Joom Privacy Policy

This Privacy Policy, also referred to as “Policy”, is an integral part of Terms of Service (“Terms”) and describes how Joom uses and protects the information we process about our users. Any use (including registration or visit) on or of Joom Website, App, Service, is subject to this Privacy Policy (including Our Cookie Policy, please see the relevant section below) and updates thereof. All the terms and definitions in this Policy are used in the meaning set out in Terms, unless explicitly stated otherwise.

# Personal data controller

The controller of your data is SIA Joom, registered at Gustava Zemgala st. 78-1, LV-1039, Riga, Latvia (email for personal data management requests: privacy@joom.com).

# A. About our Privacy Policy in Simple Words

We offer our users choices about the data we collect, use and share as described in this Privacy Policy: provide different settings available for both registered and non-registered users and provide the options to adjust them by sending us an automated request or email via privacy@joom.com.We care about the safety of your personal data and wish to make your customer experience a pleasant one. For this reason we use the best available technologies to provide you with an ability to enjoy tailored content anytime, take advantage of efficient and secure payment processing, delivery options and many other features which we hope you will truly enjoy. You will have the opportunity to manage personal data settings in your profile right after you register and accept our Terms.

If you wish to understand in more details how and which personal data we process, please read the below and in case any of your questions regarding the privacy matters remain unanswered — feel free to ask us via privacy@joom.com.

# B. This Policy in More Details

This Privacy Policy, including our Cookie Policy, applies to your use of our App, Website and Services. Any processing of your personal data by Joom or parties engaged by Joom under a personal data processing assignment (hereinafter -processors), is conducted in accordance with GDPR, this Policy and Terms.

We reserve the right to amend this Privacy Policy from time to time. We will undertake reasonable steps to notify you of material changes in it. Changes to this Privacy Policy are effective when they are posted on this page.

# Data that we collect and process

Most of the data we process we collect from you when you use our Services via various forms and interactions with our interfaces. In addition to this, some data relating to you is generated on our side. Finally, when you login via your preferred social network, you may grant us permission to process additional data recorded in your social network’s profile (e.g. you profile picture).

# Data you provide to us regarding yourself

In course of your use of our Services you provide us with certain information necessary for the operation of your account, such as your name, your interactions with our services as well as whether your age is above 18 (for purposes of protection of minors against explicit content), gender, age range.

In order to place orders, you may also save your delivery address as a template to be shared with merchants upon conclusion of transactions with them. In certain cases, for the delivery to take place, we may also need to collect your passport details and/or VAT identification numbers due to local regulatory requirements.

Following placement of orders Joom will allow you to manage such orders from your account.

While you use our Services, you may contact our support agents at any time. Please note that your interactions with the support agents are monitored and may be stored following the resolution of your issue in order to assist you in subsequent inquiries as well as to improve our Services.

# Data on user preferences and behaviour

This data includes, inter alia, your user id, UTM labels, when you visit sites that include our plugins, ads, cookies, or similar technologies, we receive the relevant information about your visits and interaction with third-party services provided by others, the country where you are currently located, the list of products that you viewed, opened, searched and purchased, advertising that you click on, cookies, device information and internet protocol (“IP”) address (if applicable). If you use our App from a mobile device, that device will send us data about your chosen language interface based on your phone settings, your advertising ID, user id. We do not identify your precise location, unless you choose to use our location-specific services and provide us with consent to process such data. We may also obtain additional available information regarding your device in order to tailor the Services to you.

# Information on the orders

This data includes e.g. information on purchased items, their size and colour, delivery details, your contact details, shipping information, last selected pickup point, your email address, your phone number

# Information on payments

While you perform payments for your orders you provide us with payment data (e.g. cardholder name, account names in the third-party services). We handle this data securely, and we’re certified PCI-DSS 3.2.1 standard compliant for processing cardholders' data. We can also share this data with other authorized counterparties, including payment processors. Most of this data is immediately deleted after necessary processing.

# User-generated content

To make Joom more useful, users may review products, and can ask and answer questions about products and use our sociality features. This information (your name (as provided for reviews), the review itself, picture if you or your social network shared it with us and your country, if you share it in your reviews) is public, and can be searchable by general search engines. We support anonymous product reviews, if you wish to remain anonymous for these purposes.

