store a separate random, unique ID with the End User’s consent. If all of the following criteria are met, this key will be stored in an encrypted form in the third party cookie “CookieConsentBulkTicket” on the End User’s browser:

  • You enable the bulk consent feature in the Service configuration.
  • The End User allows third party cookies through browser settings.
  • The End User has disabled “Do Not Track” through browser settings.
  • The End User accepts all or at least “preferences” types of cookies when consenting.

2. Customer Data Usage

Any of the information we collect from you may be used for one or more of the following purposes::

2.1. TO PERSONALIZE YOUR EXPERIENCE

The information will help HaloFresh better respond to your individual needs.

2.2. TO ENABLE YOU TO CONTROL

Allow you to control the user experience towards End Users and enable the Service to automatically apply the End User’s consent to other websites of yours.

2.3. TO IMPROVE OUR WEBSITE

HaloFresh continually strives to improve our website offerings based on the information and feedback we receive from our customers.

2.4. TO IDENTIFY YOU

HaloFresh will identify whether you ‘re already registered on our platform.

2.5. TO ENABLE SECURE LOGIN

HaloFresh will use your data for secure login.

2.6. TO ESTABLISH A PRIMARY CHANNEL

Establish a primary channel of communication with you.

2.7. TO ISSUE VALID VAT INVOICES

To issue valid VAT invoices and transactions (your information will not be sold, exchanged, transferred, or given to any other company for any reason whatsoever, without your consent, other than for the express purpose of delivering the service requested).

2.8. TO ENABLE AUTOMATED HANDLING

To handling the subscription automatically.

2.9. TO PROVIDE AGGREGATED INFORMATION

To provide aggregated information on the choices of the End Users regarding accepted cookie types and generate a graphical representation in the Service Manager.

2.10. TO SEND PERIODIC E-MAILS

The e-mail address you provide for order processing, may be used to send you information and updates pertaining to your order, in addition to receiving occasional company news (if accepted), updates, related product or service information, etc.)If at any time you would like to unsubscribe from receiving future e-mails, you can cancel your account after login by clicking on “Delete My Account”.

3. Customer Data Protection

HaloFresh implements the following technical, physical and organizational measures to maintain the safety of your personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized use, unauthorized modification, disclosure or access and against all other unlawful forms of processing.

3.1. AVAILABILITY

The Service utilizes the extensive features of the cloud environment to ensure high availability, like full redundancy, load balancing, automatic capacity scaling, continuous data backup and geo-replication along with a traffic manager for automatic geographical failover on datacenter level disasters. All failover mechanisms are fully automated.

No personal data is stored permanently outside HaloFresh’s cloud platforms. The physical security is thereby maintained by HaloFresh’s platform for physical security and availability.

3.2. INTEGRITY

To ensure integrity, all data transits are encrypted to align with best practices for protecting confidentiality and data integrity. E.g. all supplied credit card information is transmitted via Secure Socket Layer (SSL) technology and then encrypted into our payment gateway provider’s database only to be accessible by those who are authorized to access such systems and who are required to keep the information confidential.

For data in transit, the Service uses industry-standard transport protocols between devices and Microsoft datacenters and within datacenters themselves.

3.3. CONFIDENTIALITY

All personnel are subject to full confidentiality and any subcontractors and subprocessors are required to sign a confidentiality agreement if not full confidentiality is part of the main agreement between the parties.

Whenever personal data is accessed by authorized personnel the access is only possible over an encrypted connection. When accessing the data in a database, the IP number of the person accessing the data must also be pre-authorized to obtain access.

Any device being used to access personal data is login protected by HaloFresh’s platform identity and access management service, and has HaloFresh’s corporate antivirus solution installed. If any personal data are temporarily stored on a device, the storage unit on the device must also be strongly encrypted.

On premise devices storing personal data temporarily is at all times, except when not being actively used or relocated under uninterrupted supervision, locked in a safe. Personal data are never stored on mobile media like USB sticks.

3.4. TRANSPARENCY

HaloFresh will at all times keep you informed about changes to the processes to protect data privacy and security, including practices and policies. You may at any time request information on where and how data is stored, secured and used. HaloFresh will also provide the summaries of any independent audits of the Service.

3.5. ISOLATION

All access to personal data is blocked by default, using a zero privileges policy. Access to personal data is restricted to individually authorized personnel. HaloFresh’s Security and Privacy Officer issues authorizations and maintains a log of granted authorizations. Authorized personnel are granted a minimum access on a need-to-have basis through our AAD.

3.6. THE ABILITY TO INTERVENE

HaloFresh enables your rights of access, rectification, erasure, blocking and objection mainly by providing built-in functions for data handling in the Service Manager, by offering the option to send instructions through HaloFresh’s helpdesk and also by informing about and offering the customer the possibility of objection when LeGlittz is planning to implement changes to relevant practices and policies.

