Privacy Policy

GIFTCLOUD PRIVACY NOTICE

This privacy notice describes how Invitation Digital Limited, trading as Giftcloud (‘Giftcloud’, 'we', 'us') collects and processes personal information about you, how we use and protect this information, and your rights in relation to this information.

This privacy notice applies to all personal information we collect or process about you. Personal information is information, or a combination of pieces of information that could reasonably allow you to be identified.

PERSONAL INFORMATION WE USE

We will collect personal information about you from a variety of sources, including information we collect from you directly (e.g. when you contact us), and information we collect about you from your friends, family, colleagues, employer or other contacts who may purchase a gift on your behalf and from third parties such marketing agencies, market research companies, our suppliers and clients, contractors and consultants, group companies, public websites and public agencies, which we refer to as "third party sources" or "suppliers" throughout this policy.

Information we collect directly from you

The categories of information that we collect directly from you are:

• Authentication and identification information (e.g. your name, email address, and password). This information is necessary to set up and log you into your Giftcloud account, but you do have the option to make purchases without creating a password. If you don’t provide this, we may not be able to provide our full range of account services to you;

• Basic personal details (e.g. your name, date of birth);

• Contact details (e.g. your postal address, telephone number, and email address). We may need some of this information to deliver products to you, such as your postal address to deliver physical products and your email address to send you vouchers, and won’t be able to carry out these services if you don’t provide it;

• Payment details (e.g. your credit card details or payment tokens from third party payment providers like PayPal). We use these to process your order, and won’t be able to take payment from you or give refunds if you don’t provide it;

• Third party contact details. If you use our service to send gifts to your colleagues, employees, friends, family or other contacts, we will collect their contact details from you in order to provide our services; and

• Information about your contacts with Giftcloud (e.g. call recordings, instant messages on our website or in our app, and user generated content).

Some information we collect is necessary for us to provide our services or meet our legal obligations. We will make this clear when we collect that information from you.

We will also automatically collect personal information when you interact with our website through your computer, mobile device, or other device using cookies and similar technologies. This personal information includes the following:

• Analytics data (e.g. information about app downloads, app and web page histories), which may include data collected from cookies and other types of device identifiers;

• Profile inputs (e.g. page and deal views on the website, purchase details, click information and information about the website you clicked to our website from). This may include data about your location. With respect to geolocation information collected from your mobile device, we will only collect this where you have provided consent; and

• Device details (e.g. MAC address, IP address, bluetooth data and advertising identifiers).

You can find detailed information about our use of cookies in our Cookie Policy, rewards.giftcloud.com/uk/cookies.

Information we collect from other sources:

The categories of information that we collect about you from individuals who purchase a gift on your behalf using our services are:

• Contact details (e.g. phone number, email address, postal address or mobile number)

HOW WE USE YOUR PERSONAL INFORMATION AND THE BASIS ON WHICH WE USE IT We use your personal information to:

• provide and personalise our services

• deal with your enquiries and requests

• comply with legal obligations to which we are subject and cooperate with regulators and law enforcement bodies

• contact you with marketing and offers relating to products and services offered by us (unless you have opted out of marketing, or we are otherwise prevented by law from doing so)

• personalise the marketing messages we send you to make them more relevant and interesting

• for internal corporate reporting, business administration, ensuring adequate insurance coverage for our business, ensuring the security of company facilities, research and development, and to identify and implement business efficiencies.

• to establish, exercise or defend our legal rights – this may include where we reasonably consider it is in our legitimate interests or the legitimate interests of others, as well as where we are legally required to do so.

We must have a legal basis to process your personal information. In most cases the legal basis will be one of the following:

(a) to fulfil our contractual obligations to you, for example to provide the services, to fulfil an order which you place with us, to fulfil an order which you have placed with one of our clients, to ensure that invoices are paid correctly, and to ensure you are able to access our premises when required.

(b) to comply with our legal obligations, for example obtaining proof of your identity to enable us to meet our anti-money laundering obligations.

(c) to meet our legitimate interests, for example to understand how you use our services and to enable us to derive knowledge from that enable us to develop new services. When we process personal information to meet our legitimate interests, we put in place robust safeguards to ensure that your privacy is protected and to ensure that our legitimate interests are not overridden by your interests or fundamental rights and freedoms.

We may obtain your explicit consent to collect and use certain types of personal information when we are required to do so by law (for example, in relation to our direct marketing activities, or when we process sensitive personal information). If we ask for your consent to process your personal information, you may withdraw your consent at any time by contacting us using the details at the end of this privacy notice.

INFORMATION SHARING

We may share your personal information with third parties under the following circumstances:

• Service providers and business partners. We may share your personal information with our service providers and business partners that perform marketing services and other business operations for us. For example, we may partner with other companies to process secure payments, fulfil orders, optimize our services, send newsletters and marketing emails, support email and messaging services and analyse information.

