Last updated 2 June 2023
Cutrin Oy
Business ID 2443709-8
Lasikuja 2
FI-02780 Espoo, Finland
(“Cutrin”, “we”, “us” or “our”)
This Privacy Notice describes the processing of personal data of different data subject groups by Cutrin. If you are our customer visiting our website, receiving our newsletter, placing orders in our online shop for hair professionals, interacting with our customer service or with us through other means, such as social media, or if you are a representative of our supplier or other business partner, or a person giving feedback such as making a complaint or claiming skin irritation or other undesirable effects caused by our products and wish to understand how Cutrin processes your personal data, you are in the right place.
If you wish to pursue a career at Cutrin and wish to submit an application, kindly take a look at our Privacy Notice for Recruitment.
Cutrin acts as a controller for the personal data that our customers or their representatives, website visitors, newsletter receivers, representatives of our suppliers or other business partners or persons making a complaint or giving other feedback, share with us or which we collect automatically on our website or online shop.
As a controller, we carry the ultimate responsibility for the processing of personal data we hold of you. Privacy is about trust and protecting your privacy and your personal data is of utmost importance to us. Therefore, we collect your personal data only to the extent we need them to be able to carry out our business as further described in this Privacy Notice.
Please note that our website may include links to contents of third-party service providers, and some of the media through which you can interact with us, such as social media channels, are in fact services provided by third parties, not by us. Any such links to contents of third parties as well as our presence in services of third-party service providers do not constitute our affiliation with or control over such third parties and thus, to the extent permitted by applicable legislation, we are not responsible for such contents or services, their level of data protection nor the actions of such third parties.
We process your personal data only for the purposes described in this Privacy Notice or as otherwise communicated to you when collecting your personal data, and only to the extent it is necessary for each purpose of processing further described herein.
Depending on the context in which you interact with us, we also process your personal data for multiple different purposes, as further described below.
The provision of your personal data as described in this Privacy Notice is partially a contractual requirement based on the contract between us and the organization you represent or between us and you directly. For example, when you place an order in our online shop, you are required to provide us with certain personal data for purposes of processing and delivering your order, as specified below in this Privacy Notice. Similarly, the creation of a user account to our online shop, for example, is not possible without certain personal data we request from you in the context of user account creation. Failure to provide us personal data requested in the context of these activities may prevent us from performing our contractual obligations, which may lead to you being unable to place an order through or to create a user account to our online shop.
WEBSITE VISITORS
When you visit our website, we process your personal data to offer you the opportunity to use our website and its functionalities. We may also personalise the content of our website and process your personal data for showing you such content on our sites that is most relevant to you, in addition to which we process the personal data for developing our services and products offering, as well as for ensuring the overall security, functionality and stability of the website, including preventing and detecting possible misconduct and attacks towards the security of the website.
The legal basis for the processing described above is Article 6(1)(f) of the GDPR, i.e., our legitimate interest, in which case our legitimate interests are the purposes mentioned above.
The collecting and further processing of your personal data on our website is mostly done by using automated technical means, such as cookies and other similar technologies. For more information on the use of cookies on our website, please take a look at our Cookie Settings and Cookie Declaration.
REGISTERING TO AND PLACING ORDERS IN OUR ONLINE SHOP
Please note that our online shop is on our website and therefore, what is stated above on the processing of personal data of our website visitors applies to you too. When you decide to register as our online shop customer or place an order with us through our online shop, we process your personal data primarily to enable your user account registration or to process and deliver the order you have placed with us, including the processing of your payments, any returns or complaints, and to fulfil any possible subsequent warranty measures. We also process your personal data to send you updates about your order and its delivery.
In addition to the foregoing, we process your personal data for the purposes of management, analysis and development of the customer relationship between you or the organisation you represent and us, for example, to provide customer service, to carry out customer communications and to send questionnaires to measure your satisfaction for example with our website and online shop, products and delivery process. We may also process your personal data to alert you on new and interesting products, special offers, and updates on our website or online shop within the limits of applicable legislation and to the extent you have not opted-out from receiving such communications.
