25.11.2021
This privacy notice explains how we, Quintain Ltd with company number 02694983 process your personal data when you sign up to our loyalty scheme and/or use our app.
Please do not use our services unless you are 18 years old or over.
1. Who does this privacy notice apply to?
This notice applies to:
- users of our services; and
- persons who interact with us, when you call us, email us or visit our premises.
- Persons who sign up to our newsletter and other email marketing – we collect and use personal information of people who sign up to receive our newsletter and other marketing emails, including via the websites and Wifi. The personal information collected consists of: your name and email address, and where you inform us, your gender. If you choose to tell us your gender we can tailor the information in emails and newsletters accordingly, please see paragraph 8 below for more information.
- Persons who we interact with on social media – occasionally we may direct message Guests via Facebook or Instagram regarding a competition that we are running. The personal information collected consists of: your name and email address.
- Advertising, events and competitions – some Persons may wish to participate in certain events, promotions or competitions which we run. These could be online or at the Centre itself. The personal information collected consists of: your name, email address and mobile phone number.
- Business Contacts In addition, we collect and use the name, job title, place of work, business email address and business mobile number about Business Contacts who work for various businesses involved with the Centre, notably: tenants who run retail units at the Centre, potential tenants, agents who provide services to the Centre, investors in the Centre and our clients who are involved with the Centre.
This notice applies to you whether you act in your personal capacity or as an employee or agent of an organisation.
2. Sources of the personal information
- From you directly – in most instances, we collect your personal information from you directly, including where you sign up for our rewards club, newsletter, competitions and to receive other marketing emails and promotional information.
- Wi-Fi services provider – we use a third party provider of Wi-Fi services, who initially collects your name and email address if you register to use the Centre’s Wi-Fi. The Wi-Fi services provider may send us your name and email address so we can add you to our marketing database.
3. What personal data is processed about you?
Generally, “personal data” refers to any information that identifies you or relates to you. We will process personal data including:
- your user details collected when you sign up for our app as you use our features, such as your title, name, email address, language, mobile, city, postcode, country and date of birth, sex and other information;
- when accessing our services, your device will automatically provide unique information such as mobile device ID, IP address, cookie ID, online identifiers, geolocation data, operating system, browser type and time zone setting and other information;
- our systems may generate usage data about how you navigate and engage with our services, which pages you view, which offers you access, your preferences (including language), methods used to access our services, interests known, observed or inferred as well as security logs;
- GPS location data if you enable the functionality on your device, we will be able to offer you location-based features and notifications. In doing so we will collect the time date and duration of stay of a visit, as well as technical information such as which of our systems interacted with your device. We do this so we can keep in touch with you when you visit our premises, to determine which of our products and services may be of interest to you (based on your store visit) and to record your visit in our customer loyalty reward programmes.
- third party data such as confirmation that you have scanned a barcode at a participating store, data about your interaction with our posts and content and ‘likes’ on social media platforms, profile information from advertising and analytics partners and information from our suppliers;
- when we send you emails, sms or push notifications, we may collect technical email interaction data, such as open rates or what content you clicked on; and
- when you interact with our services, contact or visit us, we may process your image, complaint details, details of your requests, communications, feedback, keep a relationship history, details of your survey submissions or other interaction data.
We will likely be unable to assist unless you provide the relevant personal data, and some personal data will be mandatory for our compliance with the law. Nevertheless, we would ask that you only provide the necessary personal data to us.
4. How do we process your personal data and why?
The type of personal data we collect about you will depend on your interaction with our services and features and your user settings.
Generally, we will use your personal data as “controller” to (i) provide our services; (ii) to send you relevant information; (iii) ensure the security and technical availability of our services; (iv) develop and promote our organisation and services; and (v) as further described in this notice.
We will update you about any new purposes of processing of your personal data from time to time and we will obtain your prior consent where we are required to do so at law.
5. Data Accuracy
We and our clients who are the participating stores will rely on the information provided by you as accurate, complete and up to date, and we shall be grateful if you would inform us of any changes without delay.
We would ask that you do not provide to us information about others unless you have their permission to do so.
