CLOETTA PRIVACY POLICY AND COOKIE INFORMATION

This Privacy Policy, including cookie information, has been adopted by Cloetta AB (publ) and its group companies (“Cloetta”) or (“We”), and applies to our processing activities in relation to, inter alia, end-users of our services, visitors of our websites and social media pages (“Digital channels”), and individuals communicating with us.

Cloetta is committed to protect and respect your privacy. Therefore, you are encouraged to carefully read this policy. If you have any concerns, please contact us as set out below in section 9.

1. WHAT IS PERSONAL DATA?

1.1 Personal data is all information that directly or indirectly (i.e. together with other information) may identify an individual. This means that a wide range of data, such as names, contact details, IP addresses, and behaviour and choices made online are personal data.

1.2 Data processing is any operation or set of operations performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, blocking, erasure or destruction of personal data.

2. how do we process your personal datA?

2.1 Visitors to our websites and Digital channels

When you visit our websites and Digital channels we may process:

• Information you have volunteered, such as name, date of birth and contact details;
• details of your visits to our websites and Digital channels, this may include search terms you use, likes, shares;
• campaign traffic data;
• sales via this website;
• personal information that does not identify you (“Grouped Data”). Grouped Data may include gender, region, household and age;
• technical data, which may include URL information, cookie data, your IP address, the types of devices you are using to access Cloetta websites; and
• if you have consented to the use of cookies we will apply the “Facebook Pixel” of Facebook and we may process Facebook ID (the data remains anonymous and cannot be used to draw any conclusions about the identity of the user). Please see section 7.

We process your data for the following purposes:

• To monitor and improve our products and services, e.g. in order to optimize the website and our digital channels, make it more user friendly and for follow up; [and statistical purposes, if applicable];
• to measure the performance of an advertising/digital campaign;
• to target and reach audience online;
• to communicate with you, e.g. through our Digital channels, monitor social posts, brand sentiments and newsletters;
• to analyse information for individual profiling in order to offer personalized ads, offers and other customized information; and
• for the purposes related to our use of cookies, please see section 7.

2.2 Customers buying our products online

When you are a customer buying our products online we may process:

• Information you have volunteered, such as name, gender, home and/or delivery address, telephone number, e-mail address, data of birth, demographical information, interests, preferences, payment information;
• historical order information; and
• product you bought.

We process your data for the following purposes:

• To handle our customer relation e.g. identifying you as a customer; and
• to fulfil the contractual obligations e.g. provide services.

2.3 Subscribers to newsletters or to marketing contests

Consistent with the permission you have given us by opt-in and by consenting to our terms and conditions we may process:

• Name, gender, telephone, address and email address;
• date of birth; and
• depending on the price (value in [SEK]), we may also collect your social security number.

We process your data for the following purposes:

• Direct marketing purposes including providing you with newsletters, offers and promotions on products and services by email, if you have requested such information. You can opt-out from these by clicking a link in each message sent through email (unsubscribe);
• to fulfil contest; and
• to comply with legal obligations, e.g. report contests to the Swedish National Tax Board (Sw: Skatteverket [insert other local authorities/government agencies or national legislation if applicable]).

2.4 When you communicate with us, for example via customer service

When you communicate with us we may process:

• Information you have volunteered such as your name, home and/or delivery address, telephone number, e-mail address, data of birth, demographical information, interests, preferences, payment information and case information;
• when we administer a complaint or claim from you concerning an injury, we may also process sensitive personal data that you have provided to us, i.e. data concerning health, medical certificate and records from insurance companies concerning injuries. By providing us with such information, you consent to Cloetta’s use of it for the purpose of handling your complaint or claim.

We process your data for the following purposes:

• To fulfil a request from you or respond to your inquiries e.g. to resolve customer complaints; and
• to administer your claim properly.

In addition, we may process anonymized data in relation to customer cases (i.e. not personal data concerning injuries) for statistical purposes.

3. LEGAL GROUND for our processing

Cloetta processes personal data in accordance with applicable personal data protection legislation. Within the EU/EEA, the general data protection regulation (“GDPR”) will apply from 25 May 2018.¹

We will process your personal data when it is necessary to (i) fulfil a request from you or respond to your inquiries (ii) comply with a legal obligation and (iii) consistent with your consent given by providing us with personal data, such as sensitive data, in relation to a complaint or claim, we will process your data in order to handle the complaint or claim. Your data may also be processed when it is necessary for the purposes of a legitimate interest for Cloetta, inter alia, to market, improving our services. If a certain data process requires your prior consent, we will collect such consent before carrying out the processing in question.