In this context, the legal basis for processing your personal data is either our legitimate interest, compliance with the agreement entered into between you and us, or compliance with legal obligations to which we are subject.
Contractual and statutory obligations: Processing of your personal data is to certain extent necessary to enable us to fulfil the agreement we have concluded with you, and so the legal basis of processing is Article 6(1)(b) of the GDPR. For example, when you register as a user to our online shop, it is necessary for us to process your personal data so that we can carry out our contractual obligations and register your user account. Your placing of order also creates certain contractual, but also statutory obligations to us related to for example product safety, quality of our products and product returns, in which case the legal basis of processing is Article 6(1)(c) of the GDPR.
Our legitimate interest: We process your personal data based on our legitimate interest (Article 6(1)(f) of the GDPR), in particular to offer you first-class customer experience in our online shop and to provide you the most relevant online and newsletters content as well as for administrative purposes including the management, analysis and development of the customer relationship between us and the organisation you represent.
ONLINE PRODUCT REVIEWS
Everyone can publish reviews on our products on our website. In the context of publishing product reviews, you are requested to provide certain data which may, either alone or in combination with other data, be personal data.
The legal basis for this processing is our legitimate interest (Article 6(1)(f) of the GDPR), and the legitimate interests include in particular the promotion of our products through reviews, and the improvement and further development of our products through the feedback received. The legal basis for processing of sensitive data you may provide to us in this context (e.g., information on your skin concern or reactions caused by the products) is either your explicit consent (Article 9(2)(a) of the GDPR) or Article 9(2)(e) of the GDPR (processing relates to personal data which you have made public).
CUSTOMER RELATIONSHIP MANAGEMENT
If you are a representative of our current or potential customer, we process your personal data for purposes of business relationship management, such as performing due diligence and any other form of background checks as permitted by applicable law, entering into and performing an agreement between us and you or the organisation you represent, managing and developing the customer relationship, customer communications, and invoice and payment administration and provision.
The legal basis for this processing is our legitimate interest (Article 6(1)(f) of the GDPR) to conduct our business and your relation to the organization with whom we conduct our business.
SUPPLIER AND OTHER BUSINESS PARTNER MANAGEMENT
If you are a representative of our current or potential supplier or other business partner, we process your personal data for purposes of business relationship management, such as performing due diligence and any other form of background checks as permitted by applicable law, entering into and performing an agreement between us and you or the organisation you represent, managing and developing the customer relationship, communications, and invoice and payment administration and provision.
The legal basis for this processing is our legitimate interest (Article 6(1)(f) of the GDPR) to conduct our business and your relation to the organization with whom we conduct our business.
COMPLAINTS AND OTHER FEEDBACK ON OUR PRODUCTS
When you make a complaint or provide to us other feedback on our products, we will generally receive also personal data regarding you. As a manufacturer of cosmetic products, we are obliged to collect data on undesirable effects, such as skin irritation, caused by our products, and in case the undesirable effect caused by the product is serious, to report the effect to the competent authorities. After we have responded to the data subject and otherwise handled the matter so that we have been able to make sure that the data subject is satisfied with the result, we will close the case and anonymise the data. Any reporting of serious undesirable effects to the competent authorities will not identify the data subject. In addition to addressing the data subject’s claim and to reporting the serious undesirable effect to the competent authorities, we may further process the data reported by the data subject for R&D purposes, but only in non-identified form.
To the extent you provide us sensitive data, such as information on allergic reactions you have suffered, or other health-related data, the legal basis of processing is your explicit consent (Article 9(2)(a) of the GDPR). Otherwise, the legal basis for this processing is either a legal obligation to which we are subject (Article 6(1)(c) of the GDPR), or our legitimate interest (Article 6(1)(f) of the GDPR), namely the improvement and development of our products.
