Personal information is defined in the Regulation and is information or an opinion about an identified individual or an individual who is reasonably identifiable. Examples include an individual’s name, address, contact number and email address.

1 Personal data controllers
Shared personal data responsibility
KMP Online AB, 559069-5945, Ljusslingan 4, 120 31 Stockholm, Sweden and 2XU Pty Ltd, ABN 85 112 308 602, 23 Ceremore Street, Ceremore VIC 3121, Australia are jointly responsible for the processing of your personal data. KMP Online AB and 2XU Pty Ltd have established a special data sharing agreement. KMP Online AB and 2XU Pty LTD are responsible for ensuring that the personal data provided in connection with the order is handled in accordance with the Personal Data Protection Regulation (GDPR), hereinafter referred to as the Regulation. KMP Online AB is part of MnO International AB (556497-9457). Between KMP Online AB (subsidiary) and MnO International AB (parent company), certain information and documentation is also exchanged, including personal data.

2 How we collect personal information
We may collect personal information in a variety of ways, including when:
a) You visit and communicate with us via our website or social media
b) You place an order on the website
c) You sign up for our newsletter
d) You contact us by e-mail
e) You as a supplier or representative of these enter into cooperation with us
f) You apply for a position with us; and
g) You participate in competitions arranged by us.

The kinds of personal information that we collect and hold about you will depend on the circumstances of collection, including whether we collect the information from you as a consumer, reseller, partner, job applicant, newsletter subscriber or in some other capacity. For example, if you have placed an order via the online store, we may collect:
a) Your name
b) Your contact details including email, delivery and billing address
c) Payment details; and
d) Other information in connection with the purchase or which you may have provided in connection with you contacting us.

If you have contacted us for another purpose (for example as a reseller, job applicant or in other matters), we can save your name and contact information you choose to share with us. We may also collect data about the interactions you have with us.

3 Cookies
When you visit our website, we and/or third parties may place cookies on your browser to enhance and manage our website and improve our business and the services we provide to you. We, third parties and/or Google may use this information to optimize and place ads, including third party ads and remarketing ads based on past visits to this website, on our own and third party sites. Google’s ability to use and share information collected by Google Analytics is limited by the Google Analytics Terms of Service and Privacy Policy. More information can be found in our cookie policy, read more about cookies in the section Cookie Policy.

4 Use of your personal data
We collect and use personal information for a range of purposes, including to:
a) deliver products and process payment for the products
b) respond to your inquiries and provide you information about our products
c) if you enter one of our competitions or promotions, we will administer your participation in that competition or promotion
d) deal with any complaints or feedback you have
e) manage our relationships with our business customers, suppliers and contractors; and
f) consider jobseekers for current and future employment.

We may use your information for other purposes required or authorized by law (including purposes for which you have given your consent), for the purpose of other legitimate interests or in order to comply with a legal duty imposed on us. If we are unable to collect personal information from or about you, we may not be able to respond to your inquiries or requests or do business with you.

If you have given approval to receive newsletters for marketing purposes, we may use your personal information to contact you with 2XU news, offers and information about our products and events. When you sign up for our newsletter, you agree that we use your personal information, such as your email address, for direct marketing purposes. This includes sending you promotional emails. You can opt out of receiving direct marketing communications at any time by using the unsubscribe function located at the bottom of each newsletter or by contacting us via info.nordics@2xu.com.

5 Processing of personal data
In this section, we describe how we process your personal data more in detail.

Customers or potential customers
A) Purpose: Processing orders from customers.
Type of processing: This includes processing for delivery (including notifications and contacts concerning the delivery), processing of orders from customers, identifying customers, processing payment and processing complaints and warranty claims.
Categories of personal data: Name, social security number, contact information (such as e-mail address and phone number), payment information, purchase information (i.e. which product has been ordered or whether the product should be delivered to another address).
Categories of data subjects: Customers.
Source: Customer.
Lawful basis: Completion of order. This gathering of your personal data is required in order for us to be able to fulfil our commitments as agreed. If the information is not provided, our commitments cannot be fulfilled and we may terminate the agreement.
Automated decision making: This processing does not mean that decisions will be made based on automated processing of personal data.
Data retention: Until the agreement has been performed (including delivery and payment) and for a time of up to 36 months thereafter with the purpose of processing complaints or warranty claims.

B) Purpose: To fulfil the company’s legal obligations regarding purchase of goods or services.
Type of processing: This includes the necessary processing for fulfilling the company’s legal obligations according to law, court rulings (e.g. the Book-keeping Act) or decisions by authorities.
Categories of personal data: Name, social security number, contact information, payment history, payment information.
Categories of data subjects: Customers.
Source: Customer.
Lawful basis: Legal obligation.
Automated decision making: This processing does not imply that decisions will be made based on automated processing of personal data.
Data retention: Until the purchase had been completed (including delivery and payment) and for a time of up to 7 years thereafter.

C) Purpose: Processing customer service matters.
Type of processing: The processing includes communication and answering to potential questions related to customer service (by phone or in digital channels, including social media), identifying the customer and investigation of potential complaints.
Categories of personal data: Name, social security number, contact information, correspondence with the customer or customer’s representative. Information on purchase time, potential defects/complaints.
Categories of data subjects: Customers.
Source: Customer.
Lawful basis: Legitimate interest. The processing is necessary in order to meet ours and the data subject’s legitimate interest in processing information regarding customer service matters.
Automated decision making: This processing does not imply that decisions will be made based on automated processing of personal data.
Data retention: Until the customer service matter has been settled.