Personal data that we request from you and indicated as mandatory is required to be provided in order for us to provide the service, e.g. for statutory, contractual, administrative or technical reasons.

4. How long do we keep your information?

We will only keep your information for as long as we need it: (i) to provide you with a product/service; (ii) to improve our services; and (iii) for legal and audit purposes. In order to administer injury claims, such as dental claims, we may keep your information for two (2) years after the case is closed (i.e. in order to handle further/additional claims arising out of the initial claim), unless longer storage is required by applicable law. We have routines in place to ensure that personal data is deleted thereafter.

5. How do we share your information?

5.1 Cloetta may engage third parties for the provision of services to Cloetta, such as provision of IT-systems, services and other activities. Your data may be shared with and processed by such service providers on behalf of Cloetta as required for the provision of the services to Cloetta. Within the use and provision of such services, your personal data may be transferred to countries outside the EU/EEA (third countries). In relation to such third country transfers, certain security measures will be taken in order to protect your data and ensure that the data keeps an adequate level of protection, e.g. by entering into a data transfer agreement including model clauses issued by the EU Commission and available on the EU Commission’s website.

5.2 Personal data may be disclosed to a third party if we are required to do so according to applicable laws and regulations or in order to detect and prevent fraud or other security or technical problems.

5.3 Companies which are processing personal data on behalf of Cloetta are obliged to sign an agreement with Cloetta in order to ensure a high level of protection for your personal data.

6. INFORMATION SECURITY

We strive to provide a high level of protection in all our personal data processing. We have therefore taken organisational and technical security measures in order to protect your personal data from unauthorised access, use, alteration and erasure.

[If applicable, your password protects your Cloetta account, so you should use a unique and strong password, limit access to your computer and browser, and log out after having signed in to your Cloetta account.]

7. our use of COOKIES

7.1 The use of cookies

This section describes our use of cookies. For further information about how the information may be used and shared by Cloetta, please see above.

7.2 What are cookies and how do we use them?

A cookie is a small text file that is placed on your computer, mobile phone, or other device when you visit a website. A cookie enables recognition of your computer and the collection of information on what websites and functions have been visited. It helps maintain your settings when you are navigating a website or return to the same website at a later point.

We use both session cookies (which expire once you close your web browser) and persistent cookies (which stay on your device for a set period of time or until you delete them). We use the following types of cookies for the purposes explained in this chart:

Name	Type of cookie, information collected by the cookie and the function of the cookie	Retention period	Domain name	Disclosure of information to third parties
Google Analytics	These cookies are tools for analyzing visitor behavior on the site in order to enhance user experience and ensure site functionality. Read more about all cookies from Google Analytics.	1 year	[Cloetta.se Cloettashop.se]	Google has access to the information collected by the cookie.
Google Tag Manager	Google Tag Manager is a tag management system that’s allows us to easily add or update tags, such as the cookies described in this cookie statement. Google Tag Manager is sending the data that is being received from the third party cookies to the third party applications where we can use this data for improving your website experience or make the ads more relevant for you.	1 year	[Cloetta.se Cloettashop.se]	Google has access to the information collected by the cookie
Facebook	The cookie from Facebook on our website is a tracking cookie which provides us with data of the user’s online interaction on our website such as purchases that have been made or if you have visited our website after clicking on one of our ads on Facebook. We use these cookies to serve you with advertisements that may be relevant to you and your interests. The information may also be used to regulate the advertisements you receive and measure their effectiveness.	1 year	[Cloettashop.se]	Facebook has access to the information collected by the cookie
Instagram	Instagram is the same kind of cookie as Facebook, a tracking cookie which provides us with data of the user’s online interaction on our website such as purchases that have been made or if you have visited our website after clicking on one of our ads on Instagram. This will help us to improve our advertisement and content on Instagram.	1 year		Facebook (Instagram) has access to the information collected by the cookie
Youtube	The cookie of Youtube is a tracking cookie which provides us with data of the user’s online interaction on our website such as purchases that have been made or if you have visited our website after clicking on one of our ads on Youtube. This will help us to improve our advertisement and content on Youtube.	1 year		Google (Youtube) has access to the information collected by the cookie
Doubleclick	Doubleclick’s technology enables us to collect information about the user’s online interaction and record conversions. To this end, Doubleclick may also use information of other parties to optimize ads. With Doubleclick technology we are not only able to customize ads, but additionally prevent repetitive ads. The cookies from Doubleclick can be used for different kind of advertisement channels such as, Google Adwords, Youtube and Display. For a more extensive explanation about how Doubleclick uses your (personal) data, please visit their privacy statement.	1 year		Google (Doubleclick) has access to the information collected by the cookie
Mailchimp	Mailchimp is our marketing automation tool where we are sending our newsletters from. The cookie from Mailchimp is also a tracking cookie which is gathering data of our website visitors behaviour such as how many pages do they look at, how long are they on the website, counting the purchases etc. This will give [brand name] a better insight in what content is relevant for our newsletter subscribers and how to improve this content to make it more relevant.	1 Year		Mailchimp has access to the information collected by the cookie
Optimizely	Optimizely is our A/B testing tool for our website. We use Optimizely to test different elements on our website to improve the User Experience for our visitors. Optimizely tells [brand name] which element is performing better (version A or B) based on clicks, conversions etc.	1 year		Optimizely has access to the information collected by the cookie
Magento	Magento is our e-commerce platform where this website is built on. The Magento cookie is a functional cookie which is necessary for a good performing website. Magento is storing all different kind of information about the visitor’s behaviour on our website such as purchases, account information (username, email address, name, age) etc. All this information is used to make it possible for our visitors to buy and order our products.	1 year	[Cloettashop.se]	Magento has access to the information collected by the cookie
Social media buttons	Our website features social media buttons. These buttons are used by the providers of these services to collect your personal data. For example, the Facebook Like button is hosted by Facebook and your browser sends the cookie data to Facebook. We have no access to this information and Facebook does not share the information with us. For more information, please visit Facebook’s privacy statement.		[Cloettashop.se]	Facebook has access to the information collected by the cookie

