Last Modified: October 4, 2020
2. Information Collected
At Made Shop, we collect personally identifiable information (“PII”) and non-personally identifiable (“Non-PII”) information from you. Personally identifiable information is information that can be used to identify you personally. Non-personally identifiable information is information that must be combined with other information to identify you personally.
Personally Identifiable Information Collected
You will not be required to provide us any information when you visit our Platform. However, in order to fully use our Platform, we may collect PII such as your name, date of birth, email, telephone number, website and business information, and address. We may also collect your relevant payment or credit card information if you wish to pay for any services offered via the Platform. Please be aware that all payment information shall be stored and processed by our third party payment processors.
Whenever you use our website, we may collect Non-PII from you, such as your IP address, zip code, gender, browsing history, search history, and registration history, interactions with the Platform, usage information, location, referring URL, browser, operating system, data usage, data transferred, and Internet service provider. We may also collect information including but not limited to postings you make on the public areas of our website, messages you send to us, and correspondence we receive from other members or third parties about your activities or postings.
3. Use of Your Information
Some of your information will be visible to other users of the Platform to facilitate communication between users. We will never sell your information without your permission; however you agree that we may use your information in the following ways:
To provide any services offered and to operate Made Shop Platform.
To enhance or improve our users’ experiences.
To contact you via email or other electronic communications where you have an inquiry.
To notify you of additional Made Shop services and updates.
To share with third parties, with whom you have requested additional information relating to their products and services.
To process your transactions.
4. Anonymized Data
Please be aware that we may collect and aggregate personally identifiable information from our Platform and may anonymize that information for our own research or internal purposes. Once such data has been anonymized, it cannot be traced back to you, the user.
5. Accessing, Editing, and Removing Your Information
You will be able to access any information contained in your account through our Platform. You may edit that information by removing or changing the information listed in your account. If you have any questions or wish to review, remove, change, or access any of your information collected by us, please contact us by submitting a ticket here. After you have cancelled your account please be aware that we may keep inaccessible copies of your PII and non-PII subject to our data retention policies.
6. Permanent Removal Requests
If you wish to have any of your PII stored within Made Shop Platform permanently removed, please follow our instructions as stated within the policy titled “Removal of Information”. If you have any questions regarding such removal please contact us by submitting a ticket here.
7. Cookies and Tracking
8. Third Party Access to Your Information
Although you are entering into an Agreement with Made Shop to disclose your information to us, we do use third party individuals and organizations to assist us, including contractors, web hosts, and others to allow you to access the Platform.
9. Law Enforcement
10. Opt Out of Commercial, Non-Commercial Communications and Do Not Track
If you decide to provide us with your contact information, you agree that we may send you communications via text and emails. However, you may unsubscribe from certain communications by notifying Made Shop that you no longer wish to receive these communications, we will endeavour to promptly remove you from our account once we have received that request. We currently do not offer functionality for you to opt out through “do not track” listings. If you wish to opt out of certain communications or information collection, please contact us by submitting a ticket here.
11. Third Parties
Made Shop or other users may post links to third party websites on Platform, which may include information that we have no control over. When accessing a third party site through our Platform, you acknowledge that you are aware that these third party websites are not screened for privacy or security issues by us, and you release us from any liability for the conduct of these third party websites.
12. Security Measures
We make reasonable attempts to protect your information by using physical and electronic safeguards. For this reason we use SSL certificates to enhance our Platform security. However, as this is the Internet, we can make no guarantees as to the security or privacy of your information. For this reason, we recommend that you use anti-virus software, routine credit checks, firewalls, and other precautions to protect yourself from security and privacy threats.
13. Your California Privacy Rights
14. Age Compliance
We intend to fully comply with American and international laws respecting children’s privacy including COPPA. Therefore, we do not collect or process any information for any persons under the age of 18. If you are under 18 and using our Platform, please stop immediately and do not submit any information to us. In the event that we have inadvertently collected any information from users under the age of 18 please contact us immediately.
15. International Transfer
16. Merger and Acquisition
In the event that Made Shop is involved in a bankruptcy, merger, acquisition, reorganization or sale of assets, your information may be sold or transferred as part of that transaction. Please be aware that once the information is transferred your privacy rights may change.
18. Privacy Notice for European Citizens
19. Legitimate Purposes for Collecting Your PII
The following are the specific legitimate purposes that we may use your PII for:
Contract Administration – We may use your PII to (1) negotiate, execute, renew and/or manage a contract with you; (2) process billing information and payments related thereto; and/or (3) communicate with you in respect of the above (including sending (legal) notifications).
Access and Communications to Our Platform – We may use your PII to (1) set-up and manage your Made Shop account; (2) interact with you through our Platform (e.g. software updates, Platform announcements, etc.): and/or (3) manage and respond to your questions or comments (e.g. technical, commercial or administrative) or requests for maintenance and support.
