Version: 9

Date of last update: 02.10.2024

CUSTOMER privacy policy

Information regarding processing of personal data

incl. within My Rimi loyalty program, Rimi Online store and Rimi mobile application

We care about your privacy

Your trust is important to us. Our aim is that you feel safe when you share your personal data with us. Personal data is any information that can be used to identify an individual.

We take appropriate measures to ensure that your personal data always is safe with us. It involves, e.g., controls of physical access to data processing facilities, training of people involved in personal data processing, continuous security risks assessments and follow-ups, access rights management, as well as technological security such as use of encryption, safe data transfers etc. We take appropriate measures to ensure that the processing of your personal data is compliant with present data protection laws, our internal policies, guidelines and routines. We have also assigned a Data protection officer whose task is to monitor that we follow these laws, guidelines and routines.

It is important for us to be transparent with how we handle your personal data. In this information text, we therefore describe how and where we process personal data when you are our customer, incl. in the context of My Rimi loyalty program, Rimi Online store and use of Rimi mobile application. Information about other personal data processing activities that you might also be interested in is easy accessible on our website under section “Privacy policy”(EE: https://www.rimi.ee/privaatsuspoliitika LV: https://www.rimi.lv/privatuma-politika, LT: https://www.rimi.lt/privatumo-politika).

If you do not agree to the processing of personal data as described in this information text you cannot create an account, place order or receive benefits or services that My Rimi loyalty program, Rimi Online store and Rimi mobile application offer.

Depending on how you use our services, e.g., whether you are a member of Rimi loyalty program or just a user of our mobile application or if you use our services just as a guest etc., the amount of data processing may vary. We process only the data necessary for the specific purpose.

Which categories of personal data do we collect and why

· Manage registration and membership

We process your personal data in order to create your Rimi profile and administer your membership. Created Rimi profile might be used in all Baltic countries to place order in Rimi Online store, to get personalized offers and suggestions, to use self-scanning solution, to take advantage of other My Rimi loyalty program or Rimi Online store offered benefits.

In order for us to be able to create an account for you and manage your membership it is necessary that you provide personal data required for the conclusion and fulfilment of the agreement. In the registration process mandatory required fields are marked with a star (“*”). If you do not provide the necessary personal data, you will not be able to create an account with us. If you are not able to fill in some of the mandatory fields, you should contact Customer Service Center.

Setting preferences and filling in other data in your Rimi profile is up to your discretion. For example, you can indicate which is your favorite store, which is your default delivery address, save credit card details for faster checkout in Rimi Online store etc.

It is your responsibility to provide only valid and genuine personal data and only such data as is appropriate and necessary for the purpose of fulfilling the objectives mentioned in this information text. By creating Rimi profile you acknowledge that your indicated personal data are accurate and correct. If personal data is inaccurate, you must immediately correct them.

Your data will be used to create or access your Rimi profile and show respective information in it, incl. to process “My Rimi” discount (money) information received via our partners in relation to services and offers you have chosen to use, to ensure your access to Rimi owned IT solutions (e-commerce websites, Rimi Loyalty portal etc.) by user authentication and authorization services, to respond to your requests, to ensure that your information is accurate and updated, to verify your registration or replace your My Rimi card, to identify you or link you as respective My Rimi card user (when necessary) as well to contact you in cases we need to reach you and provide necessary information (e.g., changes in Terms and Conditions, you forgot your purchases, etc.).

Categories of personal data

Legal basis

Retention period

  • Identity information, e.g., name, surname, username, customer ID etc.
  • Demographic data, e.g., date of birth, gender, citizenship etc.
  • Contact details, e.g., email, phone number, address etc.
  • Authentication information, e.g., information on electronic signature, a password, a secret question, a verification code etc.
  • Membership information, e.g., date of becoming a member, status of customer, type of customer etc.
  • Customer benefit information, e.g., My Rimi money, birthday discounts, period of validity etc.
  • Household information,e.g., number of people in household, information about offsprings, animals in the household etc.
  • Purchase history, e.g., information about previously purchased products and amounts etc.
  • Order details, e.g., order ID, ordered items, product prices, delivery method etc.
  • Transaction information, e.g., transaction date and place, purchased items, amount of purchase, receipt ID etc.
  • Payment details, e.g., payment type, bank account number, payment card number, payment purpose description etc.
  • Delivery details, e.g., delivery date and time, delivery address, comments etc .
  • Customer choice data, e.g., subscription to notifications, subscription to loyalty program clubs, set language settings etc.
  • User generated personal data, e.g., information about activities within our information systems, behavior in digital channels, saved shopping list, favorite store etc.
  • Connection data , e.g., device type, operation systems and version, time zone, type of browser etc.

To conclude and fulfill agreement with you.

Consent – to save credit card details in your Rimi profile

See section For how long are my personal data stored?

We are using your contact details (e.g., your mobile phone number or email) to contact you on matters when it is essential to reach you immediately, for example, delivering crucial information or solving important issues. To provide to you information, e.g., regarding My Rimi loyalty program, Rimi Online store, Rimi mobile application etc. (e.g., changes in system, Terms and Conditions, this privacy policy, sending approval for registration in events where you have expressed desire to participate etc.) or when you log in your Rimi profile via other platforms (e.g., web page, terminal, mobile application) we are using your email. Phone number and email are also used for verification of registration and to replace My Rimi card.

