Privacy Policy
The Privacy Policy governs the processing of users' personal data and ensures protection against unauthorized access by any third party.
The company respects each user’s visit to its controlled website and the interest that the user shows to the products placed on the website.
Based on the above-mentioned, the company takes responsibility to ensure the security of the user’s personal data, to use the data only to achieve a legitimate purpose, and to ensure strict compliance with the personal data protection legislation.
The terms of personal data processing when using the website are defined by this privacy policy.
Definitions
Managing Company/Company - LLC “Kenari” (I/N: 404392224) (Limited Liability Company registered in accordance with the legislation of Georgia, date of registration: 17/12/2010) having its registered office at Georgia, Tbilisi, Didube district, Lubliana st., I lane, N4; Actual address: Georgia, Tbilisi, Didube district, Lubliana st., I lane, N4; E-mail: info@kenari.ge; hotline: 0322307950.
Website -The website operated by the company kenari.ge.
Personal data (data) – any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, including by his/her name, surname, identification number, location data and electronic communication identifiers, or by physical, physiological, mental, psychological, genetic, economic, cultural or social characteristics.
Special categories of data – data connected to a person’s racial or ethnic origin, political views, religious, philosophical or other beliefs, membership of professional unions, health, sexual life, status of an accused, convicted or acquitted person or a victim in criminal proceedings, conviction, criminal record, diversion, recognition as a victim of trafficking in human beings or of a crime under the Law of Georgia on the Elimination of Violence against Women and/or Domestic Violence, and the Protection and Support of Victims of Such Violence, detention and enforcement of his/her sentence, or his/her biometric and genetic data that are processed to allow for the unique identification of a natural person.
Data concerning health − data related to the physical or mental health of a data subject, including the provision of health care services, which reveal information about his/her physical or mental health.
Processing of data − any operation performed on personal data, including collecting, obtaining, accessing, photographing, video monitoring and/or audio monitoring, organizing, grouping, interconnecting, storing, altering, retrieving, requesting for access, using, blocking, erasing or destroying, and disclosing by transmission, publication, dissemination or otherwise making available.
Automated data processing − the processing of data by means of information technologies.
Semi-automated data processing − the processing of data without using information technologies.
Data subject – any natural person whose data are being processed.
Consent of the data subject – consent freely and unambiguously expressed by a data subject after the receipt of the respective information, by an active action, in writing (including in electronic form) or verbally, to the processing of data concerning him/her for specific purposes.
Written consent of the data subject − consent, signed or otherwise expressed by a data subject in writing (including in electronic form) after the receipt of the respective information, to the processing of data concerning him/her for specific purposes.
Controller – a natural person, a legal person, or a public institution, who individually or in collaboration with others determines the purposes and means of the processing of data, and who directly or through a processor processes data.
Processor − a natural person, a legal person, or a public institution, which processes data for or on behalf of the controller. A natural person who is in labor relations with the controller shall not be considered a processor.
Third party − a natural person, a legal person, or a public institution, other than a data subject, the Personal Data Protection Service, a controller, a processor, a special representative and persons who, under the direct authority of the controller or processor, are authorized to process data.
Direct marketing − the direct and immediate delivery of information to a data subject by telephone, mail, email or other electronic means to generate and maintain interest in, sell and/or support a natural and/or legal person, product, idea, service, work and/or initiative, as well as image and social issues. The provision of information by a public institution to a natural person shall not be considered direct marketing if the provision of such information is compatible with any of the grounds for data processing as provided for by Articles 5 and 6 of this Law.
Data depersonalization − the processing of data in such a manner that the data cannot be attributed to the data subject or attributing them to the data subject involves disproportionate effort, expense and/or time.
Blocking of data − the temporary suspension of data processing (except storing).
Incident − breach of security of data leading to the unlawful or accidental damage or loss of data, or the unauthorized disclosure, destruction, alteration of or access to data, or the collection/obtaining of data, or other unauthorized processing.
Personal Data Protection Officer - A person appointed by the managing company who is responsible for fulfilling the rights and duties outlined in Article 33 of the Law of Georgia “On Personal Data Protection” and overseeing the company's personal data processing activities.
1. Parties to the processing of the personal data
1.1 The subject of personal data processing is the user who, by registering and logging in to the website and/or purchasing goods, consents to the processing of his/her personal data for the purposes outlined in this privacy policy.
