Updated on 3 March 2021
This policy governs the privacy policies for all POS8 Services as defined below. It is intended to cover policies for both end-user customers (“Customers”) of our mobile applications (“Application(s)”), and “Venue(s)” which are individual businesses (in plural “Companies” consisting of multiple Venues) under a Sales Agreement and are contracted to operate POS8 Services.
About the Company
POS8 LIMITED, with company number 11071470, whose registered office is at Printing House, 66 Lower Road, Harrow, HA2 0DH, United Kingdom, a corporation registered and existing under the laws of England and Wales (“POS8”, “We”, “Us”, “Our”). POS8 is a private limited company registered in England and Wales and is the owner and operator of fetchmyorder.com.
Norse Starlit Limited, is a private limited company registered in Ireland, and is wholly owned by POS8 Limited by shares with registered office at 50A Rosemount Park Drive, Rosemount Business Park, Ballycoolin Dublin 11, Dublin 11, Dublin, Ireland, and registered number: 669369, and is the owner and operator of Bambooapp.ie.
Mobile applications "FETCH" and "Bamboo App", along with websites www.pos8.com, www.fetchmyorder.com and www.bambooapp.ie are applications and websites owned, developed, and operated by POS8.
About the Policy
This policy governs the privacy policies (“Policy”, “Policies”) for all POS8 Services as defined below. It is intended to cover policies for both end-user customers (“Customers”) of our mobile applications, Venue(s) which are individual businesses that are contracted to operate POS8 Services (generally “You”, “Your”).
We are committed to protecting the privacy of all users of our Services, websites and mobile applications (together, the “Sites”). Please read this policy which explains how we use and protect your information. We are the “data controller” of the information we process, unless otherwise stated.
All Services and Agreement(s) are bound by these published Policies. We retain the right to periodically update these Policies and it is the responsibility of you to periodically review these Policies.
These Policies are published on www.fetchmyorder.com/privacy on our website(s).
General Data Protection Regulation (“GDPR”) policies and information are contained within these Policies. our Data Controller is contactable below.
Please read these Policies carefully before you start to use our Services. Continued use of our Services or Site(s) by you or any Venue following the posting of changes to our Policies mean you accept and agree to the changes and accept all terms in these Policies. If you do not agree to this Policy, do not use access our Services.
These Policies are also bound and must be read in conjunction with our “End User License Agreement - EULA” (www.fetchmyorder.com/eula) as published on our Site(s), which governs the use of all “Service(s)” delivered by us which are defined as software applications including our “Application(s)” available on application stores to be used on mobile devices, website and related services supplied directly or contracted by us to supply Services to our contracted Venues and their Customers.
By contacting our general customer services team at: firstname.lastname@example.org.
By contacting our Data Protection Officer: email@example.com.
For the purpose of the General Data Protection Regulation (“GDPR”) our Data Controller is Julian Dabbs (firstname.lastname@example.org).
As we are based in the United Kingdom, we have appointed Julian Dabbs to be our representative within the European Economic Area. Their contact details are email@example.com.
Data Storage and Processing
We store and process data securely using Amazon Web Services (AWS) and their data centre. aws.amazon.com/security.
AWS utilizes commercially reasonable measures to prevent unauthorized or unlawful access to, acquisition of, use of, or disclosure of that data. These measures include policies, procedures, employee training, physical access and technical elements relating to data access controls. In addition, AWS uses standard security protocols and mechanisms to facilitate the exchange and the transmission of sensitive data.
As per the ‘bridging mechanism’ rules and treaties set forth and reached between the EEA-UK as a result of “BREXIT”, our services utilize AWS set at the UK region. The bridging mechanism recognizes that AWS UK services may continue to process personal data until 30 June 2021 or until a permanent adequacy agreement has been reached between the UK and EEA. As a result, our services will remain with AWS UK region until such time and we are proactively monitoring the situation and take corrective actions as required, including but not limited to moving to a EU-based AWS region. Please reference https://aws.amazon.com/compliance/gdpr-center/brexit/
We store and process data using encryption methods and additional advanced data processing methods.
We have access to personal information provided by Customers as part of using our Services. This information may include names, email addresses, phone numbers and physical addresses and will only be used for servicing Customer online ordering requirements.
How We Collect Your Information
We collect your personal information when you interact with us or use our Services, such as when you use our Application to place an order. We also look at how visitors use our Sites and Applications, to help us improve our services and optimize the customer experience.
We collect information:
· When you create an account with us or you change your account settings;
· When you place an order with us and during the order process;
· When you give us your consent to contact you via email, phone, post, message or via our chat function to send you marketing campaigns, or to invite you to participate in surveys about our services, or our partners’ services;
· When you contact us directly via email, phone, post, message or via our chat function; and
· When you browse and use our Sites (before and after you create an account with us).
We also collect information from third party sites, such as advertising platforms and our fraud detection provider.
Information We Collect From You
As part of our commitment to the privacy of Customers and visitors to our Sites more generally, we want to be clear about the sorts of information we will collect from You.
When you visit our Sites or use our Application(s), you are asked to provide information about Yourself including your name, contact details, order details and payment information such as credit or debit card information. We may also collect your date of birth to verify your age when you purchase age restricted items.
