We collect your information when you interact with us or use our services, such as when you use our Site to place an order. We also look at how visitors use our Site, to help us improve our services and optimise customer experience.
We collect information:
As part of our commitment to the privacy of our customers and visitors to our Sites more generally, we want to be clear about the sorts of information we will collect from you.
When you visit the Sites or make a Defected order through the Site, including any partner’s website we work with to provide any one of the services that we undertake, you are asked for information about yourself including your name, contact details, delivery address, order details, loyalty scheme details where applicable, and payment information such as credit or debit card details. We will also collect information from you when you contact our support teams using the chat function on our Site. We will also collect your date of birth to verify your age when you purchase age restricted items.
We collect information about your use of the Sites and information about you from any messages you post to the Site or when you contact us or provide us with feedback, including via email, post, phone or chat function. If you contact us by phone, we record and make notes about the call, including for training and service improvement purposes.
We collect information from your mobile device or computer, such as its operating system, the device and connection type and the IP address from which you are accessing our Sites. We also collect technical information about your use of our services through a mobile device, for example, carrier, location data and performance data such as mobile payment methods, interaction with other retail technology such as use of NFC Tags, QR Codes and/or use of mobile vouchers. Unless you have elected to remain anonymous through your device and/or platform settings, this information may be collected and used by us automatically if you use the service through your mobile device(s) via any Defected mobile application, through your mobile's browser or otherwise.
Where we need to collect information by law, or under the terms of a contract we have with you, and you fail to provide that information, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with our services). In this case, we may have to cancel our service to you but we will notify you if this is the case at the time.
We will only process your information if there is a reason for doing so, and if that reason is permitted by law.
Where we need to provide you with the service you have requested or to enter into a contract with you we use your information to:
We also process your information to enforce our contractual terms with you and any other agreement, to ensure compliance with our internal policies and procedures and for the exercise or defence of legal claims and to protect the rights of Defected and our partners or others (including to prevent fraud).
If you submit comments and feedback regarding the Sites and the services, we may use such comments and feedback on the Sites and in any marketing or advertising materials. We will only identify you for this purpose by the name and the city you have provided us and such comments and feedback may be shared with our partners to assess and improve their services.
We will also analyse data about your use of the Sites and the services to create profiles relating to you and for you. This means that we may make certain assumptions about what you may be interested in and use this, for example, to send you more tailored marketing communications, to present you with partners that we think you will prefer, or to let you know about special offers or products which we think you may be interested. This activity is referred to as profiling. You have certain rights in relation to this type of processing. Please see section 12. Your Rights for more details.
We may also use your information to comply with any legal obligation or regulatory requirement to which we are subject.
Where you have given your consent or where we have a legitimate interest for doing so (and are permitted to do so by law) we will use your information to let you know about our other products and services, or Defected initiatives that may be of interest to you and we may contact you to do so by email, post, phone, or push notification or in-app message.
We use online advertising to keep you aware of what we’re up to and to help you see and find our products.
You may see Defected banners and ads when you are on other websites and apps, such as on social media. We manage this through a variety of digital marketing networks and using a range of advertising technologies. The banners and ads you see are based on information we hold about you, or your previous use of our services (for example, your order history) or on banners or ads on our Site that you have previously clicked on. We use your information to send you communications that are the most relevant to you. You have certain rights in relation to this type of processing. Please see section 12. Your Rights for more details.
You can control your marketing preferences by:
Please add steps to change marketing preferences
Where you have chosen at a device level to begin or continue receiving push notifications from us, we may send you push notifications relating to the services that you have requested from us and information about our services, offers and Defected initiatives. You can choose to stop receiving push notifications from us at any time by changing your preferences on your mobile device.
We undertake fraud checks on all customers which is necessary for us to:
• perform our contracted services to customers;
• ensure that our services (and those of all our partners) provided are duly paid for;
• ensure that customers themselves are protected from fraudulent transactions being made on their payment cards.
Given the volume of customer orders we handle, we may sometimes use automated systems, including from a third party fraud detection provider. Such system may analyse your order data to make automated decisions as to whether or not we should accept an order. This is a fairer and more accurate and efficient way of conducting fraud checks since human checks would simply not be possible in the timeframes and given the volumes of customers that we deal with.
The checks and decisions that are made look at various components including known industry indicators of fraud which our expert fraud detection provider makes available to us, as well as fraud patterns we have detected on our Sites. When combined, these generate an automated score indicating the likelihood of a fraudulent transaction. Where we believe there may be fraudulent activity we may block you from placing an order and using our Site. The specific fraud indicators are dynamic so will change depending on what types of fraud are being detected in the industry, country and our Sites at any particular time.
Our fraud detection is in place to protect our customers, as well as Defected. You have the right to contest any automated decision made about you and to be given more information about why any such decision was made. Please see section 12. Your Rights for more details.
