This privacy notice explains how we, Heart of London Business Alliance with company number 04293930 (we, us, our) process your personal data (user, your) when you use our app (services).
We do not offer our services unless you are 18 years old or over.
This policy (together with our Terms, Conditions and Licence Agreement as set out at heartoflondonbid.london/heartoflondonclub/terms-conditions (T&Cs) applies to your use of:
- Heart of London Club mobile application software (App) [available on our site] OR hosted on the App Store or Google Play Store (App Site) once you have downloaded or streamed a copy of the App onto your mobile telephone or handheld device (Device).
2. Important information and who we are
Heart of London Business Alliance is the controller and is responsible for your personal data (collectively referred to as “Company” in this policy).
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues.
3. Who does this privacy notice apply to?
This notice applies to:
- users of our services; and
- persons who interact with us, when you call us, email us or visit the Heart of London area
This notice applies to you whether you act in your personal capacity or as an employee or agent of an organisation.
4. What personal data is processed about you?
Generally, “personal data” refers to any information that identifies you or relates to you. We will process personal data including:
- your user details collected when you sign up for our services and as you use our features, such as your title, name, email address, language, preferred centre, mobile, city, postcode, country and date of birth, sex and other information;
- when accessing our services, your device will automatically provide unique information such as mobile device ID, IP address, cookie ID, online identifiers, geolocation data, operating system, browser type and time zone setting and other information;
- our systems may generate usage data about how you navigate and engage with our services, which pages you view, which offers you access, your preferences (including language), methods used to access our services, interests known, observed or inferred as well as security logs;
- GPS location data if you enable the functionality on your device in relation to our services, we will be able to offer you location-based features and notifications. When you reach the Heart of London area, we will collect the time, date and duration of your visit, each visit to a Participating Brand and technical information about your device. We do this to determine which products and services you may be interested in, particularly based on visits, for direct marketing purposes, to send you relevant notifications and offers while in the area or later and to allocate rewards to your loyalty account;
- third party data such as confirmation that you have scanned a barcode at a Participating Brand, data about your interaction with our posts and content and ‘likes’ on social media platforms, profile information from advertising and analytics partners and information from our suppliers;
- when we send you emails, SMS or push notifications, we may collect technical communication interaction data, such as open rates or what content you clicked on; and
- when you interact with our services, contact or visit us, we may process your image, complaint details, details of your requests, communications, feedback, keep a relationship history, details of your survey submissions or other interaction data.
We will likely be unable to provide all our features unless you provide the relevant personal data, and some personal data will be mandatory for our compliance with the law. Nevertheless, we would ask that you only provide the necessary personal data to us.
6. How do we process your personal data and why?
The type of personal data we collect about you will depend on your interaction with our services and features and your user settings.Generally, we will use your personal data as “controller” to (i) provide our services; (ii) to send you relevant information; (iii) ensure the security and technical availability of our services; (iv) develop and promote our organisation and services; and (v) as further described in this notice.We will update you about any new purposes of processing of your personal data from time to time and we will obtain your prior consent where we are required to do so at law.
7. Data Accuracy
We and our clients who are the Participating Brands will rely on the information provided by you as accurate, complete and up to date, and we shall be grateful if you would inform us of any changes without delay.We would ask that you do not provide to us information about others unless you have their permission to do so.
8. What data do we collect and Why?
Legal ground for processing
To enable you to sign up for our services, to understand your basic demographic information and verifying that the format of the information provided by you is correct.
Necessary for our legitimate interest in reasonably ensuring that the information provided by users is accurate and understanding the basic demographic information about our users who might be interested in our services.
To provide our services such as our user engagement and app and features.
Necessary for our performance of our contract with you and, where applicable, our legitimate interest in providing relevant service features to our users.
To send you promotional information through various marketing channels including email, social media, telephone, SMS, push notification, etc. about our services and our organisation, reviewing campaign performance and profiling information about your interests known, observed or inferred for direct marketing purposes.
For example, we may send you our update email or use your contact details to display relevant ads on Facebook or Instagram and other social media platforms or send you a push notification if you visit our area or a Participating Brand. Social media and advertising providers may use their own information about you to help us make our ads most relevant.
Where you signed up for our services, we may send you relevant information and offers in the performance of our contract with you.
We will use your information based on our legitimate interest in understanding your interests based on the information available to us, information observed or inferred for direct marketing purposes and to understand campaign metrics.
We may rely on the soft opt-in exemption to send you marketing emails and push notifications if you are an existing customer. This means that consent will not be necessary but you will have the right to opt out at any time.
We will obtain your consent for direct marketing where the soft opt-in exemption does not apply or where consent is the most appropriate basis for our activities.
