Privacy Policy
Policy date – 05 March 2020 (Last update – 20 July 2023)
Thanks for visiting our website! We are Serokell, and here we explain why and how we collect, use, disclose and store your personal data when you are browsing our website.
About us
Our business name is Serokell OÜ, and we are registered as a private limited company in the Republic of Estonia under Estonian laws with company registration number: 14049961. Place of our business is at Pille tn 7/5-13, Kesklinna linnaosa, Tallinn, Harju maakond, 10135, Estonia.
By “Serokell”, “us”, and “our”; we mean Serokell. By “website” we refer to the website located at www.serokell.io. We also have a Serokell Shop, which is located at www.shop.serokell.io Basically, the conditions of collecting and processing of your personal data are the same for the website and Serokell Shop, but there are some differences that we have specified in this policy.
We are your personal data controller – that means that we determine the purposes and means of the processing of your personal data. The legal basis for each category of personal data is indicated in the respective sections of this policy.
Updating
We may update this policy by posting the updated version on this page. Unfortunately, we cannot notify you about any changes personally, so you should check this page from time to time. The effective date of this privacy policy is stated at the top.
Personal data
Personal data means any information related to an identified or identifiable natural person. You may find more details about personal data definition in Article 4 and Recital 30 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR).
We do not knowingly collect any other personal data except stated in sections “User-provided information” and “Data processors”, so we encourage you not to provide any other personal data except the stated below if it is not related to our website or shop. Please do not provide sensitive personal information.
User-provided information
We collect your personal information provided by you in cases described in this section:
“Let’s Have a Chat” form
We may collect your Personal Data that you provide to us when you contact us via the “Let’s Have a Chat” form on our website. Through this form you provide to us your name and email address, which is necessary for us to contact you and answer your request. We have a legitimate interest in processing and responding to your request.
We do not knowingly collect any other Personal Data except stated above, so we encourage you not to provide any other Personal Data except stated above, if it is not related to your request.
Newsletter
Our blog posts (available at https://serokell.io/blog) contain a “Subscription” button, which allows you to subscribe to our mailing list. By subscribing to our newsletter you provide us with your email address and we may upon occasion send you emails. In this case, we will share your email with The Rocket Science Group LLC d/b/a Mailchimp to include you into the mailing list in order to send you emails. You may find more information about Mailchimp GDPR compliance here and learn about their Privacy Policy here. You may unsubscribe from our newsletter at any moment by managing your preferences with a special link provided in any newsletter email.
Serokell Shop
If you visit www.shop.serokell.io (“Shop”), we collect certain information about your device, your interaction with the Shop, and information necessary to process your purchases. We may also collect additional information if you contact us for customer support.
Information we collect at the Shop:
-
Device information
- Purpose of collection: to load the Site accurately for you, and to perform analytics on Shop usage to optimize our Shop.
- Source of collection: Collected automatically when you access our Shop using cookies, log files, web beacons, tags, or pixels.
- Disclosure for a business purpose: shared with our processor Shopify.
- Personal Information collected: version of web browser, IP address, time zone, cookie information, what sites or products you view, search terms, and how you interact with the Shop.
-
Order information
- Purpose of collection: to provide products or services to you to fulfill our contract, to process your payment information, arrange for shipping, and provide you with invoices and/or order confirmations, communicate with you, screen our orders for potential risk or fraud, and when in line with the preferences you have shared with us, provide you with information or advertising relating to our products or services.
- Source of collection: collected from you.
- Disclosure for a business purpose: shared with our processor Shopify.
- Personal Information collected: name, billing address, shipping address, payment information (including credit card numbers, PayPal and Stripe details), email address, and phone number.
-
Customer support information
- Purpose of collection: to provide customer support.
- Source of collection: collected from you
- Disclosure for a business purpose: no
- Personal Information collected: the data you provide to us when you contact
Data processors
Data processor processes personal data on our behalf. Third-party services integrated into the pages of our website and Serokell Shop also may store some information that can be considered personal data. You can find more details about them in the corresponding section below.
Google Analytics
We use Google Analytics to get a better understanding of how people use our website. It allows us to collect various statistical data, such as the number of users visiting and their geographic distribution. We have a legitimate interest in making our website operate efficiently.
We do not share any of this data with Google or other third-parties and we do not use Remarketing or Advertising Reporting Features. Neither do we use User-ID. Also, we have configured Google Analytics to anonymise your IP address.
