Privacy Policy
Last updated: March 2026
Welcome
Welcome to our guidelines regarding how we handle the important topic of privacy policy.
We are a happiness company, and our members are our everything. Therefore, we naturally want to treat and store your personal data in the best possible way. We have described all relevant details below. We would prefer to keep it completely simple, down-to-earth, and easy to understand, but legally we are required to explain it as described below so that we include all details. If it becomes too lawyer-technical, too extensive, or too complicated, you are always welcome to reach out to our Team Happiness, who are ready to do their best to answer your questions. You just need to send an email to hello@goodiebox.dk. We also have our very own Data Protection Officer whose job is to ensure that we do everything we can to give you and our other members the best experience and protect your information. If you have any questions regarding your rights as a data subject, you can either go directly to Section 7, "Your rights as a data subject," or contact our Team Happiness at the above email address or write directly to our Data Protection Officer at dpo@goodiebox.dk.
Let's get started.
First, just some quick tips. When we write "we", "us", or "our", we mean Goodiebox and all our subsidiaries. When we write "you", we mean you as a visitor, customer, or member. Everything we write here concerns everyone who logs onto our websites or purchases our products and services in any form.
Goodiebox collects and processes your personal data only in accordance with this privacy policy and always in accordance with the General Data Protection Regulation 2016/679 (which we hereafter call "GDPR"). If we change this policy, the changes will be made available on our websites ("the website(s)"), and where relevant, you will also be notified via email or in another way. We therefore encourage you to review this once in a while to stay updated on how we process your personal data.
About us
This privacy policy applies to all personal data processed by Goodiebox ApS, with its registered office at Artillerivej 86, 5th floor, 2300 Copenhagen S., Denmark, and its subsidiaries. Goodiebox is the so-called data controller (as defined in Article 4(7) GDPR) of all processing activities related to our products and services ("the Services"). These services include any interaction you have with us through our websites, over the phone, through social networks, or other channels.
Privacy Policy Structure
In order to make this as easily accessible as possible, we have organized our privacy policy as follows, which also allows you to jump directly to the section that is most relevant to you:
- Global overview of data processing activities at Goodiebox (Section 1)
- In more detail – what data do we process, for what purposes, and on what legal basis or bases? (Section 2)
- What is our retention policy? (Section 3)
- What is our Cookie policy? (Section 4)
- Where do we store your personal information? (Section 5)
- When can we disclose your personal information? (Section 6)
- What are your rights as a data subject? (Section 7)
- How do you contact us? (Section 8)
Section 1 – Global overview of data processing activities at Goodiebox
First and foremost, the terms "data", "personal data", and "personal information" all refer to the definition of "personal data" in Article 4(1) of the GDPR, which is any information that allows us to directly or indirectly identify you. It can be your name, your phone number, your member ID, your order number, and email address. The data we process is mostly data that you submit when you use our services. For example, when you order a box, you may provide your name, email address, and transaction and billing information (e.g., credit card/debit card or other bank information and delivery information). It is the same when you contact us (for example, when you contact our customer service, "Team Happiness", on social media or other platforms), and when you participate in online competitions, surveys, or add a product review to your member account. Sometimes we also collect your data when you visit our website(s) (for example, technical device and access data collected when you interact with our services), and depending on your cookie preferences and consent, we may use tracking technologies to see which Goodiebox pages you have visited or if you have opened our newsletter.
We always rely on a legal basis to collect and process your personal information. Sometimes it is for our legitimate interest in operating the business or to comply with a legal obligation, and sometimes we may need to ask for your permission in advance. This could be the case, for example, when we wish to:
- Collect and process some special categories of data through your beauty profile (if applicable), such as your skin color or hair type
- Send you our newsletter (there are exceptions, so go to Section 2 below if you want to know more)
- Ask for your participation in surveys, online competitions, or advertising campaigns
- Transfer your data to third parties or third countries (i.e., located outside the EEA) if there are no adequate protective measures (e.g., if you log in with Facebook Connect)
- Use cookies and tracking technologies to access which pages you have looked at on our website(s) and if you have opened our newsletter, for example
Protection of children's personal data – Please note that our websites are not intended for and should not be used by children under the age of 18. We therefore do not knowingly collect personal data about individuals under the age of 18 unless we have received the legal guardian's consent.
If you want to go into the details, we advise you to read Section 2 below, which shows the cases where Goodiebox collects and processes your data along with the purpose (reasons) and legal grounds for doing so. Otherwise, you can jump directly to our retention duration policy (Section 3), the information about your Cookies (Section 4), the storage of your data (Section 5), the cases where we might disclose your information to third parties (Section 6), your rights as a data subject (Section 7), and finally how you can contact us (Section 8).
Section 2 – What data does Goodiebox process, for what purpose, and on what legal basis?
When you use our website(s)
We use your data to provide you with access to our website(s). Depending on your settings, we may collect the following data during each visit:
User data – technical information about your device, including device-specific information such as your hardware model, operating system version, unique device identifiers, language settings, and system authentications; details of your visits, including your Uniform Resource Locator (URL) journey to, through, and from our services (including date and time).
