PRIVACY POLICY

1. Responsibility

1.1 Protecting your Personal Data is our highest priority regardless of whether such Personal Data relates to you, your transactions, your products or your services.

1.2 We process Personal Data and have therefore adopted this Privacy Policy, which tells you how we process your Personal Data.

2. Service Provider

Service provider is: Lakrids by Johan Bülow A/S CVR-nr: 33041586 Sydholmen 7 DK-2650 Hvidovre
Danmark (Hereinafter referred to as ”Lakrids”)

T: [+45] 3217 6822 E: service@lakridsbybulow.com W: www.lakridsbybulow.com

3. Personal Data

3.1 It is important for us to keep your Personal Data safe and confidential. We have procedures for collecting, storing, deleting, updating and disclosing Personal Data to prevent unauthorized access to your Personal Data and to comply with applicable laws.

3.2 We ensure fair and transparent computing. When we ask you to provide us with your Personal Data, we will let you know what Personal Data we process about you and for what purpose such Personal Data is being processed. You will receive information about this at the time of collection of your Personal Data.

3.3 The following guidelines describe the types of Personal Data we collect, how we process such Personal Data, and who you can contact, if you have any questions or comments about this Privacy Policy.

4. Categories of Personal Data

4.1 We will collect and process the following Personal Data pertaining to You or the Data Subject, which may include: – General Personal Data (e.g. name and/or username, address, e-mail, date of birth, gender, profile picture, location, etc). – Traffic data on using the Internet – Transaction Data – Purchase history – Unique numbers on network devices – IP Address

5. Purpose

5.1 We collect and store your Personal Data for specific purposes or other legitimate business purposes.

5.2 Your Personal Data is collected and used for: – to provide you with Lakrids’ service information and news, – to support Lakrids and services offered on or through Lakrids, – to contact you for feedback about our services, – to conduct research about Lakrids’ customer base or services, – to fulfil your reservation and purchase requests, – to process your payments including credit checks and collection, – to notify you of technical updates or changes in policy, – to contact you for our own marketing and promotional purposes, or – to process contests, sweepstakes, or other promotions and fulfil any related awards or discounts.

5.3 We may use non-Personal Data such as demographic data to analyse and develop our marketing strategy and further improve lakrids.nu and our services.

6. The Data Subjects' Rights

6.1 The Data Subjects’ rights will only be individually important in relation to Lakrids in the cases where Lakrids is data controller. If Lakrids is data processor, the Data Subjects’ rights must be fulfilled by the data controller who will typically be Lakrids’ customer.

6.2 Right of access

6.2.1 According to article 15 of the General Data Protection Regulation, the Data Subject is entitled to be informed whether any Personal Data about the subject is being processed and if so, obtain access to the Personal Data (a copy of the Personal Data must be handed over).

6.2.2 Furthermore, the Data Subject is entitled to receive the following information: – the purpose of the processing – the affected categories of Personal Data –the recipients or categories of recipient, the Personal Data has been or will be passed on to, particularly recipients in third countries or international organisations –if possible the period in which the Personal Data will be stored or, if this is not possible, the criteria used for determining this period –the right to request the data controller for rectification or erasure of Personal Data or limitation of the processing of Personal Data regarding the Data Subject or to object to such processing –the right to complain to a supervisory authority –any available piece of information about the origins of the Personal Data if it has not been collected from the Data Subject –the occurrence of automated decisions, including profiling as described in article 22(1) and (4) and, as a minimum, meaningful information about the logic hereof as well as the importance and the expected consequences for the Data Subject of such processing.

6.2.3 Furthermore, the Data Subject is entitled to receive information about the necessary guarantees if the Personal Data has been transferred to third countries.

6.2.4 In order to comply with a request for access we shall search all systems - including all databases, all hardware and all portable media - as well as all physical materials which are part of a register and hand over the Personal Data that has been registered about the Data Subject.

6.2.5 According to the General Data Protection Regulation the right to access does not apply if the Data Subject’s interest in the information is considered to be of less importance than fundamental concerns for personal interests, including the concern for said subject.