# Technical data generated by your use of the Services

To improve Service, we collect any issues that users encounter in our apps and web, and collect Anonymized Data about hardware and software properties and actions. For these purposes we collect e.g. the following data: technical device information (hardware model, OS version, Joom app version, screen dimensions), connectivity information — such as IP address, connection time to Joom server and some other technical information.

We further generate certain logs that relate to your use of the Services, including transaction data, Services interaction data etc.

# Information we receive from third parties

Users prefer their orders and other user-generated information to remain safe and up to date when changing or using numerous devices. To make this possible, we support registration through social networks, so that your user account can be accessed in the future.

Should you decide to use your social media login (e.g. Facebook Login) to create and log into your Joom account, you share some information (including your social id with us, as well as other information that you choose to share when establishing your social login, including your name, photo, gender etc.). This saves you from having to remember yet another username and password.

We may also receive info about you from our partners, e.g. when our ads are published on our partners’ websites and platforms (they will share with us details on the marketing aspects).

# Anonymized data

We collect some information on an anonymous basis. We also may anonymize the data we collect about you. We obtain aggregate data by combining anonymous data that meet certain criteria into groups. We may share aggregated or anonymous information in various formats with trusted non-Joom entities, and may work with those entities to do research and provide products and services. We may process data and using the statistical probabilities predict your other preferences and characteristics (e.g. preferences, gender).

We are committed to providing you the best customer experience and are constantly improving our Services, therefore the methods we use evolve and create new opportunities to provide our Service with new features in a more efficient way and in your best interest.

# Duration of processing

We process your data no longer that it is necessary for the purposes identified in this Policy. Unless we are obligated by law to retain such data, we safely delete or anonymize the data so it may no longer be attributable to you in accordance with our retention policies. We may keep de-personalized information after your account is closed.

Below you may find the factors we take into consideration when determining specific retention periods:

• For processing based on your consent we store your data as long as necessary to achieve the purpose indicated in your consent or until you withdraw it, whichever earlier;
• For processing based on performance of a contract with you the retention period is generally the duration of the contract;
• For processing based on our legal obligation, the terms are either provided under the relevant law or determined based on the period required/estimated to fulfil such legal obligation;
• For processing based on legitimate interests, the specific retention term is determined based on our estimation of the period required to achieve the interest and surely taking into account the balance between risks for your rights and freedoms against our legitimate interests.

# Purposes of processing and legal bases for data processing

In order to process your personal data, we need to establish and secure a lawful basis in accordance with the requirements of the GDPR. You may be acquainted with consent as one of the lawful bases that you come across while using this or other websites. Apart from consent, there are, however, other grounds for processing your data. For example, we will need to process your data in order to perform our contract with you, namely, the Terms. In other cases, we may be obliged by the law to process certain data, for example, under applicable product safety law. Furthermore, in certain cases we may have legitimate interest in processing your data.

Please note that each legal basis comes with its own set of rights granted to you attached to it. Please read the below section carefully, since, for example, we will not be able to stop processing data in connection with our performance of the contract without terminating our contract with you.

# Processing is necessary for the performance of a contract with you or in order to take steps to enter into a contract with you, such as use of our Services

Performance of our contract with you involves different operations and requires processing of your personal data for the following specific purposes:

• Creating and maintaining your user account and enabling you to use the Services, in particular:
  • maintenance of your account and keeping your information regarding you required to create and process your orders;
  • remembering and retaining your past orders;
  • sharing of your feedback and recommendations regarding the products purchased, including through our social networking functions;
  • resolution of technical issues in connection with your use of our Services;
• Processing payments and refunds for your orders;
• Arranging delivery of your orders;
• Providing communications related to our services and your orders;
• Proviiding user support services to you;
• Checking restrictions applicable to your jurisdiction based on general location data (based on IP data) to determine the restrictions applicable in your jurisdiction;
• Handling your complaints;
• Enforcing our agreement with you.

# Processing is necessary to comply with our legal obligations

We are subject to certain legal obligations which may require us to retain or even, in some cases, share your personal data with public authorities. We are always assessing such requests for information and try our best to minimize the shared information. Nevertheless, we hereby notify you about such processing activities:

• Retention of data in order to comply with specific applicable retention requirements, including those under applicable tax laws;
• Operations associated with responding to your data subject requests, including verifying your identity and authority to make the request, where you make it on behalf of another person;
• Notifying you about product recall due to product safety concerns addressed by competent public authority.

