Privacy Notice

Thank you for visiting our website. We respect your privacy and your desire to understand how your information will be handled and used. Protecting your privacy is important to us, whether you engage with us as an Itsapark member, subscriber of newsletters, contacting our customer service or just browsing our website.   

This Privacy Notice sets out how and why we collect, store, process and share your personal data. We will be as transparent as possible with you about what we do with your personal data.

This Privacy Notice also tells you what your rights you have in relation to the personal data you give to us or obtained by us by other means. 

1. Who we are?

Itsapark is a brand of H & M Hennes & Mauritz GBC AB, a limited liability company registered under Swedish law and an affiliate of the H&M Group. References in this Privacy Notice to "we", "us" “our”, and "Itsapark" refers to H & M Hennes & Mauritz GBC AB, who is the data controller and responsible for protecting your privacy in relation to your personal data collected, used, stored etc. by us unless we inform you otherwise. If you have any questions about this Privacy Notice, please contact:

H & M Hennes & Mauritz GBC AB Mäster Samuelsgatan 46 106 38 Stockholm Sweden

Itsapark and Tipser AB are to some extent acting as joint controllers for specific processing activities in connection with the fulfilment of orders in our online shop. They have concluded agreements stipulating which of them fulfils which data protection obligations. Itsapark will provide you with the essential provisions of these agreements upon request.

We have appointed a Data Protection Officer to ensure that we continuously process your personal data in an open, accurate and legal manner. You can contact our Data Protection Officer at dataprotection@itsapark.com .

2. When do we collect your personal data?

We collect your personal data either directly from you or from someone else with whom you have shared your personal data, when you

More detailed information on the individual data processing operations can be found below under the respective heading.

3. Why do we process your data?

3.1. Data Security and Use of the Website

Why do we use your data? We need data to improve the quality of our website and to ensure the security of the data, for example by early detection of attacks on our website. We also use an encryption process on our website to ensure secure data transmission. You can recognise this by the lock symbol in the status bar of your browser.

What data is used and how? We process the following data for the above purposes: 

What is the legal basis? Except for the IP address, the processed data is anonymous. The IP address is processed on the basis of art. 6 para. 1 lit. f) GDPR in the legitimate interest of being able to recognise, limit and eliminate attacks on our website.

How long do we retain your personal data? Your IP address will be deleted or anonymised after 180 days.

3.2. Performance Monitoring 

Why do we use your data? Itsapark operates a performance-based business model. Our revenues come inter alia from commissions claimed and paid by our Brand Partners in consideration of our contributions to their actual sales. A “Brand Partner” is a brand, trademark or company affiliated to Itsapark. Every time you place a purchase order with a Brand Partner, we use your personal data to claim our commissions. We also analyse this information on an aggregate level (not on a personalised level) to improve our overall operational performance and efficiency.

What data is used and how? From our Brand Partners we obtain any relevant information necessary for us to claim commission, including (if applicable) your member identification number, order identification number, time of purchase, purchased items, quantity, price and returns.

What is the legal basis? The legal basis for data processing for the above purposes is our legitimate interest pursuant to art. 6 para. 1 lit. f) GDPR in generating our income through which we finance our services.

How long do we retain your personal data? We only store your data for as long as they are needed to fulfill the above-mentioned purposes. Since the data is processed for our commission claims, there may be statutory retention and limitation periods for which we must store your data.

3.3. Creating curated content

Why do we use your data? Itsapark contributes to smart content curation. This means that we gather information from you and from our Brand Partners to make the website more relevant to your preferences and areas of interest, ultimately adding value to your Itsapark membership.  For the same purpose we use information collected through cookies or other website tracking technologies. For further information, please read the Cookie Policy section.

What data is used and how? To make content more relevant to you we use personal data obtained from you when you registered for membership, created a personal profile, from cookies or other online tracking technologies, or from our Brand Partners (e.g. product pictures, headlines or descriptions). 

What is the legal basis? Processing your personal data is necessary for us to provide content curation services and hence fulfilling our contractual obligations to you. The provision of the data is necessary for the fulfillment of the contract. The legal basis is art. 6 para 1 lit. b GDPR.

The use of cookies or other online tracking technologies we would require your consent pursuant to art. 6 para 1 lit. a, 7 GDPR. You can withdraw your consent at any time. You will find more details on this under the point "Your rights". The provision of this data is not obligatory for you. However, if you do not provide us with this information, we may not be able to show you products that are tailored to your interests. 