6.3 Data portability

6.3.1 Furthermore, according to article 20 of the General Data Protection Regulation the Data Subject is entitled to receive Personal Data about himself which said subject has provided to the company. This data must be provided in a structured, commonly used and machine readable format.

6.3.2 The Data Subject is also entitled to transmit this information to another data controller himself without objections from the company when the processing is based on consent and carried out automatically. If the Data Subject makes use of this right to data portability, the Data Subject is also entitled to have Personal Data transmitted directly from one data controller to another, if this is technically possible.

6.3.3 The right to data portability only comprises information received from the Data Subject and will only comprise automatic processing. Further, the right to data portability will be very limited if the company bases its right to process Personal Data on any other legal rights to process Personal Dta than consent.

6.4 Right to rectification

6.4.1 According to article 16 of the General Data Protection Regulation, the Data Subject is entitled to obtain rectification of incorrect Personal Data by the data controller without undue delay. Taking the purpose of the processing into consideration, the Data Subject is also entitled to obtain completion of incomplete Personal Data, e.g. by submitting a supplementary statement.

6.4.2 This right supplements our own basic obligation to continually ensure that only correct and updated information is processed, cf. article 5(1), point d.

6.4.3 However, the right to rectification only applies to objective Personal Data and not to subjective assessments. The fact that we may have decided that an employee does not have legal basis to conduct a case is not considered to be Personal Data governed by the right to rectification.

6.5 Right to be forgotten

6.5.1 According to article 17 of the General Data Protection Regulation, the Data Subject is entitled to request erasure of Personal Data by us without undue delay. In that case we are obliged to erase Personal Data without undue delay.

6.5.2 However, this right is limited in such a manner that the Data Subject cannot request erasure if the processing is necessary in order to comply with a legal obligation or to establish, exercise or defend legal claims, cf. article 17(3), points b and e.

6.5.3 We believe that the ”right to be forgotten” will very rarely be relevant for the Personal Data collected by us. It may become relevant if the collection of Personal Data was never necessary and therefore should not have been carried out or if the Personal Data is undoubtedly no longer necessary. In that case the obligation to erase Personal Data will also follow from the basic obligation to only process necessary information, cf. article 5(1), point c of the General Data Protection Regulation. However, the “Right to be forgotten” shall not apply if (and for as long as) we store such Personal Data in order to refute a possible legal claim from customers.

6.5.4 If, according to article 17, we are obliged to erase Personal Data, which has been transferred to other data controllers or data processors, we must inform such data controllers and data processors of the request for erasure of all links to or copies or reproductions of said Personal Data.

6.6 Right to object - also against automated decisions

6.6.1 It follows from article 21 of the General Data Protection Regulation that the Data Subject may at any time exercise his right to object to the processing of his Personal Data, if the processing - including profiling - is based on article 6(1), point e or f. These provisions govern the right to process ordinary Personal Data if the processing is necessary to carry out a task in the interest of society or if the processing is necessary to pursue a legitimate interest and the concern for the Data Subject does not exceed this interest.

6.6.2 If an objection is filed we are no longer entitled to process said Personal Data unless we can prove substantial legitimate reasons for the processing which supersedes the interests of the Data Subject or if the processing is necessary in order to establish, exercise or defend legal claims.

6.6.3 We believe that this provision will only have limited impact on our processing because our processing of Personal Data is to a wide extent tied to the authority to comply with an agreement or establish a legal claim just as we - if the processing otherwise complies with the basic processing rules - will often be able to show substantial legitimate reasons for processing the Personal Data.

6.6.4 The provision in article 21 is based on the condition that the Data Subject is made specifically aware of his right to object and that this information must be given no later than at the time of the first communication. Furthermore, this information must be given in clear terms and kept separate from other information.

6.6.5 In addition to article 21, article 22 provides the Data Subject with a right to not be subject to a decision which is solely based on automated processing, including profiling, which has legal effect or similar considerable effect on said person.