We believe this configuration restricts the information collected to the bare minimum required for us to obtain meaningful statistical data. Neither we, nor other parties use it for targeting ads or any equally evil marketing purposes.
You may opt-out of making your site activity available to Google Analytics by using the Google Analytics Opt-out Add-on.
Leadfeeder
We use Leadfeeder (https://www.leadfeeder.com/) to collect the visitor IP address to detect the company and geographic location. Leadfeeder only shows company visits; it automatically filters out all users visiting from residential IP addresses. All visit data is aggregated at the company level.
Leadfeeder automatically collects the following data:
- pages accessed;
- time of visit;
- time of last visit;
- name of the owner of the IP address;
- reverse domain of the IP address;
- referring site, application, or service, including the relevant search queries that led you to Leadfeeder’s website;
- browser information;
- operating system and device information;
- IP address (from users signing in to the service, for security purposes).
You may find a detailed description of Leadfeeder GDPR compliance here.
Shopify
We share your Personal Data with Shopify to help us provide our services and fulfill our contracts with you, as described above. For example:
- We use Shopify to power our online store. You can read more about how Shopify uses your Personal Information here.
- We may share your Personal Data to comply with applicable laws and regulations, to respond to a subpoena, search warrant or other lawful request for information we receive, or to otherwise protect our rights.
Usage data
We collect some default information about usage of our service: log data (including its date and time), IP address, browser type, some browser settings and browser plugins, device information (your screen resolution, operating system, device settings etc.).
Any website may work differently depending on your device. We use this information in order to make our website work as designed on your device.
Payment getaways
All payments are made via PayPal and Stripe (secure third-party online payment gateways). We do not have access to your card number, its period of validity and CVC code. If you wish to learn more about payment transactions, see:
Your financial information is kept private, and every payment is followed by an email confirming your transaction.
Shopify may receive partial data about a successful payment in order to facilitate cooperation between the website and payment system.
Personal data disclosure
We do not sell your Personal Data.
We will not disclose or share any of your Personal Data with third parties except:
-
We have a legitimate interest:
- We will share your personal data provided to us to our employees or contractors who are responsible for contacting you, if you contact us via the “Let’s Have a Chat” form on our website.
- We also will share your personal data with our successor in case of transferring the rights.
-
Based on your consent:
- If you give us your consent to receive emails from us, we will share your email with The Rocket Science Group LLC d/b/a Mailchimp to include you into the distribution list in order to send you emails. You may find more information about Mailchimp GDPR compliance here and learn about their Privacy Policy here.
-
In order to fulfill a contract of sale:
- If you place an order on www.shop.serokell.io, we will store your name, shipping address and email address in our personal account in the Shopify system, in order to fulfill your order.
- If disclosure is required by law or court order.
Personal data storage and transfer
Personal data collection and storage
Website (www.serokell.io)
The website server is located in Ireland. However, your personal data may be transferred outside the European Union, since it is not possible to ensure the normal operation of the website without using international services.
Serokell Shop (www.shop.serokell.io)
When you place an order through the Shop, we will retain your Personal Data for our records unless and until you ask us to erase this information. For more information on your right of erasure, please see the “Your Data Protection Rights” section below.
Personal data transfer
Where is your data transferred:
Your personal data provided via “Let’s Have a Chat” is stored on Google’s servers, as we use the Google Mail service to process emails.
Our email server supports TLS encryption to ensure the security of sending and receiving emails. However to take advantage of it, your email service provider needs to support it too.
If you contact us via email, your message will be stored on Google servers which may be located in various countries, so your data can be transferred to other countries outside the EU, but Google is using the European Commission’s Standard Contractual Clauses (SCCs).
You can find more information about Google Cloud GDPR compliance here and here.
Mailchimp
Mailchimp is headquartered in and has offices in the United States. Our servers are also located in the United States. This means data we process may be transferred to, stored, or processed in the United States. Mailchimp ensures reliable transfer and storage of personal data. For more information, read Mailchimp and European Data Transfers.
Leadfeeder
Leadfeeder Tracker collects data to their Amazon Web Services infrastructure. All data is encrypted on transfer and at rest. Leadfeeder has an EU Commission Standard Contractual Clauses agreement in place with Amazon Web Services, as a part of Leadfeeder Data Processing Agreement with them. More information about security measures taken by Leadfeeder may be found here.
