Vanilla Active Limited is registered in England and Wales under registration number 06672476 and our registered office is at Ground Floor Unit 501 Centennial Park, Centennial Avenue, Elstree, Borehamwood, Hertfordshire, United Kingdom, WD6 3FG.

We hold personal data about our employees, clients, suppliers and other individuals for a variety of business purposes. At Vanilla Active, we are committed to respecting your privacy and have set high data protection standards to comply with applicable data protection and privacy laws.

Scope

Please read the following policy carefully, as it gives you the details of how we collect and process your personal data and it applies to all services provided by us to you which includes any information that you may provide to us through our website when you engage our services or sign up to our newsletter and sets out how we seek to protect personal data. This Policy applies to all employees of Vanilla Active and should be read in conjunction with our Terms & Conditions of Use and our Cookie Policy. You give us your information either through this website or by any other means. Any and all personal data passed to us by any third party will be treated in accordance with this policy.

We may use your personal data for business purposes that may include the following:

  • In connection with the services offered by our business including on this website which include website design, digital campaigns, hosting services, promotional web design including instant wins, prize draws, prize allocation and fulfilment, coupon microsites, loyalty schemes, collating real time statistics, reporting on results of promotions, maintaining subscriber lists and API integration
  • Compliance with our legal, regulatory and corporate governance obligations and general good practice
  • Gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests
  • Ensuring business policies are adhered to (such as policies covering email and internet use)
  • Operational reasons, such as recording transactions, training and quality control, ensuring the confidentiality of commercially sensitive information, security vetting, credit scoring
  • Investigating complaints
  • Checking references, ensuring safe working practices, monitoring and managing staff access to systems and facilities and staff absences, administration and assessments
  • Monitoring staff conduct, disciplinary matters
  • Marketing our business through our newsletter
  • Improving our services through knowledge of what is used and how

Our Data Compliance Officer has overall responsibility for the day-to-day implementation of this policy.

1. What We Do To Protect Your Data

1.1 Fair and lawful processing

We will always seek to process personal data fairly and lawfully in accordance with the rights of individuals. This generally means that we will not process personal data unless the individual whose details we are processing has consented.

The processing of all data must be:
  • Necessary to deliver our services and the services that we deliver on behalf of our clients
  • In our legitimate interests and not unduly prejudice the individual’s privacy

In most cases this provision will apply to routine business data processing activities.

1.2 Sensitive personal data

In the situation where we collect and process sensitive personal data we will require the data subject’s explicit consent to do this unless exceptional circumstances apply or we are required to do this by law (e.g. to comply with legal obligations to ensure health and safety at work). Any such consent will need to clearly identify what the relevant data is, why it is being processed and to whom it will be disclosed.

1.3 Your personal data

You must take reasonable steps to ensure that personal data we hold about you is accurate and updated as required. For example, if your personal circumstances change, please inform the Data Compliance Officer so that we can update your records.

1.4 Data security

We keep personal data secure against loss or misuse. We are committed to protecting the confidentiality and security of your information and we have taken all reasonable measures to secure your information, including encryption, third party audits, access controls and security testing. We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know the data. Where other organisations process personal data as a service on our behalf, our Data Compliance Officer will establish what, if any, additional specific data security arrangements need to be implemented in contracts with those third party organisations.

Storing data securely
  • In cases when data is stored on printed paper, it will be kept in a secure place where unauthorised personnel cannot access it
  • Printed data will be shredded when it is no longer needed
  • Data stored on a computer will be protected by strong passwords which are frequently changed
  • The Data Compliance Officer will approve any cloud used to store data
  • Servers containing personal data will be kept in a secure location, away from general office space
  • Data will be regularly backed up in line with the company’s backup procedures
  • Data will never be saved directly to mobile devices such as laptops, tablets or smartphones
  • All servers containing sensitive data will be approved and protected by security software and a strong firewall

1.5 Transferring data internationally

There are restrictions on international transfers of personal data. Your personal data will not be transferred anywhere outside the UK without first consulting the Data Compliance Officer. Where we do transfer your personal data outside the European Economic Area (EEA) we will do our best to ensure a similar degree of security of data by transferring to countries with a similar degree of protection for your personal data, or, we may use specific contracts or codes of conduct or certification which gives personal data the same protection as it has in Europe.

1.6 Processing data in accordance with the individual’s rights

We will abide by any request from an individual not to use their personal data for direct marketing purposes and notify the Data Compliance Officer about any such request. We will not send direct marketing material to anyone electronically (e.g. via email) unless they have given us positive consent to receiving our marketing material and that consent will be recorded and stored or it is in our legitimate interest to do so.

1.7 Training

New staff will receive training as part of the induction process. Further training will be provided whenever there is a substantial change in the law or our policy and procedures.