6.6.6 This provision also includes several exceptions, cf. article 22(2). Among other things, this right does not apply if the decision is necessary to enter into or comply with an agreement between the Data Subject and data controller, if the processing is in accordance with the law or if the processing is based on the Data Subject’s explicit consent.

6.6.7 However, article 22 generally presumes that automated decisions are not based on specific categories of Personal Data, cf. article 9(1), unless explicit consent has been given and sufficient measures have been taken to protect the Data Subject’s rights and civic rights and legitimate interests.

6.7 Right to restriction of processing

6.7.1 Article 18 of the General Data Protection Regulation gives the Data Subject the right to obtain from the data controller restriction of processing where one of the following applies: – the accuracy of the Personal Data is contested by the Data Subject, for a period enabling the controller to verify the accuracy of the Personal Data – the processing is unlawful and the Data Subject opposes the erasure of the Personal Data and requests the restriction of their use instead – the controller no longer needs the Personal Data for the purposes of the processing, but back up of the Persona Data are required for the establishment, exercise or defence of legal claims – the Data Subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the Data Subject

6.7.2 Thus, this right is an alternative (and smaller) interference in the processing compared to the Data Subject’s right to object under articles 21 and 22 and the Data Subject’s ”right to be forgotten” under article 17.

6.7.3 It follows from subsection 2 of this provision that if processing has been restricted, such Personal Data may, except for purposes of storage, still be processed if, among other things, the Data Subject consents or if the processing is necessary to establish, exercise or defend a legal claim.

6.7.4 In our opinion this provision will only have limited importance for our access to process Personal Data as part of our case work.

7. General Processing Principles

7.1 Processing principles

7.1.1 We will process Personal Data in a legal, reasonable and transparent manner.

7.1.2 Our processing of Personal Data is subject to purpose limitation which means that Personal Data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes,

7.1.3 We carry out restrictive processing of Personal Data which means that it must be sufficient, relevant and limited to the necessary data for the purposes for which it is processed.

7.1.4 Personal Data must be processed in accordance with a principle of accuracy which means that it must be correct and, if necessary, updated.

7.1.5 We process Personal Data in accordance with a principle of storage limitation which means that Personal Data must be stored in such a way that the Data Subjects cannot be identified for any longer than what is necessary for the purposes for which the relevant Personal Data is processed.

7.1.6 Personal Data must be processed in accordance with principles of integrity and confidentiality which means that it must be processed in such a way that the Personal Data is kept sufficiently safe and protected against unauthorised or unlawful processing and accidental loss, destruction or damage, by using adequate technical or organisational measures.

7.2. Risk analysis

7.2.1 In connection with our case work we must carry out adequate technical and organisational measures in order to ensure a level of security which corresponds to the risks that are specifically related to our processing of Personal Data.

7.2.2 We have carried out a risk analysis which forms the basis of this Privacy Policy.

7.3 Data Protection Impact Assessment (DPIA)

7.3.1 Article 35 of the General Data Protection Regulation contains a requirement that where a type of processing, in particular when using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the data controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of Personal Data.

7.3.2 The duty to carry out an assessment of the impact only applies to specific cases where a high risk to the rights and freedoms of natural persons is found.

7.3.3 A data protection impact assessment shall be required in the case of: a) processing on a large scale of special categories of data or of Personal Data relating to criminal convictions and offences, or b) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person, or c) a systematic monitoring of a publicly accessible area on a large scale.

7.3.4 It is our assessment that we will rarely carry out processing which complies with one of the above criteria. Therefore, we expect that the provisions governing impact assessment will have relatively little impact on our processing of Personal Data about customers.

7.3.5 If an impact assessment is carried out anyway, the result of the assessment will be taken into consideration when adequate measures need to be taken.

7.4 Data Protection Officer (DPO)

7.4.1 The duty to appoint a Data Protection Officer is, according to article 37 of the General Data Protection Regulation, conditioned upon the fact that processing of Personal Data is ”core activity”. This is neither the case where Lakrids acts as data processor, nor in situations where Lakrids acts as data controller.

