This notice is version 1.2 and was last updated on 21 May 2018.
1. Who are we?
2. What personal data do we collect and why?
a: Registration details
If you install the Application or access the Website, you will be asked to provide us with certain registration information in order to create a GBK profile and receive the related Services.
Registration information may include:
Your registration information may be used to perform our obligations under the contract with you for the Services, in particular to:
Your registration information may also be used by us for our legitimate business interests of promoting our business and services to users and developing new products and services, in particular:
with your opt-in permission (which may be sought in-App), send you marketing communications (including in-app advertising) relating to our products and services and, where you have separately consented to this, third party products and services, that we think may be of interest to you. You will of course be able to opt out at any time by emailing email@example.com or by changing your preferences.
b: Device and Technical Information
We may collect information about the device you use to download the Application or access the Website, including, where available, the device's unique device identifiers, operating system and mobile network information, for system administration purposes in connection with our contract with you. We may also collect information about the computer you use to visit the Website, including session data and your IP address for our legitimate business interests of system administration, business analysis and customer service. We may associate this kind of device information with the registration information referred to in the sections above for our legitimate business interests of providing customer services and system administration purposes and will treat the combined information as personal data in accordance with this policy for as long as it is combined.
c: Your payment card details
In order to order online via the Website / Application or at table and collect loyalty stamps, you will need to input credit or debit card details. Payment processing services are provided by third parties, including VeriFone and Adyen, who are subject to strict compliance with the PCI DSS rules. The Application or Website will transfer payment details directly from VeriFone, Adyen or other PCI compliant verified payment processing companies to the venue's point of sale system and Flyt/GBK does not have access to this. By inputting payment card details, you are consenting to use of such details by these third party payment providers, the venue and us for the purpose of paying your bill and processing your payment.
Your card details will be securely stored by PCI compliant third party payment providers (including Verifone and Adyen) for ease of use in future transactions using the Application or Website. However, your CSC/CVV number is not stored and must be entered each time you use a card for authentication. GBK does not have access to your card details nor does it store your card details on its systems, although it holds a payment processing 'token' which retains some of the card number digits only. This enables you to identify the appropriate card in future transactions and on your payment receipt. You may remove payment card details from the Application or Website at any time by contacting us using the details at paragraph 13. Payment transactions are between you and the relevant venue. Whilst the Services seek to facilitate the payment procedure, GBK does not receive your payment and is not responsible for subsequent use of your card or payment details by or on behalf of the venue.
d: Your venue visits or online orders
The Application allows you to place orders in advance of arriving or on arrival at GBK and to collect loyalty stamps. After placing an order you will “check out” and pay through Flyt. The details of your bill will be used to deliver the Services and generate the payment receipt in relation to your order. We use this for the purpose of performing the contract with you.
We may also collect POS data relating to your venue visits or orders placed online via the Website, including:
We may use POS data, for the purpose of performing the contract with you in relation to the first bullet point below, for our legitimate interests of delivering service improvements in relation to the second bullet point below, with your consent in relation to the third bullet point below and for our legitimate interests in expanding the services we offer in relation to the fourth bullet point below, for the following purposes:
We collect POS data through the Application, the Website and directly from the venue's point of sale system. We may also collect additional data relating to your venue visits and the surrounding areas, for example:
This additional data is used for analysis and statistical purposes (see further below).
We may also collect other data you provide us with in the course of providing the Services, for the purpose of providing the Services and, where this data is a special category of data, such as allergy or health related, with your consent.
e: Contacting us or visiting our website
If you contact us (via email, webform, telephone, post or otherwise), we may collect and retain your contact details and your communication for the purpose of handling and responding to your query, keeping records of communications and improving our customer services. This is used for our legitimate business purposes of responding to your queries and record keeping which is necessary for the provision of quality assurance and customer services.
With your permission (opt-in), we may also collect information about your geo-location through the Application to enable us to provide location based services and tailor the offers/promotions you receive through the Application.
g: Log Information
When you use the Application or Website, we may also automatically collect and store certain information in our server logs to get a better understanding of how people use the Application and Website, for system administration purposes in connection with our contracts with you, and, for our legitimate business interests, to ensure we provide a good user experience and customer service. This type of information includes "clickstream" data (i.e. information about when, how, and what parts of the Application or Website you use), viewed and exit pages as well as date or time stamps.
The Application allows you to contact friends via SMS, Twitter, Facebook or Google Plus to invite them to try the Application. In order to use this feature, you must select the option which allows the Application to access your mobile phone contacts or Twitter, Facebook or Google Plus account (as applicable) and your contacts listed within that account. Please only use this feature to send an invitation to a friend who you know would be happy to receive one. We do not collect or process this information unless a friend accepts the invitation and registers to use the Application or Services in which case he or she becomes a user.
i: Analysis and statistics
We may use the data we collect about you, on an anonymous basis only, for analysis and statistical purposes, for example to analyse how many users are visiting or ordering from particular venues at particular times, food preferences, and the characteristics of such users, for example their age or gender.
Statistics and results of analysis (anonymised and without reference to your personal data) may be shared with our selected partners, including partner restaurants and their suppliers for our and our partners’ legitimate business interests for the purpose of improving the customer experience within restaurants.