# Processing is based on our legitimate interest

When providing our Services and doing business, we like any other company have and pursue legitimate interests which require performance of certain activities involving processing of personal data. Below you can find out which activities, e.g purposes of processing activities, support which of our legitimate interests.

• Development and improvement of our Services, including provision of safer and smoother authentication, provision of site features as remembering your shopping cart or interface language chosen.

  Legitimate interest(s):

  Enhancing your user experience; improving and developing our products and services and their features.

• Performance of analysis of user behaviour, including analytics allowing us to tailor and improve our Service to provide the best experience to you specifically and to make our suggestions generally more relevant.

  Legitimate interest(s):

  Enhancing your user experience; improving and developing our products and services and their features.

• Creating and maintaining logs to monitor performance of our Services, identify and correct errors, improve and develop our Services.

  Legitimate interest(s):

  Improving and developing our products and services and their features; ensuring and improving security of our products and services.

• Customization of content made available to you and recommendations based thereon.

  Legitimate interest(s):

  Enhancing your user experience; improving and developing our products and services and their features.

• Maintaining, improving, and developing information security of our Services.

  Legitimate interest(s):

  Ensuring and improving security of our products and services; protecting and securing our customers, business, and partners.

• Prevention, detection, and investigation of security breaches, fraudulent and other prohibited or unlawful activities.

  Legitimate interest(s):

  Detecting and preventing fraud; protecting and securing our customers, business, and partners; ensuring and improving security of our products and services.

• Communication of advertising, including by email and push notifications, and other content to you where such communication is not subject to consent.

  Legitimate interest(s):

  Promoting our products and services.

• Issuing coupons including personalized, executing them, and measuring and analysing their effectiveness.

  Legitimate interest(s):

  Promoting our products and services; enhancing your user experience; improving our marketing activities.

• Evaluation, monitoring of user actions to assess the success of our marketing actions.

  Legitimate interest(s):

  Promoting our products and services; improving our marketing activities.

• Ensuring that deeplinks from our advertisements you find on third party sources lead to the exact product you were interested in.

  Legitimate interest(s):

  Enhancing your user experience; promoting our products and services; improving our marketing activities.

• Providing our partners offering BNPL services with certain information regarding the history of your payments for Joom orders.

  Legitimate interest(s):

  Enhancing your user experience; increasing customer’s purchasing capacity.

• Management of customer reviews.

  Legitimate interest(s):

  Enhancing your user experience; improving and developing our products and services and their features.

• Review of your communications left on our Services (e.g. your product feedback) automatically and manually.

  Legitimate interest(s):

  Ensuring relevance and authenticity of reviews and ethical acceptability of their contents; protecting our users and customers from misleading or explicit content.

• Customer research activities, where your consent is not required.

  Legitimate interest(s):

  Enhancing your user experience; improving and developing our products, services and their features.

• Monitoring and improving customer support services.

  Legitimate interest(s):

  Enhancing your user experience; improving our customer support services.

• Transmitting your account and order information to our partner providing marketplace services in Armenia, Russia, and Belarus (please note, that this applies only if you made any orders with delivery to Armenia, Russia, or Belarus).

  Legitimate interest(s):

  Maintaining your great user experience when our business changes; maintaining your loyalty to Joom brand.

• Processing copyright infringement reports.

  Legitimate interest(s):

  Ensuring protection of third party’s copyright in connection with use of our products and services.

• Participation in judicial, enforcement and other similar proceedings by state courts, supranational bodies, enforcement agencies, arbitral tribunal etc. with respect to protection of interests of Joom and/or third parties as well as prosecution of illegal activities where it is proportional, taking into account all relevant factors, to disclose the information to third parties.

  Legitimate interest(s):

  Protecting our and affected third party’s (our partners, copyright owners etc.) legal rights and defending against legal claims.

We do not rely on legitimate interest legal basis unless we perform a legitimate interest assessment and conclude that your rights and interests will not be affected adversely by such processing.

# Processing based on your consent

Where our processing activities cannot be based on any of the abovementioned legal bases and we are in position to obtain your freely given, informed and, where applicable, explicit consent, we use such as a legal basis for processing. Namely, your consent, if given, is used as a legal basis when processing the data for the following purposes:

• Optimization of our advertising functions, such as personalization of advertisement shown to you;
• Processing of your exact location data for jurisdictions where customer pick-up is available;
• Providing marketing communication by email, push notification, and other electronic means, where consent is required by law.