7.4.2 The data controller and the data processor shall designate a Data Protection Officer in any case where: a) the core activities consist of processing operations which, by their nature, their scope and/or their purposes, require regular and systematic monitoring of Data Subjects on a large scale, or b) the core activities consist of processing on a large scale of special categories of data, or c) the core activities consist of processing on a large scale of Personal Data relating to criminal convictions and offences.

7.4.3 It is our assessment that Lakrids does not process Personal Data on a scale as described above. We have therefore chosen not to appoint a Data Protection Officer.

7.4.4 Because of the principle of accountability we have - irrespective of whether we are acting as data controller or data processor - appointed a person within our organisation that is responsible for carrying out the assessments and the advice service which is usually carried out by a Data Protection Officer.

7.5 Data controller

7.5.1 With regard to Personal Data about employees and information about Lakrids’ customers, Lakrids will predominantly work as data controller. Lakrids will independently assess whether there is basis for collecting/processing Personal Data which is relevant and necessary and for how long the Personal Data should be stored.

7.6 Data processing agreement

7.6.1 In cases where we are data controllers and have assessed that the arrangement with the data processor constitutes a data processing structure, we will prepare a data processing agreement.

7.6.2 The data processing agreement must be entered into between us (the data controller) and the other party (the data processor) and must comply with the requirements to data processing agreements as set out in the General Data Protection Regulation, cf. article 28(3) of the General Data Protection Regulation. This means that a contract or another legal document which is binding for the data processor must be prepared. Furthermore, it is a requirement that the data processing agreement is in writing, including electronic form.

7.6.3 Furthermore, the General Data Protection Regulation sets out several specific requirements to the contents of the data processing agreement. The contract must, among other things, set out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data and categories of Data Subjects and the obligations and rights of the controller as well as the obligations of the data processor with respect to carrying out the task. These requirements are described in detail in article 28(3), points a-h of the General Data Protection Regulation.

7.6.4 If we act as data processor for the customer, we must enter a written data processing agreement with the customer.

7.7 Transfer to third countries

7.7.1 There will be no transfer of Personal Data to third countries.

7.8 Data processors - an overview

7.8.1 The technical operation of Lakrids is carried out by external companies. These companies act as data processors of the Personal Data for which we are data controllers.

7.8.2 The data processing is carried out within the European Union.

7.8.3 The data processor acts solely under our instruction.

7.8.4 We use the following data processors:

Data processor

Location: Denmark

Contract type: Data processing agreement

7.8.5 The data processor has taken the necessary technical and organisational security measures to ensure that the Personal Data is not accidentally or illegally destroyed, lost or impaired and that it does not become known to unauthorised persons, is abused or in any other way processed in a manner that violates the Data Protection Act. The data processor will upon request - and against payment of the data processors at any time applicable hourly rates for such work - provide you with sufficient Personal Data to prove that the data processor has taken the necessary technical and organisational security measures.

7.9 Transfer – customer data

7.9.1 We may disclose Personal Data to other companies or people under any of the following circumstances:

– if sharing the information is reasonably necessary to provide or otherwise make available Lakrids and any feature of Lakrids or a service that you have requested. – to keep you up to date on the latest product announcements, software updates, special offers, or other information we think you would like to hear about either from us or from our business partners (unless you have opted out of these types of communications). (Note that you will not be able to opt out of service announcements that contain important information relevant to your use of Lakrids and are not promotional in nature.) – if we believe in good faith that we are required to do so by law, about litigation, to prevent a crime, or to protect personal property, the public, or Lakrids. – about a sale or merger with another entity, consolidation, restructuring, sale of company assets, financing or other corporate change, including during the course of any due diligence process or if Lakrids should ever file for bankruptcy or related proceeding. – when we otherwise have the Data Subject’s consent to share the information. – Lakrids may also share non-Personal Data with third parties (e.g. aggregate or demographic data).

7.10 Transfer to social media networks

7.10.1 No Personal Data will be transferred to any social media network.

7.11 Other transfers

7.11.1 If we receive a request from the police (or similar public authority) or the court system to hand over Personal Data, we will hand over your Personal Data in accordance with applicable law.

