Privacy Policy

Policy date – 05 March 2020 (Last update – 20 July 2023)

Thanks for visiting our website! We are Serokell, and here we explain why and how we collect, use, disclose and store your personal data when you are browsing our website.

About us

Our business name is Serokell OÜ, and we are registered as a private limited company in the Republic of Estonia under Estonian laws with company registration number: 14049961. Place of our business is at Pille tn 7/5-13, Kesklinna linnaosa, Tallinn, Harju maakond, 10135, Estonia.

By “Serokell”, “us”, and “our”; we mean Serokell. By “website” we refer to the website located at www.serokell.io. We also have a Serokell Shop, which is located at www.shop.serokell.io Basically, the conditions of collecting and processing of your personal data are the same for the website and Serokell Shop, but there are some differences that we have specified in this policy.

We are your personal data controller – that means that we determine the purposes and means of the processing of your personal data. The legal basis for each category of personal data is indicated in the respective sections of this policy.

Updating

We may update this policy by posting the updated version on this page. Unfortunately, we cannot notify you about any changes personally, so you should check this page from time to time. The effective date of this privacy policy is stated at the top.

Personal data

Personal data means any information related to an identified or identifiable natural person. You may find more details about personal data definition in Article 4 and Recital 30 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR).

We do not knowingly collect any other personal data except stated in sections “User-provided information” and “Data processors”, so we encourage you not to provide any other personal data except the stated below if it is not related to our website or shop. Please do not provide sensitive personal information.

User-provided information

We collect your personal information provided by you in cases described in this section:

“Let’s Have a Chat” form

We may collect your Personal Data that you provide to us when you contact us via the “Let’s Have a Chat” form on our website. Through this form you provide to us your name and email address, which is necessary for us to contact you and answer your request. We have a legitimate interest in processing and responding to your request.

We do not knowingly collect any other Personal Data except stated above, so we encourage you not to provide any other Personal Data except stated above, if it is not related to your request.

Newsletter

Our blog posts (available at https://serokell.io/blog) contain a “Subscription” button, which allows you to subscribe to our mailing list. By subscribing to our newsletter you provide us with your email address and we may upon occasion send you emails. In this case, we will share your email with The Rocket Science Group LLC d/b/a Mailchimp to include you into the mailing list in order to send you emails. You may find more information about Mailchimp GDPR compliance here and learn about their Privacy Policy here. You may unsubscribe from our newsletter at any moment by managing your preferences with a special link provided in any newsletter email.

Serokell Shop

If you visit www.shop.serokell.io (“Shop”), we collect certain information about your device, your interaction with the Shop, and information necessary to process your purchases. We may also collect additional information if you contact us for customer support.

Information we collect at the Shop:

  • Device information

    • Purpose of collection: to load the Site accurately for you, and to perform analytics on Shop usage to optimize our Shop.
    • Source of collection: Collected automatically when you access our Shop using cookies, log files, web beacons, tags, or pixels.
    • Disclosure for a business purpose: shared with our processor Shopify.
    • Personal Information collected: version of web browser, IP address, time zone, cookie information, what sites or products you view, search terms, and how you interact with the Shop.

  • Order information

    • Purpose of collection: to provide products or services to you to fulfill our contract, to process your payment information, arrange for shipping, and provide you with invoices and/or order confirmations, communicate with you, screen our orders for potential risk or fraud, and when in line with the preferences you have shared with us, provide you with information or advertising relating to our products or services.
    • Source of collection: collected from you.
    • Disclosure for a business purpose: shared with our processor Shopify.
    • Personal Information collected: name, billing address, shipping address, payment information (including credit card numbers, PayPal and Stripe details), email address, and phone number.

  • Customer support information

    • Purpose of collection: to provide customer support.
    • Source of collection: collected from you
    • Disclosure for a business purpose: no
    • Personal Information collected: the data you provide to us when you contact

Data processors

Data processor processes personal data on our behalf. Third-party services integrated into the pages of our website and Serokell Shop also may store some information that can be considered personal data. You can find more details about them in the corresponding section below.

Google Analytics

We use Google Analytics to get a better understanding of how people use our website. It allows us to collect various statistical data, such as the number of users visiting and their geographic distribution. We have a legitimate interest in making our website operate efficiently.

We do not share any of this data with Google or other third-parties and we do not use Remarketing or Advertising Reporting Features. Neither do we use User-ID. Also, we have configured Google Analytics to anonymise your IP address.

We believe this configuration restricts the information collected to the bare minimum required for us to obtain meaningful statistical data. Neither we, nor other parties use it for targeting ads or any equally evil marketing purposes.

You may opt-out of making your site activity available to Google Analytics by using the Google Analytics Opt-out Add-on.

