OCHAMA PRIVACY POLICY
Version 9-2023
This Privacy Policy contains important information as it sets out how we, Jingdong Retail (Netherlands) B.V. (“ochama”), handle personal data of our website visitors, app users and customers (members and non-members) (“user” or “you”). Our processing activities may differ if you have registered for an account with us or if have chosen for one of our memberships. Where there is a distinction between the way in which we use the personal data of members and non-members, we will make this clear below.
Please read the Privacy Policy carefully. If you have any questions, please feel free to contact us.
1 About ochama
1.1 Jingdong Retail (Netherlands) B.V. (“ochama”, we, us or our) attaches great importance to the protection of its users privacy and personal information. We collect and use your personal data when you use our products and/or services. This ochama Privacy Policy (the 'Policy') explains to you how we and other members of the ochama group collect, use, save, share, transfer or otherwise process your personal data when you, or in the case of business users any individuals acting on your behalf (your “Personnel”), use(s) our products and/or services, and the way we provide for you to access, update, delete and protect that information.
1.2 References to Personnel below are relevant only to business users` use of ochama. Your personal information or your personal data shall refer to both the personal information of individuals as well as Personnel of business users.
2 Scope
2.1 The scope of this Policy is limited to processing activities to which the General Data Protection Regulation (“GDPR”) and its national implementation acts apply.
3 Responsibility
3.1 We will only process personal data in accordance with the applicable privacy legislation and as described in this Policy.
3.2 The website includes links to website of third parties. We are not responsible for the content of these websites, services provided by these third parties or their compliance with the applicable privacy legislation.
4 How we obtain your personal data
4.1 We obtain your personal data in various ways:
a. We obtain information actively provided by you. For example, if you contact us, if you sign up for our newsletter or if you provide information to us in the course of our services.
b. We obtain some information automatically when you visit our website. For example, we automatically obtain information about you via cookies when you visit our website. For more information on this, please see our Cookie Policy here.
c. We may perform analysis on personal data about you. The resulting data can also qualify as personal data about you. For example, we may analyze which webpages are visited most frequently.
4.2 It may be that providing certain personal data to us is a statutory or contractual requirement, a requirement necessary to enter into a contract, or that you are otherwise obliged to provide the data to us. If that is the case, we will inform you thereof separately, and will also explain the possible consequences if you fail to provide such personal data to us.
5 Details of processing
5.1 It depends on the processing activity, which personal data we process about you, for which purposes and based on which legal ground. Please find an overview below.
Activity | Categories of personal data processed | Legal ground(s) for processing and purposes for processing |
Visiting our website or app (“cookie information”) |
• IP address • Browsing history • Cookie preferences • Movements on our websites or websites of third parties gathered through tracking cookies • Information gathered through “event tracking” activities • Information gathered through “device fingerprints” For detailed information about our use of cookies, we refer to our Cookie Policy. | We collect these personal data on the basis of your consent or, in case we are not legally required to obtain consent, on the basis of our legitimate interests, namely improving our online services. This is the case with regard to technical cookies necessary for the functioning of the website and several analytic cookies that are not used to treat you differently from other users. We process your personal data for purposes of (i) improving our website and/or app, (ii) being able to show you the products and services that fit your preferences, (iii) being able to provide you with consistent service across all your devices, (iv) enhancing our security and protecting your information and (v) enhancing your shopping experiences. |
Registering a user account (“user account information”) |
• Your gathered cookie information • Telephone number • Email address • Login details, such as your login name, password and answers to passphrase protection answers • User avatar We collect these personal data on the basis of your consent or, in case we are not legally required to obtain consent, on the basis of our legitimate interests, namely verifying your identity for security reasons. We process your personal data for the purposes of (i) registering you as a user to our services, (ii) verifying your identity to make sure you are who you say you are, and (iii) enhancing our security and protecting your information. | We collect these personal data on the basis of your consent or, in case we are not legally required to obtain consent, on the basis of our legitimate interests, namely verifying your identity for security reasons. We process your personal data for the purposes of (i) registering you as a user to our services, (ii) verifying your identity to make sure you are who you say you are, and (iii) enhancing our security and protecting your information. |
Additional memberships (“membership information”) |
• Your gathered cookie information • Your provided user account information • Your provided shopping information with regard to purchases made through the membership card • Family card name • Members added to the family card • Type of membership • Duration of the membership • Credit and coupon amounts • • Information with regard to cancellation of the membership | We collect these personal data on the basis of your consent or, in case we are not legally required to obtain consent, as this is necessary for the performance of a contract or on the basis of our legitimate interests, namely verifying your identity for security reasons. We process your personal data for the purposes of (i) registering you as a member, (ii) carrying out our obligations with regard to your membership, (iii) verifying your identity to make sure you are who you say you are, and (iv) enhancing our security and protecting your information. |
Online shopping (“shopping information”) |
