VELO
PRIVACY NOTICE
1. INTRO
At BAT (which is the name of the business that owns VELO we are committed to protecting your privacy – this means that we will make sure that any information you give to us by visiting our websites, social media pages, or participating in our competitions that you enter from the links on our website or social media pages (such as Instagram or Facebook) ("Competition") are only used for the purposes set out in this “Privacy Notice”.
This Privacy Notice tells you what we do with your personal data, and how we comply with the laws that tell us to treat your personal data in a certain way. This Privacy Notice applies to everyone who visits our website, social media pages and/or participates in our Competitions: (and the VELO Global team at BAT love doing competitions!).
For the purpose of this Privacy Notice, we need to tell you that the relevant legal entity responsible for any personal data you provide to us (known as a “data controller”) is called Nicoventures Trading Limited ("BAT", “us” or "we").
If you need or want to get in touch with us, we have provided general contact details in the ’How to Contact Us’ section of this Privacy Notice or (to save you scrolling to this section, you can email us at data_privacy@bat.com).
We may amend this Privacy Notice from time to time so please check it regularly on the bio of @velo.global.
2. WHAT INFORMATION WE COLLECT ABOUT YOU & WHY
Depending on the circumstances and applicable local laws and requirements, we may collect the information detailed below. You can learn about the reasons why we do this later in this Privacy Notice.
-
If you visit our social media pages and like our posts, include a hashtag or mention relating to us or tag us in a post, we will collect your social media handle and post related information (the content, time and date of your post);
-
If you correspond with us using direct messages, we will collect your social media handle and the content of correspondence;
-
Where you are required to share personal data for your entry to a Competition (such as a written post) we will collect the content of your Competition entry;
-
Where you enter into one of our Competitions hosted on our social media pages, we may collect your full name, town, country of residence, email address, date of birth, telephone number, age verification documentation (including either a copy of your passport or driving licence);
We collect this data from you on a voluntary basis however if you don’t let us collect this data, you may not be able to interact with us through our websites or social media pages or enter our Competitions and we may not be able to continue our relationship with you. For example, all of our Competitions are only open to tobacco and/or nicotine consumers aged 18 or over. Entrants to our Competitions will be contacted via email, during which we will ask for confirmation that they are a tobacco and/or nicotine consumer and are aged 18 or over. If you do not provide these confirmations, you will not be able to continue to be an entrant to our Competitions, and we reserve the right to withdraw any applicable prize from you and pick a replacement winner.
3. HOW DO WE COLLECT YOUR PERSONAL DATA?
Most of the data we hold about you, will be information you provide to us when interacting on our social media pages, communicating with us via email, direct message or submitting your entry for our Competitions. We may ask our third parties who work with us to assist in our Competitions, to collect information from you on our behalf for example, verification checks of proof of age and sending prizes to your home address.
We may also collect some personal data about you which we’ve collected indirectly. For example, technical information such as the internet protocol (known as IP) address used to connect your device to the internet, your log-in information, time of access, date of access, time zone setting, web page(s) visited, software crash reports, type and version of browser used, browser plug-in types and versions used, and operating system and platform to ensure the security of your account and to verify that the person operating your account is you.
We may collect details about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from a competition page (including date and time), services you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call out customer service team; and information about your device allowing us to analyse trends, administer the competition page, track your web navigation, and gather broad demographic information for aggregated use.
Certain content and pages may appear to be part of our websites but are in fact elements transmitted from third party websites that are not operated by us. For example, we may present videos from a third party video hosting service by framing them within pages on our websites. In some cases, it will be clear that we have incorporated third party elements, whilst in others it may not. These third party websites may use cookies or collect personal data about you when you access the content they host as part of our websites.
4. HOW WE LAWFULLY USE YOUR PERSONAL DATA
There are a few ways the law allows us to process (i.e. use) your personal data. These are explained below according to each data type.