6. What data do we collect and why?
Purpose | Personal data | Legal ground for processing |
To enable you to sign up for our services, to understand your basic demographic information and verifying that the format of the information provided by you is correct. | user details | Necessary for our legitimate interest in reasonably ensuring that the information provided by users is accurate and understanding the basic demographic information about our users who might be interested in our services. |
To provide our services such as our customer engagement and loyalty app and features, keeping count of your points and rewards, and sharing necessary information with participating stores to verify conversions. | usage data device data | Necessary for our legitimate interest in providing our services to our users and, where applicable, the performance of our contract with you. |
To send you promotional information through various marketing channels including email, social media, telephone, SMS, push notification, etc. about our services and our organisation, reviewing campaign performance and profiling information about interests known, observed or inferred for direct marketing purposes. For example, we may send you our update email or use your contact details to display relevant ads on Facebook or Instagram and other social media platforms or send you a push notification if you visit our premises or if you walk near a participating store. | user details usage data device data GPS location data email interaction data third party data | Where you signed up for our services or marketing or allowed us to send you push notifications, we will send you relevant information based on your consent and, where applicable, the performance of our contract with you. Where consent is not required at law, we may send you marketing communications based on our legitimate interest in sending you relevant promotions and satisfy your request. We will use your information for direct marketing purposes based on our legitimate interest in understanding your interests based on the information available to us and to provide you with relevant services and promotions. We may use cookies and similar technologies if you provided consent, and combine information with your user details and usage data for direct marketing purposes. |
Send you push notifications to welcome you at our premises, to inform you about relevant offers and to send you offers relevant to your location at our premises. | user details usage data device data third party data GPS location data | Where you signed up for our services or marketing or allowed us to send you push notifications, we will send you relevant information based on your consent and, where applicable, the performance of our contract with you. |
To send you notifications about matters relevant to your engagement with our services, such as events, surveys, changes in our terms, welcome you at our premises as described below, etc. | user details usage data GPS location data interaction data third party data | Service notifications are necessary for the performance of our contract with you. Other notifications are necessary for our legitimate interest in satisfying your requests, providing assistance with using our app and organising related business activities. |
Use your GPS location data to welcome you at our premises, to send you relevant offers, to record your visit for our customer loyalty reward programmes and to count conversions if you are at a participating store or if you requested an offer at the store or scanned a bar code. | GPS location data third party data | If you enable the functionality on your device, we will use the minimum necessary GPS location data in connection with our legitimate interest in providing our services and provide meaningful functionalities and, where applicable, the performance of our contract with you. |
Receive information from participating stores to verify your purchase if you scan a bar code at the store. | third party data | Necessary for our legitimate interest in providing our services to our users and, where applicable, the performance of our contract with you. |
We will use anonymised information including sex, age and other demographic information to create market reports and similar materials for statistical and commercial purposes. | anonymised data | Necessary for our legitimate interest in understanding the customer base, sharing market information, developing our services, exploring business opportunities and informing business decisions. |
To improve and develop our service functionality, including to: obtain user feedback and improve user experience; make services and features more relevant; conduct statistical analysis on usage data, device data and other data; use data to develop algorithms, software and other technologies; and work with third parties and evaluate data to improve and develop our services. | anonymised data | Necessary for our legitimate interest in developing and improving our services and business. |
To ensure proper administration of our business, including to: keep appropriate records; resolve complaints; conduct troubleshooting; and debt collection. | user details usage data device data interaction data email interaction data | Necessary for our legitimate interest in the proper administration of our business, dispute resolution, ensuring technical operation of our services and debt collection and as is necessary for compliance with our legal obligations. |
To share your information with our third party providers who facilitate the provision of our services and the fulfilment of essential service functions, such as hosting, cloud storage, analytics, advertising and marketing tools, plugins, communications providers, accounting or security tools and others. | all information necessary to enable the relevant service | Some are necessary for the performance of our contract with you, others are necessary for our legitimate interest in ensuring proper operation of our services and features. |
