Privacy policy
Well by Orion Pharma online store Information Notice
Orion Corporation is committed to protecting your privacy in compliance with all applicable regulations and ensuring the security of your personal data. This privacy notice explains how we collect, use, and protect your personal information.
Contact Details
Data Controller: Orion Corporation
Data Protection Officer (DPO): Jyri Wesanko, privacy@orionpharma.com
Representative: Tanja Kipinoinen, well@orionpharma.com
1. What data do we collect about you?
We collect and process the following types of personal data:
- Account information: name, age, information about the family, email address, purchase history data.
- Contact data: unregistered customer information including name, phone number, email address and street/delivery address.
- Purchase information: purchase history data and receipt or equivalent proving the purchase.
- Marketing survey data: any information provided by you through surveys.
- Drug safety related information such as drug side effect reports submitted by you. We collect this drug safety data as a part of our pharmacovigilance duties. For more information on how we process pharmacovigilance and drug safety related data, please read our information notice on pharmacovigilance.
- Marketing consent data: your direct marketing consent and consent withdrawal information.
- Customer service communication data: email address and email communication with you.
2. How do we use your data?
We process your personal data for the following purposes:
- Webstore and purchase management: general webstore operation, making products available for purchase, processing transaction data and delivering products.
- Marketing purposes: delivering products, communicating about our offerings, sales promotions, and other marketing purposes, as well as creating aggregated target groups for marketing. Knowing customers' preferences enables us to target our offers and offer products and services that better meet the needs and expectations of our customers.
- Customer service: processing customer reclamations, product returns and customer feedback provided by you.
- Website usage and marketing analytics: developing our webstore functionalities and services.
- Pharmacovigilance purposes (For more information on how we process pharmacovigilance data, please read our information notice on pharmacovigilance.)
- Product recalls: contacting customers in case of product recall.
3. Legal Basis
We process your data based on the following legal grounds:
- Consent of the data subject (EU General Data Protection Regulation Article 6.1.a) / 9.2.a) (special categories of data)
- Performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (EU General Data Protection Regulation Article 6.1.b)
- Compliance with the controller’s legal obligations based on binding law (EU General Data Protection Regulation Article 6.1.c)
- Legitimate interests of the controller or a third party (the legitimate interest to be identified, such as direct marketing) (EU General Data Protection Regulation Article 6.1.f). We only process personal data based on our legitimate interests where we have deemed, based on the balancing of interest test, that the rights and interests of the data subject will not override our legitimate interest.
4. How do we share your data?
We may share your data with the following recipients:
- Your Account information, Contact data, Purchase information data and Marketing consent data to our online platform providers. Please note that our online platform service provider Shopify may transfer your data to third countries outside of the EU and EEA. These countries might not provide an adequate level of data protection and privacy. For more information on how Shopify processes and transfers your data, please refer to Shopify’s privacy policy.
- Your Contact data with our payment service provider. Please note that when personal data is shared with such other data controllers, that organization's privacy policy and personal data processing applies.
- Your Contact data with our delivery service provider.
- Your Account information and Contact data to our customer service provider.
5. How long do we store your data?
We will retain your personal data for no longer than is necessary for the purposes defined in this Statement.
| Type of data | Retention period |
|---|---|
| Contact data; purchase information | 12 months from last purchase. |
| Account data | 7 years from last activity. |
| Customer service communication data | 5 years from collection. |
| Adverse event reporting | Please read our information notice on pharmacovigilance. |
| Marketing survey data | 12 months from collection |
| Direct marketing consent | Consent is stored until withdrawn. |
6. What are your rights and options?
You have the right to:
- Access your data: You can request information and a copy of your personal data that we have collected and stored in connection with our services / this information notice.
- Rectify inaccurate data: In order to keep your data up-to-date and accurate, you can request us to modify your data by contacting us as described in chapter 12.
- Erase your data: You can contact us if you think the processing of your personal data is unlawful and your data should be erased. We shall erase or anonymize your personal data without undue delay in accordance with the retention periods detailed in chapter 7 if the data in question is erroneous, unnecessary, incomplete or obsolete as regards the purpose of the processing.
- Restrict processing: If you want to restrict our processing of your personal data, please contact us.
- Object to processing: If you want to object to the processing of your data for marketing purposes, please contact us. When making the request, please specify the scope of your request.
- Data portability: The data subject shall have the right to data portability, i.e. the right to receive his or her personal data, which the data subject has provided to the controller and that is being processed by automated means, in a structured and machine readable format and the right to transmit those data to another controller, where the basis for processing is consent or the fulfilment of a contract between the controller and the data subject.
- Withdraw consent: You can withdraw any consent that you may have given us for data processing activities. After withdrawing your consent, we will no longer process your personal data for the purposes the consent was asked for. Please note that withdrawal of consent does not render the processing of personal data performed prior to such withdrawal unlawful.
7. Cookies and Tracking Technologies
We use cookies and similar technologies. For more information on how we use cookies, please read our Cookie Policy.
8. Security Measures
We hold your personal data in secure computer storage facilities.
We have implemented appropriate measures to ensure the level of security around your personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage to it.
We have put in place appropriate technical and organisational measures to ensure a level of security appropriate to the risk of harm that might result from unauthorised or unlawful processing, accidental or unlawful loss, destruction or alteration, unauthorised access to (or disclosure of) or damage to your personal data, including:
- locks and security systems;
- encryption;
- usernames and passwords;
- virus checking;
- auditing procedures and regular data integrity checks;
- and recording of file movements.
We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They must only process your personal data on our instructions and subject to the access controls listed above. They are also subject to a duty of confidentiality.
We have agreed on security-related measures with the third parties we share your personal data with to ensure that it is treated by those third parties in a way that is consistent with how we safeguard your personal data.
We have also put in place procedures to deal with any suspected personal data breach and will notify you and any applicable supervisory authority where we are legally required to do so.
9. Changes to this Notice
We reserve the right to change this notice from time to time. We will review this notice periodically and update it accordingly if we change our processes materially. We may make changes to this notice when we believe it is reasonable to do so e.g. to comply with legal or regulatory requirements.
10. Contact Us
If you wish to use your rights as a data subject described in chapter 8, or if you have any questions or concerns, please contact us at privacy@orionpharma.com
Please note that we will contact you to verify your identity in order to proceed with your request if you wish to use your data subject rights.