How long do we retain your personal data? We only retain and use your personal data for as long as you are a member of Itsapark. The membership automatically expires if you have not logged on a single time during a period of 24 months upon which all personal data is permanently erased. Exceptions to the above are if we are compelled by mandatory law or regulations to keep it or for the establishment, exercise and defense of a legal claim.

3.4. Registration and Managing your Membership

Why do we use your data?  We must use your personal data to be able to process your membership registration form, grant you certain membership rights and benefits and to manage your account according to the Terms & Conditions. 

We also you use your personal data to ensure the confidentiality and integrity of your membership and account. We process your personal data to verify that you are you whenever you sign-in to your account and to prevent others (including bots) to unlawfully access your account and information, or unlawfully use or misuse your log-in credentials.

What data is used and how? The first time you register for membership you will provide us with a minimum set of data including your name, e-mail address and age (for ensuring your legal capacity). 

When you register your membership and account you are also asked to create a personal profile. Creating a personal profile is optional and not a requirement unless you want to receive personalised offerings and promos (direct marketing) based on your personal attributes, such as country of residence, gender, interests, etc.   

It might be convenient for you to register a membership with us or sign-in to your account via Apple, Facebook or Google (“Social login”). When using Social login, we will receive only such data from the Social login provider necessary for us to create a membership or authorise access to an existing account and which you already have shared with the Social login provider. No information will be shared with any Social login provider during the registration or sign-in procedure or thereafter, unless you have been explicitly informed and the data protection regulations are fulfilled.

To protect our web forms from automated requests, we use so-called captchas of third party providers (Sendgrid, auth0). Within the captcha function you may be asked to solve tasks or click on checkboxes. The user input made in this context and possibly also the mouse movements are used to estimate whether the input is from a human or an automated program. Since the function is provided by a third party, the display of the captcha leads to the reloading of content from the third party. Through this, the third party provider receives the information that you have called up our site as well as the usage data technically required in this context. We have no influence on the further data processing by the third party provider.

What is the legal basis? Your personal data is necessary for us to manage your membership request, your benefits and otherwise fulfill our obligations under the membership agreement you have concluded with us. The legal basis for this is art. 6 para 1 lit. b) GDPR. The provision of your data is necessary for the conclusion and fulfillment of the contract.

If you also provide voluntary information in your user profile, data processing is based on your consent in accordance with art. 6 para. 1 lit. a), 7 GDPR, which you can revoke at any time. You can find more details on this under "Your rights".

The integration of captchas is based on art. 6 para. 1 lit. f) GDPR in our legitimate interest of protection against spam and abuse.

How long do we retain your personal data? We retain and use your data for as long as you are a member of Itsapark. The membership automatically expires if you have not been logged on during a period of 24 months, upon which all personal data are permanently erased. Exceptions to the above are if we are compelled by mandatory law or regulations to keep it or for the establishment, exercise and defense of a legal claim.

3.5. Fulfilment of orders in our online shop

Why do we use your data? We process your data jointly with our partner Tipser AB for the fulfilment of orders in our online shop. This includes the delivery of goods, the handling of payments, the granting of discounts, the use of vouchers and the processing of returns and claims for defects. You will be kept up to date on the receipt of an order and its status by e-mail.

What data is used and how? Jointly with our partner Tipser AB, we process data about your purchases (billing address, delivery address, contact details) as well as data for the handling of payments.

What is the legal basis? Your data is necessary so that we and our partner Tipser AB can manage your orders and fulfil the obligations from concluded sales contracts. The legal basis for this is art. 6 para 1 lit. b) GDPR. The provision of your data is necessary for the conclusion and performance of a contract.

How long do we retain your personal data? Your data will be stored for the duration of legal retention periods or the data is absolutely necessary for the establishment, exercise or defence of legal claims.

3.6. Providing Newsletters

Why do we use your data? If you are a subscriber to newsletters, we must collect and use certain information concerning you. This because we must ensure that we send the newsletter to the right recipient, to the right address and with the right content reflecting your personal preferences and interests. After registering for the newsletter, you will receive a confirmation e-mail to the e-mail address you provided, in which you must click on the verification link (so-called double opt-in procedure).

