Privacy policy
General
About us
BioGaia is the data controller for the Site and is registered with the UK Information Commissioner’s Office under number 13574654.
If you have questions about how we process your personal data, or if you wish to exercise your rights, you can contact us using the contact information below:
BioGaia UK Limited
Unit 5, Albert Edward House
Preston, PR2 2YB
e-mail: gdpr@biogaia.com
What is personal data, and what is processing?
Personal data is information that, either directly or indirectly, can identify a physical person. Personal data can thus be names, addresses, e-mail addresses, personal identification numbers, IP addresses, and so on.
‘Processing’ is everything we do with your personal data. For example, processing can be collection, storage, registration, sorting, revision, transfer or erasure of data.
What personal data do we collect, and why?
BioGaia collects personal data only for specific purposes. Those purposes, together with our legal basis for processing the data, and the relevant data retention periods, are set out below:
Customer administration and subscription and purchasing products from our e-commerce platform
When you create a customer account with us, purchase products and/or begin a subscription, we collect your name, e-mail address, postal address and telephone number.
Purpose: We will use your personal data to fulfil our obligations for completing a purchasing agreement with you and to fulfil our legal obligations.
Legal basis: The processing is necessary to enter into and complete agreements with you. We are also required to keep certain financial information in accordance with applicable accounting regulations.
Storage period: We retain your customer account information while you remain a customer with us, and one year after your customer account is closed. Purchase information is retained for 36 months in order to facilitate returns. Where specific accounting regulations apply, we keep information for 7 years plus the current accounting year.
Marketing via newsletter
When you sign up for our newsletter, we collect data regarding your name and e-mail address in order to provide you with relevant information about BioGaia and our products.
Purpose: Letting you know about our products that could be of interest to you.
Legal basis: Processing occurs by virtue of the consent you submitted in conjunction with previous purchases you made from us.
Storage period: We store the personal data for this purpose until you withdraw your consent, which you are always provided the opportunity for through a link in the mailing.
Marketing via e-mail
When you make a purchase from us, we collect your name and e-mail address for the purpose of sending out marketing materials for our products and operations to you.
Purpose: Provide marketing of our products that could be of interest to you.
Legal basis: Mailing of newsletters is supported by our legitimate interest in providing you with information about our operations.
Storage period: Your personal data is stored until you unsubscribe from our newsletter, and for two months afterwards.
Analysis, development and operations of biogaia.co.uk and our services
For the purpose of developing our operations, we collect data about your user behaviour such as your purchasing history with us (the products you purchased, how many, the price and the date).
Purpose: We do this in order to: i) evaluate, develop and identify how you use biogaia.co.uk; ii) detect, prevent and investigate fraud and security monitoring; and iii) develop and improve our business operations.
Legal basis: Processing is necessary in order to satisfy our legitimate interest in developing and operating biogaia.co.uk.
Storage period: Personal data is stored for two years.
We also use cookies to collect personal data about your behavior on biogaia.co.uk. For more information about cookies, please see below.
Who do we share personal data with?
BioGaia may share your personal data with third parties. These parties are either
Data processors
These are allowed to process personal data only for the specific aims and purposes defined by us. Our processors, and the data they receive, include:
- Platform and technology suppliers: IP addresses, contact information and purchase history
- Logistics companies: Contact information
- Research firms: Purchase history
Data controllers
These companies use personal data for their own purposes and are independently responsible to you for the personal data processing they carry out. BioGaia shares data with other personal data controllers only when it is necessary to receive payment for products sent to you from our online shopping platform. We distribute your personal data in the form of contact information and name (for the purpose of completing payment) to Shopify payment, whose privacy notice can be found here.
BioGaia may also share your personal data with:
- other companies in the BioGaia Group, if required for completion of the purposes and the legal basis indicated above; and
- government agencies, to the extent that it results from law or other legal obligation incumbent upon us.
On rare occasions, we may share personal data when we believe it is necessary to comply with the law, regulation or legal request (including a court order or government inquiry), or to enforce or apply our terms of use or other agreements. In addition, we may use, make available or transfer personal data to third parties in conjunction with reorganisation, merger, sale, joint venture, conveyance, transfer or other disposition of all or part of our operations, assets or shares (including in conjunction with bankruptcy or similar proceedings).
Third country transfers
We will share your personal data with our third party provider(s) - including cookie providers and social media platforms - whose servers are located outside of the EEA and the UK. Where we transfer personal data outside of the UK or the EEA to a country that has not received a UK or EEA ‘adequacy’ decision in respect of its privacy laws, we protect your data by entering into specific contracts with the relevant service provider to ensure that your data enjoys the same protection that it would in the UK. You can read more about the EU Commission’s standard contractual clauses here, and the UK version of the standard contractual clauses can be found here.