7.12 Disclosure for legal reasons

7.12.1 We disclose Personal Data to companies, organizations or individuals outside of our group of companies if we believe in good faith that access, use, preservation or disclosure is necessary to: (1) comply with applicable law, regulation, legal process or enforceable governmental request, (2) enforce applicable user terms, including investigation of potential violations, (3) register, prevent or otherwise protect against address fraud, security or technical issues, or (4) indemnifying us, our users or the public's rights, property or safety, as required.

7.13 Other disclosure

7.13.1 Lakrids does not use your Personal Data for profiling.

7.14 General technical measures

7.14.1 The Danish Data Protection Agency’s IT security guidelines, cf. below, form the basis of the considerations and assessments we have carried out under the General Data Protection Regulation.

7.14.2 Access to Personal Data is restricted to persons who have a material need for access to Personal Data. Personal Data will only be accessed on a "need to know" basis.

7.14.3 Employees, who handle Personal Data, are instructed and trained in what they must do with Personal Data and how to protect Personal Data.

7.14.4 There must be as few people as possible with access to Personal Data, with due regard for the operation. However, there must be a sufficient number of employees to ensure the operation of the tasks concerned in case of sickness, holidays, staff replacement, etc. Personal Data will only be accessed on a "need to know" basis.

7.14.5 Personal Data on paper - for example in cartons and binders- are kept closed and locked when not in use.

7.14.6 When documents (papers, charts, etc.) are discarded, shredding and other measures are used to prevent unauthorized access to Personal Data.

7.14.7 We use access codes to access PCs and other electronic equipment with Personal Data. Only those who need to have access will receive an access code and then only for the systems that they need to use. Those who have a password may not leave the code to others or leave it so others can see it. Change of assigned codes must be done at least once every six months.

7.14.8 We have appointed a responsible person to monitor such inaccessible access attempts. Taking into account the technological development, software is available that can clarify who has attempted to gain access to Personal Data.

7.14.9 If Personal Data is stored on a USB key, Personal Data must be protected, e.g. by use of a password and encryption key. Otherwise, the USB key must be stored in a locked drawer or cabinet. Similar requirements apply to the storage of Personal Data on other portable data media.

7.14.10 PCs connected to the Internet shall have an updated firewall and virus control installed. When connecting to WiFi, for free access, we ensure appropriate security measures taking into account the current state of technology development in the IT-area.

7.14.11 If sensitive Personal Data or social security numbers are sent by e-mail via the Internet, such e-mails must be encrypted. If you send Personal Data to us via email, please note that sending to us is not secure if your emails are not encrypted.

7.14.12 In connection with the repair and service of data equipment containing Personal Data and when data media are to be sold or discarded, we take the necessary measures to prevent information from being disclosed to a third party.

7.14.13 When we use an external data processing agent to handle Personal Data, a written data processing agreement is signed between us and the data processor. This applies, for example, when we use an external document archive or if cloud systems are used in the processing of Personal Data - including communication with the customer. In the same way, a written agreement between us and our customer is always entered into if we act as data processor. Data processing agreements are also available electronically.

7.14.14 We have internal rules on information security. We have adopted internal rules on information security that contain instructions and measures which protect Personal Data from being destroyed, lost or modified, from unauthorized disclosure, and against unauthorized access or knowledge of them. We will ensure that collected Personal Data are treated with care and protected according to applicable safety standards. We have strict security procedures for collecting, storing and transferring Personal Data to prevent unauthorized access and compliance with applicable laws.

7.14.15 We have taken the necessary technical and organizational safeguards to protect your Personal Data from accidental or illegal destruction, loss or change, and against unauthorized disclosure, abuse or other actions contrary to applicable law.

7.14.16 The systems are located on servers in secured premises.

7.14.17 We use industry standards such as firewalls and authentication protection to protect your Personal Data.

7.14.18 All data transferred between client (browser and web app) and server(s) are encrypted according to the HTTPS protocol.