For general communication we also use other platforms (e.g., web page, terminal, mobile application etc.).

· Manage registration and membership of Business accounts in Rimi Online store

We process your personal data in order to create your Business account and administer your membership. Created Business account might be used in Rimi Online store in all Baltic countries to place order in Rimi Online store, to receive Advance Invoice and Final Invoice with business information, to view your previous order history, save baskets and to take advantage of other Rimi Online store offered benefits.

In order for us to be able to create Business account and manage your membership it is necessary that you provide personal data required for the conclusion and fulfilment of the agreement. In the registration process mandatory required fields are marked with a star (“*”), e.g., first name and last name of the company representative, company name, company registration number, contact information. If you do not provide the necessary personal data, you will not be able to create an account with us. If you are not able to fill in some of the mandatory fields, you should contact Customer Service Center.

Setting preferences and filling in other data in your Business account is up to your discretion. For example, you can indicate which is your default delivery address, save credit card details for faster checkout in Rimi Online store etc.

It is your responsibility to provide only valid and genuine personal data and only such data as is appropriate and necessary for the purpose of fulfilling the objectives mentioned in this information text. By creating Business account you acknowledge that your indicated personal data are accurate and correct. If personal data are inaccurate, you must immediately correct them.

Your data will be used to create or access your Business account and show respective information in it, to respond to your requests, to ensure that your information is accurate and updated, to verify your registration, to identify you as well to contact you in cases we need to reach you and provide necessary information (e.g., changes in Terms and Conditions, this privacy policy etc.).

Categories of personal data

Legal basis

Retention period

  • Identity information, e.g., name, surname, username, customer ID etc.
  • Company information, e.g., name of the company, person’s job title etc.
  • Contact details, e.g., email, phone number, address etc.
  • Authentication information, e.g., information on electronic signature, a password, a secret question, a verification code etc.
  • Membership information, e.g., date of becoming a member, status of customer, type of customer etc.
  • Order details, e.g., order ID, ordered items, product prices, delivery method etc.
  • Payment details, e.g., payment type, bank account number, payment card number, payment purpose description etc.
  • Delivery details, e.g., delivery date and time, delivery address, comments etc .
  • Customer choice data, e.g., subscription to notifications, subscription to loyalty program clubs, set language settings etc.
  • User generated personal data, e.g., information about activities within our information systems, behavior in digital channels, saved shopping list, favorite store etc.

To conclude and fulfill agreement with you.

Consent – to save credit card details in your Business account

See section For how long are my personal data stored?

· Manage postpaid and prepaid billing method for Business accounts in Rimi Online store

In addition to the management of registration and membership of Business account in Rimi Online store, in order to be able to create and manage postpaid or prepaid billing method for you, it is necessary that you provide personal data required.

By submitting the application form you agree on the data processing that is necessary for verification and decision evaluation and re-evaluation of future cooperation, incl. evaluation of the information you have provided when submitting application, information about our previous and existing cooperation, information what is available in registers of enterprises, other publicly available databases etc., to make sure that we have all the information needed to make a proper decision on the cooperation. We might ask for additional information for the assessment, which can include information about financial situation of the company etc.

Categories of personal data

Legal basis

Retention period

  • Identity information, e.g., name, surname, username, customer ID etc.
  • Company information, e.g., name of the company, person’s job title etc.
  • Contact details, e.g., email, phone number, address etc.
  • Data related to sanction lists, e.g., is person or company included in sanction lists etc.
  • Data related to Politically exposed person status
  • User generated personal data, e.g., information about activities within our information systems, behavior in digital channels, saved shopping list, favorite store etc.
  • Customer choice data, e.g., subscription to notifications, subscription to loyalty program clubs, set language settings etc.

· Other data, according to the previous and existing cooperation with Business customer, necessary for the particular purpose

To conclude and fulfill agreement with you.

See section “For how long are my personal data stored?”

· Manage purchases in Rimi Online store

We process your personal data in order to manage your purchases in Rimi Online store. Your personal data are processed to handle your order, payment, send invoice, credit note, communicate with you regarding the order and order status, deliver your order and carry out similar activities related with order fulfilment.

In order for us to be able to fulfill your order it is necessary that you provide personal data required for the conclusion and fulfilment of the agreement. For example, you need to provide payment details to pay for the order, if you wish to receive home delivery we need to know the address to which the order should be delivered.

In order to place order in Rimi Online store it is not mandatory to create an account. There is also possibility to check-out as Guest user by providing only personal data that is necessary to complete the order, e.g., first name, last name, contact information, date of birth. Personal data provided as Guest user will not be used to create account, but it will be saved and processed with the order and order related documents (for example, invoice, credit note).

We use your mobile phone number and email for communication with you in relation with your placed order. For example, we use your mobile phone number to contact you if any issues occur with your placed order, to contact you when delivering your order to your place, to send PIN code for order collection etc. We use your e-mail to inform you about your order statuses (order confirmed, ready for delivery, delivered, cancelled, failed, waiting for pick-up after failed delivery, etc.), send PIN code for order collection etc.

For delivery purposes Rimi can use contractors or offer to use the service of other delivery companies to execute express or any other delivery. For these purposes limited amounts of personal data can be shared with our partner who acts as separate data processor or controller, for example, your identity information, contact details, order details and delivery details. If information is shared with other separate data controller, their privacy policy or privacy statement might also be applicable.

Categories of personal data

Legal basis

Retention period

  • Identity information, e.g., name, surname, username, customer ID etc.
  • Contact details, e.g., email, phone number, address etc.
  • Authentication information, e.g., information on electronic signature, a password, a secret question, a verification code etc.
  • Membership information, e.g., date of becoming a member, status of customer, type of customer etc.
  • Order details, e.g., order ID, ordered items, product prices, delivery method etc.
  • Payment details, e.g., payment type, bank account number, payment card number, payment purpose description etc.
  • Transaction information, e.g., transaction date and place, purchased items, amount of purchase, receipt ID etc.
  • Delivery details, e.g., delivery date and time, delivery address, comments etc.

To conclude and fulfill agreement with you

See section For how long are my personal data stored?

· Administration of personal offers and other advantages

Within your membership we process your personal data in order to administer personal offers, personalized suggestions and other advantages, e.g., benefits in name days, birthdays, participation in special clubs (e.g., children’s club, wine club, pet club etc.), invitation to special events. We are only processing personal data that is necessary for specific advantage.

If we will introduce additional benefits or offers where we will ask you to provide additional personal data or we would like to use already provided data for other purposes we will provide to you respective information about personal data processing upon requesting new personal data or upon introducing new purposes.

Categories of personal data

Legal basis

Retention period

  • Identity information, e.g., name, surname, username, customer ID etc.
  • Demographic data, e.g., date of birth, gender, citizenship etc.
  • Membership information, e.g., date of becoming a member, status of customer, type of customer etc.
  • Customer benefit information, e.g., My Rimi money, birthday discounts, period of validity etc.
  • Household information,e.g., number of people in household, information about offsprings, animals in the household etc.
  • Purchase history, e.g., information about previously purchased products and amounts etc.
  • Customer choice data, e.g., subscription to notifications, subscription to loyalty program clubs, set language settings etc.
  • User generated personal data, e.g., information about activities within our information systems, behavior in digital channels, saved shopping list, favorite store etc.

To fulfill agreement with you

See section For how long are my personal data stored?

In accordance to Terms and Conditions we have an obligation to present you with personal offers and personalized suggestions, custom-made for you, as well as other advantages.

We use automated decision making, including profiling, in order to provide to you personalized offers, personalized suggestions and other advantages. To be able to do it we analyze your provided personal data and data that we deduct based on your behavior (e.g., your shopping transactions, places where My Rimi card used, access to Rimi profile etc.) by using a general rule or by specific algorithms, prediction models. Our performed activities do not cause legal or similar significant effect on you.

For us to be able to provide to you basic advantages we use automated decision making that is based only on general rule, applied to all customers who have Rimi profile. It is not based on your preferences, behavior or similar attributes and we do not predict or evaluate any aspects of your behavior or preferences to provide such advantages. For example, automated decision making is used when we allocate to you respective amount of My Rimi money based on calculation that takes in mind the amount of your transaction and what items you purchased. Based on the rule that My Rimi money is not accrued for purchase of alcohol items, the system automatically detects such items in the basket and omits it from calculation of My Rimi money. Based on the date of birth that you have entered, the system determines when the birthday benefits are applicable to you. Based on what advantages you are or are not using we determine other to you available advantages that we offer.

For us to be able to provide you with personalized offers and personalized suggestions (and, sometimes, other benefits) it is necessary for us to profile you, i.e., to use specific algorithms, prediction models to analyze your preferences, behavior or similar attributes. For example, specific algorithms analyze your provided personal data and your shopping transactions (e.g., place where purchase made, items bought etc.) to create personalized offers, made only to you personally. Based on your shopping transaction we might also create personalized suggestions for you regarding other available advantages that we offer.

Because personalized offers, personalized suggestions and advantages are the very substance and fundamental objective of the membership, you cannot become a member if you do not wish to be a subject of automated decision making, including profiling. If you have any questions, please contact us and our specialists will process your request.

· Direct marketing

We process your personal data in order to send to you marketing information, e.g., personalized offers, personalized suggestions, information about discounts, benefits, sales, special campaigns, including those of our cooperation partners, our news, newest items in assortment etc. to your chosen communication channel, e.g., sms, e-mail, push notifications in mobile application etc.

We may process data on your interaction with information that we provide you, e.g., has information reached you successfully, when information was opened etc.

Categories of personal data

Legal basis

Retention period

  • Identity information, e.g., name, surname, username, customer ID etc.
  • Contact details, e.g., email, phone number, address etc.
  • Company information, e.g., name of the company, person’s job title etc.
  • Demographic data, e.g., date of birth, gender, citizenship etc.
  • Membership information, e.g., date of becoming a member, status of customer, type of customer etc.
  • Customer benefit information, e.g., My Rimi money, birthday discounts, period of validity etc.
  • Household information,e.g., number of people in household, information about offsprings, animals in the household etc.
  • Purchase history, e.g., information about previously purchased products and amounts etc.
  • Customer choice data, e.g., subscription to notifications, subscription to loyalty program clubs, set language settings etc.
  • User generated personal data, e.g., information about activities within our information systems, behavior in digital channels, saved shopping list, favorite store etc.
  • Connection data, e.g., device type, operation systems and version, time zone, type of browser etc.
  • Communication data , e.g., metadata, content of e-mail, phone call, voice mail etc.

Your consent

Until you withdraw your consent for receiving direct marketing

We use automated decision making, including profiling, in order to ensure personalized and effective direct marketing communication to you. To be able to do it we take in consideration your provided personal data and/or data that we deduct based on your behavior (e.g., store where you make purchases). For example, information about new service in our specific store might be of interest only to those customers who shop in respective store. Therefore, we can make decision to send communication only to those customers who have shopped in respective store. Our performed activities do not cause legal or similar significant effect on you.

· Administer use of mobile application

If you choose to become a user of Rimi mobile application - we process your personal data in order to ensure that you can use our mobile application and all mobile application functionality. We process your personal data what you provided to us by enabling features that requires us to process your personal data for you to be able to use specific mobile application functionality, e.g., determine your location, scan QR code, send shopping list to a friend, stay logged in your account etc.

To ensure easy and convenient use of our mobile application, certain functions in our mobile application may be provided by other providers. For example, the map service function for store search may be provided by operating system of your mobile device and your data may be processed according to the operating system provider’s privacy policy. Here is more information about, e.g., Google maps(https://maps.google.com/help/terms_maps/) and its privacy policy(https://policies.google.com/privacy) and Apple maps (https://www.apple.com/legal/internet-services/maps/terms-en.html)and its privacy policy(https://www.apple.com/legal/privacy/en-ww/).

For instance, if you choose to access links, available in our mobile application, to other external websites or applications that are operated by other providers, your personal data may be processed in order to comply with your request to visit the respective website or application. We encourage you to review the corresponding privacy policy of each website or application you will be redirected to in order to understand what information will be processed about you by the particular provider.

In order to administer our mobile application, incl. to provide functionality in sufficient quantities and appropriate quality so that users can fully enjoy the benefits of our mobile application, we may use mobile application management tools, e.g., provided by Google(https://policies.google.com/privacy), to manage the processes regarding visiting and technical operation of the mobile application.

Categories of personal data

Legal basis

Retention period

  • Identity information , e.g., name, surname, username, customer ID etc.
  • Customer choice data,e.g., subscription to notifications, subscription to loyalty program clubs, set language settings etc.
  • User generated personal data , e.g., information about activities within our information systems, behavior in digital channels, saved shopping list, favorite store etc.
  • Connection data, e.g., device type, operation systems and version, time zone, type of browser etc.
  • Location information, e.g., country, GPS coordinates, geo-fenced area etc.

To conclude and fulfil agreement with you

Legitimate interests in relation to availability of mobile application functionality

Consent – e.g., in relation to location for your store search in map; in relation to consent based cookies etc.

See section “For how long are my personal data stored?”

We use automated decision making, including profiling, in order to provide featured deal offers and other advantages. To be able to do it we with specific algorithms analyze your provided personal data and your preferences. Our performed activities do not cause legal or similar significant effect on you.

If you do not wish to be a subject of automated decision making, including profiling, you cannot use our mobile application.

· Law requirement fulfilment

We process your personal data in order to fulfil number of law requirements to which we are subject e.g., accounting requirements, product liability and product safety. For example, we use your personal code number to validate your identity and verify age for orders containing alcoholic beverages in Rimi Online store. We retain transaction information and documentation related with your Rimi Online store order (e.g., order data, invoices, credit note, return data etc.) for the time period set in law.

Categories of personal data

Legal basis

Retention period

  • Identity information, e.g., name, surname, username, customer ID etc.
  • Demographic data, e.g., date of birth, gender, citizenship etc.
  • Order details, e.g., order ID, ordered items, product prices, delivery method etc.
  • Payment details, e.g., payment type, bank account number, payment card number, payment purpose description etc.
  • Delivery details, e.g., delivery date and time, delivery address, comments etc.
  • Other data necessary For fulfillment of legal obligation

To fulfil our legal obligation

According to requirements laid down by applicable laws

See section For how long are my personal data stored?

· Fraud prevention and management of legal claims

We may process your personal data in order to defend, establish and exercise legal claims, including to prevent and/or stop fraudulent or criminal activity, gather evidence concerning detected issues and manage the situation, as well as stop misuses of our products or services.