OTHER PROCESSING CONTEXTS: MEDIA BANK USER REGISTRATION AND SOCIAL MEDIA CHANNELS
Processing context or purpose | Description | Legal basis |
Media Bank user registration | When you wish to use our material bank at https://cutrin.emmi.fi/, you are requested to create a user account to the Media Bank. The use of our Media Bank is not possible without registration as a user and creation of a user account. | Our legitimate interest (Article 6(1)(f) of the GDPR) to conduct our business and your relation to the organization with whom we conduct our business. |
Social media channels | We are present in social media platforms such as Meta, TikTok and YouTube, through which you can interact with us. We consider these platforms as extended customer service. Please note that also the relevant social media platform provider processes your personal data when you use those platforms, and Cutrin cannot control the way these service providers process your personal data. You should therefore familiarise yourself with the privacy and data protection related notices of these parties. | Our legitimate interest (Article 6(1)(f) of the GDPR), namely carrying out activities in the ordinary course of our business to respond to requests or enquiries from e.g., potential or existing customers and to further address the issue internally. The legal basis for processing of sensitive data you may provide to us in this context is your explicit consent (Article 9(2)(a) of the GDPR). |
ALL PROCESSING CONTEXTS: LIMITED PROCESSING FOR OTHER LEGITIMATE INTERESTS
In addition to the primary purposes of processing elaborated above, we may process the personal data collected in each identified processing context for a limited number of other legitimate interests, such as protecting our property; preventing and investigating suspected malpractices; defending against or prosecuting a legal claim; analysing and compiling statistics for business purposes, developing our products and business, reorganisation of our business and for scientific research purposes, but only to the extent the processing is proportionate to the interests of the data subjects and the processing can be considered to be in line with the reasonable expectations of them. To the extent identification of a data subject for these processing purposes is not necessary, we will use the data for these purposes in non-identified form.
When you provide us with product feedback, you may voluntarily share with us sensitive personal data, such as information on allergic reactions you have suffered after using our products, or other health-related data.
You may also provide your personal data to us in other contexts, such as, when you communicate with us through our customer service channels or through social media, which leads us to processing the contents of the communications between you and us, as well as other personal data you provide to us in these contexts.
WEBSITE VISITORS
When you visit our website, we automatically collect certain data on your terminal device as well as details on your visit, such as your IP address, information on your operating system and interface, your web browser type, version and language, the time of your visit, referral page and the amount of data transferred. The collecting and further processing of your personal data on our website is mostly done by using automated technical means, such as cookies and other similar technologies. For more information on the use of cookies on our website, please take a look at our Cookie Settings and Cookie Declaration.
REGISTERING TO AND PLACING ORDERS IN OUR ONLINE SHOP
When you create a user account to our online shop, you will be asked to provide certain personal data, including the following: your name, email address, phone number, log-in credentials, name and business ID of the salon you represent as well as billing and delivery details, such as billing and delivery address. Your user account information is constantly updated (for example by your purchase history).
When you place orders in our online shop, we process certain personal data and information relating to you and the order you have placed, such as: user account details (or your name, delivery and billing address(es) and phone number), type and amount of products you ordered, purchase price, date of placing the order, status of your order, method of payment and specifics related to your payment, product returns and related customer service requests.
ONLINE PRODUCT REVIEWS
In the context of product reviews you may publish on our online shop, you are requested to provide certain data, including your name or a pseudonym and email address which may, either alone or in combination with other data, be personal data. In addition, your review itself may be or contain personal data, also sensitive data, such as information on an allergic reaction you decide to share in your review or question.
CUSTOMER RELATIONSHIP MANAGEMENT
In connection with your business relationship with us, we process the following categories of personal data:
SUPPLIER OR OTHER BUSINESS PARTNER MANAGEMENT
In connection with your business relationship with us, we process the following categories of personal data:
COMPLAINTS AND OTHER FEEDBACK ON OUR PRODUCTS
Data subjects that make complaints or give us other feedback, for example due to having suffered skin irritation or other undesirable effects can report to us various information. We normally receive the data subject’s complaint, feedback, or report on undesirable effects through email sent by the data subject or through a free-text form on our website and accordingly cannot control the contents of the communications sent to us. The data received generally contains identifying information, such as name, contact information, and the actual feedback, which may contain also personal data, such as symptoms caused, and information on possible treatment required, such as a visit to a dermatologist. Sometimes in cases of undesirable effects claims, we will have to request more information in order to be able to assess whether the undesirable effect was caused by our product or its ingredients, or whether the cause of the effect was something else.
