(a) if you are located in the EU or EEA, the General Data Protection Regulation (EU) 2016/679 (EU GDPR); or
(b) if you are located in the United Kingdom (“UK”), the retained version of the EU GDPR in the UK and the Data Protection Act 2018 (together referred to in this GDPR Policy as the “GDPR”).
If there is any inconsistency or conflict between this GDPR Policy and our Master Policy, this GDPR Policy shall prevail.
This GDPR Policy was updated on 5/22/23.
Gumball.com is the controller and is responsible for your Personal Information (collectively referred to as "Gumball.com", "we", "us" or "our" in this GDPR Policy).
If you have any questions about this GDPR Policy or our privacy practices, please contact our data privacy responsible person in the following ways:
- Full name of legal entity: Gumball.com, Inc.
- Mailing Address: PO Box 1029, Newport Beach, CA 92659
- Email address: email@example.com
- Telephone Number: +1-214-550-5020
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK regulator for data protection issues (www.ico.org.uk), or the relevant EU member state supervisory authority. We would, however, appreciate the chance to deal with your concerns before you approach the ICO/supervisory authority, so please contact us in the first instance.
Lawful Basis of Processing
We will only process the Personal Information subject to the GDPR as it is described in this GDPR Policy if we have a lawful basis for doing so. Most commonly, we will use your Personal Information in the following circumstances:
Generally, we do not rely on consent as a lawful basis for processing your Personal Information.
Purposes For Which We Will Use Your Personal Information
In the table below, we outline all the ways we intend to utilize your Personal Information, and the legal foundations we rely upon to do so. We have also identified our legitimate interests, where applicable.
Note that we may process your Personal Information on more than one lawful ground, depending on the specific purpose for which we are using your Personal Information. Please contact us if you need details about the specific legal ground we are relying on to process your Personal Information where more than one ground has been set out in the table below.
| Categories of Data Subjects | Categories of Personal Information | Purpose of Processing | Lawful Basis for Processing (and Lawful Basis for Processing Special Categories of Personal Information, if applicable) |
|---|---|---|---|
| Gumball.com customers/consumers (including website users) | Personal details including name and contact information. | | |
| | User activity details and user preferences. | | |
| | Browser history details. | | |
| | Electronic identification data including IP address and information collected through cookies. | | |
| | Credit card information and payment details. | | |
| | Contractual details including the goods and services provided. | | |
| | Special categories of Personal Information including data relating to health, genetics, race, ethnicity and religious beliefs. | | |
| Gumball.com suppliers and distributors | Name and contact information. | | |
| | Financial and payment details. | | |
We do not market directly to data subjects within the EU or UK. If we plan to change our approach to marketing to data subjects within the EU or UK we will update this GDPR Policy to reflect that.
We are a United States of America company; accordingly, when you share your Personal Information with us, this will involve transferring your Personal Information outside the UK and the EU/EEA.
Many of our external third parties are based outside the UK and EU/EEA so their processing of your Personal Information will involve a transfer of data outside the UK and EU/EEA.
Gumball.com discloses Personal Information to the following categories of recipients, some of which are located in countries outside of the UK and EEA:
- Business partners
- Auditors and professional advisors, such as lawyers and consultants
- Law enforcement officials
- Third-party service providers, such as providers of:
  (a) IT system management
  (b) information security
  (c) marketing agencies

Gumball.com transfers Personal Information (including Special Categories of Personal Information) to the following countries (some of which are known as "third countries" under the Data Protection Legislation):
  (a) United States of America
Whenever we transfer your Personal Information out of the UK and EU/EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will only transfer your Personal Information to countries that have been deemed to provide an adequate level of protection for Personal Information. For further details, see:
  - in relation to transfers out of the UK: https://ico.org.uk/for-organisations/dp-at-the-end-of-the-transition-period/data-protection-and-the-eu-in-detail/the-uk-gdpr/international-data-transfers/
  - in relation to transfers out of the EU/EEA: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en/
- Where we use certain service providers, we may use specific contracts approved for use in the UK which give Personal Information the same protection it has in the UK and/or EU/EEA. For further details, see:
  - in relation to transfers out of the UK: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/
  - in relation to transfers out of the EU/EEA: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en
Please contact us if you want further information on the specific mechanism used by us when transferring your Personal Information out of the UK or EU/EEA.
Access to Information and Your Rights
For United Kingdom and EU residents subject to the GDPR, you have certain rights relating to your Personal Information, subject to local data protection laws. These rights may include:
- To access your Personal Information held by us (right to access)
- To rectify inaccurate Personal Information and, taking into account the purpose of processing the Personal Information, ensure it is complete (right to rectification)
- To erase/delete your Personal Information, to the extent permitted by applicable laws (right to erasure; right to be forgotten)
- To restrict our processing of your Personal Information to the extent permitted by law (right to restriction of processing)
- To transfer your Personal Information to another controller or processor, to the extent possible (right to data portability)
- To object to any processing of your Personal Information carried out on the basis of our legitimate interests (right to object). Where we process your Personal Information for direct marketing purposes or share it with third parties for their own direct marketing purposes, you can exercise your right to object at any time to such processing without having to provide any specific reason for such objection. Please note that we do not currently market to data subjects within the UK and EU/EEA.
- To the extent we base the collection, processing, and sharing of your Personal Information on your consent, to withdraw your consent at any time, without affecting the lawfulness of the processing based on such consent before its withdrawal.
To exercise these rights, please submit your specific request using the information in the Contact section above.
Timeframe for Responding to Requests
Gumball.com will respond to your request within thirty (30) days of receipt. The response period may be extended if your request is particularly complex or you have made a number of requests. In that event, we will inform you of the reason and extension period in writing, and keep you updated.
Required Information for Responding to Requests
Gumball.com may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Information (or to exercise any of your other rights). This is a security measure to ensure that Personal Information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded, in which case we will charge a reasonable fee. Alternatively, we could refuse to comply with your request in these circumstances.