The Swedish company H & M Hennes & Mauritz GBC AB is responsible for your personal data under the General Data Protection Regulation (EU) 2016/679 and the applicable national data protection law. The US company H&M Hennes & Mauritz L.P is the personal data processor. Your personal data is stored and maintained in Sweden and processed within the H&M group in a few cases outside the European Economic Area (“EEA”). By using the Sites, you consent to the transfer of your data overseas and across borders, and from your country or jurisdiction to other countries or jurisdictions around the world. For transfers outside the EEA, H&M will use Standard Contractual Clauses and EU-US Privacy Shield Framework as safeguards for countries without adequacy decisions from the European Commission. The laws governing data in your home country may differ from those in the countries to which data is transferred. By accessing and using the Sites, you consent to the transfer of your data in this manner.
How do we use your data?
In providing your personal data you consent to H&M using the data collected in order to meet our commitments to you and to provide you with the service you expect. We need your personal data for the following purposes:
- To create your personal account at hm.com (e.g. your name and email address)
- To process your orders (e.g. your name, address, date of birth and bank details)
- To be able to send text message notifications of delivery status (e.g. your mobile phone number)
- To be able to send you marketing offers such as newsletters and our catalogues (e.g. your email address, your name and your postal address)
- To be able to contact you in the event of any problem with the delivery of your items (e.g. telephone number, address)
- To enable us to answer your queries and to inform you of new or changed services (e.g. your email address)
- To notify the winners in promotions (e.g. your email address, name, home address and telephone number)
- Managing your account by carrying out credit checks (e.g. name, address, date of birth)
- To be able to analyse your personal data to provide you with relevant marketing offers and information (e.g. name, buying habits)
- To be able to validate that you are of legal age for shopping online (e.g. date of birth)
We will only keep your data for as long as necessary to carry out our services to you or as long as we are required by law. After this your personal data will be deleted. We cannot remove your data when there is a legal storage requirement, such as book keeping rules or when there is a legal ground to keep the data, such as an on-going contractual relationship.
Non-personal data is used as described above and in other ways as permitted by applicable laws, including combining non-personal data with personal data.
By using Google’s Business Messages, your information will be transmitted to both H&M and Google.
What are your rights?
You have the right to request information about the personal data we hold on you. If your data is incorrect, incomplete or irrelevant you can ask to have the information corrected or removed. Annually, you also have the right to request written documentation, free of charge, on the personal information we have on you on our account files. To request this document please write in to H&M Customer Service. You can withdraw your consent to us using the data for marketing purposes at any time (i.e., sending catalogues, Newsletters or offers). If you have any questions, please contact Customer Service.
Who has access to the data?
We do not sell your information to third parties. We do, however, share data with third parties when necessary to fulfill a transaction, complete a service, for administrative purposes, or when required by law. Any data that is forwarded to third parties is used to meet H&M’s commitments to you. H&M may also supply your personal data to organizations such as credit reference or debt collection agencies for the purposes of credit checks, identity checks, monitoring credit rating and debt collection. Additionally, we will share your data if such sharing is required by law or to protect against potential or suspected fraud. Also, if H&M Hennes & Mauritz AB undergoes a merger, corporate reorganization, or all or part of our assets are sold or acquired by another party, your personal data may be shared. If you do not want us to share your personal data in these manners, please do not provide it to us.
How do we protect your data?
No data transmissions over the Internet can be guaranteed to be 100% secure. Consequently, we cannot ensure or warrant the security of any information you transmit to us and you understand that any information that you transfer to us is done at your own risk. That said, once we receive your transmission, we have technical and organizational measures in place to help protect your data from loss, manipulation, unauthorised access, etc. We continually adapt our security measures in line with technological progress and developments. At H&M we protect your data using Secure Sockets Layer (SSL) encryption. SSL is a function that encrypts all information sent between buyer and seller, including card information, so that card details cannot be read by external parties.
For card purchases we work with an authorised payment agent that helps us to check directly with your bank that the card is valid for purchases. Our payment agent processes your card details in line with the PCI DSS requirements. When you pay by card we reserve the right to carry out an identity check.
