privacy policy
Grotto Aesthetics Privacy Notice
Last Update Date: 01-APR-2022
Grotto Aesthetics and its group entities d/b/a Grotto Wax (“Grotto”) is committed to protecting your privacy. Throughout this notice, the terms “we”, “us”, “our” or “ours” refer to Grotto. And the terms “you”, “your” or “yours” refer to YOU (as the Data Subject). Subscriber refers to any customer or business that uses or subscribes to any Grotto software or services, including but not limited to Subscriber’s employees, advisors, contractors, agents, consultants, or others acting on behalf of the Subscriber. Guest refers to our Subscriber’s customer.
This privacy notice (“Privacy Policy”) describes how Grotto collects, stores, uses, shares, and otherwise processes information relating to individuals (“Personal Data”). It also describes the rights and choices available to you regarding your Personal Data.
This Privacy Policy applies to the processing of Personal Data collected by us when you (i) visit www.grottowax.com and our other websites that display or link to this Privacy Policy; (ii) receive communications from us, including emails, phone calls, texts or fax; (iii) use our products and services, including the Grotto platform, as an authorized user where we act as a “controller” of your Personal Data as that term is defined under the General Data Protection Regulation 2016/679 (“GDPR”); and (iv) apply directly through the Grotto careers page. For the purposes of the GDPR and other applicable data protection legislation, the data controller for Personal Data we collect under this Privacy Policy is Grotto.
This Privacy Policy only applies to Grotto’s processing of your Personal Data by us or on our behalf. This Privacy Policy does not apply to:
Personal Data collected by third parties during your communications/dealings with those third parties or your use of their products or services (for example, where you follow links to third party websites over which we have no control).
Personal Data processed, stored, or hosted by us when we act as a data processor on behalf of our Subscribers in the course of providing our services, in which case the privacy notice of the relevant Subscriber(s) will apply, and our data processing agreement with such Subscribers will govern our processing of your Personal Data.
What Personal Data We Collect and Process?
The Personal Data we collect directly from you includes identifiers, contact information, professional or employment-related information, commercial information, and internet activity information. We collect such information in the following situations:
If you use our “Contact Us” option on the website; request a demo; sign up for an event, webinar or contest; sign up for a referral program; download certain content such as an eBook or case study; enter information in the landing pages used by Marketing teams; or use our “Ordering Device” section on the website, we may require that you provide to us your contact information, such as your first name, last name, full name, email, phone, location, country, business name and shipping address.
If you interact with our websites or emails, we automatically collect information about your device and your usage of our websites or emails (such as Internet Protocol (IP) addresses or other identifiers, which may qualify as Personal Data) using cookies, web beacons, or similar technologies.
If you use and interact with our services, we automatically collect information about your device and your usage of our services through log files and other technologies, some of which may qualify as Personal Data.
If you communicate with us via a phone call from us, we may record that call.
If you voluntarily submit certain information to our services, such as filling out a survey about your user experience, we collect the information you have provided as part of that request.
If you apply directly through the Grotto online recruitment system and careers page, we collect identifiers (including personal and contact details), professional and employment related information (including the information contained in your resume or CV), educational information, and personal characteristics (where the collection of such data is allowed by law).
If you provide us with any Personal Data relating to other individuals, you represent that you have the authority to do so, and where required, have obtained the necessary consent, and acknowledge that it may be used in accordance with this Privacy Policy. If you believe that your Personal Data has been provided to us improperly or want to exercise your rights relating to your Personal Data, please contact us by using the information in the “Contact us” section below.
We also collect information about you from other sources including third parties and from publicly available information. We may combine this information with Personal Data provided by you. This helps us update, expand and analyze our records and create more tailored advertising to provide services that may be of interest to you.
Subscriber Data
Some of our services include processing of data, including the Personal Data of Guests, on behalf of our Subscribers and Vendors in relation to applications, tools or software that we provide. The Personal Data we collect and process on behalf of our Subscribers may include the following:
Demographic & Identity Data: We may collect personal data of the Guest (our Subscriber’s guest or customer) such as first name, last name, email, address, contact number, gender, date of birth, photograph, signature, gift card recipient name, gift card recipient address. Additionally, location and device ID are also collected when using mobile apps.