-
Where using your data is in our legitimate interests
We can process your personal data where it is in our “legitimate interests” to do so, and those legitimate interests are not outweighed by any potential prejudice to you - some of these are set out below:
-
To communicate with you via our social media pages;
-
Using your data to help us run any of our Competitions you enter and award you a prize (if you win);
-
To market and advertise BAT products and services to the extent permitted by the law, including targeted advertising delivered through social media platforms. To find out more, please see the ‘Our Use of Social Media’ section below;
-
To help us establish, exercise and defend legal claims; and
-
For our internal admin purposes.
We don't think that any of the activities set out in this Privacy Notice will prejudice you in any way. However, you do have the right to object to us and we’ve set out details regarding how you can go about doing this in the ‘You Have Rights!’ section below.
-
Where using your data is necessary for us to carry out our legal obligations
When we have legal obligations that we need to comply with, we can use your personal data to comply with those other legal obligations (for example to verify your age).
-
Where you give us your consent to use your personal data
We can use your data where you have specifically given us permission to do so in certain circumstances. For example, where we wish to use your name and image in our publicity materials.
You have the right to withdraw your consent at any time. We have set out details regarding how you can go about this in the section ‘You Have Rights!’ below.
5. SHARING YOUR PERSONAL DATA WITH OTHERS
Sometimes we will share your information to ensure the smooth running of our website (such as provide you with information /marketing communications where you have requested us to) and so that we can carry out any of our Competitions in a fair, efficient and transparent manner.
As the data controller of your personal data, we decide why and how it is processed and our responsibility for that processing extends to processing by our service providers if they process your personal data based on our instructions. We work with other, more independent, organisations in connection with some of the processing activities described in this statement, such as our group companies, social media platforms and certain suppliers.
Where that data is collected and sent to other organisations for a processing purpose that is in both our and their interests or where we make decisions together in relation to that particular processing, we will be “joint data controllers” with the organisations involved. Where this applies, we and the other organisation will be jointly responsible to you under data protection laws for this processing. If we pass your personal data to an organisation that independently decides why and how to use your personal data then it will be separately responsible to you for that processing and use your personal information in the ways described in its privacy notice (and not ours).
We may share your information with any of the following groups:
-
Any of our BAT entities. Your personal data may be shared with other members of the BAT group, for example, in the country in which you tell us you reside. We may work with some of these entities as joint data controllers, for example in relation to cookies that we arrange for some of these entities to set on their websites. Please see the cookie notice on the relevant website for further information.
-
Regulatory authorities. We may share your information with authorities when we believe that the law or other regulation requires us to do so (for example, because of a request in connection with any anticipated litigation or in order to help prevent fraud or to enforce or protect the rights and properties of BAT or its subsidiaries).
-
Third party service providers. We may share your information with third party service providers who perform functions on our behalf (such as 20Ten – a company that is assisting us with our Competition in verifying entrants are over the age of 18 and sending out prizes to winners). We will only share information with such service providers where we have an appropriate data processing agreement (or similar protections) in place.
-
Social media platforms. We use a number of different social media platforms to communicate with you, to promote products and services and to run Competitions. We process your personal information using these platforms in a variety of ways. Please see the dedicated ‘Our Use of Social Media’ section below to find out more.
-
Professional advisors and auditors. We may disclose your personal data to professional advisors (such as legal advisors and accountants) or auditors for the purpose of providing professional services to us.
-
Acquisitions. If a BAT entity merges with or is acquired by another business or company in the future, we may share your personal data with the new owners of the business or company.
6. OUR USE OF SOCIAL MEDIA
We process your personal information using social media platforms in a variety of ways, as follows:
Pages. We use your personal data when you post content or otherwise interact with us on our official pages on Facebook, Instagram, and other social media platforms. We also use the Page Insights service for Facebook and Instagram to view statistical information and reports regarding your interactions with the pages we administer on those platforms and their content. Where those interactions are recorded and form part of the information we access through the Page Insights services, we and the relevant platform are joint data controllers of the processing necessary to provide that service to us.
Single sign-on. Some of our websites may incorporate a feature provided by social media and other digital service providers that allows you to log into your account on our websites using the same login you have already set up with those providers. This feature is known as a ‘single sign-on service’. Any use we make of the personal data we receive from the platform using this feature is processing for which we are the sole data controller.
