DATA PRIVACY NOTICE

At Swish, we take privacy as an important and serious matter and commit to protect it. This Website Data Privacy Notice ("Notice") may evolve over time. Therefore, we kindly ask you to visit this page frequently and check the date on this page to make sure you are familiar with the latest version.
Version date: 25 Aug 2023

This Notice describes how Swish Retail Limited, 3rd Floor 86-90 Paul Street, London, United Kingdom, EC2A 4NE ("Swish" or "we" or "us" or "our") as controller processes the personal data and other information of the users ("you" or "your") in particular within the meaning of the General Data Protection Regulation ("GDPR") and other applicable Data Privacy Laws, when using the website www.Swish.com ("Website") or the "Swish App". Reference to the GDPR shall also be deemed to include references to the specific clause of other applicable Data Privacy Laws.

1. CATEGORIES OF PERSONAL DATA, PROCESSING PURPOSES, LEGAL BASIS, AND SOURCE

1.1 Personal Data actively provided by you:

If you create a user account on our website, you will be asked to provide certain personal data about you - for example: Name, postal address, email address, selected password. Swish processes such personal data for the purpose of providing our services to you. Providing such personal data is voluntary. However, without providing such personal data, you will not be able to create a user account. The legal basis for the processing of such personal data is the contract on the use of the Website concluded with you (Art. 6 (1) lit. b GDPR).

If you register for the newsletter and consent to the receipt of newsletters and the processing of your email address for this purpose, you will be asked to provide your name, but at least your email address. We will use your email address for regularly sending you newsletters. Providing your email address is voluntary. However, without providing your email address you will not receive newsletters. The legal basis for the processing of your personal data for sending newsletters is consent (Art. 6 (1) lit. a GDPR).

We may also receive personal data about you from sources outside our business which may include our group companies or other third-party resources.

1.2 Other passively collected information:

In addition to the personal data that you actively provide, the Website may automatically collect, process, and store certain information (e.g., device and usage information) through the usage of Cookies from you. We kindly ask you to refer to our Cookie Policy for more information. The legal basis for this purpose is consent given by clicking on the respective button displayed on the Cookie Banner (Art. 6 (1) lit. a GDPR).


2. RECIPIENTS

2.1 Transfer within the Swish group companies

We may share your information within the Swish group companies for internal administrative purposes or for marketing purposes in connection with the products and services we offer and/or that might be interesting for you. Some of our colleagues administering the Website/App and providing IT services may be employees of our group companies. When administering the Website our colleagues may have access to and/or may process your personal data. The respective transfer of your personal data within the Swish group companies is based on our legitimate interests. The access is limited to colleagues with a need to know.

2.2 Transfer to service providers

Swish may engage external service providers, who act as a data processor of Swish, to provide certain services to Swish such as website and app service providers, marketing service providers or IT support service providers. When providing such services, the external service providers may have access to and/or may process your personal data. Those external service providers will be subject to contractual obligations to implement appropriate technical and organisational security measures to safeguard the personal data and its confidential nature and to process the personal data only as instructed.

2.3 Other recipients

Swish may also transfer your personal data to law enforcement agencies, governmental authorities, legal counsel, and external consultants in compliance with applicable data protection law. The legal basis for such processing is compliance with a legal obligation to which Swish is subject or legitimate interests, such as exercise or defense of legal claims. Swish may also transfer your personal data to a third party as part of a sale of some or all of our business assets to any third party or as part of any business restructuring or reorganisation.



3. INTERNATIONAL TRANSFERS OF PERSONAL DATA

The personal data that we collect or receive about you may be transferred to and processed by recipients which are located inside or outside the European Economic Area ("EEA") and which do not provide for an adequate level of data protection. The countries that are recognised to provide for an adequate level of data protection from an EU law perspective are, among others, Switzerland, and the UK. To the extent your personal data are transferred to countries that do not provide for an adequate level of data protection from an EU law perspective (e.g., the UK), we will base the respective transfer on appropriate safeguards, such as Standard Contractual Clauses adopted by the European Commission.



4. WHAT RIGHTS DO YOU HAVE AND HOW CAN YOU ASSERT YOUR RIGHTS?

If you have declared your consent for any personal data processing activities, you can withdraw this consent at any time with future effect. Such a withdrawal will not affect the lawfulness of the processing prior to the consent withdrawal.