Financial Data: Data collected from the Guest may include name on the card, last 4 digits of the card number, card expiry date, card scheme, card token no. CVV information is also collected; it is not stored at our end but is shared with the payment processor.
Health and Fitness Data: Data collected from the guest may include patient medical history, skin related details, weight, allergies, medical test reports, photographs of health condition, signatures of patient, signatures of doctor, and any other custom information that may be necessary to be collected for the patient’s treatment.
Employee Information: We may collect personal data of the Employee (our Subscriber’s employees, advisors, contractors, agents, consultants, or others acting on behalf of the Subscriber) such as first name, last name, email, address, contact number, gender, date of birth, photograph, signature. Additionally, location, device id and IP addresses are also collected when using mobile apps.
Save for the limited circumstances set out in this Privacy Policy, we are not the data controller of this information as we do not determine the purposes or the means of the processing.
What is the basis of collecting and processing Your Personal Data?
We collect and process your Personal Data by relying on one or more of the following bases:
The processing is necessary for the purpose of performance of the contract we have with you OR our Subscribers or Vendors on whose behalf we are serving you.
You have explicitly agreed to/consented to us processing your Personal Data for a specific purpose.
The processing is necessary for purposes of informing, promoting, and selling our services to you.
The processing is necessary for Purposes of Employment that you may seek with us.
The processing is necessary for the purpose of protecting the Grotto data from threats, violations, and breaches if any.
How Do We Use Your Personal Data?
We use your Personal Data for the following purposes:
To verify your identity
To deliver our products and services to you and on behalf of our Subscribers and Vendors
To communicate with you regarding existing products and services availed by you, including notifications of any alerts or updates
To evaluate, develop and improve our products and services
For market analysis, product analysis and market research
To send you information about our other products or services which may be of interest to you
To handle enquiries and complaints
To comply with legal and/or regulatory requirements
To investigate, prevent, and/or take action regarding illegal activities, suspected fraud and situations involving potential threats to the safety of any person
Grotto has a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, (b) enforce applicable provisions of the Terms of Use Agreement, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against imminent harm to the rights, property or safety of Grotto, its users or the public as required or permitted by law.
If we need to collect and process Personal Data by law, or under a contract we have entered into with you, and you fail to provide the required Personal Data when requested, we may not be able to perform our contract with you.
With whom your Personal Data may be shared?
We DO NOT SELL your personal data.
We share your information only in the ways that are described in this Privacy Policy, and only with parties who adopt appropriate confidentiality and security measures. We may share your Personal Data with the following for the purposes and pursuant to the legal bases described above:
Affiliates: We may share your Personal Data with the Grotto group entities.
Sub-processors: We may use third parties in the provision of our products and services to you. We may share your Personal Data with such third parties. Vendors of such third parties / sub-processors may also have access to your information.
Third Parties Involved in a Corporate Transaction: If Grotto becomes involved in a merger, acquisition, or any form of sale of some or all its assets, then, in accordance with applicable laws, Grotto will use reasonable efforts to notify you of any transfer of Personal Data to an unaffiliated third party.
Subscribers With Whom You Are Affiliated: If you use our services as an authorized user, we may share your Personal Data with your affiliated Subscriber responsible for your access to the services to the extent this is necessary for verifying accounts and activity, investigating suspicious activity, or enforcing our terms and policies.
Grotto may share with third-parties certain pieces of aggregated, non-personal data, such as but not limited to the number of users who clicked on an advertisement on the Site, the number of users that clicked on any page within the Site or aggregated business performance data across a geographical region.
We may also share your personal data with law enforcement authorities, government authorities, courts, dispute resolution bodies, regulators, auditors, and any party appointed or requested by applicable regulators to carry out investigations or audits of our activities.
Security of Information
Grotto takes all appropriate security measures to protect your personal data.