In the course of providing telephone support to you in your use of the Application or Services, we or our service providers may record the calls for quality assurance purposes. This is in our legitimate interests for the purposes of quality assurance and customer services. Any data collected in this way will be retained for a period of 3 months, after which it will be deleted.
3. Cookies and similar technologies
4. Other use of your personal data
We may also use your personal data for our legitimate interests for the purposes of:
5. Disclosure of your personal data to other parties
We may share statistics and results of analysis with selected third parties as described in paragraph 2.j above.
We may also disclose your personal data for the purposes outlined in paragraph 4 above to third parties, including:
6. Storage and security of your personal data
Your personal data is stored in electronic and physical records maintained by us and/or our service providers (such as point of sale providers, payment gateways, payment processors, IT support and MailChimp). Whilst we are based in the UK, our service providers may have servers located overseas, where the laws may not give the same level of protection to personal data as within the UK. Our data centre, where our servers are located, is located in Europe as is our support provider, but some of our POS providers and payment gateways and payment providers are located outside the EEA. We have agreements in place with these service providers which limit their use of the data and place strict security obligations on the service providers with respect to how your data is used. In addition, where the service providers are based outside of the EEA, we rely on approved mechanisms such as Privacy Shield or the model contracts approved by the European Commission to provide safeguards for you. By submitting your personal data to us, you consent to the transfer, storing and processing of your personal data in countries outside of the UK (including countries located outside of the European Economic Area ("EEA")).
7. Passcodes and security
If you create a user ID, a passcode or any other authentication information as part of our security procedures, you must treat such information as confidential. You must not disclose it to anyone else and must take appropriate steps to keep your information secure by not using an obvious login name and ensuring that you keep your passcode confidential and change it regularly. If you know or suspect that anyone other than you, or anyone authorised by you, knows your user ID, passcode or any other authentication information, you must promptly notify us using the contact details below. You are entirely responsible for all activities that occur through use of your user ID, even if another person was using your account at the relevant time. We are not responsible for any losses or liabilities arising out of or in connection with any unauthorised use of the Application or Website.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted via the Application or Website; any transmission is at your own risk. Once we have received your information, we will use appropriate security measures which aim to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
As mentioned above, where you consent, we may also use your personal data to provide you with information about our products and services, which may be of interest to you. If you do not want us to use your information in this way at any time, we will give you the opportunity to opt-out of receiving any such marketing communications in each marketing communication that we send to you. Please note that if you opt out from receiving marketing communications, we may still contact you about service-related issues, such as where we make any changes to the Application or Website, or the terms of this policy.
9. Third party sites and services
Your use of the Application will also be subject to the privacy policies of any app store provider and/or operator ("App Store Provider") from whom you have downloaded the Application ("App Store Policies"). The Application and Website may also contain links to other third party websites and services including through advertising and social media tools and widgets such as those provided by Facebook and Twitter ("Third Party Sites and Services"). The links to these Third Party Sites and Services are provided for your convenience only. Your use of the Third Party Sites and Services will be governed by their terms and conditions and privacy policies (if any) ("Third Party Terms"). It is your responsibility to read the Third Party Terms. You acknowledge that we have no control over the Third Party Sites and Services and are not responsible for them.
10. Removal of your details
You may request removal of your live profile at any time by sending an email to us at firstname.lastname@example.org.
We may however retain certain aspects of your profile and other personal details for the purposes of maintaining records of our dealings with you, analysis and statistics.
We may remove your profile in accordance with clause 2(e)(iii) of our terms and conditions, including in the circumstances where you breach our terms or have not used our Services for a substantial period of time.
Where Flyt retains certain aspects of your personal data for the purposes of maintaining records of dealings with you, this will be for a period of approximately 7 years from the date of last use by you of the Application.
Any call recordings for IT support purposes will be deleted after 3 months.
We will not keep your personal data for longer than we need it. We will keep under review the retention periods outlined above and change them as necessary.
11. Your rights
You have the right to request a copy of the personal data we hold about you. If you would like to access a copy of any personal data which we hold about you, please send a request by email or by post using the contact details in paragraph 13 below. We try to respond to legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case we will notify you and keep you updated.
You have the right, in certain circumstances, to object to us processing your personal data or to request that your personal data is corrected or deleted or that our processing of your data is restricted. Please contact us to discuss this as required.
In addition, where our processing is based on your consent, you have the right to withdraw consent at any time.
Where you have provided us with any data, such as a profile picture, you have the right for that to be provided to you in a standard format which we reasonably determine.
You also have the right to complain to the data supervisory authority if you are unhappy with our processing of your personal data. The data supervisory authority in the UK is the Information Commissioner’s Office at www.ico.org.uk.
We may change this policy at any time. Your continued access or use of the Application or Website after such a change signifies your acceptance of the updated or modified policy. We may email registered users about any material changes to the policy and we may notify you of a change to this policy when you next start the Application or access the Website. The new policy may be displayed on-screen via the Application or Website and you may be required to agree to it to continue your use of the Application or Website. The date this policy was last updated appears at the top of this document.
If you have any queries in relation to the processing of your personal data by Gourmet Burger Kitchen Limited, please contact us: