1. Introduction and contact
This privacy notice (hereinafter Privacy Notice) is a description of how your personal data is collected, used and deleted while you visit our website www.fractory.com, register your account and use our products or services.
The personal data is processed and controlled either by Fractory Solutions OÜ, located at Raekoja plats 16, 51104, Tartu, Estonia; or
if you are conducting business or ordering our service from Fractory Ltd, located at Regency House, Chorley New Road, Bolton BL1 4QR, United Kingdom, then your data controller is Fractory Ltd; or
if you are conducting business or ordering our service from Fractory Operations Inc, located at 1209 Orange Street, City of Wilmington, New Castle, Delaware 19801, United States, then your data controller is Fractory Operations Inc.
Fractory Solutions OÜ, Factory Ltd. and Fractory Operations Inc. are hereinafter jointly referred to as Fractory/we/us/our.
If you have questions connected to the processing of personal data please contact us email@example.com.
Personal data related terms have the same meaning here as defined in the EU general data protection regulation 2016/679 (hereinafter GDPR).
2. Principles Fractory adheres to when processing personal data
Our goal is to process personal data responsibly and transparently and to be ready to demonstrate the compliance of the processing of personal data with the stated objectives and applicable data protection regulation.
All our processes, guidelines and processing activities related to the processing of personal data are based on the following principles: lawfulness, fairness, transparency, purposefulness, minimisation, accuracy, storage limitation, integrity, confidentiality, and data protection by default and by design.
3. How we get personal information and processing on linked websites
Most of the personal information we process is provided to us directly by you in order to register yourself as our customer and when using our services.
In addition, we may also collect your personal data indirectly.
When visiting Fractory’s website, we and our service providers acting on our behalf may collect certain data using tracking technologies like cookies, web beacons and similar technologies.
Indirectly collected data may fall under the terms of third party privacy policies while they act as independent data controllers.
Please note that the links shared on the Fractory’s website are governed by the privacy terms and conditions of their respective service providers/persons. As regards the processing of personal data published by the data subject (you) on our social media (e.g. Facebook, Instagram), both the Privacy Notice (for Fractory’s processing) and the terms and conditions of the respective social media platform apply.
4. What kind of data is processed and why?
As a general rule, we collect and process the following types of personal data:
- Personal data disclosed to us by the data subject (e.g. if you contact us, register as a customer, order our service etc.);
- Personal data arising from communication with the data subject (e.g. feedback surveys, communication about the service/products etc.);
- Personal data clearly disclosed by the data subject (e.g. if you comment on our social media);
- Personal data deriving from the use of services (e.g. activity on your account);
- Personal data resulting from visiting and using our website;
- Personal data received from third parties (e.g. payment service providers on payment status);
- Personal data created and combined by us (e.g. list of your order history);
- Personal data of our employees and candidates (e.g. data provided in the recruitment procedure, data needed for employment contract etc.).
More specifically we process among other following data:
About our customers: name, contact details (e-mail, phone nr, address), account information, order history, activity on our website and account, invoice data and other data about usage of service and performance of a contract.
About other data subjects (e.g. website visitors, potential customers): website usage data, data provided to us by the data subject.
Candidates: name, contact information, CV and other data provided in the recruitment.
Employees: data necessary for entering into an employment contract, data deriving from the performance of work duties and employment contract. More specific information about the processing of employees’ data is provided to employees at work.
Our services are not intended for children. We do not knowingly process personal data of children in our service.
5. Newsletter and direct marketing campaigns
We may send our newsletter to customers who have bought/ have searched/inquired about similar products before on the basis of legitimate interest if it is allowed in the relevant jurisdiction. Otherwise, we send newsletters when you have given us your consent. You may opt-out of these messages. Please note that email marketing messages include an opt-out mechanism within the message itself (e.g. an unsubscribe link in the emails we send to you). Clicking on the link in an email will opt you out of further messages. You may also opt-out of your account settings in case this option is available. Please note that in case of opt-out we have to retain the data about your email having opted-out.