Cross-Border Data Transfer
All Personal Data we hold about you may be transferred, processed, and stored anywhere in the world, including but not limited to, the United States, India, or other countries, which may have data protection laws that are different from the laws where you live. Our endeavor is to safeguard your personal data consistent with the requirements of applicable laws. Therefore, your Personal Data may be processed outside your jurisdiction, and in countries that are not subject to an adequacy decision by the European Commission or your local legislature or regulator, and that may not provide for the same level of data protection as your jurisdiction, such as the European Economic Area. We ensure that the recipient of your Personal Data offers an adequate level of protection and security, for instance by entering into the appropriate back-to-back agreements and, if required, standard contractual clauses or an alternative mechanism for the transfer of data as approved by the European Commission or other applicable regulator. Where required by applicable law, we will only share, transfer, or store your Personal Data outside of your jurisdiction with your prior consent.
Use of Cookies and Other Tracking Mechanisms
We may use cookies, web beacons, pixels, and other tracking mechanisms on our website and other digital properties to collect data about you. When you visit our websites, we, or an authorized third party, may place a cookie on your device that collects information, including Personal Data, about your online activities over time and across different sites. Cookies allow us to track use, infer browsing preferences, and improve and customize your browsing experience.
We also use web beacons and pixels on our websites and in emails. For example, we may place a pixel in marketing emails that notifies us when you click on a link in the email. We use these technologies to operate and improve our websites and marketing emails.
Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers. Please note that we do not respond to or honor DNT signals or similar mechanisms transmitted by web browsers.
Please note, however, that by blocking or deleting cookies and similar technologies used on our websites, you may not be able to take full advantage of the websites.
Your Privacy Rights
You have the following Privacy Rights, and we commit to provide you with the same:
Right of Access: You have the right to get access to your Personal Data that is with us along with other supporting information.
Right to Rectification: You have the right to ask us to rectify your Personal Data that is with us that you think is inaccurate. You also have the right to ask us to complete your Personal Data that you think is incomplete.
Right to Erasure: You have the right to ask us to erase your Personal Data that is with us under certain circumstances.
Right to Restriction of Processing: You have the right to ask us to restrict the processing of your Personal Data under certain circumstances.
Right to Data Portability: You have the right to ask that we transfer the Personal Data you gave us to another organization, or to you, under certain circumstances.
Right to Object: You have the right to object to the processing of your Personal Data under certain circumstances.
Right to not be subjected to Automated individual decision-making: You have the right not to be subjected to automated individual decision-making, including profiling. Automated decision-making currently does not take place on our websites or in our services.
Right to lodge a complaint with the Supervisory/Regulatory Authority: You have the right to lodge a complaint with the appropriate supervisory/regulatory authority.
For more information on exercising your Privacy Rights please contact us at info@Grottowax.com
As described above, we may also process Personal Data submitted by or for a Subscriber to our cloud products and services. To this end, if not stated otherwise in this Privacy Policy or in a separate disclosure, we process such Personal Data as a processor on behalf of our Subscriber (and its affiliates) who is the controller of the Personal Data. We are not responsible for and have no control over the privacy and data security practices of our Subscriber, which may differ from those explained in this Privacy Notice. If your Personal Data has been submitted to us by or on behalf of a Subscriber and you wish to exercise any rights you may have under applicable data protection laws, please inquire with them directly. Because we may only access a Subscriber’s data upon their instructions, if you wish to make your request directly to us, please provide us the name of the Subscriber who submitted your Personal Data to us by writing to us at info@grottowax.com. We will refer your request to that Subscriber and will support them as needed in responding to your request within a reasonable time frame.
Links to Other Websites
Our website may contain links to websites of other organizations. This privacy notice does not cover how those organizations process your Personal Data. We encourage you to read the privacy policies on the other websites you visit.
Marketing / Promotional communications and Opt-out
If we process your Personal Data for the purpose of sending you marketing communications, you may choose to stop receiving these communications by following the unsubscribe instructions included in these emails, by replying with your unsubscribe request, or by contacting us at info@grottowax.com. Please note that opting out of marketing communications does not opt you out of receiving important business communications related to your current relationship with us, such as communications about your subscriptions or event registrations, service announcements or security information.