Leadfeeder

We use Leadfeeder (https://www.leadfeeder.com/) to collect the visitor IP address to detect the company and geographic location. Leadfeeder only shows company visits; it automatically filters out all users visiting from residential IP addresses. All visit data is aggregated at the company level.

Leadfeeder automatically collects the following data:

  • pages accessed;
  • time of visit;
  • time of last visit;
  • name of the owner of the IP address;
  • reverse domain of the IP address;
  • referring site, application, or service, including the relevant search queries that led you to Leadfeeder’s website;
  • browser information;
  • operating system and device information;
  • IP address (from users signing in to the service, for security purposes).

You may find a detailed description of Leadfeeder GDPR compliance here.

Shopify

We share your Personal Data with Shopify to help us provide our services and fulfill our contracts with you, as described above. For example:

  • We use Shopify to power our online store. You can read more about how Shopify uses your Personal Information here.
  • We may share your Personal Data to comply with applicable laws and regulations, to respond to a subpoena, search warrant or other lawful request for information we receive, or to otherwise protect our rights.

Usage data

We collect some default information about usage of our service: log data (including its date and time), IP address, browser type, some browser settings and browser plugins, device information (your screen resolution, operating system, device settings etc.).

Any website may work differently depending on your device. We use this information in order to make our website work as designed on your device.

Payment getaways

All payments are made via PayPal and Stripe (secure third-party online payment gateways). We do not have access to your card number, its period of validity and CVC code. If you wish to learn more about payment transactions, see:

Your financial information is kept private, and every payment is followed by an email confirming your transaction.

Shopify may receive partial data about a successful payment in order to facilitate cooperation between the website and payment system.

Personal data disclosure

We do not sell your Personal Data.

We will not disclose or share any of your Personal Data with third parties except:

  1. We have a legitimate interest:

    • We will share your personal data provided to us to our employees or contractors who are responsible for contacting you, if you contact us via the “Let’s Have a Chat” form on our website.
    • We also will share your personal data with our successor in case of transferring the rights.

  1. Based on your consent:

    • If you give us your consent to receive emails from us, we will share your email with The Rocket Science Group LLC d/b/a Mailchimp to include you into the distribution list in order to send you emails. You may find more information about Mailchimp GDPR compliance here and learn about their Privacy Policy here.

  1. In order to fulfill a contract of sale:

    • If you place an order on www.shop.serokell.io, we will store your name, shipping address and email address in our personal account in the Shopify system, in order to fulfill your order.

  1. If disclosure is required by law or court order.

Personal data storage and transfer

Personal data collection and storage

Website (www.serokell.io)

The website server is located in Ireland. However, your personal data may be transferred outside the European Union, since it is not possible to ensure the normal operation of the website without using international services.

Serokell Shop (www.shop.serokell.io)

When you place an order through the Shop, we will retain your Personal Data for our records unless and until you ask us to erase this information. For more information on your right of erasure, please see the “Your Data Protection Rights” section below.

Personal data transfer

Where is your data transferred:

Google

Your personal data provided via “Let’s Have a Chat” is stored on Google’s servers, as we use the Google Mail service to process emails.

Our email server supports TLS encryption to ensure the security of sending and receiving emails. However to take advantage of it, your email service provider needs to support it too.

If you contact us via email, your message will be stored on Google servers which may be located in various countries, so your data can be transferred to other countries outside the EU, but Google is using the European Commission’s Standard Contractual Clauses (SCCs).

You can find more information about Google Cloud GDPR compliance here and here.

Mailchimp

Mailchimp is headquartered in and has offices in the United States. Our servers are also located in the United States. This means data we process may be transferred to, stored, or processed in the United States. Mailchimp ensures reliable transfer and storage of personal data. For more information, read Mailchimp and European Data Transfers.

Leadfeeder

Leadfeeder Tracker collects data to their Amazon Web Services infrastructure. All data is encrypted on transfer and at rest. Leadfeeder has an EU Commission Standard Contractual Clauses agreement in place with Amazon Web Services, as a part of Leadfeeder Data Processing Agreement with them. More information about security measures taken by Leadfeeder may be found here.

Hotjar

We use Hotjar in order to better understand our users’ needs and to optimize this service and experience. Hotjar is a technology service that helps us better understand our users’ experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behavior and their devices. This includes a device’s IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website. Hotjar stores this information on our behalf in a pseudonymized user profile. Hotjar is contractually forbidden to sell any of the data collected on our behalf. More information about security measures taken by Hotjar may be found here and here.

Cookies

Cookies are files that are downloaded to your device when you visit a website. You can learn more about how we use cookies and similar technologies here.

We do not support the Do Not Track browser option.

We use the following cookies:

First-party cookies

We use:

This cookie stores your previous visited page URL and expires at the end of your session.