Analysis data – your IP address, operating system, and browser type; page visits, visit duration, and page interactions (such as scrolling, finger movements, clicks, and mouse-overs).
Advertising data – Information about the origin of how you visit us, for example, from social media or a search engine, can be shared with our partners along with a random ID assigned to your browser session at each visit.
Purpose – to provide you with access to our website(s), improve your user experience, and/or ensure proper use of our services. In any case, we never use this data to identify you.
Legal basis – legitimate interest (Article 6(1)(f) GDPR) / consent (Article 6(1)(a) GDPR)
When you create a member account
When you create an account, we may collect the following information about you: your full name, email address, password, phone number, and payment information.
Purpose – to provide you with a member account and the ability to subscribe to and receive our services.
Legal basis – performance of a contract (Article 6(1)(b) GDPR) / legitimate interest (Article 6(1)(f) GDPR).
If you log in with Facebook Connect and/or Google
You have the option to log in to your member account with your Facebook credentials and/or Google account. If you do this, you agree to share public profile information with us. Please note that Facebook and/or Google may also process some of your data, and we are not responsible for this data processing. Before using these logins, we advise you to check their privacy policies, which are available here (Facebook / Google).
Purpose – to allow you to easily log in and use our services without using your member credentials.
Legal basis – legitimate interest (Article 6(1)(f) GDPR) / consent (Article 6(1)(a) GDPR).
When you have filled out your Beauty Profile
Your Beauty Profile is optional, and you do not need to fill it out to receive our service. If you decide to fill it out, you will always be able to change your mind and modify or delete it. If you decide to fill out your Beauty Profile, you can provide us with information such as your age, skin color and/or type, hair type and/or condition, color preferences, favorite products, and your favorite brands. We process this information with special sensitivity and security. Although it does not inherently fall under the "special categories" of personal data (as defined in the GDPR and after a thorough assessment), we believe that certain information requires extra care.
Purpose – to know our members and customers better and maintain our services as best as possible. In fact, we always strive to learn more about our members and customers to deliver the best products and experiences. We may use your data to customize your experience on our website(s) and at times customize the products we offer you so that it becomes more interesting and relevant for you. Or we may simply collect information and understand trends or tendencies better.
Legal basis – legitimate interest (Article 6(1)(f) GDPR) / consent (Article 9(2)(a) GDPR) when we believe that some information requires extra care, even if it does not fall under the definition of "special categories of personal data".
Following your subscription to Goodiebox or your online shopping
When it comes to your subscription to our monthly/quarterly boxes, we process information about shopping and delivery, such as your order number and shipment number, the details of the purchased boxes, your payment method information and preferred delivery method, your delivery and billing addresses, any messages and communication related to purchases (including complaints or messages sent to our Team Happiness), delivery and payment status (completed, sent), return status (if relevant), and all relevant information about third-party service providers involved in the delivery of our services. If you buy products online via our webshop, the same types of data may be collected and processed.
Purpose – to provide you with our services (i.e., process your orders and deliver our products according to your information).
Legal basis – performance of a contract (Article 6(1)(b) GDPR) / legitimate interest (Article 6(1)(f) GDPR)
About your payment information
When you subscribe to our monthly boxes or purchase products online, you can use common payment methods such as your credit/debit card, PayPal, and direct debit options depending on your location such as iDeal, Bancontact, Klarna, and MobilePay. We process your payment information to execute the payment and may receive additional information from the external payment service providers we cooperate with. This may include your transaction and billing information; e.g., credit/debit card information and delivery information. Please note, however, that we do not store your credit card information; these are located on a specifically encrypted server in our so-called payment gateway, which is PCI-certified. In the event of failed registration (i.e., your payment did not go through), Goodiebox reserves the right to try to charge the payment again or send you a payment link (according to our terms and conditions). Please note that we may tokenize any of your new payment methods, which means we can reuse this new payment method in the event of further failed payments. If your payment was wrongfully reversed, we may use this method to directly charge you the applicable fee (according to our terms and conditions).
Purpose – to enable you to pay online in exchange for our services (i.e., delivery of the products).
Legal basis – performance of a contract (Article 6(1)(b) GDPR) / legitimate interest (Article 6(1)(f) GDPR)
When you have left your shopping cart
When you navigate our website(s), you can add products to your shopping cart. Sometimes it happens that members and customers think they have completed their purchase, but some information is missing, and therefore Goodiebox does not process the order. To avoid such an unpleasant situation, we may process the products you put in your shopping cart along with your contact information, provided we have a way to identify you (e.g., if you were logged in or if you provided sufficient information so we can actually contact you).
Purpose – to remind you that you have an excellent product in your shopping cart and ensure that the lack of completion is not due to an error or inattention. This will typically be the reason if you were close to completing a transaction but did not complete it (e.g., if you selected a product but did not complete the payment, or if you entered the information during checkout that makes us believe you were interested in purchasing the product despite the failed transaction).