Categories of personal data

Legal basis

Retention period

  • Identity information, e.g., name, surname, username, customer ID etc.
  • Demographic data, e.g., date of birth, gender, citizenship etc.
  • Contact details, e.g., email, phone number, address etc.
  • Authentication information, e.g., information on electronic signature, a password, a secret question, a verification code etc.
  • Company information, e.g., name of the company, person’s job title etc.
  • Membership information, e.g., date of becoming a member, status of customer, type of customer etc.
  • Customer benefit information, e.g., My Rimi money, birthday discounts, period of validity etc.
  • Household information,e.g., number of people in household, information about offsprings, animals in the household etc.
  • Purchase history, e.g., information about previously purchased products and amounts etc.
  • Order details, e.g., order ID, ordered items, product prices, delivery method etc.
  • Transaction information, e.g., transaction date and place, purchased items, amount of purchase, receipt ID etc.
  • Payment details, e.g., payment type, bank account number, payment card number, payment purpose description etc.
  • Delivery details, e.g., delivery date and time, delivery address, comments etc .
  • Customer choice data, e.g., subscription to notifications, subscription to loyalty program clubs, set language settings etc.
  • User generated personal data, e.g., information about activities within our information systems, behavior in digital channels, saved shopping list, favorite store etc.
  • Connection data, e.g., device type, operation systems and version, time zone, type of browser etc.
  • Communication data, e.g., metadata, content of e-mail, phone call, voice mail etc.
  • Information about situation , e.g., type of situation, time and date when situation occurred, description of situation, accompanying documents etc
  • Audio-visual material , e.g., photo, movie, audio file, CCTV etc.
  • Other data necessary For management of legal claims

Our legitimate interest to prevent fraud, stop fraudulent or criminal activity and misuses of our products

See section For how long are my personal data stored?

We might use your provided contact details to contact you in case we identified possible issues with your account, My Rimi card, your use of our products or services, e.g., we identified issues in transaction, detected that you forgot to hand over self-scanning device etc.

In case of self-scanning solution we use automated decision making, incl., profiling. It is based on defined general rules applied to all self-scanning solution users, e.g., specific activity by the user, results of previous accuracy checks etc. If the defined rule is met then system triggers partial or full accuracy check for basket that is scanned by you. Such activity does not produce any significant effect on you. Result of such activity is that your basked will be rescanned by store employee. If you do not wish to be a subject of such automated decision making, including profiling, you cannot use self-scanning solution.

In relation to cooperation by using postpaid/prepaid billing method we can provide data to third parties, e.g. we can provide data to debt collection companies to ensure debt collection or to transfer our claim rights to third persons.

If you visit our stores or other business premises please see also our CCTV privacy policy .(LV: https://www.rimi.lv/privatuma-politika/apmekletajs/videonoverosanas-datu-apstrades-privatuma-politika

EE: https://www.rimi.ee/privaatsuspoliitika/kulastaja/videovalve-isikuandmete-tootlemine

LT: https://www.rimi.lt/privatumo-politika/patalpos-ir-aiksteles/vaizdo-stebejimo-cctv-privatumo-politika

)

· Statistical, analytic and market research purposes

We process your personal data for the purposes of reporting and statistics, to monitor, evaluate, improve and expand our services (for example, how many on-time deliveries we have made, etc.). For these purposes, personal data are processed only to the extent necessary for the preparation of statistics. The aggregate statistical information will not contain your name, contact information or any other directly identifiable information that may directly identify you as a specific person.

Categories of personal data

Legal basis

Retention period

  • Identity information, e.g., customer ID, card number.
  • Demographic data, e.g., date of birth, gender, citizenship etc.
  • Membership information, e.g., date of becoming a member, status of customer, type of customer etc.
  • Household information,e.g., number of people in household, information about offsprings, animals in the household etc.
  • Order details,e.g., order ID, ordered items, product prices, delivery method etc.
  • Purchase history, e.g., information about previously purchased products and amounts etc.
  • Delivery details, e.g., delivery date and time, delivery address, comments etc.
  • Customer choice data,e.g., subscription to notifications, subscription to loyalty program clubs, set language settings etc.Transaction information, e.g., transaction date and place, purchased items, amount of purchase, receipt ID etc.
  • Payment details, e.g., payment type, bank account number, payment card number, payment purpose description etc.
  • User generated personal data, e.g., information about activities within our information systems, behavior in digital channels, saved shopping list, favorite store etc.
  • Feedback dataConnection data, e.g., device type, operation systems and version, time zone, type of browser etc.
  • Location information , e.g., country, GPS coordinates, geo-fenced area etc.

The processing is necessary to meet our legitimate interest to improve and expand our services.

See section “For how long my personal data are stored?”

To provide relevant offer information on our store communication channels, e.g., digital screens, instore audio etc., such as general (non-personalised) information on new products, discounts, seasonal or special offers, including on products and services provided by our partners, or other cooperation partner information that may be useful to our customers, we may cooperate with our partners based on statistical information that helps to make decision about relevant offer information, that in-store customers might be interested in and information visibility in our stores. Statistical insights can be shared with our partners. For this purpose, in cooperation with partners only information in aggregated (statistical) format is used.

Categories of personal data

Legal basis

Retention period

  • Identity information, e.g., customer ID.
  • Transactioninformation, e.g., transaction date and place, purchased items, amount of purchase, receipt ID etc.
  • Demographic data, e.g., age, gender.

The processing is necessary to meet legitimate interests to provide relevant offer information to customers in stores.

