LULUROX is committed to ensuring that your privacy is protected. This privacy policy covers all services for LULUROX customers. In privacy policy, we are calling this entity “the Services”. This privacy policy applies to any online and mobile website, application and and digital service (“the services”) of LULUROX (“we, “us”, “our”) and explains what information we collect, how we process it and the procedure we have in place to safeguard your privacy-as well as what are the obligations and rights concerning the personal data processing, for both LULUROX and the user of the Services.

In all processing of personal data LULUROX complies with EU General Data Protection Regulation, the Data Protection Act and other applicable legislation.

Personal data is information from where an individual person can be directly or indirectly identified. Later in this privacy policy we refer to personal data by the word ”user”.

If you do not agree to the following policy you may wish to cease from using/viewing this website.

1 Controller

The controller is LULUROX (Business ID: 2653859-7) and the user can contact LULUROX using the following contact information:

Phone: +358 451 057 998


2 What User Personal Data Do We Collect?

We collect personal data for the purposes mentioned in section 4 of this privacy policy. The collected information may vary in both purpose and source of information. In section 3 you can read more about how and from where we collect personal data.

Data provided to LULUROX by the user:

  • identification data, such as name, age, date of birth
  • contact information, such as address, phone number and e-mail address
  • registration information of LULUROX account, such as user code and encrypted password
  • billing and payment information collected during payment
  • ordering information, as well as cancelling information
  • customer feedback and other contacts, such as customer calls and e-mails
  • interest data provided by the user
  • language of contact
  • purchase history, areas of interest based on purchase history and wish-list
  • consents, authorisations and prohibitions (also related to third party services)
  • data provided for surveys and studies
  • customer service calls, e-mails and customer service interaction in different service channels

We collect information about the use of the Services, and about technical characteristics of devices used.

Other data than the data provided by the user:

  • IP address (and location country)
  • cookies
  • actions and their durations in the Services (such as information on programs watched in the Services, and used sites with their times)
  • unique identification numbers used by devices (computer ID)
  • information of the device used, type of operating system and software versions
  • browser type and language settings
  • logon information through third party services (Facebook, Google, Instagram, Pinterest)

We can combine data provided by the user and/or other data than the data provided by the user, and save it in the user segments e.g. according to the areas of interest concluded from the purchase history.

3 Where Do We Get the User Information from?

We collect personal data primarily from the user. Thus, by ordering products by registering as a user on LULUROX account, the user shares information with us. In addition, data is collected later during customer-ship, when the user contacts us or using our Services.

We can also receive personal data from third parties. Such third parties are:

  • social media services that the user uses to log on to the Services (Facebook, Google, Instagram, Pinterest)
  • companies of the same corporate group
  • public and private address registers

4 What Purposes Is the Data Used for?

We process personal data for the following purposes:

  • to order and deliver products and to create LULUROX accounts
  • to produce, maintain, protect and develop the Services, as well as for personification and recommendations personalised customer service concerning the Services and targeted customer communication
  • for direct marketing
  • for targeting in marketing, based on use of services, areas of interest, viewing history, demography information, and location data
  • to create and target market and other studies, analysis, segments and reports
  • to ensure the usability and functionality, as well as to prevent and investigate abuses
  • for business planning and product development

The basis to use personal data is primarily the agreement between LULUROX and the user, which is created when:

  • the user orders or buys products sold by LULUROX
  • the user registers to use LULUROX account

Processing personal data in orders and purchases is also based on legal obligations, among others, the Accounting Act.

Personal data is processed in order to take care of customer relations, and for direct marketing purposes, and is based on the legitimate interest of LULUROX.

Processing of personal data for direct marketing purposes can also be based on consent given by the user, meaning that the user can subscribe to the LULUROX newsletter without buying or ordering anything from LULUROX. In this case, the data is used solely for direct marketing.

5 How LULUROX Stores Personal Data?

We store personal data to provide and ensure the Services, as well as to fulfil the duties of accounting and reporting.

According to the Accounting Act, the storing period is six years after the end of the year. Thus, information about the order placed today will be removed after six years at the end of the year.

For direct marketing purposes, we can store personal data for more than six years, if during the last six months the user has opened at least one newsletter sent by LULUROX.

The user can at any time prohibit the use of personal data for marketing purposes.

6 How is Personal Data Protected?

In LULUROX, the personal data is processed by the employees of LULUROX and the offices. All who process data are bound by professional secrecy.

Personal data is properly protected with technical and organisational measures, including encryption and anonymization of personal data. We also ascertain fault tolerance and data recovery.

Protective measures include, among others, control of user rights, access control, firewalls and password protection.

We will immediately notify directly the authorities and the users concerned about the possible security breaches, in accordance with applicable legislation.

7 Cookies and Tracking Technologies in LULUROX Services

In LULUROX Services we use cookies, scripts, web bugs, and other similar technologies to identify terminal devices, to track and to analyse the users, usage and user habits of the Services. We use the data collected using these technologies to develop and target Services, as well as to target advertising and other marketing.