2. Privacy Statement

Being transparent and providing accessible information to individuals about how we will use their personal data is important for us. The following are details on how we collect data and what we will do with it:

2.1 What information do we collect?

  • Identity Data including – Full name, marital status, title, date of birth and gender
  • Contact Data including – billing address, delivery address, email address and telephone numbers
  • Financial Data including – your bank account and payment card details
  • Transaction Data including – details about payment between us and other details of purchase made by you
  • Technical Data including – login data, internet protocol addresses, browser type and version, browser plug-in types and version, time zone setting and location, operating system and platform and other technology on the devices that you use to access this site
  • Profile Data including – username and password, purchase orders, your interests, preferences, feedback and survey responses
  • Usage Data including – information about how you use our website, products and services
  • Marketing and Communications Data including – your preferences in receiving marketing communications from us and your communication preferences

2.2 How is it collected?

We may collect personal data in a variety of different ways:

  • When we meet you in person
  • When we speak to you by telephone
  • When you correspond with us by email
  • When you provide us with a business card or fill in forms and questionnaires either for Vanilla Active directly or for promotions that we are administering or promotional services that we are carrying out
  • When you visit our website or create an account on our website or when you visit one of our online hosting services
  • When you order our services
  • When you subscribe to our services or publications
  • We may receive personal data about you from a third party in a legitimate manner, e.g. a financial provider

2.3 How will we use it?

We use the information we collect in order to fulfil our contractual obligations with you and understand your needs and provide you with a better service and in particular for the following purposes:

  • To carry out our obligations arising from any contracts entered into between you and us which includes providing quotes prior to a contract being in place but following an enquiry from you
  • Where it is necessary for our legitimate interest as long as it does not override your interests
  • Where we need to comply with a legal or regulatory obligation
  • To communicate with you to enable you to access the benefits and services of our business and of this website
  • To allow you to participate in interactive features of our service, when you choose to do so
  • To notify you of changes to our service
  • Internal record keeping
  • To improve our products and services; provide relevant offers and fulfil transactions
  • Protect you, provide you with customer service, prevent fraud, operate this website on your behalf and respond to your request
  • To send promotional emails and updates about new products, special offers or other information we may think is of interest to you
  • To contact you for market research purposes. We may contact you by email, phone or mail and we may use the information to customise the website according to your interests
  • To understand the visiting patterns to our online sites. Our Cookie Policy provides further information on this.

Performance of a Contract

If you register as a new customer or place an order with us, you are providing us with a lawful basis to process your data necessary for the performance of a contract, including processing and delivering to you and contacting you about the order.

Legitimate Interest

The personal data that we collect and process under the legitimate interest basis is collected and processed in the commercial interest of the business, and we will use this basis especially in connection with the business, e.g. debt recovery and business management/growth (for example, to improve our website, products/services and customer relationships) and to send you our Surveys, Newsletters, Events and other marketing literature. We will process information in a targeted, proportionate way, which would be reasonably expected for that data and has a minimal privacy impact in accordance with our Legitimate Interest Assessment. As regards direct marketing, you have an absolute right to object to this processing and if you wish to exercise this right contact the Data Compliance Officer, at which time we will stop processing your data.

Consent

Where we rely on consent to process your personal data it will be subject to consent properly obtained and given by you either because we are the Data Controller or by virtue of us fulfilling our role as fulfilment partner for our clients. This consent can be revoked at any time by contacting our Data Compliance Officer.

2.4 Purpose for Use of Data

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for a reason that it was not originally collected for, we will notify you and explain the legal grounds of processing. Your personal data is an important part of our business. We do not sell your information to third parties. We will only share your information as set out below as necessary or with your express consent where appropriate. All information sharing is only done on the basis of being necessary and to fulfil legitimate business purposes. For example:

  • Payment card information may be shared with payment processors to facilitate card transactions
  • Bank account information may be shared with our bank to facilitate payment into your account
  • Information may be shared with third parties to fulfil transactions including passing your delivery address and contact details to our delivery partners; payment information, shipping, and other personal information may be required to fulfil the transaction.
  • Service providers, e.g. those who provide IT and systems administration services, or Professional Advisers, e.g. law firms, bankers, auditors, insurance companies
  • Public Authorities, e.g. HM Revenue & Customs or other regulators and authorities who require us to report to them
  • Details may be shared with marketing platforms, e.g. Campaign Monitor

If further consent is required to pass your personal data to third parties, you may be contacted in order to give your positive consent for this purpose. We may disclose your personal information to third parties in limited circumstances as follows:

  • Where we engage the business services of a third party to provide services directly to us. We will carry out the necessary due diligence on any third party that we use to ensure that they fully comply with data protection regulations. Any third party will be engaged for a specific purpose and they will be strictly prohibited from using your personal data for any other purposes. If we do share your personal information we will contact you, where appropriate, to inform you of the identity of that third party and to gain positive consent to pass your personal data to the third party specified.
  • If we are under a duty to disclose or share your personal data in order to comply with any legal obligation or in order to enforce or apply our terms of use on this website and other agreements
  • In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets

2.6 Use of Data Processors

We might be Data Controller or Data Processor. Where we are the Data Controller and engage the services of a Data Processor to provide elements of our business service for us, we will have contracts in place with our data processors and/or sub data processors so that we control your personal data and they cannot do anything unless we have instructed them to do it. They will not share your personal information with any organisation unless they have our explicit permission or where there is a legal obligation to do so. They will hold it securely and retain it for the period that we instruct.

2.7 We retain your data for

We will retain personal data for no longer than is necessary and in any event no longer than [ ] years from the date of last usage. What is necessary will depend on the circumstances of each case, taking into account the reasons that the personal data was obtained, but will be determined in a manner consistent with our data retention guidelines. We will also need to take into consideration satisfying any legal, accounting or reporting requirements and any regulations that we must fulfil, for example for auditing purposes or for legitimate business purposes and may retain your information after your relationship with us has ended. By law we have to keep basic information about our customers for six years after they cease being customers for tax purposes.

3. Marketing

We would like to send you information, from time to time, about our products and services but will only do so where you have requested information from us or purchased goods or services from us and where you have not opted out of receiving that marketing. Where we use the legitimate interest basis to send you marketing communications, you can object to this at any time by emailing the Data Compliance Officer. Where you opt out of receiving our marketing communications we will cease immediately from sending you any marketing communications as specified by you.

4. Your Legal Rights

4.1 Access your data

You have the right to access information held about you. If you would like a copy of your personal data, please contact the Data Compliance Officer and we will supply it free of charge. You can ask us to correct any inaccurate data held about you.

4.2 Accuracy and relevance

We will seek to ensure that any personal data we process is accurate, adequate, relevant and not excessive, given the purpose for which it was obtained. We will not process personal data obtained for one purpose for any unconnected purpose unless you have agreed to this or would otherwise reasonably expect this. Individuals may ask that we correct inaccurate personal data relating to them. If you believe that information is inaccurate, please inform the Data Compliance Officer.

4.4 Data portability

Upon request, you will have the right to receive a copy of your data in a structured format. These requests will be processed within one month, provided there is no undue burden and it does not compromise the privacy of other individuals. You may also request that your data is transferred directly to another system. This will be done for free.

4.5 Right to be forgotten

You may request that any information held on you is deleted or removed, and any third parties who process or use that data will also comply with the request. An erasure request can only be refused if an exemption applies. We will respond to any request within one month.

4.6 Privacy by design and default

Privacy by design is an approach to projects that promotes privacy and data protection compliance from the start. The Data Compliance Officer will be responsible for conducting any Privacy Impact Assessments and ensuring that all IT projects commence with a privacy plan. In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you. When relevant, and when it does not have a negative impact on the data subject, privacy settings will be set to the most private by default.

5. Cookies

Cookies help us to provide you with a good user experience when you browse our website and are used to collect statistics about how visitors interact with the website, such as which search engine they used to find the site, and to record statistics such as your browser, IP address, general location, operating system and type of device used to view our site. Please refer to our Cookie Policy.

6. Monitoring

Although we take every reasonable step to protect the information that you provide, we cannot guarantee the security or accuracy of the information that we gather. Please be assured that all our staff must observe this policy. The Data Compliance Officer has overall responsibility for this policy. They will monitor it regularly to make sure it is being adhered to. If you have any questions or concerns about anything in this policy, do not hesitate to contact the Data Compliance Officer.

7. Complaints

If you have a complaint as to how your data is being collected or used, please contact our Data Compliance Officer in the first instance. If you are still not happy with the way your data is being collected and used, you have the right to complain to the UK Supervisory Authority, the ICO (www.ico.org.uk).

8. Links to other websites

Links on this website may take you to a third party website. At the point you enter the third party website, the privacy and cookie policy of the third party will apply to any and all information that you provide. It is important to read the third party’s privacy and cookie policy.

9. Notification of changes to this policy

Our privacy and cookie policy will be reviewed and enhanced from time to time. Please check our website or contact us for a copy of the current privacy and cookie policy. If you are not happy with the conditions of a revised privacy and cookie policy you may opt out by contacting us.

10. Contact Us

If you would like to get in touch or have any concerns about our privacy policy, please contact us at:

Post: Vanilla Active, Devonshire House, Manor Way, Borehamwood, Hertfordshire WD6 1QQ
Email: support@vanillaactive.com
Telephone: 020 8736 5628

Updated: May 2018