What data do we collect?
Carra collects the following data:
- Account data includes registration date and payment plan.
- Identity data includes first name, last name, gender, birthday and living environment related information.
- Contact data includes email address and may additionally include phone number.
- Profile data includes hair images and online survey responses, and may additionally include video consultation notes. We may ask general questions about your hair through an online questionnaire and video consultation. This data will only be collected where you have expressly provided your consent to provide us with this data through an online survey or video conversations and secure messaging, as well as through image submission.
- Usage data includes details of your use of the Service, such as traffic data and the features that you access.
- Transaction data includes details about purchases and payments, but excluding bank account and full payment card details.
How do we collect your data?
We collect and process data when you:
- Register an account.
- Complete a hair questionnaire.
- Upload images.
- Complete a video call, or message us via email.
- Complete product reviews or follow-up questionnaires.
- Voluntarily complete surveys or provide feedback via phone call.
- Use or view our website via your browser’s cookies.
- Google Analytics
- Facebook ads conversion tracking (Facebook Pixel)
- Referrals via friends and family
Third-party services
We use the following services for data collection:
- Acuity Scheduling
- Google Calendar
Whenever you interact with our Services, we automatically receive and record information on our server logs from your browser or device, which may include your IP address, geolocation data, device identification, "cookie" information, the type of browser and/or device you're using to access our Services, and the page or feature you requested. "Cookies" are identifiers that we transfer to your browser or device that allow us to recognize your browser or device and tell us how and when pages and features in our Services are visited and by how many people. You may be able to change the preferences on your browser or device to prevent or limit your device's acceptance of cookies, but this may prevent you from taking advantage of some of our features.
How will your information be used?
We collect your data for the following purposes:
- To enable you to participate in features and services.
- To communicate with you and provide customer support.
- To schedule and contact you prior to a consultation.
- To perform a hair analysis and provide hair care recommendations.
- To send email notifications regarding updates to the website, services or goods being provided.
- To process purchases and deliver the Services.
- To track and analyse activity on our Website.
- To conduct research and improve our Services (in anonymised and aggregated forms).
Your Profile data is treated with confidentiality. We will never disclose your Profile data without your consent unless legally required to do so.
Sharing information for legal purposes
We reserve the right to access, read, preserve and disclose any information that we believe is necessary to comply with law or court order; enforce or apply this Policy, our Terms of Service, or other agreements; respond to claims concerning the Services; or protect the rights, property, or safety of Carra, our employees, our users, or others.
Sharing aggregated information
If you agree with our policy, we will aggregate information about the use and effectiveness of our services for benchmarking purposes and share this aggregated de-identified information for research or marketing purposes and in order to provide our customers with haircare insights and trends. An example of the information we would share is: "75% of 25-34 year old women using product A experienced an improvement in hair within x months."
We have put in place appropriate security measures to protect your data from being lost, used or accessed in an unauthorized way. Your data is securely stored and encrypted using Amazon Web Services. Please note that sending information via the internet is not totally secure and on occasion such information can be intercepted. We cannot guarantee the security of personal information that you choose to send us electronically and sending such information is entirely at your own risk.
We use the following services for data storage:
- Acuity Scheduling
Personal data shall be processed and stored for as long as required by the purpose they have been collected for. Personal data may be retained for a longer period whenever the User has given consent to do so.
Your legal rights
We take your rights seriously. To make any of the following requests please contact us at email@example.com.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made several requests. In this case, we will notify you and keep you updated.
Subject access requests
This enables you to receive a copy of the data we hold about you and to check that we are legally processing it.
You will not have to pay a fee to access a copy of your data (or to exercise any of the other rights set out). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
The information you can view, update, and delete may change as the Services change over time and from time to time. If you have any questions about viewing or updating the information that we have on file about you, please contact us at firstname.lastname@example.org.
This enables you to ask us to delete or remove your data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your data where you have successfully exercised your right to object to processing, where we may have processed your data unlawfully or where we are required to erase your data to comply with local law. Note, however, that we may not always be able to comply with your request for erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
You may not request the removal of de-identified, anonymous, or aggregate data from our databases.
Object to processing
You may request restriction of processing of your data. This enables you to ask us to suspend the processing of your data in the following scenarios: if you want us to establish the data’s accuracy; you have objected to our use of your data, but we need to verify whether we have overriding legitimate and/or legal grounds to use it.
You may withdraw consent at any time where we are relying on consent to process your data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
Privacy policies of external providers