1.2 A Controller is: LLC “Kenari” (I/N: 404392224) (Limited Liability Company registered in accordance with the legislation of Georgia, date of registration: 17/12/2010) having its registered office at Georgia, Tbilisi, Didube district, Lubliana st., I lane, N4; Actual address: Georgia, Tbilisi, Didube district, Lubliana st., I lane, N4; E-mail: info@kenari.ge; hotline: 0322307950.
2. Basis of Data processing
2.1 Data processing by the Company shall be admissible, when one of the following grounds exists:
2.1.1 the data subject has given consent to the processing of data concerning him/her for one or more specific purposes;
2.1.2 to fulfill the obligations under an agreement with the data subject or to enter into an agreement at the data subject's request;
2.1.3 data processing is necessary for the controller to perform his/her statutory duties;
2.1.4 data processing is necessary to provide services to the data subject;
2.1.5 data processing is necessary to protect important legitimate interests pursued by the managing company;
2.1.6 data processing is necessary to perform tasks falling within the scope of public interest as defined by the legislation of Georgia;
2.1.7 the data subject has given consent to the processing of the special category data for one or more specified purposes.
2.2 The user is neither legally nor contractually obligated to provide personal data to the company. However, failure to provide such data may prevent the user from entering into or executing a purchase contract with the company on the website, participating in the loyalty program, or accessing certain services offered by the company's website.
2.3 If the processing of personal data is based on the consent of the data subject, the company assumes that the data subject provides this consent freely, voluntarily, and in their own interest upon reading this policy. The consent must be specific, informed, conscious, and unambiguous.
2.4 Consent is considered valid when the checkbox labeled "I agree to the Privacy Policy" is checked, indicating that the data subject agrees to the terms of personal data processing outlined in the Policy.
2.5 The Consent to the processing of personal data is not required where other grounds for processing apply.
3. The purpose of data processing
3.1 User registration on the website requires the user to provide their name, surname, personal identification number, email address, and mobile phone number. Consequently, the company is authorized to process above-mentioned Personal data of the Data subject in order to deliver complete and effective services.
3.2 The user is permitted to purchase goods on the website kenari.ge, operated by the company, without registering, by providing his/her: name, surname, mobile phone number, and email address. If the user chooses this method for making a purchase, the company is authorized to process the provided personal data to ensure complete and effective service.
3.3 When purchasing contact lenses and optical glasses through the website operated by the managing company, the customer is additionally required to provide Data concerning health, specifically their visual acuity (basic acuity and prescription number). This personal data is necessary for fulfilling the agreement with the customer. By providing data concerning health in the order form, the user confirms that their consent to the processing of this information is informed, specific, and non-discriminatory.
3.4 When utilizing the delivery service offered by the company, the user must provide their address. Without sharing this information will prevent the customer from accessing the delivery service.
3.5 The operational website of the company does not process personal data related to banking transactions. In case of performing such operations, the user’s personal data will be processed by the relevant financial institution.
3.6 To effectively fulfill the obligations outlined in the agreement between the Company and the Data Subject, including legal requirements, the Company processes personal data for the following purposes:
3.6.1 To manage communication with the Data Subject;
3.6.2 To introduce new products and services;
3.6.3 To develop and implement effective marketing activities;
3.6.4 To provide information about purchases made by the user;
3.6.5 To provide the user with information about the Company’s services and products;
3.6.6 To adapt the Website and its components to the needs of the user;
3.6.7 To protect users and prevent fraudulent activity;
3.6.8 To improve the Company's service quality;
3.6.9 To fulfill the Company’s legal and contractual obligations effectively and properly;
3.6.10 To receive users’ feedback and respond to complaints;
3.6.11 To test new products, systems, or services;
3.6.12 To manage risk of the Company and Users;
3.6.13 To execute and manage payments of the Data subject;
3.6.14 To send status messages to the Data subject about his/her purchase on the Website , such as successful completion of the purchase;
3.6.15 To provide to the competent state bodies in case stipulated by law;
3.6.16 For other legitimate purposes defined by the Law of Georgia “On Personal Data Protection”.
4. Rights and obligations of the Data subject
4.1 The Data subject is obliged to provide the company with complete and correct information about them in order to receive a service.