Data from your profile. When you use single sign-on services, you will be prompted to confirm that you are happy to share with us your email address and certain other personal data you hold with those providers. You may be asked if you would like to share information with us that goes beyond what is needed to log you into your account on our website. For example, you may be asked if you would like us to use your contact details or date of birth for direct marketing purposes. We will only use your personal data in this way if you agree.
Targeted advertising. We use social media platforms to deliver targeted advertising to you, unless you object. You may receive advertising because you have previously interacted with us (such as by visiting one of our websites) or because of your profile on a social media platform on which you have an account. You can find our more by consulting the help pages of the relevant social media platform but in summary we use social media platforms to send targeted advertising using two methods:
-
‘Custom audience’ targeting. You may receive advertising based on information about you that we have provided to the platform or allowed it to collect using cookies/pixels or code embedded in our websites (or a combination of the two). For example, we may target you if you have signed up to our mailing list and where cookies have detected that you have visited one of our websites in the last month. Please see the paragraph below regarding our use of cookies to send targeted advertising using social media.
-
‘Lookalike audience’ Targeting. You may also receive advertising because, at our request, the social media platform has identified you as falling within a group or ‘audience’ whose attributes we have selected, or a group that has similar attributes to you (or a combination of the two).
Cookies. We use cookies and similar technologies in our websites and applications to collect and send information to Facebook (who operates the Facebook and Instagram platforms) about actions you take on our website and applications. In particular:
-
Facebook (who operates the Facebook and Instagram platforms) uses this information to provide services to us and also for further processing for its own business purposes. We and Facebook are joint data controllers of the processing involved in collecting and sending your personal information to Facebook using cookies and similar technologies as each of us has a business interest in Facebook receiving this information. The services we receive from Facebook that use this information are delivered to us through Facebook’s Business Tools, which include Facebook Login (Facebook’s single sign-on service, see above), Facebook Pixel and Website Custom Audiences (which includes ‘lookalike audience’ targeting). The data from these tools allows us to target advertising to you within Facebook’s social media platform by creating audiences based on your actions on our website and applications. They also allow Facebook to improve and optimise the targeting and delivery of our advertising campaigns for us. Please see the paragraph above for further information.
Our relationship with Facebook. As we are joint data controllers with these platforms for certain processing, we and each platform have:
-
entered into agreements in which we have agreed each of our data protection responsibilities for the processing of your personal information described above;
-
agreed that we are responsible for providing to you the information in this privacy statement about our relationship with each platform; and
-
agreed that each platform is responsible for responding to you when you exercise your rights under data protection law in relation to that platform’s processing of your personal information as a joint data controller.
Facebook also process, as our processors, personal information that we submit for the purposes of matching, online targeting, measurement, reporting and analytics purposes. These services include the processing these platforms carry out when they display our advertisements to you in your news feed at our request after matching contact details for you that we have uploaded to them.
Further information. The Facebook company that is a joint data controller of your personal information is Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. For further information regarding these platforms and their use of your personal information, please see:
-
Facebook’s Controller Addendum for Page Insights and Controller Addendum for Business Tools and LinkedIn’s Page Insights Joint Controller Addendum which include information regarding how our and those platforms’ responsibilities to you are allocated as controllers of your personal information;
-
Facebook's Data Policy at https://www.facebook.com/about/privacy and LinkedIn’s Privacy Policy at https://www.linkedin.com/legal/privacy-policy which include details of the legal reasons (known as ‘lawful bases’) on which each platform relies to process your personal information, together with details regarding your data protection rights;
-
Facebook’s help pages regarding its Page Insights and Business Tools and its terms and conditions relating to those tools.
7. HOW WE LOOK AFTER YOUR PERSONAL DATA
We care about protecting your information. That is why we put in place appropriate measures that are designed to prevent unauthorised access to, and misuse of, your personal data.
We do this by having in place a range of appropriate technical and organisational measures, including encryption measures and disaster recovery plans.