Please note that in some cases you may be subject to automated decision making, including profiling. These decisions will not have, however, any legal effect or significantly affect you outside of the conclusion or performance of our contract with you.

# Our Cookie Policy

We use cookies (small files placed onto your device) and similar technologies (e.g., pixels, ad tags, local storage etc.) to recognize you and/or your device(s) across different services as well as in order to allow the use of certain functionality, including making your experience convenient and secure. For simplicity, we refer to all these technologies together as "cookies".

Cookies can be used to recognize you when you visit Website or App, remember your preferences, and give you a personalized customer experience according to your settings. Cookies enable us to provide you Services faster. We use them for the following purposes:

Authentication. Cookies may be used in order to recognize that you are already logged in to your account with Joom.

Security and fraud prevention. We use cookies in order to prevent fraudulent and other unlawful actions on Joom. These technologies are also vital to keep your information and our Services secure.

Enabling features and services. Some cookies enable us to provide you with the functionality offered by the Services as well as to remember your settings and preferences. For example, such cookies are used to remember the language you chose, or the items you put into your cart.

Advertising. We use cookies to make advertising messages more relevant to you, choose ads that match your preferences and measure the number of ads displayed to you and their efficiency.

Analytics. This type of cookies helps us to evaluate how good our Website and/or App, our marketing efforts are, and helps us to customize and improve our Website and App.

Some of the cookies are placed by third parties. You may visit their websites and read their privacy policies:

• Google (https://policies.google.com/privacy);
• Facebook (https://www.facebook.com/about/privacy/);
• Adjust (https://www.adjust.com/terms/privacy-policy/);
• Branch (https://branch.io/policies/#privacy);
• Rakuten Marketing LLC dba Rakuten Advertising (https://go.rakutenadvertising.com/hubfs/Services-Privacy-Policy-English.pdf).

Please note that we do not generally respond to "do not track" signals (a specification proposed by the US FTC to control tracking of online activities).

By continuing to visit or use our Website, App and/or Services, you are agreeing to the use of cookies and similar technologies for the purposes we describe herein. You can control cookies through your browser settings and other tools on your device. You can also opt-out from our use of certain cookies and similar technologies that track your behaviour in your personal settings.

# Recipients of your data

When processing personal data, we may share them with third parties, who can be processors acting on our instructions or controllers acting independently or jointly with us.

We always assess (before and periodically during engagement) our partners that may receive and process your personal data and impose obligations on them to ensure confidentiality of the data and security of the processing. We only use processors who can guarantee and demonstrate their compliance with the GDPR requirements. We also ensure that they process data based on the exact instruction provided by us and fully observe the confidentiality requirements. Where recipients of your data are not in the EU, we apply certain additional measures to ensure security of the processing and protection of your rights. Please learn more about Transfers of personal data to third countries in the next section of this Policy.

More information about categories of data recipients can be found below.

Performance of our contract with you requires sharing of your personal data with such recipients as:

• IT services providers, including, but not limited to, hosting and IT development services;
• Merchants with whom you make your order;
• Payment and logistics services providers, depending on your jurisdiction, order delivery destination, chosen payment and delivery options;
• Customer support services providers;
• Our affiliates.

Pursuing our legitimate interests (described above) may involve sharing of your personal data with such recipients as:

• IT services providers, including, but not limited to, analytics and IT development services providers;
• Ads services providers, including, but not limited to, ads serving and ads analytics services providers;
• BNPL services providers (such as KLARNA; please see their privacy notice here);
• Antifraud and security services providers (such as Riskified; please see their privacy notice here);
• Customer research services providers, for example, where we use outside platforms to conduct our survey or interviews;
• Our affiliates, consultants, business partners, and other third parties who assist us with our legitimate interests or have their own ones (for example, in case of processing copyright infringement reports).

Fulfilling our legal obligation may involve sharing your personal data with recipients determined by respective legal provision such as:

Competent public authorities, which for the purposes of this list shall include law enforcement agencies, courts, government agencies, or public authorities;Your duly authorized representative.

More information about our partners that may process your personal data, including links to their privacy notices and details of arrangements with our joint controllers can be found here. Please note, that this list is not exhaustive and mainly includes partners and details as agreed with such partners.

We kindly ask you to remember that when you access any third-party website or service, including through a link placed on our Website, App, Service, such websites may contain their own privacy policies that are different from ours. We are not responsible for such provisions, and expressly disclaim any liability for them. You should read such policies and be aware of such third party’s terms of data processing.