For example, your consent will be required to place cookies or similar technologies on your device or to read information on your device. Where you have provided consent, we will combine cookies information with your user details and usage data for direct marketing purposes.
9. Sharing your data
We will generally not share your information except with (i) our clients who are the participating brands, (ii) with our third party service providers, commercial partners and group companies for the purposes set out above, (iii) where we are compelled by law, and (iv) other third parties where you have provided your consent.
Our service providers:
- Codilink UK Ltd (trading as Coniq) incorporated and registered in England and Wales with company number 06269999 whose registered office is at 3 Wesley Gate, Queens Road, Reading, Berks, RG1 4AP, In order to ensure your data is accessed and processed securely, the appropriate safeguards in the form of ‘model clauses’ are in place. They assist us with:
- storing and combining data;
- processing transaction information of users;
- communicating with our users about the benefits of these programmes;
- communicating with customers who have signed up to receive our newsletter; and
- communicating with entrants of competitions and contests we may run from time to time;
- communicating for operational emails;
- Kodilink Dooel Skopje (a subsidiary of Codilink UK Ltd) incorporated and registered in North Macedonia with company registration number 7274980 and registered address at 16, 8 mi Septemvri Blvd, Hyperium Business Centre, Skopje, 1000, North Macedonia. In order to ensure your data is accessed and processed securely, the appropriate safeguards in the form of ‘model clauses’ are in place
10. Third parties may process your data
Our services may contain links to other websites, third party services and plugins. Please note that these websites and any services that may be accessible through them have their own privacy policies and that we do not accept any responsibility or liability for these policies or for any personal data that may be collected through these websites or services, such as Contact and Location Data. You should check the privacy statements of these third party providers before using their services as we are not responsible for how they may process your personal data.
11. How long is your personal data kept?
We will keep your personal data for as long as is necessary for the purposes listed above or longer, as may be required by law. Generally, the retention periods below will apply. You may contact us for further details or request deletion of your personal data at any time.
Category of personal data
1 year following account closure
Usage data, device data, interaction data
1 year following account closure
All other personal data
1 year following account closure
After the retention period, your personal data will either be securely deleted or anonymised and it may be used for analytical purposes. You must back up your data if you wish to keep it for longer.
12. How do we secure your personal data?
We maintain appropriate organisational and technological safeguards to help protect against unauthorised use, access to or accidental loss, alteration or destruction of personal data. We also seek to ensure our service providers do the same.
We have put in place procedures to deal with any suspected personal data breach and will notify you and the data protection authority of a personal data breach where required by law.
We will endeavour to use the least amount of personal data as is required for each purpose. We will employ pseudonymisation and anonymisation, where appropriate.
Our staff will access your personal data on a need to know basis.
13. Where is your personal data processed?
Generally, our data is held in the UK or the EEA. However, we may transfer your personal data to our clients, group companies, suppliers and other third parties in countries different to your country of residence. For example, our processor Kodilink Dooel Skopje is located in North Macedonia.
Where we transfer your personal data outside of the UK or the European Economic Area (EEA), we will only do so, where we are satisfied that your data protection rights are adequately protected by appropriate technical, organisational and contractual safeguards in accordance with data protection laws.
Where we share information with the participating stores, we will do so on the basis of performance of our contract with you.
You may request further information on the measures used for the international transfers or access to your personal data from outside the UK.
14. Your right to opt-out
If you would like us to stop sending you marketing communications and to process your personal data for direct marketing purposes, please let us know.
You can stop our marketing communications at any time by clicking on the unsubscribe link at the bottom of the message.
15. Your data protection rights
Subject to certain exemptions, limitations and appropriate proof of identity, you will generally have numerous rights in relation to your personal data, including the following:
- Right to information about matters set out in this notice.
- Right to make an access request to receive copies of personal data.
- Right to rectification of any inaccurate or incomplete personal data.
- Right to withdraw consent previously provided.
- Right to object to our processing of personal data based on our legitimate interests, and
any automated processing and profiling.
- Right to erasure of personal data, within limited circumstances.
- Restriction on the processing of personal data.
- Right to data portability from one service provider to another, where applicable.
- Right to lodge a complaint with your country’s data protection authority, such as the Information Commissioner’s Office.
All requests will be processed in a timely manner, generally within one month. If we cannot process your request within this period, we shall explain why and process it as soon as possible thereafter.
16. Contact us
Please contact us if you have any queries or concerns about how we use your personal data. You can contact us using the details below. We will try to resolve your query as quickly as we possibly can.
If we make any changes to our notice you will be able to see them on this page. You should regularly check for updates, as indicated by the “Last updated” date at the top.
If any such changes significantly affect you, we will ask for your prior consent where required by law. However, if you do not agree to the changes, please consider not using our content or services.