Legal basis – legitimate interest (Article 6(1)(f) GDPR). You can, for reasons due to your specific/special circumstances, at any time object to such processing by writing an email to us (as explained in Section 7 below).
When you want to use your Goodiepoints
Sometimes, when you complete an action (such as, but not limited to, writing a product review), you may be credited certain loyalty points ("Goodiepoints") at the company's sole discretion. These Goodiepoints can be used for a variety of things, including but not limited to, buying products/boxes for free or at a discounted price (when available via our online store). When you decide to use them, we may therefore look at your member account to check if your balance is sufficient, along with the allocation date and expiration date (if relevant).
Purpose – to create loyal members and customers and thank them for their loyalty. We use the submitted data when you use your Goodiepoints to check and process the order. We may also process this information in connection with fraud prevention when we believe Goodiepoints have been allocated and/or used unlawfully.
Legal basis – performance of a contract (Article 6(1)(b) GDPR) / legitimate interest (Article 6(1)(f) GDPR)
When you want to make use of a gift card
When you use a gift card to order a box or other available products, we will process information about the gift card's issue and expiration date, the value, the allocation code, along with the box(es) or product(s) to be sent, the name of the person who bought the gift card and payment information, the name of the person using the gift card (if different) and their delivery address, the member ID of the account used for redemption. If you are the buyer of the gift card and you still have a right to be refunded, we may also ask for your bank details. If you have a complaint about the box you have received, we may allocate Goodiepoints to you according to our terms and conditions, and we may also process information about your member account.
Purpose – to send you the box(es) or product(s) in exchange for the gift card, to refund the gift card (if relevant), to allocate Goodiepoints to you in the event of a complaint (if relevant), or fraud prevention.
Legal basis – performance of a contract (Article 6(1)(b) GDPR) / legitimate interest (Article 6(1)(f) GDPR)
When we communicate together
We love our members and always want to treat you as our best friend. It is important to us that we can communicate on a real and human level, with sincere and personal conversations, so we can help as best as possible whether it concerns a problem with a box or just a chat about anything or nothing. We may therefore collect personal data when you contact us via chat, telephone, through our social media platforms, or in other available ways. This may include conversation content, your name, email address, address, phone number, and/or profile name on social media platforms. Note that we do not record phone conversations, and if this becomes the case in the future, it will only be based on your prior consent, and you will be informed of your right to withdraw such consent at any time with immediate effect. Note also that Goodiebox is not responsible for the terms of use of social media platforms that you may use to contact us.
Purpose – to ensure proper follow-up on any complaint or comment you may have and improve our services. We may also use your contact information to send you a new box in the event of a product problem (if relevant).
Legal basis – performance of a contract (Article 6(1)(b) GDPR) / legitimate interest (Article 6(1)(f) GDPR)
When you participate in our marketing campaigns or surveys, or provide feedback and/or product reviews
If you decide to participate in a campaign, give us feedback, review a product, or if you participate in a survey and/or online competition, we collect and process some of your personal data. This may include your name and email address along with your product settings and any comments you may have added.
Purpose – to analyze whether you are satisfied or dissatisfied with our services and to assess your overall experience. This is a fundamental resource for us to improve your user experience and adapt our actions to your needs. Sometimes you may be offered to participate in a campaign as a member or as an influencer on social media platforms. This helps us grow and increase the visibility of our brand. Surveys and member reviews are useful for improving our product range, predicting our members' wishes, and they are a good testament for new members or customers that they can trust Goodiebox. We may sometimes share snippets of your reviews on our own media platforms and websites, although this will never be done with the intention of identifying you, and you can object to this at any time by contacting us directly.
Legal basis – legitimate interest (Article 6(1)(f) GDPR) to improve your user experience and adapt our actions to your needs. Under no circumstances will we use the collected data to identify you / performance of a contract (Article 6(1)(b) GDPR) when the processing is necessary for the performance of a contract (for example, participating in a campaign) / consent when the other two legal grounds do not apply (Article 6(1)(a) GDPR or Article 9(2)(a) GDPR) for the processing of special categories of personal data.
About the information we can collect on online media platforms
We maintain online media platforms (such as, but not limited to, Facebook, Instagram, Messenger, TikTok, YouTube, WhatsApp, Snapchat, Pinterest, Google, etc.) and regularly send content, offers, campaigns, and organize online competitions (see specific subsection below). When you use these online media, the network operators may process your information, e.g., your age, gender, and geographical location. Remember that we are not responsible for the way they collect and process your personal data for their own purposes. We have no influence on these data processing activities and advise you to read their own privacy policy if you want to know more. Goodiebox is only responsible for the data you provide during your visit to our online sites (e.g., the information you give to us directly when you post something on our pages or when you send us private messages). If you have a public account, we may also be able to see your public information (e.g., your username and the content you have published and shared with a public audience).
Purpose – to better understand how members and customers view our products and identify beauty trends, to increase our visibility in the market, and continuously develop our brand.
Legal basis – legitimate interest (Article 6(1)(f) GDPR).
