Privacy Policy – [new][draft]
Privacy Policy
1. Privacy Policy
Zuspresso Philippines, Inc. or ZUS Coffee (“we”, “us” or “our”) is committed to processing Personal Information about you in accordance with applicable data privacy laws, which include Republic Act No. 10173 or the Data Privacy Act of 2012, its Implementing Rules and Regulations, and the issuances of the Philippine National privacy Commission ("NPC") (collectively referred to as "Data Privacy Act").
Your privacy is of great importance to us. This Privacy Policy describes how we collect, use, process and disclose your Personal Information through the use of our website (“Website”) and ZUS Coffee mobile application/s (“App”). It also describes the measures we take to protect the security of Personal Information, your rights and choices with respect to your Personal Information, and how you can contact us about our privacy practices.
2. WHAT PERSONAL INFORMATION DO WE COLLECT AND HOW DO WE COLLECT THE SAME?
Personal Information refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual. We may collect the following categories of Personal Information, including Sensitive Personal Information, as defined under the Data Privacy Act:
2.1 name, address, email address, log-in credentials (i.e., username and password)
2.2 telephone number including your contact list or when you give us permission on your device,
2.3 nationality,
2.4 date of birth, age,
2.5 gender,
2.6 marital status,
2.7 education level,
2.8 health information,
2.9 identification number,
2.10 religion,
2.11 banking details, debit cards details and credit card details
2.12 inferences drawn from Personal Information
2.13 business contact information (e.g., consumption habits, interests, location data) (collectively, "Personal Information”)
When you browse or use our Website and/or our App, other Personal Information may also be collected (e.g., through cookies, web beacons when you interact with our ads), which includes, but is not limited to, your internet protocol (IP) address, web terms or searches that led you to our Website, location information, time stamps, feedbacks, reviews, ratings, transaction information or other Personal Information that may be captured when you interact with us through our live chat feature.
If you are applying for employment with ZUS Coffee, we may collect certain identifiers and professional or employment-related information from your job applications on our Career website.
3. WHAT DO WE DO WITH YOUR PERSONAL INFORMATION?
We may use your Personal Information to:
3.1 communicate with you about our store(s), existing and new products, updates, information, promotions, marketing materials, and other marketing activities;
3.2 improve our products and services by assessing how many users access or purchase our products and services, which content, products and features of our products and services most interest you, what types of offers you like to see and how our online products and services perform from a technical point of view;
3.3 fulfill your orders and provide our products and services;
3.4 process your payment transactions;
3.5 receive, fulfill and address orders, questions, requests, messages, and other feedback received from you;
3.6 protect against and prevent fraud and other legal or information security risks;
3.7 create and manage any accounts you may have with us;
3.8 provide you with personalized products, promotions, services, or recommendations;
3.9 manage our customer, supplier, and vendor relationships, including to create and publish business directories (which may include business contact information);
3.10 develop and improve our products and services, and operate, evaluate and improve our business;
3.11 detect and prevent deceptive, fraudulent, or illegal activity using techniques such as, machine learning to process and analyse data;
3.12 for job applicants, process your job application and contact you;
3.13 learn more about you, including your preferences or other characteristics. We treat these inferences as Personal Information;
3.14 and any other relevant purposes that you may be notified by us from time to time.
We will only use and process your Personal Information with your consent, unless another legal basis for processing under the Data Privacy Act is present.
For reference, we only process your Personal Information when any of the following legal basis is present:
3.15 You have given us your consent prior to the collection, or as soon as practicable and reasonable;
3.16 The processing involves is necessary in order to fulfill obligations under the contract with you or to take steps at your request prior to entering the said agreement (e.g., to provide you with products and services);
3.17 The processing is necessary for compliance with a legal obligation to which we are subject;
3.18 The processing is necessary to protect your vitally important interests, including your life and health;
3.19 The processing of personal information is necessary to respond to national emergency or to comply with the requirements of public order and safety, as prescribed by law;
3.20 The processing of personal information is necessary for the fulfillment of the constitutional or statutory mandate of a public authority; or
3.21 The processing is necessary to pursue our legitimate interests, or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject, which require protection under the Philippine Constitution.
Meanwhile, we process your Sensitive Personal Information, as defined in the Data Privacy Act, only when any of the following legal basis is present:
3.22 You have given us your consent, prior to the processing of the sensitive personal information or privileged information, which shall be undertaken pursuant to a declared, specified, and legitimate purpose;
3.23 The processing of the sensitive personal information or privileged information is provided for by existing laws and regulations;
3.25 The processing is necessary for the purpose of medical treatment: Provided, that it is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal data is ensured; or
3.26 The processing concerns sensitive personal information or privileged information necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise, or defense of legal claims, or when provided to government or public authority pursuant to a constitutional or statutory mandate.