7.3 About your consent to the use of cookies

When you visit a website, you have the right to receive certain information such as how cookies are used.

Furthermore, you need to consent to our use of cookies. If you do not consent to the use of cookies, it may affect your user experience and you may not get full access to all features and functions on our website.

In case you have given your consent to the use of cookies, you can easily withdraw your consent and choose to block and/or delete the cookies. For more information on how to block/erase cookies, please see section Manage your cookies and other preferences.

7.4 Processing of personal data

Some of our cookies collect personal data, e.g., Facebook as mentioned in the chart above. In case you have signed up to receive our newsletters, we will be able to use the information for the purpose of creating a more personalized online experience for you, e.g. to provide marketing material that is relevant for you.

In case you have not signed up to receive newsletters, the data collected by the cookies will only be used for statistical purposes and to improve our website and we will not be able to identify you through that data.

For more information about how we use your personal data and for information regarding your rights, please see section 2 above.

7.5 Cookies placed by third parties

The website may contain content and sharing tools embedded from various social networks, such as Facebook. These suppliers may use and place cookies on our website. We do not have access to, and cannot control, these cookies or the personal data and information that they may collect.

You therefore need to check the websites of these suppliers to get further information on how they manage cookies and what information their cookies collect.

7.6 Manage your cookies and other preferences

Most web browsers allow you to manage your preferences. You can set your browser to refuse cookies or delete certain cookies. You can find out more about how to manage cookies on www.aboutcookies.org or click help in your browser menu. If you have any questions or comments about our use of cookies, please contact us at the address specified in section 9.

Please note that if you block our use of cookies, you may be unable to access certain areas of our website and certain functions and pages will not work in the usual way.

8. Your rights UNDER APPLICABLE DATA PROTECTION LEGISLATION

According to applicable data protection legislation, you are entitled to certain rights. If you want to exercise any of these rights, please contact us at the address specified in section 9 below.

As specified in applicable data protection legislation, you have the right to:

• Request access to and rectification of the personal data we process in relation to you;

• request erasure of your personal data;

• request that we restrict the processing of your personal data;

• object to the processing of your personal data and, in respect of processing based on your consent, to withdraw your consent at any time; and

• receive personal data about you that you have provided to us.

You are also entitled, at any time, to submit complaints to the relevant supervisory authority if you think that your personal data is being processed in violation of the applicable data protection legislation.

9. Contact information

The entity listed as the responsible entity for the digital channel in question is the data controller for personal data processed in relation to that digital channel. Where applicable, other legal entities within the Cloetta group may furthermore be data controllers for personal data processing in accordance with the terms of the respective service or function. If you have any questions regarding the processing of your personal data or want to exercise any of your rights under applicable data protection regulation, you may reach out to us via the following contact details.

Cloetta AB (publ)

Email: privacy@cloetta.com

Address: Englundavägen 7D, 171 41 Solna, Sweden

10. UPDATES to THE policy

This privacy policy was last updated in [April] 2018. We may update the policy from time to time, e.g. by making new versions available on our website or by providing the update by other appropriate means. You are recommended to visit our website from time to time to learn of any updates.