More information on blocking cookies is available on your browser’s help pages. You can also read more about cookies in our cookie notice; see below.
How is your personal data protected?
All personal data you provide to us is protected using both organisational and technical security measures. These measures are used to store, process and communicate the data securely. In the event that you would like to know which security measures we apply, you can contact us using the contact information above.
Your rights
Right to access (register excerpts)
You can always request access to your personal data. This includes the right to request information on where we retrieved the data from, the scope and legal basis of our processing, and with which recipients (or categories of recipients) your personal data has been shared.
Right to erasure
You have the right, in certain circumstances, to require us to erase some or all of your personal data, provided that it is not necessary for us to retain this data in order to fulfil our legal obligations. You have the right to request that your data be erased if:
- your personal data is no longer necessary for the purpose behind the processing;
- you withdraw your consent on which the processing is based;
- you object to the processing and we are not considered as having a legitimate interest; or
- the personal data has been processed unlawfully.
Depending on the circumstances, we may need to retain some data until we are no longer obligated to process it.
Right to correction
You have the right to have erroneous personal data concerning you corrected without unnecessary delays. If you discover errors in the data that we hold about you, please notify us via e-mail (gdpr@biogaia.com). You also have the right to supplement incomplete data that we have on you.
To help us keep our information accurate and up-to-date, please provide us with correct data and inform us in the event your data changes.
Right to limitation
You have the right, in some circumstances, to require that we limit our processing of your personal data. A limitation can be imposed for several reasons:
- If you believe that the data we have on you is incorrect and request correction, you can request limited processing during the time we take to check whether the personal data is correct.
- If you have objected to processing based on BioGaia’s legitimate interests, you can request limited processing during the time we take to check how our and your legitimate interests are balanced.
- If we no longer need the data, but you require that we keep the data in relation to a legal claim.
- If our processing is unlawful, but you oppose our deletion of the data, you can request limited processing of the data instead.
Data portability
Under certain conditions, you have the right to receive your personal data in a structured, generally used and machine-readable format so you can transfer it to another personal data controller.
Right to object
Where we are processing your data based on the public interest or BioGaia’s legitimate interests, you have the right to object to that processing. However, we may continue the processing in question if we can demonstrate a legitimate reason for it. You also have the right to object to direct marketing.
Right to withdraw consent
In the event we base our processing on your consent, you can withdraw your consent at any time.
Right to complaint
You also have the right to lodge a complaint with the Information Commissioner’s Office (“ICO”), which is the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, be grateful if you would contact us in the first instance so we can endeavour to deal with your concerns direct. The ICO’s address is:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
ICO website: https://www.ico.org.uk
Contact information
If you wish to exercise any of your rights, please contact us via e-mail at gdpr@biogaia.com.
Minors
Our Site is not aimed at persons under the age of 18 years, and we do not knowingly process personal data that could be linked to minors.
Changes
We may amend or update this privacy notice from time to time. If we do so, we will publish an updated notice on the site, and we may notify you if any changes are particularly significant.
This privacy notice was updated on 19 August 2022.
Cookie notice
Biogaia.co.uk use cookies. Some are essential to deliver our services, and others help us to improve your experience of our website. We use both first party cookies and third-party cookies.
What are cookies
Cookies are small text files containing information, which are downloaded to your computer or mobile device by websites that you visit. They can improve your experience of using a website, for example, by remembering your preference settings and tracking your use of a website so that it can be improved to meet your needs.
How do Biogaia.co.uk use cookies?
Biogaia.co.uk uses cookies for technical reasons, to enable our Site to function (for example, so you can add goods to your shopping basket). We also use cookies for marketing and to help us to improve your experience of our Site. Some cookies on our website are controlled by third parties independently.
If you choose “Accept” on our cookie banner, you accept this and consent to our use of cookies (including third party cookies) for marketing and analytics purposes. If you choose “no” we will only you cookies that are strictly necessary to enable to website to work.
Unless the cookie is a strictly necessary cookie, you can withdraw your consent to our cookies at any time even if you have previously consented. You can also set your browser to prevent cookies from being accepted. Please bear in mind that if you restrict or disable cookies it can limit functionality and prevent the website from working properly at all.