When you decide to participate in online competitions
Once in a while, we organize online competitions through our online media platforms, where participants are encouraged, as an example, but not limited to, to vote, share, like, comment, or interact in some way with a post or invite a friend to follow us to perhaps win prizes or awards. We may therefore process personal data such as participants' usernames and ask the winner for additional information such as name, email address, and delivery information to send the prize. Sometimes Goodiebox handles the delivery itself, while sometimes the brand collaborating with us in the competition delivers the gift directly. In this case, we inform the winner in advance that their information will be shared with the brand solely for the purpose of delivering a prize. We have data processing agreements with all the brands we collaborate with, so the transferred information is only used for delivery of the prize/reward.
Purpose – to increase our members' engagement or have our followers discover our services. The processing of the above data is necessary to conduct the online competition and deliver prizes to the winner.
Legal basis – performance of a contract (Article 6(1)(b) GDPR) / legitimate interest (Article 6(1)(f) GDPR)
When you are signed up for our marketing initiatives
Depending on your marketing preferences, we may use your personal data to send you marketing content via email, phone calls/SMS, or post. We may sometimes offer personalized content based on your previous browsing or purchasing activity or other information we may have collected about you. This will only be the case if you have given your consent to it in advance. Some of these messages can be customized for you based on your previous browsing or purchasing activity, or other information we may have collected about you.
Purpose – to receive marketing (offers regarding products and services). If you no longer wish to receive marketing communications from us or an individual product recommendation, or if you conversely would like to subscribe to it again, you can at any time change your settings via your member account. You can do this by contacting us or by clicking on the "unsubscribe" link at the bottom of each marketing email we send. If you have opted out of our marketing, please be aware that we can still contact you from time to time with service messages (e.g., order and delivery confirmations, payment methods, and information about your legal rights).
Legal basis – legitimate interest (Article 6(1)(f) GDPR) / consent (Article 6(1)(a) GDPR)
When we perform pseudonymized statistics on products, beauty profile, and preferences
We may collect some data about the products, product types, and brands we collaborate with and match them to our members' beauty profile.
Purpose – to perform pseudonymized statistics and improve the content of our offers by analyzing how well members like previous products from the boxes and how well this matches their beauty profile.
Legal basis – legitimate interest (Article 6(1)(f) GDPR) to improve your customer experience and adapt our actions to our members' needs. Under no circumstances will we use the collected data to establish your identity, and you can, for reasons arising from your specific/special circumstances, at any time object to such processing by writing an email to us (as explained in Section 7 below).
When we use product reviews for statistical purposes
You have the opportunity to add product reviews to your member account, and when we assess them, we may process some personal data (for example, the personal data you have included in the content of your review (if relevant) along with your username (if relevant), your geographical location, and the time and date of the review). We never use the reviews to identify you.
Purpose – We process pseudonymized data to perform aggregate statistics (such as ratings or preferences for certain products) and may present such aggregate statistics to our brand partners, always on an anonymized basis.
Legal basis – the processing is necessary for statistical purposes, and we can only provide our brand partner with anonymized and aggregate statistics from which identification of a specific natural person is impossible (Article 9(2)(j) GDPR). Our legitimate interest in processing data for these purposes is to give our partners an overview of trends and preferences so they can improve the products we offer you. You can, for reasons due to your specific/special circumstances, at any time object to such processing by writing an email to us (as explained in Section 7 below).
When we monitor the use of our website(s) to improve and maintain them, ensure correct use and successful receipt of our transactional emails
When using our services or receiving service messages (transactional emails), we may collect and process the following data: device ID, IP address, operating system and browser type, visit duration on certain pages, and your page interaction information such as scrolling, finger movements, clicks, and mouse-overs, geographical location, time and date, checked products, boxes previously viewed, and start of member account creation.
Purpose – to ensure correct receipt and assess the service to improve it and to ensure correct use and successful receipt of transactional emails.
Legal basis – legitimate interest (Article 6(1)(f) GDPR). Under no circumstances do we use the collected data to identify you. You can, for reasons due to your specific/special circumstances, at any time object to such legitimate processing by writing an email to us (further details in Section 7 below).
When we aim to optimize our marketing initiatives
When you use our services or receive our marketing emails, we may collect and process the following data: IP address, operating system and browser type, visit duration on certain pages, and page interaction information such as scrolling, finger movements, clicks, and mouse-overs, geographical location, time and date, and order information.
Purpose – We may use limited user data to track your interaction with the site and analyze data to optimize our marketing initiatives. We may also process your order information to better assess the impact of our marketing initiatives by encrypting them before sharing them with our API partners. (We do not use the data to determine your identity.)
Legal basis – consent (Article 6(1)(a) GDPR) when it comes to tracking your page interaction; you can adjust your tracking settings at any time by editing your consent / legitimate interest (Article 6(1)(f) GDPR) when it comes to the processing of your order information. Under no circumstances do we use the collected data to determine your identity. You can, due to special situations, object to such legitimate processing of data by writing an email (further information on this under Section 7).
