1. WHO WE ARE
“We”, “us” or “our” means The Vita Coco Company Inc., a Delaware corporation with its principal place of business located at 250 Park Avenue South, Floor 7, New York, NY 10003, and all brands hereunder: Vita Coco, Ever & Ever, Runa, etc. For the purposes of certain data protection laws, including the EU General Data Protection Regulation and the UK General Data Protection Regulation (collectively, the “GDPR”), we act as controller for the personal data we gather through your use of our website.
If you have any questions, concerns or complaints regarding this Policy or our processing of your personal data or you wish to submit a request to exercise your rights as set out in Section 5, you can do so by contacting us via e-mail: firstname.lastname@example.org.
3. HOW WE COLLECT, USE AND DISCLOSE YOUR PERSONAL DATA
Personal data is defined as any information relating to an identified or identifiable natural person. Identifiable refers to identifiers (such as name, identification number, location data, etc.), that can be used to directly or indirectly identify a natural person. Personal data also includes the definitions of personal information, personally identifiable information, and comparable terms under any applicable data protection laws or regulations.
(a) The Categories of Personal Information We Collect
We may Process the following categories of personal data:
· Personal Information including Contact data: in the event you make use of the contact form, you will be asked to provide the following information: name, address, e-mail address, phone number, and any personal data that you choose to provide in the designated blank field (please do not provide us with any special/sensitive information, such as health information, information pertaining to criminal convictions, or credit card/account numbers). This is information that is provided directly by you.
· Personal Information including Profile data: If you create an account on our website, we collect the following data: name, telephone number, e-mail address, address, country, company name, job title, industry. This is information that is provided directly by you.
· Identifiers such as name: We collect personal data relating to your access requests to The Vita Coco Company Inc. resources, including sales inquiries, partner inquiries, and subscriptions to our newsletter. This category includes personal data such as name, telephone number, e-mail address, shipping and billing address, country. This is personal data provided directly by you.
· Commercial Information: Information regarding your transactions through our Service, including your “contact data,” as well as Customer Records Information such as credit/debit card number used to pay for goods and information regarding your purchase history. We collect this personal data when you provide it through your interactions with our Service.
· Characteristics of Protected Classifications such as age to determine permitted use of our services, including for permitting payments on our website. This is personal data that is provided directly by you.
· Geolocation data used to determine the applicability of regional legislation permitting the purchase of certain products based on your device’s location and for analytics and marketing purposes. This is personal data that is collected through your use of the website.
· Professional or employment-related information such as employer or workplace to determine any logistical requirements for shipping or delivery. This is personal data that is provided directly by you.
· Inferences such as product flavor or fragrance preference. This is personal data that is collected automatically through your use of our Service.
· Sensitive Personal Information, which may include government issued identification number; account login credentials; financial account, credit, or debit card information in combination with any required security or access code; and precise geolocation information. We process this data only as required to provide our services or process your employment applications. This personal data is provided directly by you.
Note that some of the above categories of personal data will be required in order to provide you with our services. By not providing such categories of personal data, we may not be able to fulfill your order.
(b) The Purposes for which We Collect Personal Data
We collect personal data for the purposes and subject to the lawful bases listed hereunder:
· In the event you use the contact form on our website, we will use your personal data—including any information contained in the communications you send to us—in order to reply to your query, via e-mail or telephone. If the GDPR applies, and (i) your query is related to a service we are providing to you, we process your personal data in order to perform our contract with you or (ii) where your query is general, on our legitimate interests to run a successful business and maintain a relationship with you.
· In the event you create a profile on our website or you provide us with transaction data, we collect your personal information in order to fulfill your requests, to provide you with our services and permit us to contact you. If the GDPR applies, we process your personal data to perform our contract with you and for receiving information and contacting you in this context. Otherwise, we rely on our legitimate interests to run a successful business and maintain a relationship with you.
· In the event you register for our newsletter, your e-mail address will be used in order to send you our newsletters, which may include invites to events, seminars, etc. organized by us. Additionally, we may collect certain analytics information about your interactions with our newsletter through the use of trackers contained within the newsletter. For more information regarding our use of online trackers, please see Section 8, below. Where required under local laws in the EEA/UK, we rely on your consent to do so.
· We Process your personal data for the purpose of supporting the website, mobile applications, advertising experience, and enhancing your user experience, which includes ensuring the security, availability, performance, capacity and health of these systems. If the GDPR applies, we rely on our legitimate interests in running a successful business and, where required by law, on your consent.