Third-party cookies

Google Analytics

We use Google Analytics which sets its own cookies:

Cookie Purpose Expiry
_ga Used to distinguish users. 2 years
_gid Used to distinguish users. 1 day
_gat Controls throttling requests to Google servers. 1 day

Google Analytics does not collect information that identifies the visitor. You can find more details about these cookies in Google’s own guide.

Any private data that Google stores on their servers is deleted and any cookies that they set in your browser expire after the period shown in the table above.

Leadfeeder

Leadfeeder also sets its own cookies:

Cookie Purpose Expiry
_lfa Used for identifying the IP address of devices
visiting the website.
1 year

The cookie collects information such as IP addresses, time spent on website and page requests for the visits. This collected information is used for retargeting multiple users routing from the same IP address.

More information about cookies set by Leadfeeder may be found here.

Shopify

The following third party Cookies may be placed on your computer or device by Shopify:

Cookies Necessary for the Functioning of the Shop
Cookie Purpose Expiry
_ab Used in connection with access to admin. 2 years
_secure_session_id Used in connection with navigation through a storefront. 24 hours
_shopify_country Used in connection with checkout. session
_shopify_m Used for managing customer privacy settings. 1 year
_shopify_tm Used for managing customer privacy settings. 30 min
_shopify_tw Used for managing customer privacy settings. 2 weeks
_storefront_u Used to facilitate updating customer account information. 1 min
_tracking_consent Tracking preferences. 1 year
c Used in connection with checkout. 1 year
cart Used in connection with shopping cart. 2 weeks
cart_currency Used in connection with shopping cart. 2 weeks
cart_sig Used in connection with checkout. 2 weeks
cart_ts Used in connection with checkout. 2 weeks
cart_ver Used in connection with shopping cart. 2 weeks
checkout Used in connection with checkout. 4 weeks
checkout_token Used in connection with checkout. 1 year
dynamic_checkout_shown_on_cart Used in connection with checkout. 30 min
hide_shopify_pay_for_checkout Used in connection with checkout. session
keep_alive Used in connection with buyer localization. 2 weeks
master_device_id Used in connection with merchant login. 2 years
previous_step Used in connection with checkout. 1 year
remember_me Used in connection with checkout. 1 year
secure_customer_sig Used in connection with customer login. 20 years
shopify_pay Used in connection with checkout. 1 year
shopify_pay_redirect Used in connection with checkout. 30 min, 3w or 1y depending on value
storefront_digest Used in connection with customer login. 2 years
tracked_start_checkout Used in connection with checkout. 1 year
checkout_one_experiment Used in connection with checkout. session
Reporting and Analytics
Cookie Purpose Expiry
_landing_page Track landing pages. 2 weeks
_orig_referrer Track landing pages. 2 weeks
_s Shopify analytics. 30 min
_shopify_d Shopify analytics. session
_shopify_s Shopify analytics. 30 min
_shopify_sa_p Shopify analytics relating to marketing & referrals. 30 min
_shopify_sa_t Shopify analytics relating to marketing & referrals. 30 min
_shopify_y SShopify analytics. 1 year
_y SShopify analytics. 1 year
_shopify_evids SShopify analytics. session
_shopify_ga Shopify and Google Analytics. session

Hotjar

Hotjar sets its own cookies:

Cookie Cookie Description & Expiry
_hjSessionUser_{site_id} Set when a user first lands on a page. Persists the Hotjar User ID which is unique to that site. Hotjar does not track users across different sites. Ensures data from subsequent visits to the same site are attributed to the same user ID. 365 days duration. JSON data type.
_hjid This is an old cookie that we do not set anymore, but if a user has it unexpired in their browser, we will reuse its value and migrate to _hjSessionUser_{site_id}. Set when a user first lands on a page. Persists the Hotjar User ID which is unique to that site. Ensures data from subsequent visits to the same site are attributed to the same user ID. 365 days duration. JSON data type.
_hjFirstSeen Identifies a new user’s first session. Used by Recording filters to identify new user sessions. 30 minutes duration, extended on user activity. Boolean true/false data type.
_hjHasCachedUserAttributes Enables us to know whether the data set in _hjUserAttributes Local Storage item is up to date or not. Session duration. Boolean true/false data type.
_hjUserAttributesHash Enables us to know when any User Attribute has changed and needs to be updated. 2 minutes duration, extended every 30 seconds. Content hash data type.
_hjUserAttributes Stores user viewport details such as size and dimensions. Session duration. UUID data type.
_hjSession_{site_id}
  • Holds current session data.
  • Ensures subsequent requests in the session window are attributed to the same session.
  • 30 minutes duration, extended on user activity.
  • JSON data type.
    _hjSessionTooLarge
    • Causes Hotjar to stop collecting data if a session becomes too large.
    • Determined automatically by a signal from the server if the session size exceeds the limit.
    • Session duration.
    • Boolean true/false data type.
      _hjSessionResumed
      • Set when a session/recording is reconnected to Hotjar servers after a break in connection.
      • Session duration.
      • Boolean true/false data type.
        _hjCookieTest
        • Checks to see if the Hotjar Tracking Code can use cookies. If it can, a value of 1 is set.
        • Deleted almost immediately after it is created.
        • Under 100ms duration, cookie expiration time set to session duration.
        • Boolean true/false data type.
          _hjLocalStorageTest
          • Checks if the Hotjar Tracking Code can use Local Storage. If it can, a value of 1 is set.
          • Data stored in _hjLocalStorageTest has no expiration time, but it is deleted almost immediately after it is created.
          • Under 100ms duration.
          • Boolean true/false data type.
            _hjSessionStorageTest
            • Checks if the Hotjar Tracking Code can use Session Storage. If it can, a value of 1 is set.
            • Data stored in _hjSessionStorageTest has no expiration time, but it is deleted almost immediately after it is created.
            • Under 100ms duration.
            • Boolean true/false data type.
              _hjIncludedInPageviewSample
              • Set to determine if a user is included in the data sampling defined by your site’s pageview limit.
              • 2 minutes duration, extended every 30 seconds.
              • Boolean true/false data type.
                _hjIncludedInSessionSample_{site_id}
                • Set to determine if a user is included in the data sampling defined by your site’s daily session limit.
                • 2 minutes duration, extended every 30 seconds.
                • Boolean true/false data type.
                  _hjAbsoluteSessionInProgress
                  • Used to detect the first pageview session of a user.
                  • 30 minutes duration, extended on user activity.
                  • Boolean true/false data type.
                    _hjTLDTest
                    • We try to store the _hjTLDTest cookie for different URL substring alternatives until it fails.
                    • Enables us to try to determine the most generic cookie path to use, instead of page hostname.
                    • It means that cookies can be shared across subdomains (where applicable).
                    • After this check, the cookie is removed.
                    • Session duration.
                    • Boolean true/false data type.

                      This website may contain links to third party websites, which are governed by their own privacy policies. We are not responsible for the content or privacy of third-party websites, so we encourage you to check third parties’ privacy and security policies before providing them with any information.

                      Automatic decision-making

                      If you are a resident of the EEA, you have the right to object to processing based solely on automated decision-making (which includes profiling), when that decision-making has a legal effect on you or otherwise significantly affects you.

                      We do not engage in fully automated decision-making that has a legal or otherwise significant effect using customer data.

                      Our processor Shopify uses limited automated decision-making to prevent fraud that does not have a legal or otherwise significant effect on you.

                      Services that include elements of automated decision-making include:

                      • Temporary blacklist of IP addresses associated with repeated failed transactions. This blacklist persists for a small number of hours.
                      • Temporary blacklist of credit cards associated with blacklisted IP addresses. This blacklist persists for a small number of days.

                      Children

                      Our website is not directed at children under 16, and we do not knowingly collect Personal Data from children under 16. If a child under the age of 16 has provided us with personal data, the child’s parent or guardian may contact us and request that such information be deleted.

                      Your data protection rights

                      General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016) provides data protection rights for each user. Here they are:

                      • Right to access – you have the right to request from us a confirmation as to whether or not any personal data concerning you has been processed. You also can request a copy of your personal data that we hold.
                      • Right to rectification – you have the right to request us to correct your personal data you believe is inaccurate or incomplete.
                      • Right to erasure – in certain circumstances, you can ask for your personal data we hold to be erased.
                      • Right to restriction of processing – in certain circumstances, you can request us to limit the way we use your personal data.
                      • Right to data portability – in certain circumstances, you can request us to transfer your personal data to another company.
                      • Right to object – you have the right to challenge certain types of processing, such as direct marketing.

                      CCPA

                      If you are a resident of California, you have the right to access the Personal Data we hold about you (also known as the ‘Right to Know’), to port it to a new service, and to ask that your Personal Data be corrected, updated, or erased. If you would like to exercise these rights, please contact us through the contact information below.

                      If you would like to designate an authorized agent to submit these requests on your behalf, please contact us at the address below.

                      Contact

                      If you would like to access, erase, update, or rectify any of your personal data that we hold, or exercise any other of your data protection rights, please contact us:

                      Murad Murzaev <[email protected]>
                      Serokell
                      Pille tn 7/5-13
                      Tallinn, 10135
                      Estonia
                      

                      Data Protection Authority

                      If you wish to lodge a complaint, you may contact Estonian Data Protection Inspectorate:

                      [email protected]
                      +372 627 4135
                      39 Tatari St.
                      Tallinn, 10134
                      Estonia