The overall responsibility for data security lies with HaloFresh’s Data Protection Officer who educates and updates all personnel on the data security measures outlined in HaloFresh’s security handbook and this Privacy Policy.

3.7. MONITORING

HaloFresh uses security reports to monitor access patterns and to proactively identify and mitigate potential threats. Administrative operations, including system access, are logged to provide an audit trail if unauthorized or accidental changes are made.

System performance and availability is monitored from both internal and external monitoring services.

3.8. PERSONAL DATA BREACH NOTIFICATION

In the event that your data is compromised, HaloFresh will notify you and competent Supervisory Authority(ies) within 72 hours by e-mail with information about the extent of the breach, affected data, any impact on the Service and HaloFresh’s action plan for measures to secure the data and limit any possible detrimental effect on the data subjects.

4. Third Party Links

Occasionally, at our discretion, we may include or offer third party products or services on our website. These third party sites have separate independent privacy policies. We therefore have no responsibility or liability for the content and activities of these linked websites. Nonetheless, we seek to protect the integrity of our website and welcome any feedback about these websites

5. Stored Information

No stored data will be transferred, backed up and/or recovered by HaloFresh inside/outside Indonesia.

5.1. PERSONAL DATA LOCATION

All data are stored in databases and file repositories hosted in a cloud data center at HaloFresh’s cloud vendor in Indonesia. All data are automatically replicated in real time to secondary hot failover databases and file repositories.

Databases are continuously backed up to enable restore to any point in time within a retention period of 35 days. Backups are stored on file storage at the same geographical location as the database.

A copy of the Account Data is also stored in HaloFresh’s cloud accounting and economic system.

5.2. INSTALLATION ON CUSTOMER’S SYSTEM

No installation of software is required to use the Service. The login-protected Service Manager is accessible through a standard web browser, automatically using an encrypted https-connection for all communications between your browser and HaloFresh’s server to protect any data from being intercepted during network transfers.

6. Data Rectification & Erasure Request

Request for rectification, restriction or erasure of the personal data.

6.1. RECTIFICATION

You may at any time obtain without undue delay rectification of inaccurate personal data concerning you.

6.2. RESTRICTION OF PROCESSING PERSONAL DATA

You may at any time request HaloFresh to restrict the processing of personal data when one of the following applies:

  • if you contest the accuracy of the personal data, for a period enabling HaloFresh to verify the accuracy of the personal data;
  • if the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead; or

if HaloFresh no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims.

6.3. ERASURE

You may without undue delay request the erasure of personal data concerning you, and HaloFresh shall erase the personal data without undue delay when one of the following applies:

  • if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • if you withdraw your consent on which the processing is based, and where there is no other legal ground for the processing;
  • if you object to the processing in case the processing is for direct marketing purposes;
  • if the personal data have been unlawfully processed; or

if the personal data have to be erased for compliance with a legal obligatio or national law.

6.4. DATA RETENTION POLICY

Account Data will due to tax regulations be retained for up to five full fiscal years from your cancellation of your Service account.

Configuration Data and System Generated Data will be erased immediately when you cancel the Service account.

End User Data will be erased on an ongoing basis after 12 months from registration, and immediately when you cancel the Service account.

6.5. DATA RETENTION FOR COMPLIANCE WITH LEGAL REQUIREMENTS

You cannot require HaloFresh to change any of the default retention periods, except for the reasons for erasure pursuant to clause 6.3, but may suggest changes for compliance with specific sector laws and regulations.

6.6. DATA RESTITUTION AND/OR DELETION

No data except Account Data will be retained after the unregistration. You may request a data copy before termination. You must not cancel your account until the data copy has been delivered, as HaloFresh otherwise will not be able to deliver the data copy.

7. Accountability

HaloFresh uses the extensive range of built-in logging features and audits trails provided by built in system on the server.

HaloFresh also logs all system updates, configuration changes and access to provide an audit-trail if unauthorized or accidental changes are made.

You may request a data protection audit performed by an independent third party who is also accepted by HaloFresh.

8. Cooperation

HaloFresh will cooperate with you in order to ensure compliance with applicable data protection provisions, e.g. to enable you to effectively guarantee the exercise of data subjects’ rights (right of access, rectification, erasure, blocking, opposition), to manage incidents including forensic analysis in case of security breach.

9. Term of Service

Please also visit our Terms of Service section establishing the use, disclaimers, and limitations of liability governing the use of our website at TERMS AND CONDITIONS.

10. Complaint

You may at any time lodge a complaint with a supervisory authority regarding HaloFresh’s collection and processing of your personal data.