We will only retain your information for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your information for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
When determining the appropriate retention periods, we will take into account factors including:
• our contractual obligations and rights in relation to the information involved;
• legal obligation(s) under applicable law to retain information for a certain period of time;
• statute of limitations under applicable law(s);
• our legitimate interests for retaining the information (please see section 4. Use of Your Information);
• whether there is an actual or potential dispute; and
• guidelines issued by relevant data protection authorities.
Otherwise, we securely erase your information where we no longer require it for the purposeswe collected it for.
The information we collect about you will be transferred to and stored on our servers located within the EU. We are very careful and transparent about who else your information is shared with.
We share your information with other Defected group companies only where necessary for the purposes set out in the Use of Your Information section above. We share your information with our partners (such as restaurants, grocers, and other retail partners on Defected), who have access to limited information to enable them to fulfil an order. Where relevant and you give your consent, we may share the health information you volunteer to us with partners to enable them to investigate and respond to complaints.
We share your information with third party service providers that provide services on our behalf.
The types of third party service providers whom we share your information with include for example:
• Payment providers (including online payment providers and fraud detection providers);
• IT service providers (including cloud providers);
• Riders, who have access to limited information to enable them to fulfil an order;
• Customer support providers (including, but not limited to, companies that assist us to provide customer or technical support); and
• Marketing and advertising partners.
We share your information when we promote a programme or offer a service or product in conjunction with a third-party business partner. We will share your information with that partner to assist in marketing or to provide the associated product or service. In most of those cases, the programme or offer will include the name of the third-party business partner, either alone or with ours. An example of such a business partner relationship would be a partner that we partner with for providing delivery services.
If you submit comments and feedback regarding the Sites, services, and our partners we may share such comments and feedback with our partners. In addition, and if you consent to it, we may share health information about you with our partners, for example if you report any specific food allergies after placing an order.
If our business enters into a joint venture with, purchases or is sold to or merged with another business entity, your information may be disclosed or transferred to the target company, our new business partners or owners or their advisors.
We may also share your information:
• if we are under a duty to disclose or share your information in order to comply with (and/or where we believe we are under a duty to comply with) any legal obligation or regulatory requirement;
• in order to enforce our contractual terms with you and any other agreement;
• to protect the rights of Defected, our partners, or others, including to prevent fraud; and
• with such third parties as we reasonably consider necessary in order to prevent crime, e.g. the police or for health and safety purposes.
In some cases the information we collect from you might be processed outside the United Kingdom or the European Economic Area, such as the United States and the countries in which Defected operates. These countries may not have the same protections for your information as the UK or EEA has. To the extent these countries have not been lawfully recognised as providing an adequate level of data protection, we will ensure that the information that is processed by us and our suppliers outside of the UK or EEA is protected in the same way as it would be if it was processed within the UK or the EEA. We ensure to use an appropriate data transfer mechanism, such as reliance on the protections set out in approved standard contractual clauses.
Please contact us using the contact details above for further information on the specific mechanism used by us when transferring your information.
We adopt robust technologies and policies to protect your information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
We have implemented procedures to deal with any data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will take steps to protect your information, we cannot guarantee the security of your information transmitted to the Sites; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
When you open an account you may create a password, or other secure login method and also provide payment card details. You must use a unique password and keep any password you create, or other secure login method, secret in order to help prevent others from accessing your account.
Under certain circumstances, you have rights under data protection law in relation to the information we hold about you.
• The right of access. This is also known as a “data subject access request”. You have the right to receive a copy of the information we hold about you and to check that we are lawfully processing it.
• The right to rectification. You are entitled to have any incomplete or inaccurate information we hold about you corrected, though we may need to verify the accuracy of the new information you provide to us.
• The right to erasure. This is also known as “the right to be forgotten” which enables you to request the deletion or removal of certain of the information that we hold about you where there is no good reason for us continuing to process it. This right is not absolute and only applies in certain circumstances.
• The right to restrict processing. You have the right to block or suppress further use of your information in certain circumstances. When processing is restricted, we may still have a lawful reason to store your information, but we will not use it further.
• The right to data portability. You have the right to receive your information in a structured, commonly used and machine-readable format which you can transfer to another service provider or other third party. This right is not absolute and only applies in certain circumstances.
• The right to withdraw consent. Where we rely on consent to use your information, you have the right to withdraw that consent at any time. Withdrawing consent will not, however, make unlawful our use of your information before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you.
• The right to object to processing. You have the right to object to certain types of processing of your information, including processing for direct marketing purposes and profiling. You can object by changing your marketing preferences and disabling cookies as set out in section 6. Cookies and section 7. Marketing or by contacting us.
• You have the right not to be subject to a decision based solely on automated processing of your information, such as in connection with our fraud checks.
To exercise any of these rights, please contact our Data Protection Officer in writing at email@example.com.
If you are unhappy with how we have handled your information you can contact your local data protection authority. In the UK, this is the Information Commissioner’s Office. We would, however, really appreciate the chance to deal with your concerns before you approach your local data protection authority and so we please ask that you contact us first.