What data is used and how? To be able to send you newsletters by e-mail we need at least your name and e-mail address. When signing up for newsletters you have the option to add reading preferences. By doing so you give us the opportunity to personalise the content and make it even more relevant to your personal preferences and interests. 

What is the legal basis?  We collect and use your personal data for the purpose of producing and distributing newsletters only after receiving your consent pursuant to art. 6 para 1 lit. a), 7 GDPR. You can withdraw the consent at any time, e.g. over the link for the unsubscription in each newsletter. You can find more information on this under the point "Your rights".

The data processing for the proof of the newsletter order can include the storage of the complete IP address at the time of the order or the confirmation of the newsletter, as well as a copy of the confirmation e-mail sent by us. This is done on the basis of art. 6 para. 1 lit. f) GDPR in the legitimate interest of being able to account for the legality of the newsletter dispatch.  

How long do we retain your personal data? We retain and use your data for as long as you subscribe to our newsletter. If you no longer are a subscriber any and all personal data you provided to us when you signed up for the newsletter is permanently erased. Exceptions to the above are if we are compelled by mandatory law or regulations to keep it or for the establishment, exercise and defense of a legal claim.

3.7. Customer Service

Why do we use your data? We will use your personal data to manage your queries and to handle complaints and technical support matters through available communication means, such as e-mail, our chat function or through social media. We will also analyze communication data in order to gain insights in customer preferences, expectations and trends etc. Any such data is analysed on an aggregated level, not possible to single out the identity of individuals.

We may also reach out to you through email, telephone, social media or any other means to request your participation in a survey, which is however voluntary.

What data is used and how?  We will process any data you provide to us, including name and contact information and all correspondence in the matter. For surveys, we process your contact data as well as your answers and survey results.

What is the legal basis? The processing of your personal data is based on our legitimate interest to provide state-of-the-art customer experience. Data that you provide us which is not absolutely necessary to answer your inquiry will be processed by us on the basis of your consent in accordance with art. 6 para. 1 lit. a), 7 GDPR.

Contact for the purpose of conducting voluntary surveys is made on the basis of your consent in accordance with art. 6 para. 1 lit. a), 7 GDPR.

Insofar as your data provided in the context of the inquiry is processed on the basis of art. 6 para. 1 lit. f) GDPR, you can object to the processing at any time. In addition, you can revoke your consent to the processing of the voluntary information at any time. You will find more details on this under the heading "Your rights".

How long do we retain your personal data?  We will keep your data no more than necessary for fulfilling the purpose, in no event more than 100 days for e-mail logs and correspondence and maximum for 12 months for case management. Survey results and tracking data are stored for 24 months.

3.8. Social Plugins and Links

Why do we use your data?  We enable you to use social plugins (Instagram / Facebook, Inc. and YouTube / Google, Inc.) to contact us on our social media channels and to be informed about the latest trends. In addition, if you are interested in a product, you will be forwarded to the corresponding website of our brand partner by clicking on the display image.

What data is used and how? Due to data protection, we only integrate the social plugins we use in a deactivated form, so that no data is transmitted to the social media services when you open our website. Only when you actively click on the respective icon, you activate the plugin so that your browser establishes a connection to the servers of the social media service. In this case, the social media service will receive your IP address in particular, as well as information about your visit to our website. This happens regardless of whether you have an account with the respective social media service. If you are logged in, the data can also be assigned directly to your social media profile.

Overall, we have no influence on whether and to what extent the respective social media service processes personal data after activation. However, it is likely that it will create user profiles from your data and use them for purposes such as personalised advertising.

If you click on a link of one of our Brand partner’s websites, we only transfer your URL.

What is the legal basis?  The embedding of the social plugins is based on your consent in accordance with art. 6 para. 1 lit. a) GDPR, provided you give your consent by clicking on the preview image. If you no longer wish data processing by the activated social plugins, you can prevent future processing by no longer clicking on the symbol of the respective social plugin.

How long do we retain your personal data? We do not store any data about you with the social plugins.

3.9. Application Portal

Why do we use your data? We offer you the opportunity to apply online via our application portal on the website. In order to contact you, to carry out the application procedure and to possibly establish a working relationship, the processing of various personal data is essential.

What data is used and how? For this purpose, we need your personal details and contact information as well as information that will enable us to determine your professional suitability for the position to be filled (references, qualifications, certificates, etc.). In addition, we process data from your CV, a letter of motivation, if applicable, as well as other data that you voluntarily make available to us as part of your application.