Cookies from third parties
| Cookie | Description | Duration | |
| Klaviyo | __kla_id | Tracks when someone clicks through a Klaviyo email to your website | 2 years |
| KL_FORMS_MODAL | Tracks when someone subscribes (opts in) to a form | ||
| Shopify | _landing_page | Track landing pages. | 2w |
| _orig_referrer | Track landing pages. | 2w | |
| _s | Shopify analytics. | 30min | |
| _shopify_d | Shopify analytics. | session | |
| _shopify_fs | Shopify analytics. | 30min | |
| _shopify_s | Shopify analytics. | 30min | |
| _shopify_sa_p | Shopify analytics relating to marketing & referrals. | 30min | |
| _shopify_sa_t | Shopify analytics relating to marketing & referrals. | 30min | |
| _shopify_y | Shopify analytics. | 1y | |
| _y | Shopify analytics. | 1y | |
| _shopify_evids | Shopify analytics. | session | |
| _shopify_ga | Shopify and Google Analytics. | session | |
| _fbp | Facebook Pixel Tracking | 3 months | |
| Google Analytics | _ga | Google Analytics Session | 2 years |
| _gat | Google Analytics bot filter | 1 minute | |
| _gid | Google Analytics - storing page views | 1 day | |
| Hotjar (edited) | _hjSessionUser{site_id} | Hotjar cookie that is set when a user first lands on a page with the Hotjar script. It is used to persist the Hotjar User ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID. | 365 days |
| _hjSession{site_id} | A cookie that holds the current session data. This ensues that subsequent requests within the session window will be attributed to the same Hotjar session. | 30 minutes | |
| _hjClosedSurveyInvites | Hotjar cookie that is set once a user interacts with an External Link Survey invitation modal. It is used to ensure that the same invite does not reappear if it has already been shown. | 365 days | |
| _hjDonePolls | Hotjar cookie that is set once a user completes a survey using the On-site Survey widget. It is used to ensure that the same survey does not reappear if it has already been filled in. | 365 days | |
| _hjMinimizedPolls | Hotjar cookie that is set once a user minimizes an On-site Survey widget. It is used to ensure that the widget stays minimized when the user navigates through your site. | 365 days | |
| _hjShownFeedbackMessage | Hotjar cookie that is set when a user minimizes or completes Incoming Feedback. This is done so that the Incoming Feedback will load as minimized immediately if the user navigates to another page where it is set to show. | 365 days | |
| _hjSessionTooLarge | Causes Hotjar to stop collecting data if a session becomes too large. This is determined automatically by a signal from the WebSocket server if the session size exceeds the limit. | Session | |
| _hjSessionRejected | If present, this cookie will be set to '1' for the duration of a user's session, if Hotjar rejected the session from connecting to our WebSocket due to server overload. This cookie is only applied in extremely rare situations to prevent severe performance issues. | Session | |
| _hjSessionResumed | A cookie that is set when a session/recording is reconnected to Hotjar servers after a break in connection. | Session | |
| _hjid | Hotjar cookie that is set when the customer first lands on a page with the Hotjar script. It is used to persist the Hotjar User ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID. | 365 days | |
| _hjRecordingLastActivity | This should be found in Session storage (as opposed to cookies). This gets updated when a user recording starts and when data is sent through the WebSocket (the user performs an action that Hotjar records). | Session | |
| _hjTLDTest | When the Hotjar script executes we try to determine the most generic cookie path we should use, instead of the page hostname. This is done so that cookies can be shared across subdomains (where applicable). To determine this, we try to store the _hjTLDTest cookie for different URL substring alternatives until it fails. After this check, the cookie is removed. | Session | |
| _hjUserAttributesHash | User Attributes sent through the Hotjar Identify API are cached for the duration of the session in order to know when an attribute has changed and needs to be updated. | Session | |
| _hjCachedUserAttributes | This cookie stores User Attributes which are sent through the Hotjar Identify API, whenever the user is not in the sample. Collected attributes will only be saved to Hotjar servers if the user interacts with a Hotjar Feedback tool, but the cookie will be used regardless of whether a Feedback tool is present. | Session | |
| _hjLocalStorageTest | This cookie is used to check if the Hotjar Tracking Script can use local storage. If it can, a value of 1 is set in this cookie. The data stored in_hjLocalStorageTest has no expiration time, but it is deleted almost immediately after it is created. | Under 100ms | |
| _hjIncludedInPageviewSample | This cookie is set to let Hotjar know whether that user is included in the data sampling defined by your site's pageview limit. | 30 minutes | |
| _hjIncludedInSessionSample | This cookie is set to let Hotjar know whether that user is included in the data sampling defined by your site's daily session limit. | 30 minutes | |
| _hjAbsoluteSessionInProgress | This cookie is used to detect the first pageview session of a user. This is a True/False flag set by the cookie. | 30 Minutes | |
| _hjFirstSeen | This is set to identify a new user’s first session. It stores a true/false value, indicating whether this was the first time Hotjar saw this user. It is used by Recording filters to identify new user sessions. | Session | |
| _hjViewportId | This stores information about the user viewport such as size and dimensions. | Session | |
| _hjRecordingEnabled | This is added when a Recording starts and is read when the recording module is initialized to see if the user is already in a recording in a particular session. | Session |