Hotjar
We use Hotjar in order to better understand our users’ needs and to optimize this service and experience. Hotjar is a technology service that helps us better understand our users’ experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behavior and their devices. This includes a device’s IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website. Hotjar stores this information on our behalf in a pseudonymized user profile. Hotjar is contractually forbidden to sell any of the data collected on our behalf. More information about security measures taken by Hotjar may be found here and here.
Cookies
Cookies are files that are downloaded to your device when you visit a website. You can learn more about how we use cookies and similar technologies here.
We do not support the Do Not Track browser option.
We use the following cookies:
First-party cookies
We use:
PreviousUrl cookie
This cookie stores your previous visited page URL and expires at the end of your session.
Third-party cookies
Google Analytics
We use Google Analytics which sets its own cookies:
| Cookie | Purpose | Expiry |
|---|---|---|
_ga |
Used to distinguish users. | 2 years |
_gid |
Used to distinguish users. | 1 day |
_gat |
Controls throttling requests to Google servers. | 1 day |
Google Analytics does not collect information that identifies the visitor. You can find more details about these cookies in Google’s own guide.
Any private data that Google stores on their servers is deleted and any cookies that they set in your browser expire after the period shown in the table above.
Leadfeeder
Leadfeeder also sets its own cookies:
| Cookie | Purpose | Expiry |
|---|---|---|
_lfa |
Used for identifying the IP address of devices visiting the website. |
1 year |
The cookie collects information such as IP addresses, time spent on website and page requests for the visits. This collected information is used for retargeting multiple users routing from the same IP address.
More information about cookies set by Leadfeeder may be found here.
Shopify
The following third party Cookies may be placed on your computer or device by Shopify:
Cookies Necessary for the Functioning of the Shop
| Cookie | Purpose | Expiry |
|---|---|---|
_ab |
Used in connection with access to admin. | 2 years |
_secure_session_id |
Used in connection with navigation through a storefront. | 24 hours |
_shopify_country |
Used in connection with checkout. | session |
_shopify_m |
Used for managing customer privacy settings. | 1 year |
_shopify_tm |
Used for managing customer privacy settings. | 30 min |
_shopify_tw |
Used for managing customer privacy settings. | 2 weeks |
_storefront_u |
Used to facilitate updating customer account information. | 1 min |
_tracking_consent |
Tracking preferences. | 1 year |
c |
Used in connection with checkout. | 1 year |
cart |
Used in connection with shopping cart. | 2 weeks |
cart_currency |
Used in connection with shopping cart. | 2 weeks |
cart_sig |
Used in connection with checkout. | 2 weeks |
cart_ts |
Used in connection with checkout. | 2 weeks |
cart_ver |
Used in connection with shopping cart. | 2 weeks |
checkout |
Used in connection with checkout. | 4 weeks |
checkout_token |
Used in connection with checkout. | 1 year |
dynamic_checkout_shown_on_cart |
Used in connection with checkout. | 30 min |
hide_shopify_pay_for_checkout |
Used in connection with checkout. | session |
keep_alive |
Used in connection with buyer localization. | 2 weeks |
master_device_id |
Used in connection with merchant login. | 2 years |
previous_step |
Used in connection with checkout. | 1 year |
remember_me |
Used in connection with checkout. | 1 year |
secure_customer_sig |
Used in connection with customer login. | 20 years |
shopify_pay |
Used in connection with checkout. | 1 year |
shopify_pay_redirect |
Used in connection with checkout. | 30 min, 3w or 1y depending on value |
storefront_digest |
Used in connection with customer login. | 2 years |
tracked_start_checkout |
Used in connection with checkout. | 1 year |
checkout_one_experiment |
Used in connection with checkout. | session |
Reporting and Analytics
| Cookie | Purpose | Expiry |
|---|---|---|
_landing_page |
Track landing pages. | 2 weeks |
_orig_referrer |
Track landing pages. | 2 weeks |
_s |
Shopify analytics. | 30 min |
_shopify_d |
Shopify analytics. | session |
_shopify_s |
Shopify analytics. | 30 min |
_shopify_sa_p |
Shopify analytics relating to marketing & referrals. | 30 min |
_shopify_sa_t |
Shopify analytics relating to marketing & referrals. | 30 min |
_shopify_y |
SShopify analytics. | 1 year |
_y |
SShopify analytics. | 1 year |
_shopify_evids |
SShopify analytics. | session |
_shopify_ga |
Shopify and Google Analytics. | session |
Hotjar
Hotjar sets its own cookies:
| Cookie | Cookie Description & Expiry |
|---|---|
_hjSessionUser_{site_id} |