D) Purpose: Marketing.
Type of processing: This includes e.g. marketing mailings regarding our products and services via e-mail and by post.
Categories of personal data: Name, contact information.
Categories of data subjects: Customers, potential customers.
Source: Customer or representatives of customers, potential customers.
Lawful basis: Consent and legitimate interest. The processing is necessary to cater our interest in marketing our products and services.
Automated decision making: This processing does not imply that decisions will be made based on automatic processing of personal data.
Data retention: One year from the last contact. Longer after consent.

Suppliers
Purpose: In order to communicate with contact persons for suppliers and partners.
Type of processing: This includes e.g. processing deliveries and cooperation as well as providing an organizational chart and telephone list in order to collaborate internally within the company. Supplier directory for easier access to contact information.
Categories of personal data: Name, contact information.
Categories of data subjects: Suppliers and their representatives.
Source: From suppliers.
Lawful basis: Legitimate interest. The company has a legitimate interest in processing the personal data necessary in order to communicate with contact persons for suppliers and partners.
Automated decision making: This processing does not imply that decisions will be made based on automated processing of personal data.
Data retention: Until we have received information that the contact person has quit or changed contact information, or for as long as the contractual relationship remains.

Job seekers
Purpose: In order to administer a recruitment process.
Type of processing: This includes e.g. to review the application and communicate with the applicant.
Categories of personal data: Name, social security number, contact information, proof of identity, information on jobseeker’s performances and prior work experience.
Categories of data subjects: Jobseekers.
Source: Jobseeker and jobseeker’s employer.
Lawful basis: Until the position is appointed: completion of the agreement. After the position has been appointed: legitimate interest (or consent).
Automated decision making: This processing does not imply that decisions will be made based on automated processing of personal data.
Data retention: Up to two years from when the position was appointed. Following completed recruitment process, the information is filed in order to be used at a potential appeal of the recruitment in accordance with e.g. non-discrimination legislation. When there is no longer a possibility to appeal, the information will be destroyed unless there is consent to continued processing.

6 Information to third parties
The information collected is used by us and the partners we work with depending on which channel you have contacted us through. We may sometimes need to disclose personal information to third parties. These include, where appropriate, internally our related bodies corporate and third parties that provide services to us, including parties that provide our payment gateway, marketing, logistics and IT support services. We may also disclose your personal information to other third parties and for other purposes where we are required or authorized by or under law to do so (including where you have provided your consent).

Some of our related companies and service providers are located abroad. As a result, personal information collected and held by us can be transferred outside Sweden to countries that do not have adequate data protection level. The transfer of personal data to such a country shall only take place if contractual clauses (e.g. EU Model Clauses, Privacy Shield, etc.) have been put into place.

We have signed agreements that include provisions on the processing of personal data on behalf of KMP Online AB with selected goods and service suppliers, such as IT suppliers.

To carry out the order on the online store, we work with Shopify Payments, which takes care of our payment solution.

We will share the personal information to transport companies such as Postnord that is required to be able to complete and deliver your order.

When you send e-mail to our customer service, we will handle and store the personal data such as. first and last name and e-mail or other information that you provide yourself as well as the e-mail history.

If you have chosen to subscribe to the 2XU Newsletter, your e-mail, name and any other information that you have provided to us in connection with subscribing to the 2XU Newsletter will be saved. The information is stored in accordance with the laws of the Data Protection Regulation.

You can be assured that we will not share or sell personal information on to third parties for marketing purposes. We mainly use partners and third parties within the EU / EEA area to process and store the information.

Please note that the web shop may contain links to other web pages. We are not responsible for the personal data policy or processing of your personal data on third party websites. We recommend that you read the personal data policy that applies to that website.

7 Data processing rules
We process your personal information in compliance with the Data Protection Regulation, which is based on the processing principles set out below. Personal information must be:
a) processed lawfully, fairly and in a transparent manner.
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
c) adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, is erased or rectified without delay.
(e) kept in a form which permits identification for no longer than is necessary for the purposes for which the personal data is processed.
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

8 Security
We take reasonable steps to protect the personal information we hold against loss, unauthorized access, use, modification or disclosure and against other misuse. This includes taking appropriate security and organizational measures to protect electronic materials and materials stored and generated in hard copy.

We use appropriate firewalls and antivirus software to protect and prevent unauthorized access. The website uses SSL (Secure Socket Layer) which is a protocol for secure data transfer. SSL uses digital certificates to control the sender and receiver of the data transmission.

9 Your rights and correction / removal of personal data
According to the Data Protection Regulation, you have the following rights:
a) the right to be informed about the collection and use of personal data by us.
b) the right to access the personal data we hold about you.
c) the right to rectification if any personal data we hold about you is inaccurate or incomplete.
d) the right to be forgotten, i.e. the right to ask us to delete any personal information we hold about you.
e) the right to restrict (i.e. prevent) the processing of the personal data.
f) the right to data portability (obtaining a copy of the personal data to re-use with another service or organization).
(g) the right to object to us using the personal data for particular purposes; and
(h) the rights with respect to automated decision-making and profiling (where applicable).

You can always request correction, extracts and that we delete your information from our register by writing an e-mail to info.nordics@2xu.com. Upon written request, we remove the customer information from our customer register, unless it is information that is mandatory and required to be saved for accounting or lawful reasons.

10 Complaints
Please contact us (see contact details in section below) if you have any concerns or complaints about how we have collected or handled your personal information. We will ask you about your complaint and respond in writing within 30 days. If you are not satisfied with our response, you can contact us to discuss your concerns or make a complaint to the competent supervisory authority.

11 Contact information and additional information
f you would like more information about our privacy policy, or if you would like to contact us regarding the information in this policy, please contact us:
by e-mail: info.nordics@2xu.com
by post: KMP Online AB, Ljusslingan 4, 120 31 Stockholm, Sweden

12 Change to this policy
We may amend this policy from time to time at our discretion. Amended versions will be published on our website.

Privacy policy last updated August 2022.