Where we process your Personal Information on the basis of legitimate interest, we carry out the legitimate interest assessment to ensure that our or the third party(ies)'s legitimate interest is not overridden by your interest, fundamental rights or freedoms.
If you provide us with any information or material relating to another individual, you must make sure that the sharing with us and our further use as described to you from time to time is in line with the Data Privacy Act, e.g., you should duly inform that individual about the processing of her/his Personal Information and obtain her/his consent, as may be necessary under the Data Privacy Act and other applicable laws.
4. HOW DO WE GET YOUR CONSENT?
When you provide us your Personal Information including, but not limited to, filling in your information through the use of our Website and/or App, completing a transaction, verifing your banking details or credit card details, placing an order, arranging for a delivery or return of a purchase, we incorporate appropriate consent forms to ensure that we obtain your freely, specific, and express consent to the processing of your Personal Information, unless another legal basis for processing Personal Information is present.
By using our Website and/or App, you represent that you are at least eighteen (18) years old, and you have given us your consent to allow any of your minor dependents to use our Website and/or App and be responsible for the actions of the minor dependent.
We will not subject you to a decision based solely on automated processing that produces legal effects concerning you or that significantly affects you, unless you explicitly consented to the processing.
5. HOW DO YOU WITHDRAW YOUR CONSENT?
You may withdraw your consent at any time by contacting our Data Protection Officer or through other easy and convenient means of withdrawing consent depending on the specific processing activity as may be available on the Website or App.
After you have chosen to withdraw your consent, we may be able to continue to process your Personal Information if another lawful basis for processing is present and only to the extent required or otherwise permitted by the Data Privacy Act. If further processing of your Personal Information may be allowed, we will notify you of the corresponding purposes and lawful bases relied on for those other purposes. If you withdraw your consent to direct marketing activities, we shall immediately cease from processing your Personal Information.
The withdrawal of your consent to some processing activities may affect the manner and quality of the services we offer or provide to you, as well as the availability, functionality or use of the Website or App. In some instances, we may not be able to provide your requested products or services. The withdrawal of your consent will not, however, affect the lawfulness of the processing before the withdrawal of such consent.
6. HOW AND TO WHOM DO WE DISCLOSE YOUR PERSONAL INFORMATION?
We may share your Personal Information with:
6.1 our subsidiaries, associated companies, jointly controlled entities, and other entities within the Zuspresso group of companies;
6.2 service providers acting on our behalf, such as, but not limited to, providers of delivery services, logistics services, payment services, fraud monitoring and prevention purposes, data analytics, third parties whose feature(s) you use in connection with our products and services (e.g., third-party cookies, widgets, plug ins);
6.3 business partners and entities that partner with us to provide products and services;
6.4 other entities as required under applicable law;
6.5 third parties in the event of a sale or transfer of our business or assets;
6.6 law enforcement agencies and government agencies as required under applicable law or legal process, or to respond to requests from law enforcement agencies and government agencies; and
6.7 other third parties with your consent.
Prior to the transfer or sharing of any Personal Information (including access to Personal Information), we require appropriate privacy and information security protections in agreements (i.e., data sharing agreement or data outsourcing/processing agreement as the case may be) with third parties.
In general, the third-party providers or vendors used by us will only collect, use and disclose your information to the extent necessary to allow them to perform the services they provide to us or as permitted by law.
Certain third-party service providers or vendors, such as payment gateways and other payment transaction processors, may have their own privacy policies in respect to the information that we are required to provide to them for your purchase-related transactions. For these providers, we recommend that you read their privacy policies so you can understand the manner in which your Personal Information will be handled by these providers. In particular, remember that certain providers may be located in or have facilities that are located a different jurisdiction than either you or us. So if you elect to proceed with a transaction that involves the services of a third-party service provider, then your information may become subject to the laws of the jurisdiction(s) in which that service provider or its facilities are located. Once you leave our Website or are redirected to a third-party website or application, you are no longer governed by this Privacy Policy or our Terms of Service.
When you click on links on our Website and/or App, they may direct you away from our Website and/or App. We are not responsible for the privacy practices of third-party sites and encourage you to read their privacy policies.
7. HOW DO WE TRANSFER YOUR PERSONAL INFORMATION?
We may transfer the Personal Information we collect about you to recipients in countries other than the Philippines. These countries may not have the same data protection laws as the country in which you initially provided the information. When we transfer your Personal Information to other countries, we will protect that information as described in this Privacy Policy, as disclosed to you at the time of data collection, or as described in a specific privacy notice.
We comply with applicable legal requirements, including obtaining consent where required, when transferring Personal Information to countries other than the country where you are located.