For us to develop our own products
When using our services, we may process some of your information for our own brands and products that are exclusively part of the Goodiebox group (for example, products from "Comme Deux" and all dietary supplements available under our brand). This may include the following data: name and email address along with your product settings and any comments you may have added.
Purpose – to send you relevant information about our own brands, ensure you have the opportunity to participate in customer research (e.g., surveys), and receive the right marketing information (including marketing of our own products).
Legal basis – legitimate interest (Article 6(1)(f) GDPR) to improve your user experience and adapt our actions to your needs. Under no circumstances will we use the collected data to identify you, and you can, for reasons arising from your specific/special circumstances, at any time object to such processing by writing an email to us (as explained in Section 7 below). You can also at any time change your marketing settings by using the link at the bottom of each marketing email or by sending your request via email / consent when the other legal grounds are not relevant (Article 6(1)(a) GDPR) or Article 9(2)(a) GDPR for the processing of special categories of personal data.
When we create performance reports
When navigating our websites, we may collect and process the following data: errors, crash reports, IP address, URL, geographical location, time and date of navigation.
Purpose – to ensure the functionality of our services; our websites cannot function properly without this processing.
Legal basis – legitimate interest (Article 6(1)(f) GDPR). Under no circumstances will we use the collected data to identify you.
For security and prevention of fraud
Your security is our highest priority, and to avoid or detect any data security breaches, our services are encrypted in transmission with the code system SSL ("Secure Sockets Layer"). This means that data is encrypted when you leave our websites, and during this process, information or data is converted into a code to prevent unauthorized access. We have technical and organizational measures in place to secure our systems against loss, destruction, and unauthorized access. This entails that we may process the following information: name, device and access data (IP address and member ID), purchase information (delivery and billing address), and payment information.
Purpose – to detect patterns of fraud and prevent deception.
Legal basis – legitimate interest (Article 6(1)(f) GDPR)
When you decide to cancel your subscription or deactivate your member account
At Goodiebox, you can cancel your subscription at any time according to our terms of use and directly via your member account or by contacting us. If you decide to do so via our Team Happiness, we may ask for information to verify your identity. For example, we may ask you to confirm your email address, date of birth, delivery address, phone number, and/or bank details. Note that when you intend to request cancellation of the subscription or deactivation of the member account on behalf of another, we may request additional information to confirm your eligibility to request such cancellation or deactivation (according to our terms and conditions). We may store your name and your relationship to the member (parent, appointed administrator, bank owner).
By cancelling your subscription, your member account is deleted, and you will still have the option to log in and reactivate it (or subscribe to another type of box). If, on the other hand, you decide to deactivate your account – directly via your member account – you will no longer be able to log in. This means that, in addition to losing all your benefits as a member, you may lose all or part of your purchase history or Beauty Profile, and you will no longer receive any communication from us. If you wish to become a member of Goodiebox again in the future, you must contact Team Happiness. Beware – deactivation of your account must not be confused with permanent deletion of your personal data according to your right to erasure (more details in Section 7 below). If in doubt, please contact us.
Purpose – to verify your identity in order to cancel your subscription and/or deactivate your member account
Legal basis – performance of a contract (Article 6(1)(b) GDPR) / legitimate interest (Article 6(1)(f) GDPR).
When you apply to work with us
Candidates can apply to be part of our team when there are open positions via our "Careers" link, which is available at the bottom of our website(s) or via our recruitment tool partners (e.g., Teamtailor, LinkedIn). When applying for a position, candidates may be asked to provide information such as their name, email address, phone number, geographical location (city), CV, LinkedIn profile (optional), which we may collect along with the time and date of the application.
Purpose – to check the candidate's suitability for the position (or other vacant positions in Goodiebox).
Legal basis – to take the first steps prior to entering into a contract (Article 6(1)(b) GDPR)
If you apply for and/or participate in Goodiebox Aid Initiatives
Goodiebox aims to strengthen female entrepreneurs and other creatives by offering financial support and business support through programs/grants and competitions. Upon application for such an opportunity, applicants may be asked to provide information such as full name, email address, phone number, geographical location (country, city), CV, biography, or other forms of information within the given business in order to receive support from Goodiebox.
Purpose – to review applications and ultimately award the selected person financial support or business support.
Legal basis – legitimate interest (Article 6(1)(f) GDPR) / consent (Article 6(1)(a) GDPR).
Section 3 – How do we store and process your personal information?
We store your personal data for the period necessary to fulfill the purposes described in Section 2 above and until you request the deletion of your member account, in accordance with the data minimization principle. If your personal data is used for more than one purpose, we store it until the purpose with the longest period expires. We stop using them for the purpose with the shorter period as soon as the shorter period expires (to comply with the principle of purpose limitation). We restrict access to your personal information to those individuals who need it for the relevant purpose(s), in accordance with the principles of integrity and confidentiality. If your member account remains inactive for more than 30 months, we will contact you to check if you want to continue using our services. If you then leave your member account unused for a further 6 months, we restrict access and/or delete it permanently. When the processing of your personal data is no longer necessary for any purpose, we may either irrevocably anonymize them or securely delete them. As an exception, we store your personal data for a longer retention period if required or permitted by law for legal, tax, or regulatory reasons (e.g., for the purpose of establishing, exercising, or defending against legal claims) or for other legitimate business reasons. This can go up to ten years, depending on local specificities and business needs. Below you can see our retention period for specific purposes:
Purpose: marketing initiatives
Retention period: 3 years after your last activity (for example, purchase, communication activities, or when you log in to our website(s)).
