IDENTITY & CONTACT DETAILS OF THE CONTROLLER & THE DATA PROTECTION OFFICER
State Bidco Limited is the owner of tastecard and Ello Media (Taste Marketing Limited), gourmet society (Simard Limited), hi-life (Hi-Life Diners Club Limited). State Bidco are committed to protecting and respecting your privacy whilst remaining compliant with The General Data Protection Regulation (EU GDPR) and the Data Protection Act (DPA). In order for us to drive compliance, we have a Personal Information Management System which is compliant with BS 10012:2017.
State Bidco are the Data Controller and have an appointed Data Protection Officer whom can be contacted via email using the below details. For those who are based in the EU you can contact our EU representative whose details are below.
PURPOSE OF THE PROCESSING AND THE LEGAL BASIS FOR THE PROCESSING
In order for State Bidco to fulfil its contractual and customer obligations, there is a requirement to collect specific personally identifiable information relating to our customers. There are a couple of legal bases for the processing of such personally identifiable information. If you sign up on our website or one of our landing pages, then personal information is processed on the basis that we have a legitimate interest in doing so and to fulfil a contract with yourselves.
For marketing communications, we use the legitimate interest of provide marketing communications where you have bought/registered with one of our products or negotiated the purchase/registration of one of our products. However, you will always have the option of unsubscribing from these emails.
In other cases (for example, receiving employee benefits) we will be processing your personal information using the lawful basis of fulfilling a contract with the third-party benefit provider or the employer (not applicable to VuePass).
LEGITIMATE INTERESTS OF STATE BIDCO OR THIRD PARTY
State Bidco have a legitimate interest in further processing the information which is provided by customers at the point of sale for marketing purposes.
We may also use your information for other specific legitimate purposes such as:
- To ensure that content from our site is presented in the most effective manner for you and for your computer.
- To provide you with information, products or services that you request from us or which we feel may interest you, where you have either explicitly consented to or we believe you have a legitimate interest in.
- To carry out our obligations arising from any contracts entered into between you and us.
- To allow you to participate in interactive features of our service, when you choose to do so.
- To notify you about changes to our service.
We may also use your data, or permit selected third parties, to use your data to provide you with information about goods and services which may be of interest to you and we may contact you using electronic means (e-mail, SMS, Push, Phone) or post.
We do not sell, rent or lease customer lists to third parties for the purpose of them to market to you. We may, from time to time, contact you on behalf of external business partners about a particular offering that may be of interest to you. In those cases, your unique personally identifiable information (e-mail, name, address, telephone number) is not transferred to the third party.
In addition, we may share data with trusted partners to help us perform affiliate marketing, statistical analysis, send you email or postal mail, provide customer support, or arrange for deliveries. All such third parties are prohibited from using your personal information except to provide these services to us, and they are required to maintain the confidentiality of your information.
We will only contact you by electronic means (e-mail, SMS, Push, Phone) or post with information about goods and services similar to those which were the subject of a previous sale to you, where you have consented to this or we believe there is legitimate interest.
INFORMATION WE MAY COLLECT FROM YOU
We may collect and process the following data about you:
- Information that you provide by filling in forms on one of our sites (www.tastecard.co.uk, www.gourmetsociety.co.uk, www.hi-life.co.uk or www.hi-life.ie, www.vuepass.co.uk) such as;
- User name and password – If we collect a user name and password, this is so we can keep your information secure and so that we can have your information to hand each time you visit us.
- Name, address and postcode – Without this we won’t know where to send your order or to whom, we also use postcodes to quickly get your full address to save you typing it out and, in some cases, to identify whether we deliver or offer services in your area. If you have location services enabled on your smart device, we may also use this to recommend restaurants / applicable services in within the area you are in.
- Email address – We send confirmation of your orders via email and will send you informational messages as well as offers which may interest you.
- Telephone numbers – If there are any problems with your order or we need to check anything, we need to be able to contact you quickly.
- Date of Birth – We may request this to verify your age.
- Membership Numbers (Only applicable if a corporate partner has referred you to us or you have signed up via a third party) – So that we can allow the organisation who has referred you to us to verify memberships created and used
- If you contact us, we may keep a record of that correspondence.
- We may also ask you to complete surveys that we use for research purposes, although you do not have to respond to them.
- Details of your visits to our site and the resources that you access.
- App usage data – including location services - this is currently not applicable to VuePass members.
- Details of where and how you have used the product, including your savings made (this is currently not applicable to VuePass members).
RECIPIENTS OF THE PERSONAL DATA
State Bidco is required to transfer the personal information provided by its customers to third parties in order to fulfil contractual obligations. The following link provides information on data recipients who we use to allow us to provide the service we offer. The document will explain which processors work on which brand and what safeguards we have in place:
All information you provide to us is stored on our secure servers. Any payment transactions are encrypted using SSL technology. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
We may disclose your personal information to any member of our group (State Bidco Limited), which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.