8. HOW DO WE RETAIN YOUR PERSONAL INFORMATION?
We maintain appropriate security safeguards to protect your Personal Information and only retain it for a limited period of time.
We will only retain your Personal Information for so long as it is necessary for the fulfillment of the declared, specified, and legitimate purpose, or when the processing relevant to the purpose has been terminated; or for the establishment, exercise or defence of legal claims; or for legitimate business purposes, which must be consistent with industry or approved standards.
Some of the applicable retention periods are summarized below:
| Purpose/Activity | Lawful basis for processing | Retention period |
|---|---|---|
| Meeting our obligations to our customers | Performance of a contract with you. Necessary to comply with a legal obligation. Necessary for our legitimate interest in running our business and providing you with requested products and services. Your consent. | 10 years from the registration or account activity in accordance with legal obligations. |
| Managing registrations and accounts of our customers and clients | ||
| Improving our products and services, marketing activities, advertising and promotion, communications | Performance of contract with you. Necessary for our legitimate interests in promoting our services, performing direct marketing activities and improving our services. Your consent. | 6 years from the last date on which you have interacted with us in any way. |
| Carrying out surveys and analyses of questionnaires and customer comments, managing claims or complaints | Performance of contract with you Necessary for our legitimate interests in promoting our services, performing direct marketing activities and improving our services Your consent. | 6 years from the last date on which you have interacted with us in any way. 6 years from the date of closure of your file in case of a claim or a complaint. |
| Securing and enhancing your use of the Website and App | Necessary for our legitimate interests in running our business, provision of administration and IT services and network security to prevent fraud. Your consent. | 13 months from the collection of the information. |
| Compliance with applicable laws (e.g., accounting, tax) | Necessary to comply with a legal obligation. Your consent. | As required by law |
9. HOW DO WE SECURELY DISPOSE YOUR PERSONAL INFORMATION?
When we no longer require your Personal Information, we will take steps to erase, remove, destroy, anonymise or prevent access to or use of your Personal Information. After the lapse of the retention period and if your Personal Information may no longer be kept in accordance with the Data Privacy Act, we dispose and destroy your Personal Information or keep it in a form that does not permit identifying you, to ensure secure and proper disposal that would render further processing inaccessible.
For electronically stored Personal Information, we use appropriate degaussers, erasers, encryption, or secure wiping programs as applicable. For physically stored Personal Information, we securely dispose or destroy storage media used to store Personal Information such as disk servers, hard or solid-state drives, portable storage drives, such as disks, flash drives and memory cards, read-only memory storage in mobile phones when they reach the end-of-life. We also dispose Personal Information in paper documents through paper shredders that would render shredded paper documents into small pieces that cannot be reassembled.
If our store is acquired or merged or sold or entered into a joint venture, consolidation, restructuring, financing or any other types of business transactions with another company, your information may be shared or transferred to the other parties. </p
10. HOW DO WE SECURE YOUR PERSONAL INFORMATION?
To protect your Personal Information, we maintain appropriate security safeguards to protect your Personal Information. We maintain reasonable administrative, technical and physical safeguards designed to protect the Personal Information you provide or we collect against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or use.
These safeguards include measures to prevent your Personal Information from being lost, used, accessed, disclosed or altered in an unauthorized way or being destroyed. All information on our website is encrypted using secure socket layer technology (SSL) and stored with an AES-128 encryption. Although no method of transmission over the Internet or electronic storage is 100% secure, we follow all PCI-DSS requirements and implement additional generally accepted industry best practice and standards. In addition, we implement other technical measures (such as firewalls, a user ID/password system, implementation of a security policy), physical measures (such as proper destruction of files), and organizational measures (such as appointment of a Data Protection Officer, implementation of data protection procedures and policies, maintenance of records of processing activities, means of physical protection) to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
In particular, we have implemented access control measures which restrict access to Personal Information as well as storage and processing equipment by imposing access rights or permission, user access management to limit access to Personal Information to only authorized person, and implement user responsibilities to prevent unauthorized access, disclosure, perception or unlawful duplication of Personal Information. This also includes methods enabling the re-examination of unauthorized access, alteration, erasure, or transfer of Personal Information which is suitable for the method and means of the collection, use, and/or disclosure of Personal Information.
In the event of a breach of our security safeguards, we will assess the extent of harm (if any) to individuals, and comply with reporting and notification obligations in accordance with the Data Privacy Act.
11. HOW DO WE MANAGE COOKIES?
A cookie is a small amount of data, which often includes an anonymous unique identifier amongst other, that is sent and stored on your computer or mobile device in emails and or notifications that we send to you on our Website and or App. Some cookies are required to use our Website and/or App.