# International data transfers

In order to provide our service, we process, incl. transmit your data within the EU as well as outside of it. In the latter case we undertake all the necessary safeguards provided under the applicable legislation.

Where data is transferred outside of the EU to a territory that has not been deemed adequate by the European Commission, we with rare exceptions rely on appropriate safeguards under Article 46 of the GDPR. As a rule, the safeguard applied is that the transfer is subject to standard contractual clauses adopted by the European Commission binding upon recipients of your data. You may learn more about the standard contractual clauses here. In those rare cases when we rely on a derogation under Article 49 of the GDPR, we first make all reasonable efforts and take necessary measures to ensure that such derogation can be used without any harm to your privacy.

# Technical and organizational security measures followed by the controller

In accordance with the applicable requirements, we have determined and implemented appropriate technical and organizational measures to safeguard your data against accidental loss and unauthorized disclosure. Implemented security measures and their effectiveness are monitored on an ongoing basis and reviewed as may be necessary.

We require our processors acting under our instructions to protect any data they may receive in a manner consistent with this Policy. We do not allow them to use such information for any other purpose.

Our Data Protection Officer monitors our compliance with this Policy.

# Your rights and how to manage your data shared with Joom

In the Settings section of the App you can choose any of the personal data management options you like. we will process your request and provide you the relevant option without undue delay within 30 days after such request has been submitted. When you make such requests, we may need time to investigate and facilitate your request. After we process your request we will send you a confirmation at the email address that you provide us for this purpose.

When you submit such request you warrant and represent that you are the natural person in relation to which the contemplated data have been provided, shared and/or processed and you have full capacity and authority to submit such request. We reserve right to check this based on the data, that was shared with us, in case we have doubts and also to provide this information to the third parties, including the authorities, should they lawfully request such information.

Pursuant to the GDPR, you have the following rights with respect to your data:

• Request access your data as well as receive personal data relating to you in a structured, commonly used and machine-readable format (right to data portability).
• Request rectification of your data where the data is inaccurate. You may edit your data through your account settings.
• Withdraw your consent, which will result in the termination of processing based on your consent as the lawful basis for personal data processing.
• Object to processing of your personal data where the data processing is based on our legitimate interest. In order to process your request we kindly ask you to provide the ground for your particular situation why you object. We will cease processing related to direct marketing purposes upon your objection.
• To have your data deleted, unless the processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation which requires processing by Union or Member State or for the performance of a task carried out in the public interest; for the establishment, exercise or defence of legal claims.

  To delete your data via the Application follow this instruction:

  • Open the app.
  • Open your profile tab
  • For Apple devices: open "Settings".
  • Click "Conditions and Confidentiality" / "Privacy and Terms"
  • Click "Personal information".
  • Select "Delete data".

  To delete your data via the Website follow this instruction:

  • To delete your data, visit our Privacy Policy at https://www.joom.com/privacy, scroll to the bottom and submit the request to delete your data.

  Please remember that following the removal of your personal data, your account will also be deleted, you will lose all information about your orders, you will not be able to track them and ask for a refund if necessary.

• To restrict processing where the accuracy of the personal data is contested by you; the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead; the Joom no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims; you have objected to our use of your data pending the verification whether such processing should be carried on.
• To lodge a complaint with the supervisory authority in accordance with their competence. Typically, you may address the supervisory authority of your place of residency. You also have the right to lodge a complaint with Data State Inspectorate (Datu valsts inspekcija), our lead supervisory authority, by sending your compliant a) signed with a secure electronic signature by sending to Data to the official electronic mail address of the State Inspectorate at pasts@dvi.gov.lv or in the E-address information system; or b) signed by hand - by sending them by mail or placed in the mailbox on the 1st floor of the Data State Inspectorate (Elijas iela 17, Rīga, LV-1050). You can find document samples and actual information about complaint lodging here.

To exercise any of these rights, please contact us at privacy.officer@joom.com or privacy@joom.com.

You may manage your data by sending an email at privacy@joom.com in case you have any other request not listed above or you have any question in connection therewith.

You may also have the right to contact our Data Protection Officer via privacy.officer@joom.com.

Should you wish to communicate with us via mail:
SIA “Joom”
Address:
Gustava Zemgala st. 78-1, LV-1039,
Riga, Latvia

Last modified: 9 April 2024