• Your gathered cookie information • Your provided user account information • Contents of your shopping basket • Order information, such as verification information, the consignee`s name, order number, the goods and/or services purchased, serial numbers, price and terms of payment • Payment details, such as amount paid, date of payment and outstanding payments • Delivery information, such as your address or chosen delivery depot, track and trace code and third party delivery company • Order history, such as received and/or cancelled orders, pictures of damaged products, receipts of your orders and information regarding refunds | We collect these personal data on the basis of your consent or, in case we are not legally required to obtain consent, as this is necessary for the performance of a contract or on the basis of our legitimate interests, namely improving our online services, verifying your identity for reasons of security and for carrying out debtor management activities. We process your personal data for the purposes of (i) enhancing your shopping experiences, (ii) carrying out your orders, payments and deliveries as per the contract, (iii) gathering and collecting your order history, (iv) verifying your identity to make sure you are who you say you are, and (v) enhancing our security and protecting your information. |
Customer service or otherwise corresponding with you |
• If registered, your provided user account information • If not registered, your name, e-mail address and telephone number • Content of your message, including voice recording of your conversation with our customer services personnel, for instance a complaint or pictures of a damaged product | We collect these personal data on the basis of your consent or, in case we are not legally required to obtain consent, as this is necessary for the performance of a contract or on the basis of our legitimate interests, namely verifying your identity for reasons of security, improving our services and providing customer service. We process your personal data for the purposes of (i) following up on your questions, complaints and claims, (ii) providing information with regard to products or services that are relevant to you, (iii) verifying your identity to make sure you are who you say you are, and (iv) enhancing our security and protecting your information. |
Newsletter |
• If registered, your provided user account information • If not registered, your name and e-mail address • Preferences for receiving information, such as frequency and categories of information | We collect these personal data on the basis of your consent. We process your personal data for the purposes of (i) providing information with regard to products or services that you might like, and (ii) providing offers. |
Other general purposes |
• If registered, your provided user account information • If not registered, any other information we possibly have of you that is necessary for the relevant purpose of processing. | We collect these personal data as this might be necessary for compliance with a legal obligation that is applicable to us as a data controller or for purposes of our legitimate interests, namely carrying out our regular business activities and protecting our interests in case of conflicts. We process your personal data for purposes of (i) following requests of public authorities, (ii) conducting criminal investigations, prosecutions, trails and the execution of judgments, (iii) protecting rights of third parties, (iv) conducting statistical or academic researches, or (v) other circumstances as stipulated by relevant laws and regulations. |
5.2 If and insofar your personal data is processed on the basis of legitimate interests, information can be obtained by you as to the so-called balancing test that was carried out to allow us to rely on this processing ground. Please find our contact details below.
5.3 It may be that we intend to further process your personal data for a purpose other than those for which the personal data have been collected. In such case, we will provide you with information about the(se) other purpose(s) and all relevant further information prior to that further processing.
6 Sharing with third parties
6.1 To ensure the smooth completion of our services, we may share your personal data with some third parties. This however only takes place strictly on a need-to-know-basis with:
a. affiliate companies of ochama;
b. subcontractors and service providers involved, such as:
• shipping lines, trucking companies and depots for purposes of supporting our services
• auditing companies, consulting and law firms for professional advisory services
• third party merchants in order for you to carry out purchases of goods and services of third parties that provide offers on our platform
• hosting and payment providers for technical and financial infrastructure services
• marketing partners including online platforms and publishers for providing you with offers through our mailing list, for gathering information about your preferences for provision of customer services, and for collecting and analyzing your other behavior preferences on our website or app to retarget and run customized advertisements
• third party customer services company to provide customer services to
all employed or engaged by a data processor of ochama or affiliated companies of ochama, on a need-to-know basis;
c. competent authorities, such as the authorities of the country of transit or destination for customs clearance in as far as required by the laws of the respective country; and
d. incidentally: other third parties, on a need-to-know basis, for instance in case of a merger, acquisition, asset transfer or similar transaction of where this is needed to comply with the law or to protect our own rights, properties and safety.
6.2 We will only make information public under the following conditions and to the extent that security measures that are generally accepted in the industry have been taken:
a. At your request, and only limited to the personal data you have requested;
b. As required by relevant laws and regulations applicable to us.
7 Transfer to countries outside the EEA
7.1 Some of our recipients as referenced above are located in countries, including China, that may not – by law – provide the same level of data protection as you are used to in the European Union. For instance, if your order indicates that the order will be sent directly to you from outside EEA, we will share your data with our logistic partners located there. This is necessary for labeling, packing, shipping, and customs clearance purposes. In those cases, we will ensure that there are adequate safeguards in place to duly protect your personal data and we guarantee that we are able to and have mechanisms in place to respect the level of data protection required by EU data protection laws, and that we shall refrain from processing personal data subject EU data protection laws in the event of a breach of the concluded safeguarding measures or if we are no longer able to honor them.