Use of the Platform – We may use your PII to (1) enable you to enjoy the use of, and easily navigate the Platform; and/or (2) better understand your needs and interests.
Sharing with Third Parties – We may use your PII to share with our partner companies that we share data with.
Allowing You To Access or Download Content – We may use your PII to allow you download data or content from the Platform.
Training and Improvements – We may use your PII to (1) train our employees or contractors to allow for a better Platform experience; and/or (2) improve the Platform.
Direct Marketing – We may use your PII to contact you for additional products and services that you may be interested in.
20. Retention of PII
Made Shop will only retain your PII for as long as required. We will keep your personal information:
For any legally required duration.
Until we no longer have a valid reason to keep or use your PII.
Upon your request to eliminate, delete, or modify any of you PII stored with us.
Where you have requested modification or deletion of your PII, we may keep just enough of your personal information to ensure that we comply with your requests not use your personal information or comply with your right to erasure. If you require additional details regarding the retention of your PII please contact us.
21. Transfer of PII Outside of the EEC
Where your PII is transferred outside of the EEC, Made Shop shall ensure that your PII shall have an adequate level of protection and that your information will be accessible as stated under the Privacy Notice.
22. Sharing of Data with Third Parties
Aside from the uses listed within this Privacy Notice, Made Shop does not share any of your PII with any third parties aside from third parties that are hired by us to assist us in processing your data (Data Processors). All Data Processors have entered into binding agreements with us to ensure that your rights to your PII are respected.
23. Contact Information
If you have any questions or require additional information related to our information collection practices, please contact us by submitting a ticket here.
At Made Shop we value your privacy and your right to access and control your personal information. We have implemented this policy so that you may request the permanent removal of any personal information stored within Made Shop Platform.
If you wish to have any of your personal information stored within Made Shop Platform removed, please contact us by submitting a ticket here and follow the directions stated within this policy. With each removal request you must list the information you wish to have removed exactly as listed. Please be aware that removal requests are not processed instantaneously. There may be a reasonable delay in processing and removing any information requested.
Although we will attempt to remove all of your personal information upon receipt of your removal request, please be aware that Made Shop may have multiple areas where your personal data is stored and a single removal request may not eliminate all of your personal information stored within our Platform. Therefore, you may be required to submit multiple requests. If your information repeatedly reappears please contact us.
You may make a removal request by submitting a ticket here, please label the first line of the ticket with the following: “Removal Request – Your Full Name and Account Name”.
ADDITIONAL RIGHTS FOR EEC USERS
If you reside in the European Economic Community (EEC) or if you are an EEC citizen you are afforded additional rights to your information.
If you wish to exercise any of these additional rights with regards to any of your PII, we’d be happy to assist you, please contact us by submitting a ticket here, please label the first line of the message with the following: “Request – Your Full Name and Account Name”.
Last Updated: January 19, 2019
Thank you for visiting Made Shop platform (“Platform”). Made Shop is committed to protecting your personal information and ensuring your experience with us is as safe and as enjoyable as possible. In this section, you’ll find information on how and why we use “cookies” to improve our service and your web experience. You’ll also find out how to manage the information that is collected.
What Are Cookies?
Cookie Types and Their Uses
Third Party Cookies
You may have seen references on other websites to “first party cookies” and “third party cookies.” Determining whether or not a cookie is a first or third party cookie depends on which website sets the cookie on your device. First party cookies are set by, or on behalf of, the company whose website you visit. Cookies set by any other company are third party cookies. For example, third party cookies may be used by advertising companies to serve ads when you visit their website.
Currently, Made Shop uses first party cookies as identified above. Please be aware that third party cookies may be employed on the Platform for the purposes of advertising.
What If I Don’t Want to Accept Cookies?
You can choose to restrict or block access to cookies set by Made Shop or any other company. You can set your browser to notify you when a web server attempts to write or load a cookie to your computer. This gives you a chance to accept or reject the cookie. Please be aware that rejecting any cookies may render some portions of the Platform inaccessible or otherwise cause the improper functioning of portions of the Platform.
How Can I Control Cookies?
Web Browser Cookies
If you don’t want to receive cookies, you can modify your browser so that you are alerted when any cookies are being placed on your computer. Additionally, you can reject all cookies or you may delete cookies that have already been set.
If you wish to restrict or block web browser cookies you may do so via your browser settings. The Help function within your browser should be able to assist you in this matter. Alternatively, you may wish to visit www.aboutcookies.org, which contains comprehensive information regarding the management of cookies on your browser. Aboutcookies.org contains both general information and specific information regarding cookies and their usage.