Pursuant to applicable data protection law you may have the right to: request access to your personal data; request rectification of your personal data; request erasure of your personal data; request restriction of processing of your personal data; request data portability; and object to the processing of your personal data. Please note that these rights might be limited under the applicable national data protection law. For further information on these rights please refer to section "Your Rights" at the end of this notice.

You also have the right to lodge a complaint with the competent data protection supervisory authority. To exercise your rights please contact us as stated in Section 6.



5. HOW LONG DO WE KEEP YOUR PERSONAL DATA?

Your personal data will be retained as long as necessary to provide you with the services requested. When Swish no longer needs to use your personal data to comply with contractual or statutory obligations, we will remove it from our systems and records and/or take steps to properly anonymize it so that you can no longer be identified from it, unless we need to keep your information, including personal data, to comply with legal or regulatory obligations to which Swish is subject, e.g. statutory retention periods and could contain retention periods, depending on the case up to 10 years, or if we need it to preserve evidence within the statutes of limitation, which is usually three years but can be up to thirty years.

6. CONTACT US

If you have concerns or questions regarding this Website Data Processing Notice, please contact us as follows: 

Swish Retail Limited
3rd Floor 86-90 Paul Street, London, United Kingdom, EC2A 4NE
or hello@swishretail.com

SMART FRIDGE DATA PROTECTION NOTICE

This Smart Fridge Data Protection Notice ("Notice") describes how Swish UK & I, 1 Finway Road, Hemel Hempstead, HP2 7PT ("Swish" or "we" or "us" or "our") as controller processes the personal data and other information ("Data") of the users ("you" or "your") in particular within the meaning of the General Data Protection Regulation ("GDPR") and other applicable data protection laws ("Applicable Law") when using Smart fridges ("Store").

1. CONTENT OF THIS NOTICE

This Notice describes the technical means, their functionality, and if and how Data is collected, processed, and stored in relation to the Smart Fridge. At the end of the Notice, you will find a section describing your rights under the GDPR related to your Data. Swish is controller for all processing of personal data that occurs in connection with the use and operationalisation of Smart Fridges.

2. SMART FRIDGE

Data is collected in two different ways when using the Smart Fridge: a) a camera films the products' movement in the Smart Fridge as soon as the Smart Fridge is opened; and b) if you use your preferred card for payment.

The collection of the Data is undertaken based on legitimate interest, contractual compliance, and legal obligation.

2.1 CAMERA

As soon as the Smart Fridge is opened, a camera is activated to track the movements of the products in the Smart Fridge to support the appropriate payment of your purchase. The camera will likely only capture your hand movements when operating the Smart Fridge, but depending on the angle at which you are positioned to the Smart Fridge, the camera might be able to catch more of your features on video. This is not intended but is unfortunately impossible to avoid. Such video footage is stored locally on a hard drive installed in the Smart Fridge and remains there for 7 days. In case of a discrepancy, the video footage is sent to our service provider, where your data is hosted on a dedicated server. In such case, the video footage will be retrieved from the system, if there is a question regarding a transaction. Such video footage is stored on that dedicated server for 7 days.

2.2 CARD DATA

If you use your card to get access to Store, your card data will be processed by an independent third-party service provider. Your card data will be handled in line with the PCI standard and will only receive the money from the corresponding transaction. The card data is collected to fulfil the contract, namely processing the payment.

3. LEGAL BASIS FOR THE PROCESSING ACTIVITIES

3.1 CAMERA

Swish's legal basis for processing video footage is legitimate interest, pursuant to the GDPR article 6 nr. 1 f. The purpose of the video recordings is to document and resolve discrepancies, for instance technical issues or suspected theft.

Swish has legitimate interest to avoid discrepancies and document that the Smart Fridges are operated appropriately and that they function properly.

To achieve the purposes of the legitimate interests, it is necessary to record video. If video recordings are not in place, Swish will not get definitive documentation and will not be able to adequately address discrepancies.

As the video footage only captures a person's hand, the infringement on an individual's privacy is minimised. Moreover, the Smart Fridges have clear and visible information signalling that video recording is taking place.

Swish will not share video recordings with anyone except for sub-processors, and potentially public authorities provided that such authorities have a legal basis to request such Data.