Cookies allow a site to "remember" your actions or preferences over time. So when you visit our site, the cookies may store or retrieve information on your browser, which may be about you, your preferences and/or your device. We use cookies, as well as third-party cookies, to operate and improve the site, measure our audience, enhance your experience and provide you with content and advertising tailored to your interests based on your browsing activities and actions on this and other sites. For instance, cookies enable us to assess how many users access or use our service, which content, products, and features of our service most interest our users, what types of content our users like to see, and how our service performs from a technical point of view.
Third parties may be able to associate the Personal Information they collect with other personal information they have about you from other sources. We do not necessarily have access to or control over the cookies they use.
You have the right to choose to disable, block or deactivate cookies. Please note however that refusal or removal of some cookies could affect the availability, functionality or use of our Website and our App.
12. WHAT ARE YOUR DATA PRIVACY RIGHTS AND HOW CAN YOU EXERCISE THEM?
You have certain rights regarding the Personal Information we maintain about you and certain choices about what Personal Information we collect from you, how we use it, and how we communicate with you.
12.1 Right of Access: You have the right to obtain confirmation on whether or not Personal Information relating to you are being processed, as well as information about any of the following:
12.1 Right of Access: You have the right to obtain confirmation on whether or not Personal Information relating to you are being processed, as well as information about any of the following:
12.2 Contents of your Personal Information and categories of data that were processed;
12.3 Sources from which Personal Information were obtained, if the data was not collected from you;
12.4 Purposes of processing;
12.5 Manner by which such data were processed;
12.6 Information on automated processes where the processed data will or is likely to be made as the sole basis for any decision that significantly affects or will affect you;
12.7 Names and addresses of recipients of the Personal Information;
12.8 Reasons for the disclosure of the Personal Information to recipients;
12.9 Date when your Personal Information were last accessed and modified;
12.10 Period for which particular categories of Personal Information will be stored; and
12.11 The designation, name or identity, and address of the Data Protection Officer.
12.12 Right of Rectification: You have the right to dispute the inaccuracy or error in your Personal Information, and we shall correct the same within a reasonable period of time.
12.13 Right to be Informed: A data subject has the right to be informed whether Personal Information pertaining to him or her shall be, are being, or have been processed, including the existence of automated decision-making and profiling.
12.14 Right to Object: You have the right to object to the processing of your Personal Information where such processing is based on consent or legitimate interest. When you exercise this right, we shall cease the processing of personal data and comply with the objection, unless the processing falls under any other allowable instances pursuant to the Data Privacy Act, other than consent and legitimate interest. Notwithstanding the foregoing, objection to direct marketing is absolute.
12.15 Right to Erasure or Blocking: You have the right to request for the suspension, withdrawal, blocking, removal, or destruction of your Personal Information from our filing system, in both live and back-up systems.
12.16 Right to Data Portability: You have the right to obtain from us a copy of your Personal Information and/or have the same transmitted from one data controller to another, in an electronic or structured format that is commonly used and allows further use by you.
Right to Damages: You have the right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of your Personal Information, taking into account any violation of your rights and freedoms as a data subject. You also have the right to file a complaint with the National Privacy Commission in case of any violation of your data privacy rights.
Your exercise of the foregoing rights shall be subject to the restrictions and limitations imposed under the Data Privacy Act. We will not deny, charge different prices for, or provide a different level of quality of goods or services if you choose to exercise these rights, except where the different price or level of quality of good or service is reasonably related to the value of the data that we receive from you. In some instances, we may not be able to provide you with the good or service that you request if you choose to exercise certain rights.
You may exercise your rights by submitting a request or reaching out to our Data Protection Officer.
If we fall short of your expectations in processing your Personal Information, please let us know because it gives us an opportunity to fix the problem. To assist us in responding to your request, please give full details of the issue. We review and respond to all complaints within a reasonable time and as required under applicable law.
13. AMENDMENTS
We reserve the right to modify, update or amend this Privacy Policy at any time, so please review it frequently. Modification, updates and/or amendments will take effect immediately upon the same being posted on our Website and/or App. For any significant or material changes to our Privacy Policy, we will post a prominent notice on our Website and in the App to notify you prior to them being effective and indicate at the top of the Policy when it was most recently updated. Your continued use of our Website and/or App shall constitute your agreement to be bound by such amendments. If we update our Privacy Policy, in certain circumstances, we may seek your consent.
14. HOW DO YOU CONTACT US?
If you would like to enquire or would like to exercise your rights under this Privacy Policy, please contact us at:
Data Protection Officer
Zuspresso Philippines, Inc.
Unit 34, Cliffpoint Square, CW Home Depot, Julia Vargas Ave., Ugong, Pasig City