Purpose: order history
Retention period: 7 years from your last order or as long as we must fulfill legal requirements.
Purpose: customer service in connection with the provision of our services
Retention period: 3 years or as long as we must fulfill legal requirements.
Purpose: fraud and risk assessment
Retention period: 3 years after your last activity (for example purchase, communication, or visit to our website(s)), or as long as we must fulfill legal requirements.
Purpose: compliance with legislation regarding our services
Retention period: As long as we are obliged to comply with legal regulations according to individual country specifications.
Purpose: performance report and monitoring of usage data to ensure correct use, function, maintenance, and improvement of services and transactional emails
Retention period: 30 days unless a security-relevant event occurs (e.g., a Distributed Denial of Service attack). If a security-relevant event occurs, the log files are stored on the servers until the security-relevant event is fully eliminated and clarified.
Purpose: optimization of our marketing initiatives/personalization of shopping
Retention period: Tracking information is deleted no later than 180 days after it is collected.
Purpose: commercial and tax law
Retention period: As long as we are obliged to comply with legal regulations according to individual country specifications, up to ten years.
Purpose: job application
Retention period: In the event of rejection, candidate data is deleted after 6 months. If you have accepted further storage of your personal data, we will add your data to our application pool. Data is deleted after two years from that moment. If you are offered a job in connection with the application process, the data is transferred from the data system to our HR information system.
Section 4 – Cookies
Our websites use so-called "cookies". Cookies are text files that are stored in the internet browser or by the internet browser on your device (computer, tablet, or phone). We use the term "cookies" to refer to all tools that can collect your indirect/pseudonymized personal data on our websites, such as your IP address, place, and time of your visit. These cookies and similar technologies help us provide certain website features, understand and measure performance, and display targeted ads. The processing of this information is always carried out on a legal basis and, when required by law, based on your consent. For detailed information about the cookies we use, for what purposes we use them, and to manage your cookie settings, see our cookie policy.
Section 5 – Where do we store your personal information?
The personal information we collect from you is stored both in the EU on the registered Google Cloud Services (Google EMEA HQ – 4 Barrow St Ringsend, Dublin 4, D04 V3A0, Ireland) and Hetzner Online GmbH (a company with headquarters in Industriestraße 25, 91710 Gunzenhausen, Germany; with data centers in Nuremberg, Falkenstein, and Helsinki).
However, we use suppliers all over the world, and therefore your personal data may be processed by processors and/or sub-processors operating outside the European Economic Area (EEA). These processing activities are always based on a data processing agreement, and only if the further requirements of Article 44 et seq. GDPR for the processing of personal data in third countries are met (e.g., if the sub-processor can provide appropriate safeguards according to Article 46 GDPR, such as but not limited to standard contractual clauses ("SCC") on data protection, binding corporate rules, approved code of conduct) or if the sub-processor is located in a third-party country which has secured an adequate level of protection, as put forward by the EU Commission (in Article 45 GDPR). It may also be in situations with exceptional circumstances according to Article 49 GDPR, such as, but not limited to, when we collect your specific consent to move personal information outside the EEA, after we have informed you of any risks that exist due to the lack of necessary adequacy decisions and correct data safeguards, or if it is necessary for our performance of our agreement with you.
We implement any additional supplementary measures based on case-by-case assessments. Contact us if you want further information about the specific security measures used when exporting your personal data outside the EEA.
Section 6 – Disclosure of your personal information
We may share your personal data within the Goodiebox group between subsidiaries as long as this is necessary for the operation of our websites, direct products, and/or to provide our services. Access is always controlled on a need-to-know basis. Our subsidiaries are not considered "third parties" and are all in compliance with the GDPR.
Your personal data may be transferred to our trusted third-party providers under the following circumstances:
- it is necessary to operate our websites, e.g., technical service providers
- It is necessary to provide you with our services, e.g., payment processors, logistics companies/shipping companies, CRM, and other IT tools to store your information and communicate with you as requested
- it is necessary for our business, e.g., professional and legal advisors
- we have obtained your consent to do so
Technical service providers
We work with technical service providers to operate our websites and provide you with our services. These technical service providers act as our processors, based on a data processing agreement, and can therefore process your data under specific conditions, always according to the above Section 3. This concerns, for example, our CRM, IT services such as our platform providers, hosting services, maintenance, and support on our databases.
Payment service provider
At Goodiebox, you have several payment options to purchase our products, such as payment by credit/debit card, via PayPal, Klarna, or direct debit solutions (such as, but not limited to iDeal, Bancontact, Klarna, and MobilePay). We may therefore transfer some of your data to your chosen payment service provider to provide you with our services. Note that we are not responsible for the payment service providers' way of processing your data, so before choosing one, we encourage you to read their own privacy policy.