As long as it is needed for us to be able to meet legitimate interests

· Surveys

We might process your personal data in order to ask you to participate in surveys to gather customer feedback for the purposes to improve and expand our services. If you have agreed to receive marketing information we might send the survey to your chosen communication channel. In other cases we might publish our survey in our webpage, mobile application, store terminals etc. where you can access them and upon your own free will participate in the survey.

Participation in surveys is up to your discretion.

Categories of personal data

Legal basis

Retention period

  • Identity information, e.g., name, surname, username, customer ID etc.
  • Demographic data, e.g., date of birth, gender, citizenship etc.
  • Contact details, e.g., email, phone number, address etc.
  • Membership information, e.g., date of becoming a member, status of customer, type of customer etc.
  • Household information,e.g., number of people in household, information about offsprings, animals in the household etc.
  • Customer choice data, e.g., subscription to notifications, subscription to loyalty program clubs, set language settings etc.
  • Feedback data

Your consent

See section “For how long my personal data are stored?”

· Lotteries

We process your personal data in order to administer lotteries, if you have expressed your desire to participate in lotteries. We process your personal data to determine and announce the winner, identify you when issuing lottery prizes, and also for including your name and surname in lottery protocol according to legal obligation.

Please be informed that by expressing your desire to participate in lotteries you agree that your My Rimi card number will be included in our and our supplier organized automatic lotteries without additional notification to you. Information about suppliers who organize automatic lotteries and with whom we share your personal data (e.g. My Rimi card number or your contact information) is available - Estonia: here -https://www.rimi.ee/privaatsuspoliitika/osaleja/kampaaniamangude-isikuandmete-tootlemine ,Latvia: here-https://www.rimi.lv/piedavajumi,Lithuania: here-https://www.rimi.lt/organizatoriai..Your identity will be checked when the prize is issued and in case of inconsistencies it will not be issued.

You can read more about how we handle your personal data if you participate in our lotteries - Estonia: here - https://www.rimi.ee/privaatsuspoliitika/osaleja/kampaaniamangude-isikuandmete-tootlemine ,Latvia: here - https://www.rimi.lv/privatuma-politika/dalibnieks/loteriju-spelu-unvai-konkursu-privatuma-politika ,Lithuania: here- https://www.rimi.lt/privatumo-politika/renginiai-ir-parama/zaidimu-privatumo-politika .

· Management of customer complaints

We process your personal data in order to handle your inquiries and complaints. For more information on how we process and store your personal data with regards to inquiry and complaint handling, please see - Estonia: here - https://www.rimi.ee/privaatsuspoliitika/klient/kliendi-pretensioonide-lahendamise-privaatsuspoliitika ,Latvia: here - https://www.rimi.lv/privatuma-politika/klients/pretenziju-unvai-pieprasijumu-izvertesanas-privatuma-politika ,Lithuania: here - https://www.rimi.lt/privatumo-politika/apsipirkimas/pirkeju-paklausimu-nusiskundimu-privatumo-politika.

· Ensuring IT environment security

We process your personal data in order to manage our information security, incl., identify potential threat, illegal or unauthorized activities, violations of terms of use in our IT solutions and to protect our IT environment and data from unauthorized changes and maintain consistency.

We record and store activities (audit) performed with your Rimi profile in our IT environment, such as time stamp of your activity, what applications used, what activities are performed (e.g., payment), what profile data are updated and similar. For example, we log (”audit log”) when you access mobile application, make change to data or carry out other activities within mobile application.

We use your personal data in processes that ensure our IT network and IT solution security, such as firewalls, security certificates and other technical background processes.

Categories of personal data

Legal basis

Retention period

  • Identity information, e.g., name, surname, username, customer ID etc.
  • Authentication information, e.g., information on electronic signature, a password, a secret question, a verification code etc.
  • User generated personal data, e.g., information about activities within our information systems, behaviour in digital channels, saved shopping list, favourite store etc.
  • Connection data, e.g., device type, operation systems and version, time zone, type of browser etc.
  • Other data necessary for ensuring IT environment security

Our legitimate interests in relation to IT security monitoring & audit

See section “For how long my personal data are stored?”

To ensure stable access to our public IT resources for customers we or our service providers create backup copies of IT solutions. All your personal data provided to us and stored in Rimi information systems, are included in backup copies that are used to restore systems in specific cases.

Categories of personal data

Legal basis

Retention period

  • All data categories listed in this Privacy Policy above

Our legitimate interests in relation to IT systems maintenance and operations

See section “For how long my personal data are stored?”

From which sources do we collect personal data?

· Yourself

We collect personal data you provide to us directly and indirectly. For example, when you create account, place an order, contact us, use My Rimi card, our systems, platforms and tools.

· Rimi partners

We can receive information you provide via our partners that collaborate with us in relation to service provision, e.g., in the scope of the “My Rimi” loyalty program etc. For example, in order to give you “My Rimi” discount (money), incl. deposit amount, depending on the specific offer, we can receive, e.g., transaction volume and datetime etc. In relation to services and offers provided by our partners as separate controllers additional terms and conditions might be set by partners and their privacy policy might be applicable.

