PRIVACY POLICY FOR CHEERFY USER SERVICES

By means of this Privacy Policy, Cheerfy Ltd (“CHEERFY”, “we”, “us” and “our”) wants to inform you about the Processing of your Personal Data while using our User Services. Below you will find information on what Personal Data we collect about you, how we use it, for which purposes we use it, with whom we share it and which rights you have regarding the Processing of your Personal Data. Further, you will find information on the data processing by the Business you are visiting as indicated during registration.

As further described below, for some data processing activities we act as joint controller together with the Business. We determined our respective responsibilities in a joint controller agreement in accordance with Art. 26 GDPR.

If you have any questions, concerns or comments about this Privacy Policy or any requests regarding the Processing of your Personal Data by CHEERFY, please contact our Data Protection Officer via dpo@cheerfy.com.

For questions regarding the Processing of your Personal Data by the Business you visit please contact CHEERFY using the contact details provided during registration in the event you cannot directly contact the Business.

 

1.     Definitions

Personal Data: means any information relating to a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number or location data.

Basic Profile Information: means Personal Data you provide us with during the registration process and while using our Services which will include, inter alia: your name, date of birth, age, sex, photographic material, city and/or country of residence and/or birth, post code, email address, phone number, credentials to access some or all of this information on your social network profiles (Facebook or LinkedIn) as well as information that is publicly available on those profiles.

Business Specific Information: means Personal Data collected through surveys and during your visit to a Business’ premise or website, including inter alia: date, time, duration and frequency of your visits, your presence at a Business Premises, your preferences observed by the Business as well as information we collect when you visit our Website or use our mobile applications like, inter alia: the full Uniform Resource Locators (URL) clickstream to, through and from our Services (including date and time), page response times on websites, download errors, the length of visits to certain areas, page and mobile application interaction information (such as scrolling, clicks and mouse-overs), and the methods you are using to browse away from pages.

Business Specific Transaction Information: means Personal Data collected when you purchase online at a Business through the Websites or the Business’ website or as a result of the use of loyalty cards or vouchers at a Business Premises or on our Website. This includes inter alia: products purchased, their amount and price, date and time of transactions, vouchers used, tips given, full postal address.

Device Information: means Personal Data relating to technical information that is automatically collected to provide the service to you such as the Internet protocol (IP) address used to connect to the internet, login information, browser type and version, time zone setting, browser plug-in types and versions, device model, operating system and platform as well as the MAC (Medium Access Control) address of your device, which is a unique identifier assigned by the device manufacturer.

Processing: means any operation which is performed on Personal Data, such as collection, recording, organising, structuring, storing, adaptation or any kind of disclosure or other use.

Businesses: means the businesses who have subscribed to the Cheerfy Business Service.

Business Affiliates: means any entity controlling, controlled by, or under common control with the Business, any entity operating under the same brand as the Business or the owner of the venue visited.

Sponsor: means any entity that pays in part or in full the subscriptions of Businesses to the CHEERFY Business service.

Website or Websites: means web pages that enable registration for and/or access to the Cheerfy User Services by End Users.

 

2.     INFORMATION ON HOW CHEERFY USES YOUR PERSONAL DATA

2.1.    Purposes of the Processing

In this section, we have set out information about the Personal Data we Process, the purposes we use the Personal Data for and the legal basis for the Processing of your Personal Data.

2.1.1. If you want to use our Services you need to register at a Business by connecting with a Wi-Fi device (e.g. a smartphone, tablet, or computer) to the Wi-Fi Network owned by each Business visited or by registering on the Business’ website. During the registration process and while using our Services you provide us with your Basic Profile Information, certain Business Specific Information and certain Business Specific Transaction Information. The legal basis for this Processing of your Personal Data is the execution of the Terms and Conditions.

2.1.2. When you visit our Websites or use our mobile applications, we will automatically collect additional Business Specific Information and Business Specific Transaction Information to conduct analysis on the use of the Services. The legal basis for this Processing is the execution of the Terms and Conditions as well as our legitimate interests to analyse the usage of our Services and to enhance your user experience.

2.1.3. Additionally, CHEERFY will collect any phone number that is used to call our customer service as this is necessary to process your request. The legal basis for this Processing of your Personal Data is the execution of the Terms and Conditions as well as our legitimate interest to provide you with adequate customer support.

2.1.4. While you use our Services, we may automatically collect Device Information to provide you with the Services. The legal basis for this Processing is the execution of the Terms and Conditions.

2.1.5. To enhance your experience while using our Services and to provide you with targeted services and information, CHEERFY Processes certain Personal Data to send you information and direct advertising via electronic messages for goods or services similar to the ones you have already obtained. We may analyse the acceptance of the electronic advertising (e.g. by recording whether you have read an electronic message or clicked on links). The legal basis for this Processing of your Personal Data is our legitimate interest in analysing and improving our Services. You may object to this Processing at any time.