Your Account Information
You can access your personal account to update your personal data. Please note, however, that your personal account information is protected by your user name and password. It is your responsibility to maintain the security of your username and password as any actions taken while logged into your account will be your responsibility.
We do not collect any personal data directly from individuals under the age of 13. If we discover that any such information is in our possession, we will delete it.
What data do we collect?
This policy applies only to information collected on the Sites. We collect two types of information from visitors to the Sites: (1) Personal data and (2) Non-personal data.
“Personal data” is information that identifies you personally, such as your name, address, telephone number, email address, and sometimes your Internet Protocol (IP) address. We may collect this information when you create a profile on our Sites, visit our Sites, or complete a purchase.
“Non-personal data” can be technical in nature. It does not identify you personally. Examples of non-personal data include the following:
- Web Beacons (also known as "clear gifs," "web bugs" or "pixel tags") -- "Web Beacons" are tiny graphics with a unique identifier, similar in function to cookies, and are used to allow us to count users who have visited certain pages of the Sites and to help determine the effectiveness of promotional or advertising campaigns. In contrast to cookies, which are stored on a user's computer hard drive, web beacons are embedded invisibly on web pages.
- Demographic Information -- "Demographic Information" may be your gender, age, zip code, geolocation data and interests, which you voluntarily provide to us on and through the Sites. We use this information to provide you with personalized services and to analyze trends to ensure the information provided by the Sites meets your needs. Please note that we also consider aggregated information, which is not personally identifiable, to be non-personal data.
The above list provides an example of the non-personal data that is collected via the Sites.
Please note that our Sites do not support “Do Not Track” browser settings and do not currently participate in any “Do Not Track” frameworks that would allow us to respond to signals or other mechanisms from you regarding the collection of your personal or non-personally identifiable information.
The Sites may include links to other websites which don't fall under our supervision. We cannot accept any responsibility for the protection of the privacy or the content of these websites, but we offer these links to make it easier for our visitors to find more information about specific subjects.
We communicate with users who subscribe to our services on a regular basis via email. For example, we may use your email address to confirm your request, to send you notice of payments, to send you information about changes to our products and services, and to send notices and other disclosures as required by law. Generally, users cannot opt-out of these communications, but they will be primarily informational in nature rather than promotional.
However, we provide you the opportunity to exercise an opt-out choice if you do not want to receive other types of communication from us, such as emails or updates from us regarding new services and products offered on the Sites. The opt-out choice may be exercised by ticking or un-ticking the appropriate box if such checkbox is available at the points where personal data is collected or by contacting us. We will process your unsubscribe as soon as possible, but please be aware that in some circumstances you may receive a few more messages until the unsubscribe is processed. You also may opt-out of receiving such emails by clicking on the "unsubscribe" link within the text of the email.
By using the Sites and providing your mobile phone number, you hereby consent to receive autodialed and/or pre-recorded telemarketing calls and text messages from or on behalf of us at the mobile number that you provide at sign-up. You understand that consent to receiving messages on your mobile device is not a condition of purchase and understand that message and data rates may apply. Additionally, should you choose to stop receiving such messages, please contact Customer Service directly or reply STOP to a text message once it is received. However, you hereby consent to receiving a confirmatory message in response to your STOP request.
California Privacy Rights
California Civil Code Section 1798.83 permits our visitors who are California residents to request certain information regarding our disclosure of personal data to third parties for their direct marketing purposes. To make such a request, please contact Customer Service.
H&M Hennes & Mauritz AB. All rights reserved. All materials contained within this website are protected by copyright belonging to H&M Hennes & Mauritz AB.
International Transfer of Data
You understand that the controller of personal data submitted through the Sites may be contacted at the information below:
Controller of personal data
H & M Hennes & Mauritz AB GBC
Mäster Samuelsgatan 46
106 38 Stockholm
Telephone: +46 (0)8 796 55 00
Fax: +46 (0)8 24 80 78
Companies register: Bolagsverket/Swedish Companies Registration Office
Company registration number: 556070-1715
Authorised representative: Helena Helmersson
VAT registration number: VAT NO. SE556070171501