7.14.19 All facilities are locked and only staff members who have signed a declration of confidentiality have access to the facilities. After the end of normal working hours, the production facilities are locked. Access to the production facilities is always carried out under the supervision of an employee.

7.14.20 We take a backup of all databases and files on shared drives every night. The backup is stored on an internal servers.

7.15 Back-up

7.15.1 We make the following types of backup: a) Rolling backup. This method takes daily backup of all file and data updates and creates a backup of all new data. This creates a history of changes so that the ability to recover lost data is increased. b) backup clone. This backup strategy creates a perfect copy of each device on the network c) backup offsite. This backup ensures against data loss if backup is stored on site. All data and files are backed up and backup stored offsite.

7.15.2 All backup data and files are overwritten at 40-day intervals. It is not technically possible to complete erasure of individual files on a backup before such overwriting occurs. Thus, if you have requested that we erase Personal Data, such Personal Data will be erased in live environment, but will remain on backup until the specific backup is overwritten after 40 days. However, we have introduced internal processes and procedures to ensure that Personal Data is not reintroduced as live data by reloading data and files from a backup as Personal Data has been erased according to the "right to be forgotten."

7.16 Erasure - when

7.16.1 When an assignment from a customer has ended, we will have no further need to process the Personal Data. The assignment has been solved.

7.16.2 However, several other considerations and special provisions mean that Personal Data should not or cannot be erased until some time has passed.

7.16.3 The period in which the Personal Data is stored before erasure should be decided.

7.16.4 Under the book keeping rules, Personal Data related to a payment must be kept for 5 years + the current calendar year after the end of the accounting year.

7.16.5 To ensure that we are able to represent our interests in case of a liability suit Personal Data can be stored for 3 years after the end of the assignment.

7.16.6 To ensure the logical synergi with the processing of accounts, customer data should be stored for 5 years after the termination of the customer relationship.

7.16.7 Contact information - CRM must be continuously erased and updated. Emails which may be important for the determination of a legal claim must be stored for 5 years and then erased, unless legal claims have been submitted against or may be submitted by Lakrids.

7.17 Erasure - how

7.17.1 It appears from IT security text ST3 from the Danish Data Protection Agency regarding the erasure of Personal Data that erasure of Personal Data means that Personal Data is irrevocably removed from all storage media on which they have been stored and that Personal Data cannot be recreated in any form. In that connection, it is necessary to pay attention to all storage media - including portable storage media such as laptops, USB sticks etc. as well as back up.

7.17.2 To facilitate the erasure process, all physical material must be scanned to the electronic case and then shredded or returned to the customer.

7.17.3 Alternatively, Personal Data may be completely anonymised with the result that they cannot be ascribed to a specific person. In this case, the General Data Protection Regulation does not apply and complete anonymisation is therefore an alternative to deletion. It is, however, important to remember that anonymization as an alternative to deletion is conditioned upon deletion of all traces that may lead to the person, the data concerns. This is often a very difficult task.

7.17.4 Following deletion/anonymisation we will carry out appropriate cross checks in the form of searches for name/CPR-no. etc. regarding the customer and the case to ensure that nothing appears.

7.18 Duty to disclose - Customer

7.18.1 Each customer receives a link to our Privacy Policy if requested and the Privacy Policy is available on lakrids.nu.

8. Detailed Processing Rules

8.1 Authority to process

8.1.1 Our authority to process Personal Data is primarily based on the relationship to our customer and our ability to administrate agreements we have entered into. In general, we will have the authority to process the necessary data within the framework of this assignment. This specifically follows from the General Data Protection Regulation, article 6(1), points a-c and point f as well as article 9(2), points a and f.

8.1.2 These provisions govern the right to process Personal Data, (i) if there is consent, (ii) if the processing is necessary to fulfil the terms of an agreement, (iii) if the processing is necessary in order to comply with a legal requirement, (iv) necessary in order to comply with significant interests that supersede the interests of the Data Subject; or (v) necessary in order to ensure that a legal claim may be established, exercised or defended.