OTHER PROCESSING CONTEXTS: NEWSLETTER SUBSCRIPTIONS, MEDIA BANK USER REGISTRATION AND SOCIAL MEDIA CHANNELS
Processing context or purpose | Personal data | Sensitive data |
Media Bank user registration | If you are a user of our Media Bank at https://cutrin.emmi.fi/, we process the data you provide to us in the context of your registration to the Media Bank, i.e., name, email address, the name and contact details of the organization you represent and, if you choose to provide it, your phone number. | N/A |
Social media channels | Personal data you choose to provide, generally containing at least identifying information such as name; and contents of the communications between you and us. | Data subjects choosing to interact with us through social media may voluntarily provide to us sensitive data of their own choosing, e.g., information on an allergic reaction suffered. |
Why we transfer or disclose your personal data
Cutrin is a part of Lumene group. We may transfer or disclose your personal data to other companies within the worldwide Lumene group or to external service providers as follows.
We use external service providers to provide us services, for example, services related to the technical maintenance or hosting of our website and online shop, in the context of which these service providers process personal data as processors on our behalf, and we require that these parties agree to process personal data based on our instructions and in compliance with this Privacy Notice.
We may also disclose personal data to our partners within the limits permitted by law, e.g., for purposes of carrying out deliveries, billing or marketing. For example, to execute your orders, we use services of our partners (such as shipping and delivery services offered by dispatching companies). We will only provide these partners the information they need to deliver the services agreed, such as, to deliver your order. If we advertise through social networks (e.g., Facebook), we may provide information about the data subjects (e.g., device and usage information, ad and cookie IDs, email addresses) in encrypted form to the respective social network service provider.
In addition, we may disclose your personal data if we are required to do so by law (e.g., serious undesirable effects or skin irritation reports to the competent authorities) or if we in good faith believe that such action is necessary to conform to the provisions of the law or comply with legal process served on Cutrin or to protect and defend the rights or property of Cutrin.
We may share limited amounts of personal data within Lumene group of companies for legitimate business purposes, such as to develop and improve our business or products and analyse and enhance customer experience. In case we sell our business or part of it or otherwise reorganize our business we may disclose and transfer personal data to buyers and their advisors in accordance with the limits of applicable legislation.
International transfers of personal data
We use partners in business activities requiring the processing of personal data, and in this context, we or our partners may, in accordance with applicable legislation, process personal data anywhere in the world and thus transfer the personal data also outside EU or EEA area. Regarding transfers of personal data to countries where the local data protection legislation does not provide adequate level of data protection, the transfers are based on appropriate safeguards, such as standard contractual clauses approved by the European Commission or a competent supervisory authority.
To learn more about the appropriate safeguards we use, please send us an email at cutrintilaukset (at) cutrin.com or cutrinorders (at) cutrin.com.
We have taken appropriate technical and organizational measures to protect the security of your personal data and to ensure that your choices for its intended use are honoured. We protect your data from loss, misuse, unauthorized access or disclosure, alteration, or destruction by appropriate technical measures such as firewalls.
We do not share your personal data outside Cutrin, except under conditions and for purposes explained in this Privacy Notice, or unless otherwise required under mandatory applicable law. Within Cutrin, personal data is stored in password-controlled environments with limited access granted only to such persons whose work requires the processing of personal data.
The retention time of the collected personal data is subject to the legal basis and processing purpose for which the data were collected. We will retain your personal data for as long as they are necessary for carrying out the processing purposes for which it was collected, as specified in this Privacy Notice, in particular for the fulfilment of our contractual and statutory obligations. Where the processing is based on our legitimate interest, we will retain your personal data for as long as our legitimate interest can be deemed valid, or until you request the deletion of your personal data.