To monitor our networks, systems and services for suspicious activities, crime detection and prevention, testing, audit and deployment of security measures, including information from third parties who may alert us about suspicious activities. | user details usage data device data interaction data third party data | Necessary for our legitimate interest to ensure the security of our organisation, people and services and in detecting and preventing fraud and illegal conduct, ensuring that the information provided by you is accurate and as is necessary for compliance with our legal obligations. |
To share information for legitimate purposes within our offices and our group companies. | limited data necessary and proportionate to achieve our legitimate purposes | Necessary for our legitimate interest in using our group’s resources to organise, develop and deliver our services, run our organisation and decide on future strategies. |
To share data with a successor or partner legal entity in compliance with the law for the purposes of a joint venture, collaboration, financing, sale, merger, reorganisation or similar event relating to our business. | limited data necessary in connection with the transaction | Necessary for our legitimate interest in acting in the best interest of our shareholders and investors and complying with our legal obligations. |
To process information as is required for our compliance with the law or to establish, exercise or defend legal claims. To process and share information with other third parties where required by law, such as regulators, law enforcement agencies or where mandatory under a court order. | data necessary in connection with the legal requirement, proceedings or request | Where processing or sharing your data is necessary for compliance with a legal obligation to which we are subject, to establish, exercise or defend legal claims or, where appropriate and proportionate, in order to satisfy our legitimate interest in complying with best practice and applicable laws. |
7. Sharing your data
We will generally not share your information except with (i) our clients who are the participating stores, (ii) with our third party service providers, commercial partners and group companies for the purposes set out above, (iii) where we are compelled by law, and (iv) other third parties where you have provided your consent.
Google analytics & re-marketing – Our websites use Google analytics and Google’s re-marketing technology. This technology enables users who have already visited our online services and shown interest in our services to see targeted advertising on Google partner network websites. Likewise, users that are similar to the visitors of our websites can be addressed. The advertising will be displayed through the use of web cookies. Using cookies, the user behaviour on a website can be analysed and subsequently utilised to provide targeted product recommendations and advertising based on the user’s interests. If you would prefer to not receive any targeted advertising, you can deactivate the use of cookies for these purposes through Google. Alternatively, users can deactivate the use of cookies by third-party providers by visiting the Network Advertising Initiative’s deactivation website. Please note that Google has its own data protection policy, which is independent of our own. We assume no responsibility or liability for their policies and procedures. Please read Google’s privacy policy before using our websites. How Google uses data.
Facebook Pixel – Our website utilises the ‘Pixel’ service of Facebook Inc., 1601 S. California Ave., Palo Alto, CA 94304, USA (“Facebook”). This tool allows us to re-target users on Facebook after they have visited the London Designer Outlet site. It is also an analytics tool used to record the efficacy of Facebook advertisements for statistical and market research purposes. The collected data remain anonymous. This means that we cannot see the personal data of any individual user. However, the collected data is saved and processed by Facebook*. Facebook is able to connect the data with your Facebook account and use the data for their own advertising purposes, in accordance with Facebook’s Data Use Policy. You can revoke your permission at Facebook- website custom audiences.
(* Information accurate at the time of writing this statement.)
Targeted Advertising – We may make use of email address information to target online adverts using third party networks, that may be of interest to a subscriber who has provided their email address and has opted in to online marketing. Current promotional channels include Facebook and Google advertising network, where email addresses may be matched to an audience.
8. Third parties may process your data
Third party suppliers may be engaged as data sub processors, any suppliers that a relationship is entered into with will have the relevant safeguards in place. If you are based in the UK, we may transfer your information to one of our suppliers based within the EEA, which has been deemed by the UK to provide an adequate level of protection for individuals in relation to their personal data.
1. Name of the data transferee: Codilink DOOEL
Registered office of the data transferee: 8-mi Septemvri Blvd, 16 Hiperium Center, 2nd Floor, Skopje, 1000, North Macedonia.
Responsibilities in the course of the data processing: Skopje is the location of some of the Supplier’s support and engineering teams. These individuals will be able to access data to fulfill their roles.
2. Name of the data transferee: Codilink S.L.
The registered office of the data transferee: Avenida Diagonal, Entl. Esq, Barcelona, 08006, Spain.