2.1.6. Specific processing operations during your visits to a Business’ premises include:

2.1.6.1. During your visits to a Business’ premises we will collect Business Specific Information. The legal basis for this Processing of your Personal Data is the execution of the Terms and Conditions as well as our legitimate interest to maintain our Services targeted towards specific End Users.

2.1.6.2. If you are browsing through the internet during your visit to a Business’ premises, we will never monitor your activity. Please note a Business may restrict at its own discretion access to certain websites.

2.1.6.3. To distinguish one End User from another, we may use your Device Information to automatically identify you at your arrival at a Business’ premises and authenticate your device when you are using our Services. The legal basis for this Processing is our legitimate interest to increase the usability of our Services and to provide our Services in a more user-friendly way.

 

2.2.    Disclosure of Personal Data

In this section, we have set out information about the parties to whom your Personal Data may be disclosed and the legal basis for the disclosure.

2.2.1. Please note that Basic Profile Information and Device Information will be shared with each Business you visit and its Business Affiliates. Business Specific Information and Business Specific Transaction Information will only be shared with the Business you visited while this information was collected and its Business Affiliates.

The legal basis for this disclosure of your Personal Data to Businesses and their Business Affiliates is the execution of the Terms and Conditions. To ensure that the transfer does not disproportionately interfere with your rights and freedoms, and in order to determine the respective responsibilities for compliance with the obligations under GDPR, an agreement was concluded between us and the above-mentioned parties. This agreement constitutes an arrangement between joint controllers in the meaning of Art. 26 GDPR and regulates (i) the transfer of the Personal Data collected and the limitation of use of such transferred Personal Data for the provision of our Services, (ii) technical and organisational measures to be taken by us and the third parties to protect the transferred Personal Data and (iii) your rights with regards to the transferred Personal Data as described below and the fact that those rights can be exercised against us or any of the third parties. Particularly, the agreement stipulates that each of us will handle the data processing activities in our own discretion and, even though we are separately responsible for complying with data protection requirements, we will assist each other where necessary.

2.2.2. Please note that, within the scope of our Processing activities mentioned above, we will disclose your Personal Data to Processors residing in the EU that will assist us in providing our Services and Process your Personal Data on our behalf and under our control. The legal basis for this disclosure of your Personal Data is Art. 28 GDPR.

To ensure that your Personal Data will be used only to the extent necessary and in compliance with legal requirements and our instructions, we have bound our Processors by concluding Data Processing Agreements with them. This way, we made sure that your Personal Data will be Processed only for the purposes mentioned above.

2.2.3. Please note that your Personal Data may be transferred to a third country outside the European Economic Area (EEA). Those countries may not provide an adequate level of data protection. CHEERFY shall ensure that such a transfer will be performed either to countries which have an adequate level of data protection (according to the European Commission’s Adequacy decisions) or CHEERFY will conclude Standard Contractual Clauses with each recipient that resides in a country which is not covered by an Adequacy decision of the European Commission. The Standard Contractual Clauses can be viewed here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en.

2.2.4. Finally, please note, only in the event you explicitly consent to it, we might disclose your Personal Data to the Sponsor of the Businesses you visit in order to enable the Sponsor to send you commercial communications about its products and services, including newsletters. In such event, the Sponsor will include you in its customer database. Furthermore, for the same purpose, the Sponsor may study and take into consideration your characteristics, tastes and preferences, making profiles according to them and matching this information with other information such as your browsing information, online searches in services and online platforms owned by the Sponsor, your requests made to the Sponsor and your contact history. You are free to decide whether to agree to the data transfer to the Sponsor. You can refuse to provide and (without impact to data processing activities that have taken place before such withdrawal or to any other existing legal justification of the processing activity in question) withdraw your consent to transfer the personal data at any time. The refusal to provide consent does not affect the use of the Services. Please read the Sponsor’s Privacy Policy that we provide you with when we request your explicit consent.

 

2.3.    Retention periods

We strive to limit our Processing activities with respect to your Personal Data. Your Personal Data will, therefore, be retained only for as long as you remain registered for our Services and, if applicable, as long as required by statutory retention requirements. If you close your CHEERFY account, we will delete all Personal Data we hold about you.

 

2.4.    Registration for our Services

To use our Services, you need to register. We process the Personal Data mentioned in section 2 of this Privacy Policy in order to provide you with our Services. All further information is provided by you voluntarily.

 

2.5.    Data security

Please note that the transmission of information via the Internet is not completely secure. Although we will do our best to protect all Personal Data, we cannot guarantee its security when it is transmitted via our Services; any transmission takes place at your own risk. However, once we have received your Personal Data, we will use strict procedures and security features to prevent unauthorised access.