8.1.3 We are authorised to process civil registration numbers (i) when it follows from the law, (ii) if there is consent; or (iii) if it is necessary to establish a legal claim, cf. the Danish Data Protection Act, section 11, cf. section 7.

8.1.4 We believe our processing of Personal Data with respect to a customer to a wide extent will have its authorisation in the above-mentioned provisions.

8.2 Activation

8.2.1 We collect Personal Data from you and the Data Subject when you activate the service we provide and when you and the Data Subject use lakrids.nu.

8.3 Visit on our Website

8.3.1 When you visit lakrids.nu, we also collect non-Personal Data, which is information that by itself cannot be used to identify or contact you, such as demographic information (e.g. age or gender) or usage information (e.g. the browser you are using, the URL that referred you to Lakrids and the areas of Lakrids you visit). We may also supplement the information we collect with information from other sources to assist us in evaluating and improving our Platform and offerings.

8.4 IP addresses and browser settings

8.4.1 For each visit to lakrids.nu, the used IP address and browser settings are registered. Your IP address is the address of the computer you use to visit lakrids.nu. Browser settings are, for example, the browser type you are using, browser language, time zone, etc. The IP address and browser settings are registered to ensure that Lakrids can always identify the computer used in case of abuse or unauthorized use about the visit to or use of lakrids.nu. The IP address is also used to determine your approximate location (at city IP-address level).

8.5 Newsletter

8.5.1 If you subscribe to Lakrids’ newsletters, your Personal Data will be registered directly with Lakrids. If you no longer wish to receive newsletters from Lakrids, you can unsubscribe by contacting Lakrids on info@lakrids.nu.

8.6 Anonymization

8.7 Lakrids applies anonymization of data from customers for statistic and research purposes, as well as to improve systems, processors and products.

8.8 Lakrids irrevocably anonymizes Personal Data in such a way that the Data Subject can no longer be identified. For example, name, address or personal identification number will be replaced by a code, serial number, etc. Codes are assigned randomly and cannot be restored using lists, keys, etc., showing the relationship between the serial number and the actual identification information. This also means that Personal Data, such as image, a person's voice, fingerprints or genetic characteristics are erased in aboutonymization.

8.9 Contact Information

8.9.1 Contact information will be updated and permanently erased on a continuous basis. E-mails that may affect the determination of a legal claim must be stored for 5 years and then erased, unless a legal claim has been raised or Lakrids suspects one will be raised.

9. Cookies

9.1 We collect various pieces of information about you in connection with the operation of lakrids.nu. We collect information about you and your use of lakrids.nu in two ways: Through the so-called 'cookies' and through registration and use of lakrids.nu.

9.2 Cookies are small bits of information that lakrids.nu places on your computer's hard drive, on your tablet or on your smart phone. Cookies contain information that lakrids.nu uses to streamline communication between you and your web browser. The cookie does not identify you as an individual user but identifies your computer.

9.3 There are two types of cookies - session cookies and persistent cookies. Session cookies are bits of information that are erased when you close your web browser. Persistent cookies are bits of information that are stored on your computer until they are erased. Persistent cookies erase themselves after a certain period of time but are renewed each time you visit lakrids.nu. lakrids.nu uses both temporary and persistent cookies.

9.4 We use similar technologies that store and read information on the browser or device, which utilizes local units and local storage, such as HTML 5 cookies, Flash and other technologies. These technologies can work across your browsers. In some cases, the use of these technologies is not controlled by the browser but require special tools. We use these technologies to store information that is used to ensure the quality of reviews and to pick up irregularities in your use of lakrids.nu.

9.5 A cookie can contain text, numbers, or for example, a date, but there is no Personal Data contained in a cookie. It is not a programme and cannot contain viruses.

9.6 When visiting lakrids.nu for the first time, you will automatically receive a cookie. We use cookies to customize and create content and services that match your interests and desires. We also use cookies to create demographic and user-related statistics and thus determine who is visiting lakrids.nu. We record only anonymous information such as IP numbers, number of bytes sent and received, internet host time, browser type, version, and language, etc.