Retention of Personal Data
We retain your personal data for as long as it is required for the purposes stated in this Privacy Policy. Sometimes, we may retain your data for longer periods as permitted or required by law, such as if required in connection with a legal claim or proceeding, to enforce our agreements, or to comply with other legal obligations. When we no longer have a legitimate need to process your data, we will delete or anonymize your data from our active databases.
Children
Our websites and online services are not directed at children. We do not knowingly collect Personal Data from children under the age of 16 or such other applicable age of consent for privacy purposes in relevant individual jurisdictions. If you are a parent or guardian and believe your child has provided us with Personal Data, please contact us by using the information in the “Contact Us” section below and we will take steps to delete their Personal Data from our systems.
Notification of Changes
We regularly review and update our Privacy Notice to ensure it is up-to-date and accurate. Any changes we may make to this Privacy Notice in future will be posted on this page. If we make a material update, we may provide you with notice prior to the update taking effect, such as by posting a conspicuous notice on our website or by contacting you directly, or where required under applicable law and feasible, seek your consent to these changes.
Contact Us
If there are any questions regarding this privacy notice, you may contact us at [email protected] or at the below mentioned address
Address: 2205 W 136th Ave Ste 412 Broomfield, CO 80023
You may also contact our Data protection officer / Privacy officer in relation to any privacy or data protection issues through the above email address ([email protected]).
Additional Disclosures for California Residents
The California Consumer Privacy Act (“CCPA”) requires businesses to disclose whether they sell Personal Data. As a business covered by the CCPA, we do not sell Personal Data. We may share Personal Data with third parties or allow them to collect Personal Data from our sites or Services if those third parties are authorized service providers or business partners who have agreed to our contractual limitations as to their retention, use, and disclosure of such Personal Data, or if you use our Services to interact with third parties or direct us to disclose your Personal Data to third parties.
Consistent with the CCPA, job applicants, current and former employees and contractors, and subjects of certain business-to-business communications acting solely in their capacity as representatives of another business, are not considered consumers for purposes of this section or the rights described herein.
California law requires that we detail the categories of Personal Data that we disclose for certain “business purposes,” such as to service providers that assist us with securing our services or marketing our products, and to such other entities as described in this Privacy Policy. We disclose the following categories of Personal Data for our business purposes:
Identifiers;
Commercial information;
Internet activity information;
Financial information;
Professional and employment-related information;
Education information; and
Inferences drawn from any of the above information categories.
California law grants state residents certain rights, including the rights to access specific types of Personal Data, to learn how we process Personal Data, to request deletion of Personal Data, and not to be denied goods or services for exercising these rights.
If you are a California resident under the age of 18 and have registered for an account with us and have posted content or information on or through the services, you can request that such information be removed by contacting us using the information in the “Contact Us” section above. Please note that your request does not ensure complete or comprehensive removal of the content or information, because, for example, some of your content may have been reposted by another user.
For information on how to exercise your rights, please refer to the “Your Privacy Rights” section above. If you are an authorized agent wishing to exercise rights on behalf of a California resident, please contact us using the information in the “Contact Us” section above and provide us with a copy of the consumer’s written authorization designating you as their agent. We may need to verify your identity and place of residence before completing your rights request.
Shine the Light
California law permits customers in California to request certain details about how their personal information is shared with third parties, and in some cases affiliates, if personal information is shared for those third parties’ or affiliates’ own direct marketing purposes. We do not share personal information with third parties or affiliates for those third parties’ or affiliates’ own direct marketing purposes. Californians may request information about our compliance with this law by contacting us at [email protected] or by sending a letter to:
Grotto Aesthetics
2205 W 136th Ave Ste 412
Broomfield, CO 80023
Attn: Legal Department – Privacy/Shine the Light
Any such request must include your name and “California Shine the Light Privacy Rights Request” in the first line of the description and, if sent by mail, must include your street address, city, state, and zip code.
Please note that “Shine the Light” rights and CCPA rights are granted by different laws and must be exercised separately.