The CHEERFY mobile applications and Website may, from time to time, contain links to and from the mobile applications and websites of our partner networks, advertisers and affiliates. These mobile applications and websites have their own Privacy Policies and we do not accept any responsibility or liability for these Policies. Please check the respective Privacy Policies before you submit any Personal Data to these websites and mobile applications.

 

3.     INFORMATION ON HOW THE BUSINESS USES YOUR PERSONAL DATA

3.1.    Purposes of the Processing

3.1.1. The Business processes the Basic Profile Information, Device Information, Business Specific Information and the Business Specific Transaction Information it receives from us to evaluate its customers’ behaviour as well as frequency of visits and length of stay. The Processing serves the Business’ legitimate interest to analyse its customers to be able to adapt the service accordingly.

3.1.2. The Business uses the Basic Profile Information, Device Information, Business Specific Information and the Business Specific Transaction Information it receives from us to evaluate its customers’ profile to be able to provide you with the best-customized service on every visit. The legal basis is the Business’ legitimate interest to adapt its services to your specific needs and thereby increase your satisfaction.

3.1.3. The Business uses the Basic Profile Information, Device Information, Business Specific Information and the Business Specific Transaction Information to create and provide you with a personalised loyalty plan through electronic messages offering you rewards, special offers, gifts or information that match your preferences. The Processing is based on the Business’ legitimate interest in building customer loyalty.

3.1.4. Further, you might receive personalised messages from the Business with feedback surveys and other surveys. Where you access the Services via the Wi-Fi Network at the Business Premise, you will only receive surveys if you have consented prior to receiving the message. Where you signed up for the Services on the Business Website the Business may use your email address provided on the website to send you surveys without specific consent based on the Business’ legitimate interests to increase customer satisfaction. You may object to receiving surveys at any time.

 

3.2.    Disclosure of Personal Data

3.2.1. For the above-mentioned purposes, it might be necessary for the Business to share your data with service providers that support the Business in providing its services. The service provider will process your Personal Data only on behalf of the Business. The legal basis for the data access is Art. 28 GDPR in accordance with the respective data processing agreement.

3.2.2. Where necessary for the above-mentioned purposes the Business might share your Personal Data with its Business Affiliates. The legal basis is the Business’ legitimate interest to improve its service throughout its Business Affiliates.

3.2.3. Where a data recipient is located outside the EEA the Business will implement adequate safeguards for the cross-border transfer in accordance with GDPR.

 

3.3.    Retention periods

The Business will retain your Personal Data only as long as necessary for the purposes set out above. Legal retention obligations remain unaffected.

 

4.     YOUR RIGHTS

In this section, we have set out information about your rights regarding our Processing of your Personal Data. Depending on the specifics of the case, you may be entitled to exercise some or all of the following rights. You may:

4.1.    request (i) information whether your Personal Data is retained and (ii) access to and/or (iii) duplicates of your Personal Data retained, including the purposes of the Processing, the categories of data concerned, and the recipients or categories of recipients to whom the data is disclosed and where possible, the envisaged period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period;

4.2.    receive your Personal Data in a structured, commonly used and machine-readable format and transmit your Personal Data to another controller without our hindrance; where technically feasible you may have the right to have the Personal Data transmitted directly from us to another controller;

4.3.    request proper rectification, erasure or restriction of your Personal Data, e.g. because it is incomplete or inaccurate, it is no longer needed for the purposes for which it was collected, the consent on which the Processing was based has been withdrawn, or you have taken advantage of an existing right to object to the Data Processing; in case the Personal Data is Processed by third parties, your request for rectification, erasure or restriction will be forwarded also to such third parties unless this proves impossible or involves disproportionate effort;

4.4.    refuse to provide and, without impact to data Processing activities that have taken place before such withdrawal or to any other existing legal justification of the Processing activity in question, withdraw your consent to Processing of your Personal Data at any time;

4.5.    take legal actions in relation to any potential breach of your rights regarding the Processing of your Personal Data, as well as to lodge complaints before the competent Data Protection Regulators; and/or

4.6.    require to not be subject to any automated decision making, including profiling (automatic decisions based on Data Processing by automatic means, for the purpose of assessing several personal aspects) which produces legal effects on you or affects you with similar significance.

Additionally, you shall be entitled to object to the Processing of your Personal Data: at any time, if your Personal Data is used for direct marketing purposes; and based on grounds relating to your particular situation, if your Personal Data is Processed for other purposes.

To exercise your rights, you may send an email to CHEERFY to the address provided at the beginning of this Privacy Policy.

Finally, please be informed about your right to lodge a complaint before the corresponding authority in the event that you consider that the Processing of your Personal Data is not compliant with the applicable data protection legislation. The contact data of all data protection authorities in the European Union is available on this webpage: https://edpb.europa.eu/about-edpb/board/members_en

 

Last updated: 26th October, 2020