3.2 CREDIT CARD

Swish's legal basis for processing card data is that the processing is necessary for the performance of a contract to which the data subject is a party, and for compliance with a legal obligation to which the controller is subject. Please see GDPR article 6 nr. 1 b and c.

To process payments, Swish must also process card data. Under applicable bookkeeping legislation, Swish is also obligated to keep records of transactions.



4. INTERNATIONAL DATA TRANSFER AND TRANSFER TO THIRD PARTIES TO COMPLY WITH A LEGAL OBLIGATION

The Data that we collect or receive about you may be transferred to and processed by recipients - as set out in this notice - which are located in the United Kingdom. To safeguard your Data, a Data Processing Agreement in line with Art. 28 GDPR has been concluded.

Swish may also transfer your personal data to law enforcement agencies, government authorities, legal counsel, and external consultants. The legal basis for such processing is compliance with a legal obligation to which Swish is subject or legitimate interests, such as exercise or defence of legal claims.

5. WHAT RIGHTS DO YOU HAVE AND HOW CAN YOU ASSERT YOUR RIGHTS?

If you have declared your consent for any personal data processing activities, you can withdraw this consent at any time with future effect. Such a withdrawal will not affect the lawfulness of the processing prior to the consent withdrawal.

Pursuant to applicable data protection law you may have the right to: request access to your personal data; request rectification of your personal data; request erasure of your personal data; request restriction of processing of your personal data; request data portability; and object to the processing of your personal data. Please note that these aforementioned rights might be limited under the applicable national data protection law. For further information on these rights please refer to Appendix Your Rights. If you wish to exercise your rights towards Swish, please use the contact information under 7.

You also have the right to lodge a complaint with the competent data protection supervisory authority in your country. In the UK, this is the Information Commissioner's Office (ICO) which may be contacted through their website ico.org.uk or via their helpline on 0303 123 1113. In Ireland, this is the Data Protection Commission (DPC), which can be contacted through their website dataprotection.ie or via their helpline 017650100.

6. HOW LONG DO WE KEEP YOUR PERSONAL DATA?

Video footage is stored locally on a hard drive installed in the Smart Fridge and remains there for 7 days. In case of a discrepancy, the video footage is sent to our service provider where your data is hosted on a dedicated server. In such case, the video footage will be retrieved from the system, if there is a question regarding the transaction. Such video footage is stored on that dedicated server for 7 days.

7. CONTACT US

If you have concerns or questions regarding this Store Data Processing Notice, please contact us as follows:

Swish Retail Limited
3rd Floor 86-90 Paul Street, London, United Kingdom, EC2A 4NE
or hello@swishretail.com

1. YOUR RIGHTS

1.1. RIGHT OF ACCESS

You may have the right to obtain from us confirmation as to whether or not personal data concerning you is processed, and, where that is the case, to request access to the personal data. The access information includes – inter alia – the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipients to whom the personal data have been or will be disclosed. However, this is not an absolute right, and the interests of other individuals may restrict your right of access.

You may have the right to obtain a copy of the personal data undergoing processing. For further copies requested by you, we may charge a reasonable fee based on administrative costs.

1.2. RIGHT TO RECTIFICATION

You may have the right to obtain from us the rectification of inaccurate personal data concerning you. Depending on the purposes of the processing, you may have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

1.3. RIGHT TO ERASURE ("RIGHT TO BE FORGOTTEN")

Under certain circumstances, you may have the right to obtain from us the erasure of personal data concerning you and we may be obliged to erase such personal data.

1.4. RIGHT TO RESTRICTION OF PROCESSING

Under certain circumstances, you may have the right to obtain from us restriction of processing your personal data. In this case, the respective data will be marked and may only be processed by us for certain purposes.

1.5. RIGHT TO DATA PORTABILITY

Under certain circumstances, you may have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format and you may have the right to transmit those data to another entity without hindrance from us.

1.6. RIGHT TO OBJECT

Under certain circumstances, you may have the right to object, on grounds relating to your particular situation, or where personal data are processed for direct marketing purposes, at any time to the processing of your personal data by us and we can be required to no longer process your personal data.

Moreover, if your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. In this case your personal data will no longer be processed for such purposes by us.