9.7 We use cookies

  • for statistics, ie: measuring traffic on lakrids.nu, including the number of visits to lakrids.nu, what domains visitors come from, what pages they look at on lakrids.nu and what general geographic area the user is in.

  • to enhance the functionalities functionality: improve the functionality and optimize your experience of lakrids.nu and help you remember your username and password so you do not have to log in again when you return to lakrids.nu.

  • to integrate with social media, i.e.: allow you to integrate with social media such as Facebook.

  • for quality assurance: to ensure the quality of reviews and preventing fraud and irregularities in connection with writing reviews and applying lakrids.nu.

  • for targeted marketing, i.e. display specific marketing at lakrids.nu as we think you will find interesting.

9.8 lakrids.nu provides access for its third party’s suppliers to inspect the contents of the cookies that are set by lakrids.nu. This information shall be used exclusively on behalf of lakrids.nu and must not be used for the third party's own purposes.

9.9 Our Website uses cookies from the following third parties:

  • Google Analytics: for statistical purposes. You can refuse cookies set by Google Analytics by clicking here: http://tools.google.com/dlpage/gaoptout

  • Facebook: made by Facebook.

  • Twitter: set by Twitter if you interact with the Twitter plugin or are already logged on to Twitter from another source for the purpose of interacting with them.

9.10 Most browsers allow you to erase cookies from your hard drive, block all cookies or receive a warning before a cookie is stored. You must be aware that in such case services and features cannot be used by you because they require cookies to remember choices you make. We hope that you will allow the cookies we set as they help us improve lakrids.nu.

9.11 You always have the option to erase cookies stored on your computer.

  • How to erase cookies in Microsoft Internet Explorer

  • How to erase cookies in Mozilla Firefox browser

  • How to erase cookies in Google Chrome browser

  • How to erase cookies in Opera browser

  • How to erase flash cookies - applies to all browsers

9.12 lakrids.nu uses Google Analytics to analyse how users use lakrids.nu. The information generated by the cookie about your use (traffic data, including your IP address) is transmitted to and stored on Google's servers in the United States. Google uses this information to evaluate your use of lakrids.nu, compiling reports on the activity of lakrids.nu and providing other services relating to the operation of lakrids.nu and internet use. Google may also transfer this information to third parties if required by law or if third parties process the information on Google's behalf.

9.13 Google Analytics sets two types of cookies: (a) persistent cookies providing information on whether the user is recurrent, where the user is coming from, which search engine is used, keywords, etc., and (b) session cookies that are used to show when and how long a user uses lakrids.nu. Session cookies expire after each session, that is, when you close your tab or browser. Google will not process your IP address with other data, Google holds.

9.14 Most browsers allow you to erase cookies from Google Analytics. Read more about Google Analytics cookies.

9.15 By using lakrids.nu you provide your consent to our use of cookies as described. If you no longer wish to consent to the use of cookies, deselect the cookies by modifying the settings in your browser.

10. Questions

If you have questions about this privacy policy or our treatment of Personal Data, rectification or your relationship with us in general, please feel free to contact us at the following address: Lakrids by Johan Bülow A/S, CVR-nr: 33041586 Sydholmen 7, DK-2650 Hvidovre, Danmark, T: [+45] 3217 6822, E: info@lakrids.nu, W: www.lakrids.nu

11. Changes

11.1 We may change our Privacy Policy at any given time. You should review our Privacy Policy regularly. Such changes shall come into force immediately. If you do not agree to the modified Privacy Policy, please stop using our service. In the event of a conflict between this Privacy Policy and the modified terms, the modified terms shall apply. Your continued use of the services provided by us after the date the modified terms are posted will constitute your acceptance of the modified Privacy Policy.

12. Supervision

12.1 The Danish Data Protection Agency, inter alia, supervises the compliance with the applicable national regulation on Personal Data. The contact information for the Danish Data Protection Agency is:

Datatilsynet Borgergade 28, 5 DK- 1300 Copenhagen K T: 3319 3200 F: 3319 3218 E-mail: dt@datatilsynet.dk