Cookies are text files that the browser saves on the user’s device. We can associate data collected by cookies to identified users and the data we have collected about them related to, among others, user ID, targeting and analysing.

Services may include cookies and similar technologies from third parties. These third parties are measuring and monitoring services, such as Google Analytics, and ad networks, such as Facebook, Instagram. These third parties can thus download cookies on the user’s device when our Services are being used.

The user can at any time empty or block cookies and all other tracking we are using in the settings of the browser or the device. Removal of cookies changes the user identifier, used by cookies to form a user profile. Removal of cookies will not entirely stop the collecting of data.

If the user does not want cookies to be saved on the device, the user can, before using LULUROX Services or at any time during the use, set the browser to disable cookies. These settings are called incognito or private browsing settings. The removal of cookies and tracking could affect the functionality of the Services.

Third parties, such as advertisers and ad networks, can benefit from cookies and similar tracking technologies to conclude the user’s probable areas of interest and to target advertising and marketing based on these conclusions.

We also benefit from this information in targeting our own advertising and marketing in third parties’ services.

For third party services, their own data protection practices and terms of use are applicable, and LULUROX is not responsible in any way of the data processing by them. The user should familiarise with the data protection practices and the terms of use of all the services used.

8 With Whom Can We Share Personal Data?

LULUROX uses external service providers to produce Services. These external service providers are processors of LULUROX personal data register, and they process all personal data for LULUROX according to this privacy policy.

LULUROX has made sure that the data is processed correctly with on data protection agreements.

Personal data is processed, among others

  • Credit card companies
  • Analysis services
  • Mailchimp

Personal data can also be disclosed for justified purposes, such as to our partners for customer communication. We aim to inform about the disclosures beforehand on the sales website of tickets, merchandise, artwork and services.

In disclosures, we always comply with existing legislation.

Personal data can be shared for marketing purposes, such as direct marketing, to target digital marketing, and for surveys and market studies, data updates and other such reports to our partners.

For marketing purposes, we disclose only information of such users, who have given their consent during an order or a purchase.

Personal data can be disclosed to competent authorities or other such entities in accordance with their requirements, or to monitor an ensure that the terms of use of the Services are followed, as well as to guarantee the security of the Services. In possible corporate transaction, asset deal or merger, in outsourcing, as well as when a group relationship or other economic interest grouping is formed, all personal data can be transferred to their parties.

Personal data can be transferred within the same group.

Personal data concerning the production and offering of the Services may be transferred outside the EU or the EEA area. When we transfer personal data outside the EU of the EEA area, we will make sure all data is protected, among others, by agreeing on confidentiality of personal data and on all matters related to the processing the manner provided by the data protection legislation, and using standard contractual clauses approved by the European Commission.

9 What are the User’s Rights over the Collected Data?

The user has the right to check the collected user information.
The user can contact LULUROX and request to see all the data collected on the user.

The user has the right to ask the user information to be corrected or erased.
The user has the right to ask LULUROX to correct and to complete collected false information. The user has also the right to request LULUROX to erase all the user information.

LULUROX will erase the information upon request within reasonable time unless there is a legitimate obligation to keep the data in store or a legitimate right for the storage, e.g. related to the duties and obligations concerning the Services.

The user has the right to request transfer of personal data
The user has the right to request the stored user information LULUROX’s register to be transferred to another controller.

The user has the right to request limiting of the processing of personal data
The user can request LULUROX not to use the collected user data for certain purposes, such as direct marketing.

The user has the right to refuse direct marketing
The user can at any time cancel the sending of marketing messages either directly using a cancel link in the message or by informing LULUROX about the refusal. Refusing direct marketing will not block LULUROX from sending the user customer communication, such as emails concerning the user’s LULUROX account, Services offers or LULUROX business.

If processing of personal data is based on the user’s consent, such as ordering a newsletter without use of Services, direct marketing can be cancelled in the manner mentioned above.

Blocking the targeting of advertisement

The user can request LULUROX not to combine collected user information to create profiles and to use them for direct marketing and advertisement targeting. Profiling prohibition can be requested by contacting LULUROX.

The user can also block automatic advertisement targeting by changing the settings of the browser of mobile device. In applications, you can block advertisement targeting in application settings. In different applications and devices these settings are found in different places. More information from the developers of the applications and the devices.

The user can manage the third parties’ marketing and targeting related to browser use and cookies either as whole or by company on Your Online Choices site.

Disabling location data
The user can disable the use of the location data for targeted marketing in the settings of the applications used.

In situations where personal data suspected to be incorrect cannot be corrected or removed, or if the removal request is unclear, the company will limit the access to data.

10 LULUROX has the Right to Amend this Privacy Policy

From time to time, we may update this notice. We will notify you about any upcoming material changes by either sending you an email to the email address you most recently provided to us or by prominently posting a notice on our Services.

We encourage you to periodically check back and review this notice so that you know what personal data we collect, how we use it, and with whom we share it.