We may also use social media tools to market our products and services; there might be consent or opt-out requirements also on their side
6. Processing under legitimate interest
In addition, to above mentioned main processing activities Fractory may process data subject’s personal data on the basis of legitimate interest. If Fractory has previously assessed data subject’s and its own interests and concluded that processing under legitimate interest is allowed. Fractory may process personal data on the basis of legitimate interest for the following purposes:
- independent development of our services to further improve Fractory’s services and make our services safe and efficient;
- managing and analysing customer (also potential customer) database and for marketing activities in order to improve the availability, selection and quality of services;
- ensuring a better user experience, higher quality services, and operation of various channels; Fractory may analyse identifiers and personal data collected when our website, our social media pages and other sales channels and services are used, and we may collect statistics about visitors of Fractory website and customers;
- organising campaigns, incl. organising personalised campaigns. The terms and conditions of campaigns are set out separately (if any);
- sending marketing offers to the customers or potential customer if the respective person has previously purchased/inquired about a similar product and if it is allowed in respective jurisdiction. In this case, the person is always guaranteed to have a simple opportunity to resign from the communication, and we have considered our and the customer’s interests;
- conducting satisfaction, incl. customer satisfaction surveys and measuring the effectiveness of marketing activities performed;
- making recordings; Fractory may record messages and orders given both in our premises and using means of communication (e-mail, phone, etc.) as well as information and other activities we have performed, inter alia, calls to landline numbers. If necessary, we use these recordings to prove orders or other activities;
- network, information and cyber security reasons, for example measures for combating piracy and fraud, and ensuring the security of the website as well as for making and storing back-up copies;
- processing for organisational purposes, foremost for financial management and transfer of personal data within the group/connected companies for internal management purposes (but also audits and other potential supervision), including processing personal data of customers and/or employees;
- establishing, exercising or defending legal claims;
- protecting health and property of us, our employees and customers, for example, we may use cameras that may also record sound to ensure safety and security on our territory and our premises. In that case usage of cameras is marked and relevant notices are made visible.
7. Sharing your personal data
Data you provide will not be publicly displayed or shared with other users/customers. Certain employees of Fractory have access to personal data to the extent necessary for the performance of their work duties.
We use third-party processors to help provide our service. They will have access to your information as reasonably necessary to perform these tasks on our behalf and are obligated not to disclose or use it for other purposes.
Personal data may be shared if we have legitimate interest to do so between our group companies.
8. Why and with whom we share your personal data?
|Categories of Recipients||Reason for sharing|
|Service providers||We work with service providers that work on our behalf which may need access to certain personal data to provide their services to us. These companies include those we have hired to operate the technical infrastructure that we need to provide service, assist in protecting and securing our systems and services, manage customer relations and help market our service.|
|Payment processors||Your personal data is processed by our payment processors as necessary to enable them to process your payments, and for anti-fraud purposes. Certain necessary data is also shared with us e.g. status of payment (successful/failed).|
|Companies providing logistics service||Delivery of customer orders to their selected addresses using logistics service providers.|
|Advertising partners||We work with advertising partners to enable us to customize the advertising content you may receive. These partners help us deliver more relevant ads and promotional messages to you, which may include interest-based advertising, contextual advertising, and generic advertising. We and our advertising partners process certain personal data to help us understand your interests or preferences so that we can deliver advertisements that are more relevant to you.|
|Customer communication||When using our Chatbot which is provided as third-party service, your conversations with us are not personalised until you sign-up account on our platform. Access to customer conversations is only provided to us.|
8.1 Buy Now Pay Later / Extended Payment Terms
Who we share your data with
If you use our buy now, pay later function or we otherwise provide extended payment terms to you
(“BNPL Service”), the personal data you provide will be processed by our third party credit and
payment service provider, Kriya Finance Limited ( the “BNPL Service Provider”) to assess your
eligibility for the BNPL Service and for other purposes including fraud prevention and identity
The BNPL Service Provider may share your personal data with credit reference agencies (“CRA”)
they work with such as Experian, and may use data about you, and anyone with a financial
association to you (a financial association is a link that’s created when you apply for a financial
agreement with someone else); the BNPL Service Provider may also collect this information from
other credit reference agencies in order to assist in assessing your eligibility for credit and payment
services in connection with the BNPL Service. The data accessed contains publicly held data
including the electoral roll, and shared credit performance data.
When a CRA receives a search from us or a BNPL Service Provider to assess your eligibility for the
BNPL Service, the CRA will place a soft quotation search footprint on your credit report, regardless of
whether you progress any application. This search will not affect your ability to gain credit.
