Privacy Policy

This Privacy Policy, prepared in accordance with the EU General Data Protection Regulation (GDPR), sets out the rules governing the collection, processing, storage, and transfer of personal data of EU residents by KANHA UK TRADING LTD (hereinafter referred to as "we"), as well as the rights of data subjects and our compliance commitments. This Policy applies to all EU residents with whom we conduct business.

1. Scope of Application
This Policy covers the personal data of EU residents processed by us in the following scenarios:
Website (lathihong.com) visits, registrations, and use;
Apparel product ordering, payment, delivery, and after-sales service;
Customer inquiries, feedback, and complaint handling;
Market research, new product promotion, and personalized service provision;
Collaboration with business partners and suppliers (when personal data is involved).
Regardless of where the data is stored, any personal data processed involving EU residents is subject to this Policy and the GDPR.

2. Collection and Processing of Personal Data
(I) Types of Personal Data Collected
Depending on the business scenario, the data we collect includes, but is not limited to:
Identity and Contact Data: Name, gender, age, email address (e.g., [email protected]), phone number, mailing address, zip code, etc.;
Transaction Data: Order number, ordered product model/quantity, payment amount, payment method, logistics tracking information, etc.;
Website Usage Data: IP address, browser type, access time, page browsing history, cookie preferences, etc.;
Preference Data: Clothing style preferences, size information, purchase frequency, feedback content, etc.;
Compliance Data: Contact person qualifications and tax information for corporate customers (required to fulfill legal obligations).
(II) Lawful Basis for Data Processing
All our data processing activities are based on the lawful grounds set forth in the GDPR:
Obtaining the data subject's explicit consent: e.g., consent to receive new product promotional emails and permission to use cookies on the website;
Necessary for contract performance: e.g., collecting shipping addresses and contact information to fulfill clothing orders;
Meeting legal obligations: e.g., retaining transaction records in accordance with tax regulations;
Protecting legitimate interests: e.g., verifying order information to prevent fraud and analyzing access data for website security.
(III) Purpose Limitation of Data Processing
We only process personal data for the following specific, explicit purposes; any additional processing requires renewed consent:
Completing clothing order processing, payment, delivery, and after-sales support;
Providing customer inquiry response and problem-solving services;
Optimizing website functionality and user experience;
Providing personalized product recommendations based on customer preferences (requires separate consent);
Complying with relevant EU and UK laws and regulations.

3. Core Principles of Data Processing
We strictly adhere to the seven core principles of GDPR in all our data activities:
Fairness, Transparency, and Lawfulness: We refrain from misleading or discriminatory data processing practices and disclose data usage in clear and understandable language.
Purpose Limitation: Data is used only for the purpose we previously provided, and no changes to that purpose will be made without consent.
Data Minimization: We collect only data necessary for our business. For example, we don't collect a physical address for an e-book purchase, and we don't collect sensitive information unrelated to the transaction for a clothing order.
Accuracy: We regularly review data, and customers can request corrections for inaccuracies (e.g., changes of address) at any time.
Storage Limitation: Data retention will not exceed the time necessary to fulfill the purpose for which it was intended. Transaction data will be retained for no more than seven years from the date of fulfillment (considering both EU and Chinese compliance requirements). After this period, it will be anonymized or deleted.
Integrity and Confidentiality: We implement measures such as encrypted storage and access control to prevent data leakage, loss, or unauthorized alteration.
Accountability and Compliance: We maintain a data processing record system to readily demonstrate the compliance of our processing activities.

4. Data Subject Rights
Under the GDPR, EU residents, as data subjects, have the following rights:
Right of Access: You have the right to request information about whether we process your personal data, the type of data, and the purpose of processing;
Right of Correction: You have the right to request immediate correction of inaccurate or incomplete data;
Right to Erasure (Right to Be Forgotten): You have the right to request deletion of data (unless required to be retained by law or regulation) when the data is no longer necessary, consent has been withdrawn, or processing is unlawful;
Right to Restrict Processing: You can request the suspension of data processing (for example, if the accuracy of the data is disputed);
Right to Data Portability: You have the right to request access to your personal data in a structured format or to request its transfer to another data controller;
Right to Withdraw Consent: You can withdraw previously granted consent at any time (without affecting any lawful processing based on consent prior to withdrawal);
Right to Complain: You may lodge a complaint with an EU member state data protection authority regarding the processing of your data.
To exercise any of these rights, please contact us at [email protected] and we will respond within one month.

5. Data Security and Breach Notification
(I) Security Protection Measures
We implement both technical and organizational safeguards:
Technical: encrypted data storage, SSL secure transmission protocol, regular security vulnerability scanning, and access log audits;
Organizational: employee data protection training, hierarchical access rights management, and data protection agreements with suppliers;
Compliance: regular data protection impact assessments (for high-risk processing activities).
(II) Data Breach Notification
If a high-risk data security breach occurs, we will notify the relevant data protection authority within 72 hours of discovery. If the breach may compromise the rights of data subjects, we will also notify affected EU residents and explain the appropriate response measures.

6. Data Transfer and Sharing
(I) Cross-Border Transfers
We ensure that cross-border transfers of EU residents' personal data comply with GDPR requirements through the following methods:
Transfers to countries/regions that have received an EU "adequacy determination";
Entering into EU Standard Contractual Clauses (SCCs) with the recipient.
(II) Third-Party Sharing
Data sharing is only permitted in the following circumstances, and in all cases, third parties are required to comply with GDPR and confidentiality obligations:
Logistics providers: Name, address, and contact information are required to complete delivery;
Payment institutions: Transaction-related information is required to process payments;
Compliance requirements: Necessary data is provided upon regulatory request;
Business collaboration: Only necessary, non-sensitive data is shared with business partners (a data processing agreement is required).
We do not sell personal data to third parties without consent.

7. Cookie Policy
Our website (lathihong.com) uses cookies for the following functions:
Necessary cookies: Ensure basic website operation (such as shopping cart functionality) and do not require consent for use;
Analytical cookies: Count visit data to optimize the website experience (such as page dwell time);
Marketing cookies: Used for personalized recommendations and advertising.
You can manage or disable non-essential cookies through your browser settings, but this may affect the functionality of some features.

8. Compliance Responsibilities and Penalties
We are fully aware of the stringent requirements of the GDPR. Violations of this Policy and the GDPR may result in the following penalties:
Minor violations: A fine of up to 2% of global annual turnover or €10 million (whichever is greater);
Serious violations (such as violations of data minimization principles or failure to protect data subject rights): A fine of up to 4% of global annual turnover or €20 million (whichever is greater).
We have established a compliance review mechanism to regularly assess our data processing activities to mitigate the risk of non-compliance.

9. Policy Updates and Inquiries
This Policy will be updated as necessary based on GDPR revisions and business changes. EU residents will be notified of updates via website announcements and emails. Updates take effect from the date of publication.
If you have any questions about this Policy or need to exercise your data subject rights, please contact us through the following methods:

Website: lathihong.com (You may leave a message in the "Contact Us" section)