Responsibilities in the course of the data processing: Some of the Supplier’s staff are located in Spain and may access data to fulfill their roles
3. Amazon Web Services
Personal Information is stored in AWS servers in data centres in Ireland (EU and ME clients). It can be accessed through the platform by platform users – restricted only to the accounts the users have access to, direct database access from the office or through VPN only for the data team and we have made available to Account Managers some spreadsheets that talk to the database that can only be accessed from the office or VPN. The instances are segregated completely, so data stored in the EU will be accessible only by people that have an account in the EU platform. Currently, there is no direct database access for anyone in the US.
9. How long is your personal data kept?
We will keep your personal data for as long as is necessary for the purposes listed above or longer, as may be required by law. Generally, the retention periods below will apply. You may contact us for further details or request deletion of your personal data at any time.
Category of personal data | Retention period |
user details | 1 year following account closure or earlier if no longer needed |
usage data, device data, interaction data | 6 years from collection or 1 year following account closure or earlier if no longer needed |
information from participating stores | 60 days except as required for billing purposes |
all other personal data | 6 years from collection or earlier if no longer needed. |
After the retention period, your personal data will either be securely deleted or anonymised and it may be used for analytical purposes. You must back up your data if you wish to keep it for longer.
10. How do we secure your personal data?
We maintain appropriate organisational and technological safeguards to help protect against unauthorised use, access to or accidental loss, alteration or destruction of personal data. We also seek to ensure our service providers do the same.
We have put in place procedures to deal with any suspected personal data breach and will notify you and the data protection authority of a personal data breach where required by law.
We will endeavour to use the least amount of personal data as is required for each purpose. We will employ pseudonymisation and anonymisation, where appropriate.
Our staff will access your personal data on a need to know basis.
11. Where is your personal data processed?
Generally, our data is held in the United Kingdom. However, we may transfer your personal data to our clients, group companies, suppliers and other third parties in countries different to your country of residence.
Where we transfer your personal data outside the European Economic Area (EEA) or the UK, we will only do so where we are satisfied that your data protection rights are adequately protected by appropriate technical, organisational and contractual safeguards in accordance with data protection laws. This means that we will only carry out such transfers of data where one of the following situations applies:
- Where the other country has been deemed, under an ‘Adequacy Decision’ by the EU or by the UK, to provide a data protection framework which guarantees broadly equivalent protections for the rights of individuals as in the EEA or in the UK.
- Where we have put in place ‘Standard Contractual Clauses’, as approved by the EU or the UK, with the overseas organisation receiving the data.
Where we share information with our clients who are the participating stores, we will do so on the basis of performance of our contract with you.
You may request further information on the measures used for the international transfers or access to your personal data from outside the EEA or the UK.
12. Your right to opt-out
If you would like us to stop sending you marketing communications and to process your personal data for direct marketing purposes, please let us know.
You can stop our communications at any time by clicking on the unsubscribe link at the bottom of the message.
13. Your data protection rights
Subject to certain exemptions, limitations and appropriate proof of identity, you will generally have numerous rights in relation to your personal data, including the following:
- Right to information about matters set out in this notice.
- Right to make an access request to receive copies of personal data.
- Right to rectification of any inaccurate or incomplete personal data.
- Right to withdraw consent previously provided.
- Right to object to our processing of personal data based on our legitimate interests, and any automated processing and profiling.
- Right to erasure of personal data, within limited circumstances.
- Restriction on the processing of personal data.
- Right to data portability from one service provider to another, where applicable.
- Right to lodge a complaint with your country’s data protection authority, such as the Information Commissioner’s Office.
All requests will be processed in a timely manner, generally within one month. If we cannot process your request within this period, we shall explain why and process it as soon as possible thereafter.
14. Contact us
If you have any queries or concerns about how we use your personal data please contact us via our supplier Realm, who manage the loyalty scheme and App, using the details below.
Email: [email protected]
Post: Realm, The Farmhouse, Farm Road, Street, Somerset BA16 0FB
15. Updates
If we make any changes to our notice you will be able to see them on this. You should regularly check for updates, as indicated by the “Last updated” date at the top.
If any such changes significantly affect you, we will ask for your prior consent where required by law. However, if you do not agree to the changes, please consider not using our content or services.