Logistics companies/shipping companies
We work with external shipping companies (e.g., DAO) to deliver our products. These transport companies receive the following data to execute the relevant order: your full name, your delivery address, your postal code (if relevant), your email address if relevant (if the shipping company wants to notify you of the preliminary delivery date via email), your phone number if relevant (you may receive an SMS about delivery – whether it is delivered to either your home address or to a parcel shop). The third-party warehouse we cooperate with, which produces our boxes and takes care of the webshop, also receives the above-mentioned personal information in addition to your online order information or subscription type to improve the order or produce the relevant box.
Marketing & IT tools
We provide our services, ensure good customer service, and communicate correctly using CRM & internal IT tools. Currently, this covers Dixa ApS, Jira Software (Supported by Atlassian PTY Ltd.), and Klaviyo, Inc. Besides this, we use Meta Pixel, which is the foundation for Meta advertising, allowing us to measure, adjust, target, and improve our activities on the Meta platform.
These above-mentioned lists of sub-processors (and others that apply) can on our behalf, and solely to provide their service, collect personal information, such as member/customer information (for example, name, contact information, preferences, membership, purchase history, and marketing preferences), the content of the communication you send to us (for example, emails, chats, summaries of conversations, or private messages received via social media), and marketing and transactional emails we send to you. Please note that at present we do not record our phone conversations. We potentially change the above sub-processors from time to time without informing you, except if processing or transfer of data depends on your consent.
Be aware that some of the above list of sub-processors are located in the USA, which means that your data will be transferred to a so-called third-party country. On July 10, 2023, the European Union made an adequacy decision for the "EU-US Data Privacy Framework" (also called "DPF"), and it ensures that the USA has an adequate data protection level – comparable to the EU – to secure data being transferred between European and American companies. This agreement entered into force with immediate effect, and American companies can now participate in the DPF (self-certified) without additional data protection protocols being necessary. To be DPF certified, American companies must be able to demonstrate that they comply with comparable GDPR rights and principles, such as, but not limited to "the right to object", "the right of access", "the right to rectification", and "the right to erasure". Minimization and security principles must be observed, as well as transparency and accountability. Goodiebox will at all times be aware of the certification of our data providers, and if the proper certification cannot be presented, we will ensure to remove and transfer any form of personal data to other methods to ensure that your data is always respected.
Professional and legal advisors
In the event of conflict or dispute resolution, we may work with external agents and legal advisors who may receive your personal data. If this becomes the case, we ensure to have a data protection agreement with such professional and legal advisors in advance.
In addition, we do not transfer your personal information to any third party except if it is relevant for the following purposes:
- if we sell or buy a business or assets: we may disclose your personal data to the potential seller or buyer of such business or assets. The same applies if we or all our assets are acquired by a third party, personal data about our members will be one of the transferred assets. In these cases, disclosure of your personal information will be based on our legitimate interest (Article 6(1)(f) GDPR), except for the processing of special data categories (e.g., your beauty profile which may include sensitive information), where consent may be required by law (Article 9(2)(a) GDPR)
- if we are obliged to disclose or share your personal data with the police, any public authority, or any other competent authority to comply with our legal obligations such as ensuring information security at all times or to defend ourselves against any attempted fraud
- if we are obliged to disclose or share your personal information with law enforcement authorities, other public authorities, or on the basis of EU law in a member state's law. We will base this on our legal obligation to do so (Article 6(1)(c) GDPR)
Service providers who process personal data on our behalf outside the EEA (or "third countries") will only be used if such recipients have received an adequacy decision from the European Commission, if there are appropriate safeguards for the third country, or if we have received your prior consent. Goodiebox commits to ensuring that your data is not transferred to a country with a lower data protection standard than the European Union.
Section 7 – Your rights as a data subject
According to the GDPR and as a "data subject," you have various rights in relation to your personal data, e.g., the right to be informed, to erasure, to correction, to restriction of processing, to data portability, to lodge a complaint with a supervisory authority, to withdraw your consent, and to object to certain data processing activities. If you have questions about this, or if you want to exercise one or more of them, please send us an email at dpo@goodiebox.dk. Note that we may ask for some additional information to verify your request (such as confirming your email address linked to your member account, proof of ID, or other information) to ensure that you are the owner of the member account or that you are entitled to make such a request on behalf of the member and avoid disclosing data to third parties in connection with, for example, a request for information.
Although we are fully invested in processing every query received in our customer service/Team Happiness, please be aware that our customer service can be extraordinarily busy, and therefore our confirmation is not sent immediately upon receipt. To ensure that you exercise your rights as quickly as possible and always in a timely manner (up to 30 days from receipt), we recommend that you send your request directly to our email dpo@goodiebox.dk, and not Team Happiness. If this is not done, you should be aware that the response time may be slightly longer, but will always comply with GDPR regulations.