7.2 Transfers of your personal data to a country outside the EEA may in the first place be legitimized on the basis of a so-called adequacy decision. This is a decision in which the European Commission states that e.g. a certain country offers a level of data protection similar to the GDPR. See this link for the current list of adequacy decisions. If and insofar as we transfer personal data with parties in countries outside the EEA to which no adequacy decision applies, we will agree with these parties to data protection provisions set by the European Commission, so called standard contractual clauses. A copy of the agreed standard contractual clauses can be requested by you. If needed, we will in addition make use of supplementary measures in order to protect your personal data. Please also contact us if you would like to obtain additional information on the transfer of your personal data out of the EEA. Our contact details are stated below.
7.3 The personal data processed by us are primarily stored on a server located in the Netherlands.
8 Security
8.1 We take appropriate organizational and technical security measures to protect your personal data and to prevent misuse, loss or alteration thereof. In addition, we limit access to personal data to those employees, agents, contractors and other third parties who need to have access in view of their work/services. Also, the aforementioned persons involved are bound by a confidentiality obligation, either in their employment agreements or (data processing) agreements.
8.2 Examples of technical security measures taken by us are:
a. logical and physical security (e.g. safe, doorman, firewall, network segmentation);
b. technical control of authorizations (as limited as possible) and log files keeping;
c. management of the technical vulnerabilities (patch management);
d. keeping software up-to-date (e.g. browsers, virus scanners and operating systems);
e. making back-ups to safeguard availability and accessibility of the personal data;
f. automatic erasure of outdated personal data after the concluded retention period, in accordance with our internal data retention policy;
g. encryption of personal data;
h. applying hashing or (other) pseudonymization methods to personal data; and
i. provide secure storage facilities for end-users (e.g. file server storage).
8.3 Examples of organizational security measures taken by us are:
a. assign responsibilities for information security;
b. promote privacy and security awareness among new and existing employees;
c. establish procedures to test, assess and evaluate security measures periodically;
d. check logfiles regularly at a reasonable frequency;
e. using mature internal processes and protocols for handling data breaches and other security incidents;
f. conclude confidentiality, data processing and data protection agreements;
g. perform regular data minimization assessments at a reasonable frequency;
h. provide access to personal data to as few people within the organization as possible; and
i. define the internal data government structure (who is responsible for the processing activity) and underlying considerations (why are the processing activities necessary) per processing.
8.4 We have internal security policies in place in which it is further described how we ensure an appropriate level of technical and organizational security measures. We also have a data breach policy in place in which it is described how we deal with a (possible) data breach.
9 Retention periods
9.1 In principle, we do not store your personal data any longer than is strictly necessary for the purposes for which we process your personal data. ochama has put in place a Retention Policy to ensure that your personal data are automatically deleted after a reasonable period.
9.2 We have the following retention terms in place:
Activity | Retention period |
Visiting our website or app | We refer to our Cookie Policy for the retention terms per cookie used by us. |
User account information | 3 years after your last activity |
Membership information | 3 years after your last activity |
Shopping information | 3 years after your last activity |
Customer service and correspondence | 3 years after your last activity |
Newsletter preferences | 3 years after your last activity |
Other general purposes | 3 years after your last activity |
9.3 Please contact us via our contact details displayed below, should you wish to be further informed on how long we process your personal data.
10 Your rights (incl. the right to object)
10.1 In relation to our processing of your personal data, you have the below privacy rights. For more information on your privacy rights, please be referred to this webpage of the European Commission.
a. Right to withdraw consent: In so far as our processing of your personal data is based on your consent (see above), you have the right to withdraw consent at any time.
b. Right of access: You have the right to request access to your personal data. This enables you to receive a copy of the personal data we hold about you (but not necessarily the documents themselves). We will then also provide you with further specifics of our processing of your personal data.
c. Right to rectification: You have the right to request rectification of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected.
d. Right to erasure: You have the right to request erasure of your personal data. This enables you to ask us to delete or remove personal data where: (i) the personal data are no longer necessary, (ii) you have withdrawn your consent, (iii) you have objected to the processing activities, (iv) the personal data have been unlawfully processed, (v) the personal data have to be erased on the basis of a legal requirement, or (vi) where the personal data have been collected in relation to the offer of information society services. We do not have to honour your request to the extent that the processing is necessary: (i) for exercising the right of freedom of expression and information, (ii) for compliance with a legal obligation which requires processing, (iii) for reasons of public interest in the area of public health, (iv) for archiving purposes, or (v) for the establishment, exercise or defence of legal claims.