Sharing of personal data

· Service providers

We might share your personal data with companies that provides services to us, such as:

· information system development and maintenance services;

· web/ mobile application development and maintenance services;

· customer call center services;

These companies can only process your personal data according to our instructions and not use them for other purposes. They are also required by law and our cooperation agreement to protect your personal data.

· External advisors and insurance companies

If it is necessary for the protection of our company´s rights and interests, we might transfer your personal data to insurance companies or external advisors, e.g., auditors, law firms or other independent advisors who act as separate data controllers and whose activities are regulated by law.

· Group companies

We might share your personal data with relevant Rimi Baltic group companies if it is necessary for achieving defined purposes.

· Law enforcement authorities, state and local government institutions

To fulfil our legal obligation we may transfer your personal data to law enforcement authorities, state and local government institutions upon their request. We may also transfer your personal data to law enforcement authorities, state and local government institutions in order to meet our legitimate interest in establishing, exercising and defending legal claims.

· Organizers of automatic lotteries

We might share some of your personal data (e.g. My Rimi card number, your contact information) with our cooperation partners who organize automatic lotteries where you have expressed desire to participate. About such lotteries you can read in chapter “Lotteries” under section “What categories of personal data we collect and why”.

· Other companies

For delivery purposes Rimi can offer to use the service of other delivery companies to execute express or any other delivery. For these purposes limited amounts of personal data can be shared with our partner who acts as data controller, for example, your identity information, contact details, order details and delivery details. If information is shared with a separate data controller, additional terms and conditions and privacy policy set by such controller might be applicable. Different retention rules can apply.

If you are, e.g., a user of our mobile application and choose to access, e.g., tools or links provided by third-party providers, your personal data might be processed by such providers who may act as a separate controller. In such a case their privacy policy and terms and conditions may be applicable.

Where do we process your personal data?

We always aim to process your personal data within EU/EEA.

Your personal data might be transferred or processed in a country outside the EU/EEA by contracted service provider. To ensure adequate protection of your personal data when transferring data outside the EU/EEA we make sure that adequate safeguards for the protection of your personal data are in place. For example, decision of EU Commission that respective country ensures adequate level of personal data protection, standard contractual clause etc. You can receive information about used introduced personal data safeguards by providing written request to us. Countries with an adequacy decision can be found https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en and the standard contractual clauses issued by the European Commission can be found https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en.

For how long are my personal data stored?

All personal data that are acquired from you directly or indirectly are stored in your account as long as you have an account with us. If we do not have need for specific data to be identifiable we do not retain such data for full period and delete or anonymize them sooner.

When you have not used your My Rimi card for purchases or if you have not logged in Your My Rimi account for 1 (one) consecutive year, after the 1 (one) year period has passed and all accrued My Rimi money and digital stickers have expired, your Rimi profile (incl. My Rimi card) will be blocked and all personal data associated with you will be deleted immediately or anonymizedin a secure way so it can no longer be connected to you .

Your Business account will be deleted if you have not logged in your Business account for 1 (one) consecutive year. After the 1 (one) year period has passed your Business account will be deleted and all personal data associated with you will be deleted immediately or anonymizedin a secure way so it can no longer be connected to you .

In relation to evaluation of prepaid/ postpaid billing method information will be kept not longer than 3 years in Latvia, 7 in Estonia and 10 in Lithuania unless longer period required by applicable law.

Full purchase history is available for up to 3 calendar years. Certain purchase data necessary for aggregation may be processed for up to 5 years. Documentation related to purchases, e.g., order data, invoices, advance invoices, credit note, return data etc., are retained according to local laws - 7 years for Rimi Eesti Food AS customers, 5 years for SIA Rimi Latvia customers, 10 years for UAB Rimi Lietuva customers.

In your account saved credit card details – while your account is active or until you withdraw your consent.

Data for direct marketing purposes will be processed until you withdraw your consent for receiving direct marketing.

Data for purposes to administer use of mobile application are stored up to one month after mobile application is uninstalled/deleted. In relation to consent - until you withdraw your consent.

In case of legal claim data will be processed while investigation, settlement and implementation of legal claim takes place. If violation is not discovered within investigation, data will be retained for 1 (one) year after the decision to close investigation. If violation discovered, data will be retained for 3 (three) years after the decision to close investigation or until final implementation of court decision.

Data for statistical and market research purposes will be retained as long as it is needed for us to be able to meet our legitimate interests.

Survey data are retained for up to 1 (one) year from date of filling in the survey.

Data for information IT environment security purposes are stored up to 18 calendar months, unless the law requires longer retention time.

Data in backup copies are retained for maximum 3 calendar months.

Your rights

Data protection laws give you a number of rights with regards to the processing of your personal data.

In relation to mobile application, please be informed that we do not have aim to identify you unless you are logged in your My Rimi account or it is needed for purposes mentioned in this privacy policy.

· Access to personal data

You are entitled to request confirmation from us if we process personal data relating to you, and in such cases request access to the personal data we are processing about you. You can log into your Rimi profile or Business account at any time to see certain information we have about you. You can use also mobile application functionality to see certain information we have about you. As well to carry out the mentioned right you can provide a written request to us or to our Data Protection Officer.