Right to withdraw your consent at any time
Where the processing of your personal data is dependent on your prior consent, you have the right to withdraw such consent at any time under the condition of Article 7(3) GDPR. Note that this will not affect the lawfulness of the processing based on consent until the time of withdrawal.
Right to object to processing
You can object to the processing of your personal data under the conditions in Article 21 GDPR as follows:
When you wish to object to the processing of your personal data for advertising purposes, including direct marketing, you can do this at any time and without any reason. This can be done directly via login to your user under the "My preferences" section, by clicking on the "Unsubscribe" link at the bottom of marketing emails, or by contacting our Team Happiness or dpo@goodiebox.dk. Note that by contacting us via email, execution may take slightly longer.
When we process your information under our legitimate interest, or when we make anonymous statistics based on your pseudonymized information: as a data subject, you have the right to object for reasons relating to your specific/special circumstances at any time against the processing of your personal data based on Article 6(1)(e) or (f) GDPR, including profiling based on these provisions. In the event of an objection regarding your specific/special circumstances, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.
The same applies if the interruption of such processing is likely to make it impossible or seriously impair the realization of statistical purposes, and the continuation of the processing is necessary to fulfill statistical purposes.
Please note that based on member feedback, we have decided to unsubscribe the data provider from all marketing communication immediately after we receive a request for erasure (as defined in the point about "Right to erasure" below).
Right to be informed
As a data subject, you have the right to access and information under the conditions set out in Article 15 GDPR. This especially means that you have the right to obtain confirmation from us as to whether or not we are processing your personal data. In that case, you also have the right to access the personal data and the information listed in Article 15(1) GDPR. This includes information about the purposes of the processing, the categories of personal data processed, and the recipients or categories of recipients to whom the personal data has been or will be disclosed. Note that you can find most of your information directly on your member account. We will send you an email to confirm that we have received your request, and within 30 days from receipt of the request, provided that it is sent to dpo@goodiebox.dk. If the request is sent to Team Happiness, the inquiry will also be processed in a timely manner, but depending on the extent, a longer period may be necessary as described in the GDPR regulations.
Right to erasure
As a data subject, you have the right to erasure ("right to be forgotten") under the conditions set out in Article 17 GDPR. This means that you generally have the right to have your personal data erased from us, and we are obliged to erase your personal data without undue delay when one of the reasons listed in Article 17(1) GDPR applies. Exceptionally, the right to erasure does not apply if processing is necessary for one of the reasons listed in Article 17(3) GDPR. This can, for example, be the case if processing is necessary to comply with a legal obligation, or for legal claims to be established, exercised, or defended (Article 17(3)(b) and (e) GDPR). Thus, the relevant data is not deleted but blocked for further processing (i.e., data is stored securely with different access rights and technical and organizational measures to ensure that only a few employees can access such relevant data when necessary). Before we delete your information, we may anonymize it for statistical purposes. In all situations, we will send you an email to confirm that we have received your request for erasure and will confirm as soon as all data is permanently deleted or restricted as requested. Once again, we emphasize that the inquiry will be handled as quickly as possible, but always exercise your rights by writing to dpo@goodiebox.dk.
Right to restriction of processing
As a data subject, you have the right to restriction of processing under the conditions listed in Article 18 GDPR. This means that you have the right to obtain restriction of processing if one of the following conditions in Article 18(1) GDPR applies. This can, for example, be the case if you contest the accuracy of personal data. In such a case, the restriction of processing lasts until we are able to verify the accuracy of the personal data (Article 18(1)(a) GDPR). Restriction means that stored personal data is marked with the aim of limiting its future processing (Article 4(3) GDPR).
Right to data portability
As a data subject, you have the right to data portability under the conditions in Article 20 GDPR. This means that you have the right to receive your personal data, which you have provided to us, in a structured, commonly used, and machine-readable format, and to transfer this data to another data controller without hindrance from us, where the processing is based on consent (according to Article 6(1)(a) GDPR or Article 9(2)(a) GDPR) or on the performance of a contract (according to Article 6(1)(b) GDPR), and where the processing is carried out automatically (Article 20(1) GDPR). In exercising your right to data portability, you also have the right to have your personal data sent directly from us to another data controller where technically possible (Article 20(2) GDPR).
Right to rectification
As a data subject, you have the right to rectification under the conditions in Article 16 GDPR. This means that you have the right to have inaccurate personal data about yourself rectified without undue delay and the right to have incomplete personal data completed.
Right to lodge a complaint
As a data subject, you have the right to lodge a complaint with a supervisory authority under the conditions in Article 77 GDPR. The supervisory authority responsible for us is the Danish Data Protection Agency (Datatilsynet). You can contact any data protection authority in any member state (especially in your country of residence); your complaint is then sent to the competent authority.
Section 8 – Contact
We only want the best for you. You are always welcome to contact our Team Happiness at any time, and we will do our best to answer any questions you may have. You can email them at hello@goodiebox.dk. Our Data Protection Officer is also available at dpo@goodiebox.dk or by post at the following address:
Goodiebox ApS
ATT: Data Protection Officer
Artillerivej 86, 5th floor
2300 Copenhagen S, Denmark