e. Right to object: You have the right to object to processing of your personal data where we are relying on legitimate interests as processing ground (see above). Insofar as the processing of your personal data takes place for direct marketing purposes, we will always honour your request. For processing for other purposes, we will also cease and desist processing, unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms or that are related to the institution, exercise or substantiation of a legal claim.
f. Right to restriction: You have the right to request restriction of processing of your personal data in case: (i) the accuracy of the personal data is contested by you, during the period we verify your request, (ii) the processing is unlawful and restriction is requested by you instead of erasure, (iii) we no longer need the personal data but they are required by you for the establishment, exercise or defence of legal claims, or (iv) in case you have objected to processing, during the period we verify your request. If we have restricted the processing of your personal data, this means that we will only store them and no longer process them in any other way, unless: (i) with your consent, (ii) for the establishment, exercise or defence of legal claims, (iii) for the protection of the rights of another natural or legal person, (iv) or for reasons of important public interest
g. Right to data portability: You have the right to request to transfer of your personal data to you or to a third party of your choice (right to data portability). We will provide to you, or such third, your personal data in a structured, commonly used, machine-readable format. Please note that this right only applies if it concerns processing that is carried out by us by automated means, and only if the our processing ground for such processing is your consent or the performance of a contract to which you are a party (see above).
h. Automated decision-making: You have the right not to be subject to a decision based solely on automated processing, which significantly impacts you (“which produces legal effects concerning you or similarly significantly affects you”). In this respect, please be informed that when processing your personal data, we do not make use of automated decision-making.
i. Right to complaint: In addition to the above mentioned rights you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work or of an alleged infringement of the GDPR at all times. Please be referred to this webpage for an overview of the supervisory authorities and their contact details. However, we would appreciate the chance to deal with your concerns before you approach the supervisory authority so please contact us beforehand.
10.2 The exercise of the abovementioned rights is free of charge and can be carried out by phone or by e-mail via the contact details displayed below. If requests are manifestly unfounded or excessive, in particular because of the repetitive character, we will either charge you a reasonable fee or refuse to comply with the request.
10.3 We may request specific information from you to help us confirm your identity before we comply with a request from you concerning one of your rights.
10.4 We will provide you with information about the follow-up to the request without undue delay and in principle within one month of receipt of the request. Depending on the complexity of the request and on the number of requests, this period can be extended by another two months. We will notify you of such an extension within one month of receipt of the request. The applicable privacy legislation may allow or require us to refuse your request. If we cannot comply with your request, we will inform you of the reasons why, subject to any legal or regulatory restrictions.
10.5 If you want to re-register from ochama, you can do so through your account. You can also contact us to delete your account on our contact details as listed below. With regard to storing your personal data after deletion, we refer to our storage periods.
10.6 If you have subscribed to our newsletter, you can always revoke your consent through the unsubscribe-link at the bottom of the newsletter.
11 Protection of minors
11.1 ochama attaches great importance to the protection of personal data of minors. If you are a minor under the age of 18, you must obtain prior written consent from your parent or legal guardian before using our products and/or services. ochama protects personal information of minors in accordance with applicable laws and regulations. For personal data of minors collected with the consent of parents or legal guardians, we will only use or publicly disclose it when permitted by law, explicitly consented to by the parent or guardian or required for protecting the child. If we find ourselves collecting personal information of a minor without the prior consent of a verifiable parent or legal guardian, we will try to delete it as soon as possible.
12 Contact details
12.1 For any questions, comments or requests, you may contact us via support@ochama.com. Please let us know by e-mail if you prefer to have further contact over the phone.
12.2 Further, the data protection officer can be contacted at support@ochama.com. Please note that our data protection officer is located in China. As to our data transfers, we refer to clause 7.
13 Miscellaneous
13.1 ochama is entitled at all times to delete your personal data without notice. In such a case, ochama owes no compensation to you as a result of the termination of the account.
13.2 If provisions from this Policy are in conflict with the law, they will be replaced by provisions of the same purport that reflects the original intention of the provision, all this to the extent legally permissible. In that case, the remaining provisions remain applicable unchanged.
13.3 ochama reserves the right to change this privacy policy on a regular basis. Where required, ochama will inform you of updates made to this Policy. The current version is always available on our website and in our app. This Policy was last amended and revised in September 2023.
14 Definitions
14.1 In this privacy policy, the following definitions apply:
Applicable privacy legislation | All applicable privacy legislation, including the General Data Protection Regulation (“GDPR”) and the relevant national implementation acts. |
Privacy policy | This present privacy policy. |
ochama |
Jingdong Retail (Netherlands) B.V. Da Vincistraat 5 2652 XE Berkel en Rodenrijs Chamber of Commerce-number: 80456774 |
Website | www.ochama.com |
App | ochama |
14.2 Other terms that are defined in the applicable privacy legislation, such as ‘personal data`, (joint) controller, processor, data subject and processing will have the meaning as described in the applicable privacy legislation.