We also collect information about your usage of the Sites and Application(s) and information about you from any messages you post to the Sites or when you contact us or provide feedback, including via e-mail, letter, phone or chat function. If you contact us by phone, we may record the call for training and service improvement purposes, and make notes in relation to your call.
We collect technical information from your mobile device or computer, such as its operating system, the device and connection type and the IP address from which you are accessing our Services.
We also collect technical information about your use of our Services through a mobile device, for example, carrier, location data and performance data such as mobile payment methods, interaction with other retail technology such as use of NFC Tags, QR Codes and/or use of mobile vouchers. Unless you have elected to remain anonymous through your device and/or platform settings, this information may be collected and used by us automatically if you use the service through your mobile device(s) via any mobile application, through your mobile’s browser or otherwise.
We process health information about you only where you volunteer and consent to this, for example if you specify any food allergies.
Use of Your Information
We will only process the data we collect about you if there is a reason for doing so, and if that reason is permitted under data protection law.
Where we need to in order to provide you with the service you have requested or to enter into a contract, we use your information:
· to enable us to provide you with access to the relevant parts of the Sites and Applications;
· to supply the services you have requested;
· to enable us to collect payment from You; and
· to contact you where necessary concerning our Services, such as to resolve issues you may have using our Services.
We also process your data where we have a legitimate interest for doing so – for example personalisation of our Service, including processing data to make it easier and faster for you to use our Services. We have listed these reasons below:
· to improve the effectiveness and quality of service that you can expect from us in the future;
· to tailor content that we or our contracted Venues or third party advertising partners display to You, for example so that we can show you restaurants which are in your area or make sure you see the advertising which is most relevant to You, based on characteristics determined by us;
· to enable our customer support team to help you with any enquiries or complaints in the most efficient way possible and to provide a positive customer experience.
· to contact you for your views and feedback on our Services or our partners’ services and/or products;
· to notify you if there are any important changes or developments to the Application, our Sites or our Services, including letting you know that our services are operating in a new area, where you have asked us to do so;
· to send you information by post about our products, Services and promotions (if you do not want to receive these, you can let us know by getting in touch (see Contact Details); and
· to analyse your activity on the Application and Sites so that we can administer, support, improve and develop our business and for statistical and analytical purposes and to help us to prevent fraud.
We also process your data to enforce our contractual terms with you and any other agreement, and for the exercise or defence of legal claims and to protect the rights of Ourselves, Venues, or others (including to prevent fraud).
If you submit comments and feedback regarding the Sites and our Services, we may use such comments and feedback on the Sites and in any marketing or advertising materials. We will only identify you for this purpose by your first name and the city in which you dined. Where you have chosen to receive push notifications from us through our Application, we may send you push notifications relating to our Services that you have requested from us and information about our Services and offers. You can choose to stop receiving push notifications from us at any time by changing your preferences on your mobile device or by getting in touch (see Contact Details).
We do not share this personal information with anyone for promotional purposes, nor do we utilize it for any purposes not expressly consented to by the Customer. We may at times provide non-personal and/or aggregated data and statistics on Customer demographics, application usage or other data for market basket or other analytical purposes to the Company or Venue.
We may also analyse data about your use of our Services from your location data to create profiles relating to you and for You. This means that we may make certain assumptions about what you may be interested in and use this, for example, to send you more tailored marketing communications. This activity is referred to as profiling. You have certain rights in relation to this type of processing.
Where we rely on legitimate interest as a basis for processing your personal information, we carry out a balancing test to ensure that our processing is necessary and that your fundamental rights of privacy are not outweighed by our legitimate interests.
Where we are under a legal obligation to do so we may use your information to create a record of your activities and comply with any legal obligation or regulatory requirement to which we are subject.
A cookie is a small text file stored on your computer, tablet, mobile or similar, for the purpose of recognizing your device if you visit our Site again (such as login, language, font size and other settings). This makes it possible to customize the Site to your browser. A cookie may contain text, numbers or e.g. a date, but generally there are no personal data in a cookie. It is not a program and thus cannot contain a virus.
When you visit our Site, we collect information about you that allows us to identify your device. The information is used to customize and improve our content on the Site and to get statistical information (not personal information), so we can provide you with the best possible experience.
You can modify your browser, so cookies are not stored on your computer, tablet, mobile etc.
We use your mobile device location data to enable Venues to provide better service to you or to allow you to look for more Venues in an area. If you disable or refuse to allow location data to be sent, please note that some parts of our Services may become inaccessible or not function properly.
Where you have given your consent or where we have a justifiable reason for doing so (and are permitted to do so by law) we will use your information to let you know about our other products and services that may be of interest to you and we may contact you to do so by email or phone. You can control your email marketing preferences within the Account section of our Applications.
Automated Decision Making
We may conduct fraud checks on Customers. Where we believe we may detect fraudulent activity we may block you from using all or a portion of our Services or Sites.
We may undertake fraud checks on customers because this is necessary for us to perform our Services to our contracted Venues, to ensure that the services provided are duly paid for, and to enable individuals themselves some protection from fraudulent transactions on their cards.