· Rectification of personal data

Furthermore, if you believe that information about you is incorrect or incomplete, you have the right to correct it yourself or ask us to do it. You can update some information about yourself in Rimi profile, Business account or by calling Customer Service Center. You can update some information about yourself by logging in to the My Rimi profile in mobile application as well.

· Withdrawal of consent

To the extent that we process your personal data based on your consent, you are entitled to, at any time, withdraw your consent to the personal data processing. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. You can change your preferences and withdraw your consent in your Rimi profile, mobile application settings, Business account or by calling Customer Service Center.

· Objection against processing for direct marketing purposes

You also have the right to object to your personal data processing for direct marketing purposes at any time. You can unsubscribe from direct marketing by changing settings in your Rimi profile, mobile application settings, Business account or by calling Customer Service Center.

· Objection against processing based on a legitimate interests

You are entitled to object to personal data processing based on our legitimate interests. However, we will continue to process your data, even if you have objected to it, if we have compelling motivated reasons for continuing to process data. To carry out the mentioned right, please, provide a written request to us or to our Data Protection Officer.

· Erasure

Under certain circumstances, you have rights to ask us to delete your personal data. However, this does not apply if we are required by law to keep the data. You can delete some information yourself by logging into your Rimi account or Business account. As well you can request specific data or your whole Rimi profile or Business account deletion by calling Customer Service Center. To exercise this right in relation to using mobile application, you can erase mobile application and stop using it.

· Restriction of processing

Under certain circumstances, you are also entitled to restrict the processing of your personal data. Please note, that if you request that the processing of your data is limited, it might affect your membership, possibility to use mobile application or possibility to place and fulfill orders in Rimi Online store. To carry out the mentioned right, please, provide a written request to us or to our Data Protection Officer.

· Data portability

Finally, you have the right to receive or transmit your personal data further to another data controller (“data portability”). This right solely covers only data what you have provided to us based on you consent or on a contract and where processing is carried out by automated means. To carry out the mentioned right, please, provide a written request to us or to our Data Protection Officer.

who do i contact if i have any questions?

If you have any questions about the processing of your personal data, please feel free to contact us.

If you are not satisfied with the response you received, you are entitled to file a complaint the relevant Data Protection Authority.

In Latvia: Data State Inspectorate(https://www.dvi.gov.lv/) or in Estonia: Data Protection Inspectorate(https://www.aki.ee/) or in Lithuania: State Data Protection Inspectorate (https://vdai.lrv.lt/)

· Contact details of company in charge of handling your personal data

Your created account is valid for use in all Baltic countries. To ensure this function, we have established joint controllership between all our companies mentioned below and all of them are responsible for handling of your personal data in accordance to this privacy policy and applicable data protection laws. However, each company might as well be individually responsible for handling your personal data, i.e., act as a separate data controller, in cases when respective company processes your personal data for purposes mentioned in this privacy policy independently and separately from other companies, e.g., in relation to local activities, such as management of local marketing offers, local surveys and market research, local fulfilment of orders, local management of customer complains etc.

In relation to joint processing, Rimi companies have therefore entered into an arrangement for the protection of personal data among themselves and each Rimi company involved acting as a joint controller in respect of its own processing of personal data is responsible for establishing a lawful basis; providing necessary personal data processing information, incl. on joint processing; ensuring data subject rights and, when necessary, cooperating among themselves to ensure response to the request received; implem entation of appropriate technical and organizational security measures; taking appropriate measures in case of a personal data breach etc. You may exercise your rights in respect of and against each of the joint controllers. In order to ensure that any request can be handled as swiftly as possible, contact details of Rimi company that is a contact point for you are mentioned below.

Towards you the company in charge of handling your personal data is Rimi company in your respective country.

If you wish to contact us or exercise your rights mentioned in this privacy policy please contact Rimi company in your respective country and we will make sure that all our companies (mentioned below), who might handle your personal data, respects and ensure the exercise of your rights.

SIA Rimi Latvia, reg. No. 40003053029,

Legal address: 161 A. Deglava iela, Riga, Latvia, LV 1021

Phone number: +371 67045409

Email: info.lv@rimibaltic.com

Rimi Eesti Food AS, reg. No. 10263574

Legal address: Põrguvälja tee 3, Pildiküla, Rae vald Eesti

Phone number: +372 6059400

Email: info.ee@rimibaltic.com

UAB Rimi Lietuva, reg. No. 123715317,

Legal address: Spaudos g. 6-1, Vilnius, Lietuva, 05132

Phone number: +370 5 2461057

Email: info.lt@rimibaltic.com

· Contact details of Customer Service Center

SIA Rimi Latvia:

Phone number: + 371 80000180

Email: info.lv@rimibaltic.com

UAB Rimi Lietuva:

Telefono numeris: 8 800 29 000

El. paštas: info.lt@rimibaltic.com

Rimi Eesti Food AS:

Telefoninumber: +372 6 056 333

E-posti aadress: klienditugi@rimibaltic.com

· Contact details of the Data Protection Officer

Email:RimiDPO@rimibaltic.com

You also can contact our Data protection Officer by sending a letter to us at the above mentioned address and addressing it to the Data protection officer.