We will not disclose your information to any of the relevant third parties listed above for marketing purposes.
We can provide you with contact details of our third parties upon request if required. You are able to do this by contacting us using the details in the ‘Contact’ section.
For members of VuePass
DETAILS OF TRANSFERS TO THIRD COUNTRIES & SAFEGUARDS
State Bidco has two systems that requires them to transfer personally identifiable information to a third party located in a third country, e.g. USA, controls are in place to ensure that the level of protection is not undermined and that security controls are at a level to commensurate with the type of information being transferred.
We also use an external IT service provider, who is located outside of the EEA, to assist us with the management of our IT systems and ensuring that our systems are secure. We do not transfer data to this organisation however they will have access to our systems to enable them to complete maintenance and IT support.
Where we transfer personal data to third countries, we will always ensure that we have the appropriate safeguards which one or both of the following:
- EU Standard Contractual Clauses; and/or
- Compliance against the EU-US Privacy Shield framework
Details of the safeguards can be located in the following link:
State Bidco retain all customer information for 5 years after they last interacted with us. Where there has been a period of 5 years after the end of membership and where has been no interaction between the organisation and the customer within this time, their information is erased and securely disposed of.
RIGHTS OF DATA SUBJECTS
You have the right to make a Subject Access Request to State Bidco’s Data Protection Officer in the event that you wish to determine what information we hold on you. We welcome these requests and aim to complete all requests within 30 days of verifying the request.
You have the right to request your data to be erased. This can be done by contacting us using the details in the ‘Contact’ section.
Please bear in mind this is not an absolute right and there maybe instances where we cannot completely erase your data (e.g. When the personal data is required for the exercise of legal claims), if an exception does come up this will be discussed with you when you make the request.
You have the right to rectification. If you notice that any of your details are incorrect, please contact the customer service team who will be more than happy to rectify this. We will also send transactional reminders to request that you notify us of any changes to your personal data so that we can keep your data up to date.
You have the right to portability. This is where you would like to transfer your data to another organisation. To request this, please contacting us using the details in the ‘Contact’ section. We will provide this within a structured CSV file for you to provide to a third party.
You also have a right to lodge a complaint with the Supervisory Authority (Information Commissioners Office in the UK), should you feel that we have not handled your information in line with legislative and regulatory requirements.
Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies.
We also use an external IT service provider that is based outside the EEA to assist us with the management of our IT systems and ensuring that our systems are secure. We do not transfer data to this organisation however they will have access to our systems to enable them to complete maintenance and IT support.
You can get an explanation of our safeguards by contacting us using the details in the ‘Contact’ section.
AUTOMATED DECISION MAKING, INCLUDING PROFILING & INFORMATION ABOUT HOW DECISIONS ARE MADE, THE SIGNIFICANCE OF THE CONSEQUENCES
We use location services through both our applications and websites for us to tailor our marketing material to your specific behaviour and activities, e.g. the types of restaurants which you regularly visit. We use email monitoring services to monitor the emails which we send to users. We also collect usage data through the use of our cards, systems and membership apps. In doing this, we obtain information such as but not limited to:
- Time of receipt
- Time of opening
- Device user to open
- Location it was opened in
- Purchases made on our website(s)
- Savings made
- Restaurants/Cinemas visited
- Which parts of the email you interacted with
We use systems that enable us to link your social media accounts to your account if registered with the same email address. This enables us to tailor our promotions and products as best as possible.
Where you have provided us with a mobile number, we may market to you using SMS and Push notification interactions.
Our systems are set up to enable us to collect information on your usage/order history and spending history inclusive of savings made, we link this data to your profile so that we can determine what other deals or informational emails may be of interest to you.
The use of our cards also involves a level of automated decision making. This is in relation to when the physical cards are used the card is used in some of the restaurants’ tills it will automatically determine whether the card is valid to receive the discount or not. (Please note this is not applicable to VuePass)
You have the ability to stop this profiling activity and the automated decision making by contacting us using the details in the ‘Contact’ section. Please be aware that by objecting to some of this data collection we may not be able to provide the product to you.
We may collect information about your computer, including where available your IP address, geographic location (if you allow when prompted by your browser), operating system and browser type, for system administration. This is statistical data about our users' browsing actions and patterns.
In the event that you wish to alter your Privacy settings or opt-out, you are able to do this by contacting us using the details in the ‘Contact’ section.
If you are a resident of EU (excluding the UK) please contact GRCI Law. We have appointed GRCI Law to act as our EU Representative in the event of the UK’s departure from the European Union. All requests, questions and comments should either be emailed to firstname.lastname@example.org or addressed to c/o Head of Data Privacy Manager Service for GRCI Law, IT Governance Europe, Third Floor, The Boyne Tower, Bull Ring, Lagavooren, Drogheda, Co. Louth, A92 F682