Unfortunately, please note, when you send us your personal data there is always risk involved in sending information through any channel over the internet, and when you send information over the internet, it is entirely at your own risk.
8. WHERE DO WE STORE YOUR PERSONAL DATA?
Your personal data may be sent outside of the UK or European Economic Area or EEA (i.e. the Member States of the European Union from time to time, together with Norway, Iceland and Liechtenstein) to the types of entities described in the section called ‘Sharing Your Personal Data with Others’ above.
We want to make sure that your personal data is stored and transferred in a way which is secure. We will therefore only transfer data outside of the UK/EEA where it is compliant with data protection laws and the way we transfer it provides adequate safeguards in relation to your data (e.g. using EU Commission approved contracts that we put in place between ourselves and the recipient organisation of your data).
9. HOW LONG DO WE KEEP YOUR PERSONAL DATA?
We only keep your personal data for as long as necessary - after which time we destroy it.
Unsuccessful entrants
Social handles collected as part of the entry are stored in temporary memory (for a matter of millisecond) in our tool script. Once the script finishes, all data is automatically erased and this is not stored in a local file or in the cloud.
Competition winners
We delete competition winner data once the competition has finished and the prize has been fulfilled and redeemed.
Just so you know, we may be required by law to retain your data for a longer period in certain circumstances. This may be because we are subject to a regulatory or other legal obligation in a specific jurisdiction which requires us to keep data for a specified period and we need to comply with those legal/regulatory requirements. If you would like more information regarding our data retention policies and practices, please contact us using the contact details set out at the end of this Privacy Notice.
10.YOU HAVE RIGHTS!
You have various rights in relation to the data which we hold about you.
-
Right to object
This right enables you to object to us processing your personal data. If you object, we will stop using your data unless we can demonstrate compelling legitimate grounds (which overrides your interests) or if our use of your data is necessary for the establishment, exercise or defence of legal claims.
-
Right to withdraw consent
Where we have obtained your permission to process your personal data for certain activities, you may withdraw this consent at any time. If you ask us to do this, we’ll stop using your data unless we consider that there is an alternative legal reason to justify our continued processing of your data for this purpose, in which case we will tell you.
-
Right to access your data
You may ask us for a copy of the information we hold about you at any time. We will respond to your request within one month. That period may be extended by two further months where necessary, taking into account the complexity and number of requests. We may request proof of identification to verify your request. If you request further copies of this information from us, we may charge you a reasonable administrative cost. Where we are legally permitted to do so, we may refuse your request. If we refuse your request, we will always tell you the reasons for doing so.
-
Right to erasure
You have the right to request that we "erase" your personal data in certain circumstances. We would only be entitled to refuse to comply with your request for erasure in limited circumstances and we will always tell you our reason for doing so.
-
Right to restrict processing
You have the right to request that we restrict our processing of your personal data in certain circumstances, for example if you dispute the accuracy of the personal data that we hold about you or you object to our processing of your personal data for our legitimate interests. If we have shared your personal data with third parties, we will notify them about the restricted processing unless this is impossible or involves disproportionate effort. We will, of course, notify you before lifting any restriction on processing your personal data.
-
Right to rectification
You have the right to request that we rectify any inaccurate or incomplete personal data that we hold about you. If we have shared this personal data with third parties, we will notify them about the rectification unless this is impossible or involves disproportionate effort. You may also request details of the third parties that we have disclosed the inaccurate or incomplete personal data to. Where we think that it is reasonable for us not to comply with your request, we will explain our reasons for this decision.
-
Right to complain
You also have the right to lodge a complaint with a supervisory authority – for us this is the Information Commissioner's Office ("ICO") in the UK. For further details, please visit www.ico.org.uk.
The privacy regulators for other EU Member States are listed (along with contact details) on the following website:
http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm
11. HOW TO CONTACT US
If you have any queries about this Privacy Notice, including your rights in relation to your personal information, please contact our customer services team by direct message on Instagram to @velo.global or email us at data_privacy@bat.com.