Last Updated: January 19, 2019
1. ACCOUNTABILITY FOR ONWARD TRANSFER
A. To transfer personal information to a third party acting as a controller, organizations must comply with the Notice and Choice Principles. Organizations must also enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles and will notify the organization if it makes a determination that it can no longer meet this obligation. The contract shall provide that when such a determination is made the third party controller ceases processing or takes other reasonable and appropriate steps to remediate.
B. To transfer personal data to a third party acting as an agent, organizations must: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles; (iv) require the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (v) upon notice, including under (iv), take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request.
1. While the United States and the European Union share the goal of enhancing privacy protection, the United States takes a different approach to privacy from that taken by the European Union. The United States uses a sectoral approach that relies on a mix of legislation, regulation, and self-regulation. Given those differences and to provide organizations in the United States with a reliable mechanism for personal data transfers to the United States from the European Union while ensuring that EU data subjects continue to benefit from effective safeguards and protection as required by European legislation with respect to the processing of their personal data when they have been transferred to non-EU countries, the Department of Commerce is issuing these Privacy Shield Principles, including the Supplemental Principles (collectively “the Principles”) under its statutory authority to foster, promote, and develop international commerce (15 U.S.C. § 1512). The Principles were developed in consultation with the European Commission, and with industry and other stakeholders, to facilitate trade and commerce between the United States and European Union. They are intended for use solely by organizations in the United States receiving personal data from the European Union for the purpose of qualifying for the Privacy Shield and thus benefiting from the European Commission’s adequacy decision.1 The Principles do not affect the application of national provisions implementing Directive 95/46/EC (“the Directive”) that apply to the processing of personal data in the Member States. Nor do the Principles limit privacy obligations that otherwise apply under U.S. law.
2. In order to rely on the Privacy Shield to effectuate transfers of personal data from the EU, an organization must self-certify its adherence to the Principles to the Department of Commerce (or its designee) (“the Department”). While decisions by organizations to thus enter the Privacy Shield are entirely voluntary, effective compliance is compulsory: organizations that self-certify to the Department and publicly declare their commitment to adhere to the Principles must comply fully with the Principles. In order to enter the Privacy Shield, an organization must (a) be subject to the investigatory and enforcement powers of the Federal Trade Commission (the “FTC”), the Department of Transportation or another statutory body that will effectively ensure compliance with the Principles (other U.S. statutory bodies recognized by the EU may be included as an annex in the future); (b) publicly declare its commitment to comply with the Principles; (c) publicly disclose its privacy policies in line with these Principles; and (d) fully implement them. An organization’s failure to comply is enforceable under Section 5 of the Federal Trade Commission Act prohibiting unfair and deceptive acts in or affecting commerce (15 U.S.C. § 45(a)) or other laws or regulations prohibiting such acts.
3. The Department of Commerce will maintain and make available to the public an authoritative list of U.S. organizations that have self-certified to the Department and declared their commitment to adhere to the Principles (“the Privacy Shield List”). Privacy Shield benefits are assured from the date that the Department places the organization on the Privacy Shield List. The Department will remove an organization from the Privacy Shield List if it voluntarily withdraws from the Privacy Shield or if it fails to complete its annual recertification to the Department. An organization’s removal from the Privacy Shield List means it may no longer benefit from the European Commission’s adequacy decision to receive personal information from the EU. The organization must continue to apply the Principles to the personal information it received while it participated in the Privacy Shield, and affirm to the Department on an annual basis its commitment to do so, for as long as it retains such information; otherwise, the organization must return or delete the information or provide “adequate” protection for the information by another authorized means. The Department will also remove from the Privacy Shield List those organizations that have persistently failed to comply with the Principles; these organizations do not qualify for Privacy Shield benefits and must return or delete the personal information they received under the Privacy Shield.
4. The Department will also maintain and make available to the public an authoritative record of U.S. organizations that had previously self-certified to the Department, but that have been removed from the Privacy Shield List. The Department will provide a clear warning that these organizations are not participants in the Privacy Shield; that removal from the Privacy Shield List means that such organizations cannot claim to be Privacy Shield compliant and must avoid any statements or misleading practices implying that they participate in the Privacy Shield; and that such organizations are no longer entitled to benefit from the European Commission’s adequacy decision that would enable those organizations to receive personal information from the EU. An organization that continues to claim participation in the Privacy Shield or makes other Privacy Shield-related misrepresentations after it has been removed from the Privacy Shield List may be subject to enforcement action by the FTC, the Department of Transportation, or other enforcement authorities.
5. Adherence to these Principles may be limited: (a) to the extent necessary to meet national security, public interest, or law enforcement requirements; (b) by statute, government regulation, or case law that creates conflicting obligations or explicit authorizations, provided that, in exercising any such authorization, an organization can demonstrate that its non-compliance with the Principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorization; or (c) if the effect of the Directive or Member State law is to allow exceptions or derogations, provided such exceptions or derogations are applied in comparable contexts. Consistent with the goal of enhancing privacy protection, organizations should strive to implement these Principles fully and transparently, including indicating in their privacy policies where exceptions to the Principles permitted by (b) above will apply on a regular basis. For the same reason, where the option is allowable under the Principles and/or U.S. law, organizations are expected to opt for the higher protection where possible.
6. Organizations are obligated to apply the Principles to all personal data transferred in reliance on the Privacy Shield after they enter the Privacy Shield. An organization that chooses to extend Privacy Shield benefits to human resources personal information transferred from the EU for use in the context of an employment relationship must indicate this when it self-certifies to the Department and conform to the requirements set forth in the Supplemental Principle on Self-Certification.
7. U.S. law will apply to questions of interpretation and compliance with the Principles and relevant privacy policies by Privacy Shield organizations, except where such organizations have committed to cooperate with European data protection authorities (“DPAs”). Unless otherwise stated, all provisions of the Principles apply where they are relevant.
A. “Personal data” and “personal information” are data about an identified or identifiable individual that are within the scope of the Directive, received by an organization in the United States from the European Union, and recorded in any form.
B. “Processing” of personal data means any operation or set of operations which is performed upon personal data, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.
C. “Controller” means a person or organization which, alone or jointly with others, determines the purposes and means of the processing of personal data.
9. The effective date of the Principles is the date of final approval of the European Commission’s adequacy determination.
10. Provided that the Commission Decision on the adequacy of the protection provided by the EU-U.S. Privacy Shield applies to Iceland, Liechtenstein and Norway, the Privacy Shield Package will cover both the European Union, as well as these three countries. Consequently, references to the EU and its Member States shall be read as including Iceland, Liechtenstein and Norway.
3. RECOURSE, ENFORCEMENT AND LIABILITY
a. Effective privacy protection must include robust mechanisms for assuring compliance with the Principles, recourse for individuals who are affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed. At a minimum such mechanisms must include:
i. readily available independent recourse mechanisms by which each individual’s complaints and disputes are investigated and expeditiously resolved at no cost to the individual and by reference to the Principles, and damages awarded where the applicable law or private-sector initiatives so provide;
ii. follow-up procedures for verifying that the attestations and assertions organizations make about their privacy practices are true and that privacy practices have been implemented as presented and, in particular, with regard to cases of non-compliance; and
iii. obligations to remedy problems arising out of failure to comply with the Principles by organizations announcing their adherence to them and consequences for such organizations. Sanctions must be sufficiently rigorous to ensure compliance by organizations.
b. Organizations and their selected independent recourse mechanisms will respond promptly to inquiries and requests by the Department for information relating to the Privacy Shield. All organizations must respond expeditiously to complaints regarding compliance with the Principles referred by EU Member State authorities through the Department. Organizations that have chosen to cooperate with DPAs, including organizations that process human resources data, must respond directly to such authorities with regard to the investigation and resolution of complaints.
c. Organizations are obligated to arbitrate claims and follow the terms as set forth in Annex I, provided that an individual has invoked binding arbitration by delivering notice to the organization at issue and following the procedures and subject to conditions set forth in Annex I.
d. In the context of an onward transfer, a Privacy Shield organization has responsibility for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. The Privacy Shield organization shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.
e. When an organization becomes subject to an FTC or court order based on non-compliance, the organization shall make public any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the FTC, to the extent consistent with confidentiality requirements. The Department has established a dedicated point of contact for DPAs for any problems of compliance by Privacy Shield organizations. The FTC will give priority consideration to referrals of non-compliance with the Principles from the Department and EU Member State authorities, and will exchange information regarding referrals with the referring state authorities on a timely basis, subject to existing confidentiality restrictions.
In compliance with the Privacy Shield Principles, Made Shop commits to resolve complaints about our collection or use of your personal information. European Union individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Made Shop at:
FOR USE INFORMING INDIVIDUALS THAT YOUR ORGANIZATION HAS SELECTED A PRIVATE SECTOR DISPUTE RESOLUTION PROVIDER.
Made Shop has further committed to refer unresolved Privacy Shield complaints to our Marketing Operations Manager, Andrew Russo, an alternative dispute resolution employee located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not resolved your complaint, please contact Andrew Russo for more information or to file a complaint. The services of Andrew Russo are provided at no cost to you.
FOR USE INFORMING INDIVIDUALS THAT YOUR ORGANIZATION WILL COOPERATE WITH EU DPAS AND/OR THE SWISS FEDERAL DATA PROTECTION AND INFORMATION COMMISSIONER.
Made Shop commits to cooperate with the panel established by the EU data protection authorities (DPAs) and comply with the advice given by the panel with regard to [human resources] data transferred from EU [in the context of the employment relationship].