• Our suppliers and clients who provide you with the offers through the Giftcloud services. These suppliers and clients will also share your personal information with us;

• Law enforcement agency, court, regulator, government authority or other third party. We may share your personal information with these parties where we believe this is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights or the rights of any third party.

We may also disclose and use anonymised, aggregated reporting and statistics about users of our website or our goods and services for the purpose of internal reporting or reporting to our group or other third parties, and for our marketing and promotion purposes. None of these anonymised, aggregated reports or statistics will enable our users to be personally identified. Because we operate as part of a global business, the recipients referred to above may be located outside the jurisdiction in which you are located (or in which we provide the services). See the section on "International Data Transfer" below for more information.

INFORMATION SECURITY AND STORAGE

We implement technical and organisational measures to ensure a level of security appropriate to the risk to the personal information we process. These measures are aimed at ensuring the on-going integrity and confidentiality of personal information. We evaluate these measures on a regular basis to ensure the security of the processing. We will keep your personal information for as long as we have a relationship with you. Once our relationship with you has come to an end, we will retain your personal information for a period of time that enables us to:

• Maintain business records for analysis and/or audit purposes

• Comply with record retention requirements under the law

• Defend or bring any existing or potential legal claims

• Deal with any complaints regarding the services

We will delete your personal information when it is no longer required for these purposes. If there is any information that we are unable, for technical reasons, to delete entirely from our systems, we will put in place appropriate measures to prevent any further processing or use of the data.

INTERNATIONAL DATA TRANSFERS

Your personal information may be transferred to, stored, and processed in a country that is not regarded as ensuring an adequate level of protection for personal information under European Union or United Kingdom law. We have put in place appropriate safeguards (such as contractual commitments) in accordance with applicable legal requirements to ensure that your data is adequately protected. For more information on the appropriate safeguards in place, please contact us at the details below.

YOUR RIGHTS OVER YOUR PERSONAL INFORMATION

You have certain rights regarding your personal information, subject to local law. These include the following rights to:

• access your personal information • rectify the information we hold about you • erase your personal information • restrict our use of your personal information • object to our use of your personal information • receive your personal information in a usable electronic format and transmit it to a third party (right to data portability) • lodge a complaint with your local data protection authority. We encourage you to contact us to update or correct your information if it changes or if the personal information we hold about you is inaccurate. We will contact you if we need additional information from you in order to honour your requests. If you would like to discuss or exercise such rights, please contact us at the details below.

LINKS TO OTHER WEBSITES

Our website may contain hyperlinks to websites that are not operated by us. These hyperlinks are provided for your reference and convenience only and do not imply any endorsement of the activities of such third-party websites or any association with their operators. This privacy policy only applies to the personal information that we collect or which we receive from third party sources, and we cannot be responsible for personal information about you that is collected and stored by third parties. Third party websites have their own terms and conditions and privacy policies, and you should read these carefully before you submit any personal information to these websites. We do not endorse or otherwise accept any responsibility or liability for the content of such third party websites or third party terms and conditions or policies.

CHILDREN

You must be aged 18 or over to purchase products or services from us. Our website and services are not directed at children and we do not knowingly collect any personal information from children. If you are a child and we learn that we have inadvertently obtained personal information from you from our websites, or from any other source, then we will delete that information as soon as possible. Please contact us at hello@giftcloud.com if you are aware that we may have inadvertently collected personal information from a child.

MARKETING

We may collect and use your personal information for undertaking marketing by email telephone and post. We may send you certain marketing communications (including electronic marketing communications) if it is in our legitimate interests to do so for marketing and business development purposes or, if you are a consumer if you have consented to receive such electronic marketing information. However, we will always obtain your consent to direct marketing communications where we are required to do so by law and if we intend to disclose your personal information to any third party for such marketing. If you wish to stop receiving marketing communications, you can contact us by email at hello@giftcloud.com.

CONTACT US

Invitation Digital Limited is the controller responsible for the personal information we collect and process. If you have questions or concerns regarding the way in which your personal information has been used, please contact hello@giftcloud.com or our Data Protection Officer. Our Data Protection Officer can be contacted at: dpo@groupon.co.uk We are committed to working with you to obtain a fair resolution of any complaint or concern about privacy. If, however, you believe that we have not been able to assist with your complaint or concern, you have the right to make a complaint to the United Kingdom data protection authority, the Information Commissioner's Office at www.ico.org.uk, or the data protection regulator in the country where you usually live or work, or where an alleged infringement of the General Data Protection Regulation has taken place using.

CHANGES TO THE POLICY

You may request a copy of this privacy notice from us using the contact details set out above. We may modify or update this privacy notice from time to time. If we change this privacy notice, we will notify you of the changes. Where changes to this privacy notice will have a fundamental impact on the nature of the processing or otherwise have a substantial impact on you, we will give you sufficient advance notice so that you have the opportunity to exercise your rights (e.g. to object to the processing). NOVEMBER 2020