· We Process your personal data to enforce or exercise any rights that are available to us based on the applicable law, such as use for the establishment, exercise or defense of legal claims, to enforce any applicable terms and conditions and to protect or defend our rights, the rights of our users and others.
(c) How We May Disclose Personal Data
We will disclose your personal data to third party service providers for our legitimate business purposes or to perform our contract with you, as noted below:
· Identifiers such as name, shipping address, or billing address. For example, if we use a 3rdparty carrier to deliver your order.
· Customer Records Information such as credit/debit card number used to pay for goods. For example, if we use a 3rd party payment processor.
· Commercial Information. For example, your order detail will be required for a 3rd party logistics provider to fulfill your order.
· Internet or other Electronic Network activity information such as your use of our website in terms of browsing and search history. 3rd party monitoring services may be used to ensure operational effectiveness of our services and website as well as for analytics and marketing purposes. For example, we may disclose your information to service providers, including but not limited to:
o Candyspace as a website builder
o Lunar Solar Group as website builder
o Interesting Development as website builder;
o Amazon Web Services (AWS) as website host;
o Shopify as website host and eCommerce transactor;
o Wordpress as website host; and
o Google as a marketing and analytics provider.
· Professional or employment-related information. For example, if you place a subscription order for your work, office, etc., your employment-related information, such as work address, will be required by a 3rd party delivery and logistics provider, including, but not limited to Resurge LLC, Ingram Micro, United States Postal Service, United Parcel Service, and Federal Express.
· We may disclose your personal data to professional advisors functioning as service providers that assist us in operating our business, such as auditors, law firms, or accounting firms.
· We may disclose your personal data to regulators, law enforcement agencies, public authorities, or any other relevant organizations: (i) in response to a legal obligation; (ii) if we have determined that it is necessary to disclose your personal data to comply with applicable law or any obligations thereunder, including cooperation with law enforcement, judicial orders, and regulatory inquiries; (iii) to protect the interests of, and ensure the safety and security, of us, our users, a third party or the public; (iv) to exercise or defend legal claims; and (v) to enforce our terms and conditions, other applicable terms of service, or other agreements.
· We may disclose your personal data to companies within our corporate family.
· We may disclose your personal data to a prospective buyer, seller, new owner, or other relevant third party as necessary while negotiating or in relation to a change of corporate control such as a restructuring, merger, assets or shares sale or purchase, other business transaction or re-organization or in connection with bankruptcy.
4. RETENTION OF YOUR DATA AND DELETION
Your personal information will not be kept for longer than is necessary for fulfilling the processing purposes listed in this Policy. Generally, we retain your information for as long as we have a relationship with you and, after our relationship with you has ended, if there is an ongoing business need to retain it. This includes retention to comply with our legal, regulatory, tax, accounting and/or billing and collection obligations, to resolve disputes, enforce our policies and establish, exercise and defend our rights and any claims. We broadly retain information for approximately 3 years after our relationship with you has ended, but this term may differ, based on our data retention policies and applicable laws.
If you stop using our services or if you delete your account with us, we will store your information in an aggregated and anonymized format; we may use this information indefinitely without further notice to you.
5. CALIFORNIA RESIDENTS
If you are a resident of California, you have certain rights with respect to the collection, use, transfer, and processing of your personal data provided by the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act. We reserve the right to limit these rights where permitted under applicable law, including where your identity cannot be reasonably verified or to the extent your rights adversely affect the rights and freedoms of others. To exercise any of the rights below, please contact us via the contact information below. Only you or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information.
In the past 12 months, we have collected personal information from the categories identified in Section 3(a), which are described using the terms identified under the CCPA. We process these categories of personal information for the purposes identified in Section 3(b). Finally, we may disclose your personal information as described under section 3(c).
The terms ‘sell’ and ‘share’ have expanded definitions under the CCPA. For example, although we do not sell your information to third parties for monetary consideration, our use of tracking and analytics cookies may qualify as the sale or sharing of personal information for purposes of California law. In light of these expanded definitions, our use of tracking and analytics services may constitute the sale of the following categories of personal data as defined by California law and this Policy: identifiers; personal information, commercial information; and internet or similar networking activity. The categories of third parties to whom this information is sold or shared under the CCPA includes data analytics providers and advertising and marketing providers.
In the preceding 12 months, we have not collected or processed sensitive personal information, as defined under California law, for purposes not specifically authorized under California law.
In the preceding 12 months, we have not knowingly collected or processed personal information pertaining to children under the age of 18.
Individual Rights under California Law
If you are a California resident, you may be able to exercise certain rights in relation to your personal information:
You have the right to request that we disclose the personal information we collect, use, and disclose about you to third parties. There are two types of Rights to Know requests that you can make:
2. Right to Know (Abbreviated Request): If you make a Right to Know (Abbreviated Request), you will receive the following information about you:
This information will be provided to you free of charge, unless we determine that your request is manifestly unfounded or excessive. You may request this information twice in a 12-month period.
There are certain exceptions to a consumer’s Right to Know. We will state in our response if an exception applies.
You have the right to request that we and our service providers delete any personal information about you that we have collected from you upon receipt of a verifiable request. This right is subject to certain exceptions. We will state in our response if an exception applies.
You have the right to opt-out of the sale or sharing of your personal information. You may opt-out of the sale or sharing of your personal information by clicking here.
We recognize the Global Privacy Control. Your browser must be able to support the Global Privacy Control for us to recognize your opt-out preference signal.
Please note that opt-out choices may be stored via cookies. If you clear cookies, if your browser blocks cookies, or if you view the page from a different browser or device, your opt-out choice may no longer be logged or recognized.
For more information, please visit our Do Not Sell or Share My Information page.
If we maintain inaccurate personal information about you, you have the right to request that we correct the inaccurate personal information upon receipt of a verifiable request. This right is subject to certain exemptions. We will state in our response to your request if an exemption applies.
You have the right to request that we limit the processing of your sensitive personal information, as defined by California law and this Policy, to those purposes specifically authorized by California law. At this time, we only process sensitive personal information for purposes specifically authorized by California law.
You have the right not to receive discriminatory treatment for exercising the privacy rights conferred by California law. We will not discriminate against you because you exercised any of your privacy rights, including, but not limited to, by: denying goods or services to you; charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; providing a different level of quality of goods or services to you; or suggesting that you will receive a different price or rate for goods or services or a different level or quality of goods or services. We will also not retaliate against any employee, applicant for employment, or independent contractor for exercising their rights under the CCPA.
g. Exercising Your California Privacy Rights.
To submit a request, please contact us using one of the following methods:
· Email us at email@example.com. Please include your full name, email address and phone number associated with your use of the Service.
· Send us a letter to The Vita Coco Company, Inc., Attn: Privacy, 250 Park Ave. S., 7th Floor, New York, NY 10003 with your full name, email address and phone number associated with your use of the Service.
h. Verifying Requests
To ensure the protection of your personal information, we must verify that the individual submitting a request to know, request to delete, or request to correct is the consumer to whom the request relates prior to processing the request. To verify a California consumer’s identity, we may request up to three pieces of personal information about you when you make a request to compare against our records. We may also request that you sign a declaration under the penalty of perjury from the consumer whose personal information is the subject of the request.
Making a verifiable consumer request does not require you to create an account with us. However, we may require that you access a previously existing account where necessary to submit the request.
We will only use personal information provided in your request to verify your identity and will delete any information you provide after processing the request. We reserve the right to take additional steps as necessary to verify the identity of California consumers where we have reason to believe a request is fraudulent.
i. Authorized Agents
You may choose a person or a business registered with the California Secretary of State that you authorize to act on your behalf to submit your requests (“Authorized Agent”). If you choose to use an Authorized Agent, we require that you provide the Authorized Agent with written permission to allow them to submit your request and that you verify your identity directly with us. Failure to do so may result in us denying your request.
6. UK AND EEA USER RIGHTS
If you are located in the EEA or the UK, you have certain rights in relation to your personal data:
· Access: You have the right to access personal data we hold about you, how we use it, and who we share it with.
· Portability: You have the right to receive a copy of the personal data we hold about you and to request that we transfer it to a third party, in certain circumstances and with certain exceptions.
· Correction: You have the right to correct any of your personal data we hold that is inaccurate.
· Erasure: In certain circumstance, you have the right to delete the personal data we hold about you.
· Restriction of processing to storage only: You have the right to require us to stop processing the personal data we hold about you, other than for storage purposes, in certain circumstances.
· Objection: You have the right to object to our processing of your personal data.
· Objection to marketing: You can object to marketing at any time by opting-out using the unsubscribe/ opt-out function displayed in our communications to you.
· Withdrawal of consent: Where we rely on consent to process your personal data, you have the right to withdraw this consent at any time by emailing us at firstname.lastname@example.org.
Please note that a number of these rights only apply in certain circumstances, and all of these rights may be limited by law. For example, where fulfilling your request would adversely affect other individuals or our trade secrets or intellectual property, where there are overriding public interests or where we are required by law to retain your personal data.
To exercise any of these rights, please contact us at email@example.com with specific attention to the Data Protection Officer. We will respond to requests to exercise these rights without undue delay and at least within one month (though this may be extended by a further two months in certain circumstances).
If you consider that our processing of your personal data infringes data protection laws, you have the right to lodge a complaint with a supervisory authority. You may do so in the EEA member state of your habitual residence, your place of work or the place of the alleged infringement or, in the UK, you can submit a complaint to Information Commissioner’s Office (ICO).
7. INTERNATIONAL TRANSFERS
As we are a company located in the United States (“US”), please note that your personal data will be transferred and stored in the US in order to provide our services to you, or if applicable, we will obtain your consent.
To the extent the GDPR applies, for transfers of data to third parties located outside the EEA or the UK, we rely on the European Commission’s standard contractual clauses for the transfer of personal data to third countries (the “Model Clauses”), supplemented by any equivalent contracts issued by the UK’s data protection authority (“ICO”), as relevant, unless the data transfer is to a country that has been determined by the European Commission or the ICO as applicable, to provide an adequate level of protection for individuals’ rights and freedoms for their personal data. Please contact our Data Protection Officer at firstname.lastname@example.org should you wish to examine a copy of the Model Clauses.
8. SOCIAL MEDIA PLUGINS AND COOKIES / DO NOT TRACK
(a) Cookie types:
· Session Cookies: Session cookies keep track of you or your information as you move from page to page within the website and are typically deleted once you close your browser.
· Persistent Cookies: Persistent cookies reside on your system and allow us to customize your experience if you leave and later return to the website. For example, persistent cookies may allow us to remember your preferences.
(b) Cookie purposes:
· Strictly necessary cookies: These cookies are essential to provide you with our website and its features. Without these cookies, our website would not function properly.
· Functional cookies: Functional cookies record information about choices you've made and allow us to tailor our website to you. When you continue to use or come back to our website, we can provide you with our services as you have asked for them to be provided. These cookies allow us to save your location preference if you have set your location, remember settings you have applied, such as layout, text size, preferences, and colors and store accessibility options.
· Analytics cookies: We use analytics cookies to analyze how our website is accessed, used or is performing in order to provide you with a better user experience and to maintain, operate and continually improve our website.
· Advertising and targeting cookies: We allow third parties, including advertising companies, to place advertising cookies on our website. These cookies enable such third parties to track your activity across various sites where they display ads and record your activities so they can show ads that they consider relevant to you as you browse the Internet. These cookies also allow us and third parties to know whether you have seen an ad or a type of ad, and how long it has been since you've last seen it. This information is used for frequency capping purposes, to help tailor the ads you see, and to measure the effectiveness of ads.
· Social media cookies: We make use of social media plugins to direct you to our social media channels and to allow you to interact with our content. These social media channels are Facebook, Instagram, LinkedIn, Twitter, Google, Vimeo, TikTok, Snap, and Pinterest. In the event you click on the plugins, the social media service provider may collect personal data about you and may link this information to your existing profile on such social media. We are not responsible for the use of your personal data by such social media service providers. For your information only, please find below links to the services providers’ privacy policies (note these links may be changed from time to time by the relevant service provider):
o Facebook: http://facebook.com/about/privacy;
o Instagram: https://help.instagram.com/155833707900388;
o LinkedIn: http://linkedin.com/legal/privacy-policy;
o Twitter: http://twitter.com/privacy;
o Vimeo: https://vimeo.com/privacy;
o Pinterest: http://policy.pinterest.com/en/privacy-policy.
(c) Controlling or deleting cookies:
In addition to the above, you may be able to configure your browser settings to use the website without some cookie functionalities. You can delete cookies manually or set your browser to automatically delete cookies on a pre-determined schedule. For example, in the Internet Explorer menu bar, select: Tools Internet OptionsBrowsing HistoryDelete to view manual and automatic options.
(d) Do Not Track Signals:
Some web browsers may transmit Do Not Track signals to websites with which the browser communicates, telling the site not to follow its online movements. Because of differences in how web browsers interpret this feature, it is not always clear whether website users intend for these signals to be transmitted, or whether they are even aware of them. Therefore, we currently do not respond to such Do Not Track signals. However, we do recognize GPC requests made by California Consumers, as discussed in the California Rights section, above.