We may use automated systems including third party fraud detection providers, which analyse usage details to make automated decisions as to whether we will accept a request for service. We find this is a more fair, more accurate and a more efficient way of conducting fraud checks.
These checks and decisions look at various components including known industry indicators of fraud which our fraud detection provider makes available to Us, as well as fraud patterns we have detected. When combined, these generate an automated score indicating the likelihood of a fraudulent transaction. If our systems indicate a high score for You, then we may decline servicing your request or even block you from our Services. The specific fraud indicators are dynamic and may change depending on what types of fraud are being detected at any particular time.
Our fraud detection is in place to protect all of our Customers as well as Ourselves.
Retention of Your Information
We will not retain your information for any longer than we think is necessary.
Information that we collect will be retained for as long as needed to fulfil the purposes outlined in these Policies, and in line with our legitimate interest or for a period specifically required by applicable regulations or laws, such as retaining the information for regulatory reporting purposes.
When determining the relevant retention periods, we will take into account factors including:
· Our contractual obligations and rights in relation to the information involved;
· legal obligation(s) under applicable law to retain data for a certain period of time;
· statute of limitations under applicable law(s);
· Our legitimate interests where we have carried out balancing tests;
· disputes; and
· guidelines issued by relevant data protection authorities.
Otherwise, we securely erase your information where we no longer require your information for the purposes collected.
Disclosure of Your Information
The information we collect about you will be transferred to and stored on our servers located within the UK and/or EU.
We share your information within our Services only where necessary for the purposes set out in this Policy.
We may share your information with third party service providers which provide services on our behalf. The types of third party service providers whom we share your information with include for example:
· Payment providers (including online payment providers and fraud detection providers);
· IT service providers (including cloud providers);
· venue partners (that you have been a Customer of);
· customer support partners; and
· Marketing and advertising partners.
We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with these Policies when it is transferred to third parties.
We may also share your information, if any of the following occur:
· We are acquired or enter into a new business relationship, we may transfer your information to this new partner;
· We may share your information if we are under a duty to disclose or order to comply with (and/or where we believe we are under a duty to comply with) any legal obligation or regulatory requirement. This includes exchanging information with other companies and other organisations for the purposes of fraud protection and prevention;
· In order to enforce our contractual terms with you and any other agreement;
· To protect the rights of Our, partners, or others, including to prevent fraud; and
· With such third parties as we reasonably consider necessary in order to prevent crime, e.g. the police or for health and safety purposes.
International Transfers of Data
In some cases your information might be processed outside United Kingdom or the European Economic Area (“EEA”), such as the United States, and the countries in which we operate.
These countries may not have the same protections for Y information as the UK and EEA has. However, we are obliged to ensure that the personal data that is processed by us and our suppliers outside of the UK or EEA is protected in the same ways as it would be if it was processed within the UK or EEA. Therefore certain safeguards are in place when your data is processed outside of the UK or EEA.
We ensure this similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
· Your personal data is transferred to countries that have been deemed to provide an adequate level of protection for personal data by the GDPR requirements;
· We use the UK or EU approved Standard Contractual Clauses; and
· where your personal data is transferred to third party providers based in the US, data may be transferred to them if they have self-certified under the Privacy Shield framework in relation to the type of data being transferred, which requires them to provide similar protection to personal data shared between the UK / EU and the US.
Please contact us using the contact details above if you want further information on the countries to which personal data may be transferred and the specific mechanism used by us when transferring your personal data out of the UK or EEA.
We use robust technologies and policies to ensure the personal information we hold about you is suitably protected. We take steps to protect your information from unauthorised access and against unlawful processing, accidental loss, destruction and damage.
Where you have chosen a password that allows you to access certain parts of our Services or Sites, you are responsible for keeping this password confidential. We advise you not to share your password with anyone.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will take steps to protect your information, we cannot guarantee the security of your data transmitted to our Services or the Sites; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
Subject to applicable law, you may have a number of rights concerning the data we hold about You. If you wish to exercise any of these rights, please contact our Data Protection Officer using the contact details set out above. For additional information on your rights please contact your respective data protection authority.
Where provided by law, you may withdraw any consent you previously provided to us or object at any time on legitimate grounds to the processing of your personal information, and we will apply your preferences going forward. This will not affect the lawfulness of our use of your information based on your consent before its withdrawal.
You can object by changing your marketing preferences or disabling cookies as previously detailed.
Under the General Data Protection Regulation you have a number of important rights free of charge. In summary, those include rights to:
· access to your personal data and to certain other supplementary information that these Policies are designed to address;
· require us to correct any mistakes in your information which we hold;
· require the erasure of personal data concerning you in certain situations;
· receive the personal data concerning you which you have provided to Us, in a structured, commonly used and machine-readable format and have the right to transmit those data to a third party in certain situations;
· object at any time to processing of personal data concerning you for direct marketing;
· object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect You;
· object in certain other situations to our continued processing of your personal data;
· otherwise restrict our processing of your personal data in certain circumstances.
If you would like to exercise any of those rights, please contact us. We will need enough information to identify you as well as the information to which your request relates.