If you choose to pursue an application for the BNPL Service, any data that you provide will be shared
with our BNPL Service Provider. Upon you making a purchase for goods or services using the BNPL
Service, the BNPL Service Provider may undertake a search with a CRA which will leave a hard
search footprint on your credit report. The BNPL Service Provider may also continue to exchange
information about your business with CRAs on an ongoing basis, including about your settled
accounts and any debts not fully repaid on time. CRAs may share your information with other
Further information about each CRA and what it does with personal data is available at the following
- Experian: www.experian.co.uk/legal/crain
- Equifax: www.equifax.co.uk/crain
- TransUnion: www.transunion.co.uk/crain
You can contact any of the CRAs if you wish to obtain a copy of your personal or business credit
9. International transfers
Some of our services are cloud-based so your personal information may be sent outside the European Economic Area. In such instances, we will ensure that the transfer of your personal data is carried out in accordance with applicable privacy laws and, in particular, that appropriate contractual, technical, and organisational measures are in place. (e.g. EU’s standard contractual clauses may be used).
Please contact us firstname.lastname@example.org if you would like to get more detailed information about partners we may share your data with.
10. Ensuring the security of personal data
We have taken necessary technical and organizational security measures to protect your personal data against accidental or unlawful destruction, loss or alteration and against unauthorized disclosure, abuse or other processing in violation of applicable law.
11. Retention and deletion of personal data
The storage period of personal data depends on whether we have legal obligations to store data (i.e. accounting regulations), contractual obligations, legitimate interest or your explicit consent.
|Data type||Purpose||Retention Time|
|Personal Identification Information, Consumption habits||Delivering product-related messages||45 days since sending of the message|
|Customer marketing campaigns||90 days since pixel event tracking|
|Customer marketing campaigns||Maximum 180 days|
|Quality evaluation of the sold product or provided service||1 year|
|Enablement of service||3 years after termination of the agreement|
|Delivery of purchased goods||3 years since the delivery date|
|Customer invoicing||7 years after the end of the financial year when the transaction took place|
|Customer marketing campaigns||Data is deleted after campaign ends|
|Communication with customers||3 years after termination of the agreement|
|Electronic identification data||Advertising||90 days since the last visit|
|Identification details, issued by the government||Business operations||7 years after the end of the business year when the invoice was sent|
|Job application data||Recruitment||The application data shall be stored for one year after the decision not to hire is made.|
|Service call recordings||Quality assurance||6 months|
12. Your rights and dispute resolution
Under data protection law, you have rights including:
- Right to be informed and to access. You may get information regarding your personal data processed by us.
- Right to data portability. You have the right to receive your personal data from us in a structured, commonly used and machine-readable format and to independently transmit those data to a third party.
- Right to erasure. You have the right to have personal data we process about you erased from our systems if the personal data are no longer necessary for related purposes.
- Right to object and restrict. You have the right to object to the processing of your personal data and restrict it in certain cases.
- Right to rectification. You have the right to make corrections to your personal data.
- Right to withdraw consent. When you have given us consent to process your personal data, you may withdraw said consent at any time.
- Right related to automated processing and profiling. The data subject, on grounds relating to their particular situation, has the right to object at any time to the processing of personal data concerning them based on automated decisions/profiling and to require human intervention. The data subject may also require an explanation regarding the logic of making an automated decision. Automated processing/profiling may also be partially based on data collected from public sources. We do not use automated processing or profiling that has a significant effect on the data subject or their rights.
- Right to an assessment by a supervisory authority as to whether the processing of the personal data of the data subject is lawful.
- Right to compensation for damages where the processing of personal data has caused damages to the data subject.
To exercise any of the abovementioned rights, please contact email@example.com. We will respond to your requests within 30 days.
13. Dispute resolution
If you have questions or concerns about our use of your personal information, please feel free to contact us at firstname.lastname@example.org.
Depending on your location and controller of your personal data, you may lodge a complaint to the supervisory authority, the Estonian Data Protection Inspectorate email@example.com or the UK’s Information Commissioners Office, https://ico.org.uk/make-a-complaint/.
This Privacy Notice was updated in February 2022.