RETENTION PERIODS
The general retention periods for personal data processed by us in different contexts are as follows:
Data subject group | Retention period |
Website visitors | As set out in our Cookie Settings and Declaration tool. |
Registered online shop users | If you decide to delete your user account, we will delete all related personal data, unless the data falls also to another category which is subject to longer statutory or other compelling retention periods (such as information on your purchases and/or contractual obligations between us and you or the organisation you represent). We reserve the right to delete your user account and most of the personal data connected with it after two years of inactivity by you. |
Orders placed in our online shop | We will retain the information on product orders and the related payment details as per the requirements of the Finnish accounting legislation, i.e., current year and six years. |
Online product reviews | Until the product delisting or until deletion request or withdrawal of consent by the data subject. |
Customer relationship management | The general minimum retention period for the personal data of our customers or their representatives is until the end of the calendar year in which the contract with the customer has expired + 2 years. |
Supplier or other business partner relationship management | The general minimum retention period for the personal data of suppliers or their representatives is until the end of the calendar year in which the contract with the supplier has expired + 2 years. |
Complaints, other feedback and skin irritation claims | We will retain the collected data in identified form only as long as we have responded to the data subject and otherwise handled the matter so that we have been able to make sure that the data subject is satisfied with the result, after which we will close the case. After the case has been closed, we will remove direct identifiers from the data. The non-identified feedback data will be retained for a minimum of 10 years. |
Newsletter subscribers | Until the recipient unsubscribes. |
Data subjects contacting us through social media platforms | In accordance with the terms of use of the social media platform in question. |
When we no longer need the collected personal data, the data will be safely destroyed or irrevocably anonymized. If you delete your user account, we will delete all data stored about you, unless contractual or statutory retention periods apply. If the complete deletion of your data immediately after you have deleted your user account is not possible or necessary for legal reasons, access to your data for further processing will be prevented.
We may also retain certain personal data after the termination of the initial processing purpose, should such retention of personal data be necessary to comply with other applicable laws or should we need the personal data to establish, exercise or defend a legal claim, on a need-to-know basis only.
Below we have summarized the rights that you as a data subject have under the European data protection legislation. The “data subject” refers to natural persons whose personal data is processed by us, i.e., the representatives of our customers, suppliers and other business partners, as well as other persons the personal data of whom we process as specified in this Privacy Notice. Some of the rights are complex and are subject to certain exceptions, and to keep this Privacy Notice concise, not all of the details have been included in the below summaries.
The data subjects have the right to access the data processed by us as a controller and to get incorrect personal data related to them rectified. If you wish to use your right of access or rectification, please proceed as follows.
Your request on the right of access or rectification must be in writing or in electronic form and be signed and sent using the contact details mentioned in this Privacy Notice. The request shall contain the basic information needed for finding the requested data. After receiving and processing the request, we will send you a copy of the personal data by mail or electronically. We reserve the right not to complete your request if the request is manifestly unfounded. Should you request multiple copies, or should you wish to submit more than one request per year, we may charge you a reasonable fee based on administrative costs for the execution of your request.
You also have the right at any time to request us to erase the personal data concerning you and processed by us and we are obliged to erase the data if there is no longer a legal ground for processing the data. Please note that certain data processed by us are subject to e.g. statutory retention requirements, and regardless of a request of erasure, we cannot erase such data until the end of the statutory retention period. You also have the right to object to the processing of your personal data if the data has been processed on the basis of our legitimate interest, and we are obliged to stop processing such personal data unless we can demonstrate compelling legitimate grounds for further processing of such personal data. You also may have the right to obtain from us restriction of our processing of your personal data.
If you have declared your consent regarding certain types of processing activities, you can withdraw this consent at any time with future effect. Such a withdrawal will not affect the lawfulness of the processing prior to the consent withdrawal.
To exercise the above rights, reach out to us using the contact details mentioned in the beginning of this Privacy Notice.
If you consider that our processing of your personal data infringes the data protection laws, you have the right to lodge a complaint with a data protection supervisory authority. You may do this in the EU member state of your habitual residence, your place of work or the place of the alleged infringement.
We reserve the right to update and modify this Privacy Notice. Unless otherwise provided by mandatory applicable legislation, we may not communicate changes to this Privacy Notice to the data subjects in person, and therefore we prompt you to check this Privacy Notice from time to time for possible changes.
If for some reason you believe that we have not adhered to the foregoing, please notify us by email at cutrintilaukset (at) cutrin.com or cutrinorders (at) cutrin.com, and we will do our best to determine and correct the problem promptly.