Set when a user first lands on a page. Persists the Hotjar User ID which is unique to that site. Hotjar does not track users across different sites. Ensures data from subsequent visits to the same site are attributed to the same user ID. 365 days duration. JSON data type. |
_hjid |
This is an old cookie that we do not set anymore, but if a user has it unexpired in their browser, we will reuse its value and migrate to _hjSessionUser_{site_id}. Set when a user first lands on a page. Persists the Hotjar User ID which is unique to that site. Ensures data from subsequent visits to the same site are attributed to the same user ID. 365 days duration. JSON data type. |
_hjFirstSeen |
Identifies a new user’s first session. Used by Recording filters to identify new user sessions. 30 minutes duration, extended on user activity. Boolean true/false data type. |
_hjHasCachedUserAttributes |
Enables us to know whether the data set in _hjUserAttributes Local Storage item is up to date or not. Session duration. Boolean true/false data type. |
_hjUserAttributesHash |
Enables us to know when any User Attribute has changed and needs to be updated. 2 minutes duration, extended every 30 seconds. Content hash data type. |
_hjUserAttributes |
Stores user viewport details such as size and dimensions. Session duration. UUID data type. |
_hjSession_{site_id} |
|
_hjSessionTooLarge |
|
_hjSessionResumed |
|
_hjCookieTest |
|
_hjLocalStorageTest |
|
_hjSessionStorageTest |
|
_hjIncludedInPageviewSample |
|
_hjIncludedInSessionSample_{site_id} |
|
_hjAbsoluteSessionInProgress |
|
_hjTLDTest |
|
Third-party links
This website may contain links to third party websites, which are governed by their own privacy policies. We are not responsible for the content or privacy of third-party websites, so we encourage you to check third parties’ privacy and security policies before providing them with any information.
Automatic decision-making
If you are a resident of the EEA, you have the right to object to processing based solely on automated decision-making (which includes profiling), when that decision-making has a legal effect on you or otherwise significantly affects you.
We do not engage in fully automated decision-making that has a legal or otherwise significant effect using customer data.
Our processor Shopify uses limited automated decision-making to prevent fraud that does not have a legal or otherwise significant effect on you.
Services that include elements of automated decision-making include:
- Temporary blacklist of IP addresses associated with repeated failed transactions. This blacklist persists for a small number of hours.
- Temporary blacklist of credit cards associated with blacklisted IP addresses. This blacklist persists for a small number of days.
Children
Our website is not directed at children under 16, and we do not knowingly collect Personal Data from children under 16. If a child under the age of 16 has provided us with personal data, the child’s parent or guardian may contact us and request that such information be deleted.
Your data protection rights
General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016) provides data protection rights for each user. Here they are:
- Right to access – you have the right to request from us a confirmation as to whether or not any personal data concerning you has been processed. You also can request a copy of your personal data that we hold.
- Right to rectification – you have the right to request us to correct your personal data you believe is inaccurate or incomplete.
- Right to erasure – in certain circumstances, you can ask for your personal data we hold to be erased.
- Right to restriction of processing – in certain circumstances, you can request us to limit the way we use your personal data.
- Right to data portability – in certain circumstances, you can request us to transfer your personal data to another company.
- Right to object – you have the right to challenge certain types of processing, such as direct marketing.
CCPA
If you are a resident of California, you have the right to access the Personal Data we hold about you (also known as the ‘Right to Know’), to port it to a new service, and to ask that your Personal Data be corrected, updated, or erased. If you would like to exercise these rights, please contact us through the contact information below.
If you would like to designate an authorized agent to submit these requests on your behalf, please contact us at the address below.
Contact
If you would like to access, erase, update, or rectify any of your personal data that we hold, or exercise any other of your data protection rights, please contact us:
Murad Murzaev <legal@serokell.io>
Serokell
Pille tn 7/5-13
Tallinn, 10135
Estonia
Data Protection Authority
If you wish to lodge a complaint, you may contact Estonian Data Protection Inspectorate:
info@aki.ee
+372 627 4135
39 Tatari St.
Tallinn, 10134
Estonia