What is the legal basis? The legal basis for the processing of the data that we require to carry out the employment relationship is art. 6 para 1 lit. b) GDPR, art. 88 GDPR and § 26 para. 1 sentence 1 BDSG. The provision of this data is necessary for the conclusion of a possible employment contract. If this data is not provided, we may not be able to consider you in the application process.

If you voluntarily provide us with additional information about yourself, data processing is based on your consent, which can be freely revoked at any time, in accordance with art. 6 para. 1 lit. a) GDPR, art. 88 GDPR and § 26 para 2 BDSG. The provision of this data is neither legally nor contractually required or necessary for the conclusion of a contract. If you do not provide it, you do not have to fear any disadvantages for your chances in the application procedure.

How long do we retain your personal data? In case of a recruitment, your application data will be added to the personal file. In the event of non-employment, we will delete them no later than 6 months after the rejection decision, unless we need them to assert, exercise or defend legal claims.

If we are currently unable to offer you a position, but would like to keep your application documents for future vacancies, we will ask you explicitly whether you agree to a longer data storage (consent to data storage).

4. To whom do we transfer your personal data?

Whenever we share your personal data, we put safeguards in place keeping your data safe. We will never sell any of your personal data to a third party. However, in order for us to provide our services to you, we share your personal data with H&M Group companies and with Brand Partners. Purchase orders in our online shop are processed by our partner Tipser AB. For this purpose, we transfer the necessary data to Tipser AB. Tipser AB processes the data received as the controller in order to fulfil the order.

In addition, we use processors (e.g. IT service providers) for various services, who process your personal data strictly in accordance with our instructions on our behalf and who we have contractually obliged to comply with data protection regulations. In addition, data is transferred in the event of corresponding legal obligations (e.g. to authorities), which we will inform you about in specific cases.

The data that we collect from you or from others is stored within the European Union and the European Economic Area (“EU/EEA”) but may also be transferred to and processed in a country outside of the EU/EEA, where the level of data protection may be lower than in the EU. Any such transfer of your personal data will be carried out in compliance with applicable laws. In case we need to transfer personal data to countries outside of the EU/EEA not qualifying as a safe country by the European Commission we will yet protect your privacy by the use of approved safeguard measures such as Standard Contractual Clauses.

If you like more detailed information about our data transfers, in particular on the adequate safeguards for third country transfers and where they are available, please contact dataprotection@itsapark.com.

5. Your rights

5.1. What rights do you have?

When processing your personal data, the GDPR grants you certain rights:

Right of access You have the right of access to the data processed by you to the extent provided for in art. 15 GDPR.

Right to rectification You also have the right to have your data corrected (art. 16 GDPR) if any of your data is incorrect or no longer current.

Right to erasure (‘right to be forgotten’) You also have the right to have your data deleted ("right to be forgotten") if one of the reasons listed in art. 17 GDPR applies, in particular if we no longer need the data to fulfill the purpose, if you revoke any consent you have given or if you object to data processing for advertising purposes. Exceptions to this are mainly in the case of statutory retention periods and data processing for the exercise and defence of legal claims.

Right to restriction of processing If one of the reasons listed in art. 18 GDPR applies, you can also request that the processing of your personal data be restricted.

Right to data portability In certain cases, which are listed in detail in art. 20 GDPR, you have the right to receive the personal data concerning you in a structured, common and machine-readable format or to request the transfer of such data to a third party.

Right to withdraw your consent If the data processing is based on your consent (see above), you can revoke this consent at any time without affecting the lawfulness of the data processing until the time of revocation.

Right to object Furthermore, according to art. 21 GDPR, in the case of data processing pursuant to art. 6 para 1 lit. e) or f) GDPR, you have the right to object to the processing at any time for reasons arising from your particular situation. We will then no longer process the personal data unless there are verifiable compelling reasons for processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

Right to lodge a complaint with a supervisory authority If you have any complaints regarding the processing and protection of your personal data by the H&M Group, you have the right to lodge a complaint with the Swedish Data Protection Authority (Integritetsskyddsmyndigheten - IMY) or any other competent supervisory authority in your country of residence at any time.

5.2. How to exercise your rights?

If you want to exercise your rights, please send an e-mail to our customer service who will help you with your requests to: hi@itsapark.com. We will get back to you as soon as possible.