4.2 User, as the data subject, has the right to:
4.2.1 obtain from the Controller confirmation as to whether or not data concerning him/her are being processed according to the request, no later than 10 working days after the request, to receive his personal data stored with the company free of charge;
4.2.2 request information about the source from which the data were collected/obtained;
4.2.3 receive information about the period for which the data will be stored and, if no specific period can be determined, the criteria used to determine such period;
4.2.4 request information about the legal basis and purposes of the data transfer, as well as the appropriate data protection safeguards;
4.2.5 request information about the identity of the recipients or the categories of recipients, including information on the ground for and purpose of the transfer, if the data are transferred to a third party;
4.2.6 access personal data concerning him/her and to obtain copies of such data;
4.2.7 request the controller to rectify, update and/or complete erroneous, inaccurate and/or incomplete data concerning him/her;
4.2.8 request the controller to terminate the processing of , erase or destroy data concerning him/her.
4.2.9 The Controller reserves the right to refuse the request outlined in Article 4.2.8 if:
a) another grounds of processing provided for in the Article 3.3 hereof or in Articles 5 or 6 of the Law of Georgia “On personal data protection” exists;
b) data are processed for the purposes of substantiating a legal claim or a statement of defence;
c) the processing of data is necessary for the exercise of the right of freedom of expression or information;
d) data are processed for archiving purposes in the public interest as provided for by law, for scientific or historical research purposes or statistical purposes, and the exercise of the right to the termination of the processing, erasure or destruction of the data would render impossible or substantially impair the achievement of the purposes of the processing.
4.2.10 request the Controller to block data in such cases:
4.2.10.1 the authenticity or accuracy of the data is contested by the data subject;
4.2.10 .2 the processing of the data is unlawful, although the data subject opposes the erasure of the data and requests their blocking;
4.2.10.3 the data are no longer needed for the purposes of the processing, but they are required by the data subject to lodge a complaint/claim;
4.2.10.4 the data subject requests the termination of the processing, erasure or destruction of the data and this request is being considered;
4.2.10.5 there is a need to retain the data for use as evidence.
4.2.11 Request to stop receiving direct marketing messages and advertisements (if applicable) and withdraw consent for the processing of personal data for direct marketing purposes at any time, in accordance with Article 8 of this Privacy Policy.
4.2.12 Withdraw consent at any time and without explanation by sending an email to info@kenari.ge. The Company agrees to cease data processing no later than 10 working days after receiving such notification. If the user declines to provide personal data or requests a restriction on data processing, it may hinder or render it impossible for the Company to fulfill its obligations to the user, including access to their account/profile or receipt of relevant services.
4.2.13 Submit a complaint regarding personal data processing, including to the Personal Data Protection and/or to a court.
5. Minor persons
5.2 The Company does not knowingly collect or store information from individuals under the age of 18 who have not reached the legal age of majority according to the laws of Georgia. The Company is committed to ensuring the protection of personal information pertaining to minors.
5.3 The Company is unable to verify the accuracy of the information provided by the user. If anyone becomes aware of a purchase of goods or services by a minor on the website operated by the Company, please contact us at the following email address: info@kenari.ge.
6. Data storage period and Security
6.2 The Company ensures consistent and high-quality protection and security of the user’s personal data.
6.3 The Company is responsible for implementing all necessary organizational and technical measures to comply with Georgian law, ensuring the protection of user data against loss and unlawful processing, including destruction, deletion, alteration, disclosure, or misuse.
6.4 The user acknowledges that any data transmission over the Internet or a wireless network cannot be completely secure. The Company employs commercially reasonable security measures to protect personal data and seeks to partner with organizations that responsibly prioritize the protection of personal data. However, the Company cannot guarantee the security of the website or the information transmitted from it.
6.5 The Company ensures the involvement of partner individuals and companies in the processing of personal data, who may process a limited amount of personal information on behalf of the Company. The list of relevant parties is provided in the table below:
Purpose of personal data processing |
Partner individuals/companies involved in the processing of personal data include: |
Sale of goods/services |
A courier company involved in the delivery of goods. An individual providing information technology services. Financial institutions through which banking transactions are conducted. |
Customer claims and return of goods |
A courier company involved in the delivery of goods. |
Marketing activities |
An individual providing information technology services (mail, sms) |
6.6 The Company shall ensure that personal data related to the User is processed and stored in a manner that allows for the User's identification, as long as it is necessary to achieve the purposes of processing specified in this Policy.
6.7 Upon termination of personal data processing for the purposes specified in this Policy by the managing company, the Company shall irrevocably destroy the data in accordance with the procedures and timelines established by law. Destruction will be carried out if at least one of the following conditions has occurred:
6.7.10 Data subject have withdrawn his/her consent to the processing of personal data or have requested the termination of the processing of personal data, if the processing was carried out on the basis of such consent;
6.7.11 The purpose of personal data processing has been achieved;
6.7.12 Illegitimate processing of personal data (Incident) has been identified;
6.7.13 The Company has ceased its business activities.
6.8 The Company shall store the data for the period necessary to achieve the purposes of processing, not exceeding three (3) years.
6.9 After the user deletes their account/profile on the website, their depersonalized data will be stored for a period not exceeding three (3) years, in accordance with the purposes outlined in the Policy, applicable laws, and regulatory documents.
6.10 The company shall store special categories of data related to data subjects, in particular health-related data, for a period of no more than 03 (three) years after providing services to data subjects.
6.11 The controller shall record and keep the date and fact of the data subject’s consent to the processing of data concerning him/her and the withdrawal of such consent for the duration of the direct marketing and for 1 year after the direct marketing has been discontinued.
7. Methods of obtaining and disclosing personal data with third parties
7.2 The Company receives information about personal data when the user completes the registration form and/or purchases goods without going through the authorization process.
7.3 The Company may disclose the user’s personal data to state bodies, regulatory authorities, or any other entity, in accordance with applicable laws, regulations, court rulings, official requests, and instructions issued by a state regulatory body, for the purposes outlined in those documents or as required by any similar process conducted under applicable laws.
7.4 To provide effective and efficient service, the Company is authorized to transfer personal data related to the user to companies or individuals with whom it has a contractual relationship, specifically for the provision of courier and information technology services.
7.5 In the event of a transfer of personal data to companies/individuals with which/whom the Company has a contractual relationship, these companies/individuals are obligated to comply with the requirements set forth by the Law of Georgia regarding the protection and security of personal data.
7.6 The partner courier company, “GEORGIAN EXPRESS” LLC (I/N 404974630), receives the following information about the customer: name, surname, email address, mobile phone number, and address. This information will be used solely for the purpose of delivering the purchased products.
7.7 Sharing data with the company's partner companies, courier companies, subcontractors may be necessary to the extent required to fulfill contractual obligations with the customer.
7.8 The Company does not engage in international data transfers.
8. Direct marketing
8.2 If the data subject consents, the following types of personal data relating to the data subject may be processed for direct marketing purposes, in particular to receive promotional messages from the company, notifications of planned news/promotions/discounts: name, email address, and mobile phone number.
8.3 The user has the right to request at any time to stop receiving marketing messages (if applicable) and to withdraw their consent to the processing of personal data for direct marketing purposes, either by using the same method by which direct marketing was carried out or by sending an email to info@kenari.ge. The company will respect the customer's wishes and will cease using their personal data for direct marketing purposes within a reasonable timeframe, but no later than 7 business days after receiving such notification.
8.4 The withdrawal of consent does not affect the lawfulness of processing based on consent prior to its withdrawal.
9. Cookies and similar technologies
9.2 The website operated by the managing company uses so-called “Cookies” to enhance navigation, present information in a preferred format, and improve search settings.
9.3 The Company does not collect or process personal data related to the user through cookies.
9.4 For detailed information on the processing of cookies by the managing company, please refer to the 'Cookie Policy' on the website kenari.ge.
10. Changes to the Privacy policy
10.2 Company reserves the right to amend this privacy policy at any time.
10.3 Any changes to the Privacy Policy will be promptly communicated to registered users via email and/or by posting information on the website.
11. Terms of Use
11.2 By electronically agreeing to the terms and conditions, the user confirms their acceptance of this Privacy Policy and that the information provided is accurate and reliable. This information was submitted at the user's request, and the user affirms that they possess all rights and permissions required by applicable legislation.
11.3 The legal basis for the processing of personal data by the company is the Law of Georgia On Personal Data Protection and Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS N 108, Strasbourg, 28 January 1981).
12. Contact
12.2 If the user has any questions or requests related to the processing of personal data, they can contact the Company at the following email: info@kenari.ge; hotline: 0320322307950.
13. Contact the Personal Data Officer
To ensure compliance with the processing of personal data and the Company's Privacy Policy under the Law of Georgia “On Personal Data Protection”, the managing company has appointed a Personal Data Protection Officer- “Legal Group” LLC (I/N: 405326801). The Personal Data Protection Officer oversees the data processing activities of the Company, analyzes applications and complaints related to data processing, and provides relevant recommendations. For inquiries related to personal data, please contact the Personal Data Protection Officer “Legal Group” LLC (I/N: 405326801) via email at legal@legalgroup.ge.