Last Updated On 4 January 2022
The Policy applies to visitors, users, suppliers, business contacts, third parties as well as employees and staff members (including applicants for a position as an employee, worker, apprentice or contractor) who use the GASTON app and the platform, in accordance with the UK General Data Protection Regulation (“UK GDPR”), DPA 2018 and all other mandatory laws and regulations of the United Kingdom.
We will not share personal data with third parties for them to use for their own marketing purposes without ensuring that there is a lawful ground to do so.
We will not sell your personal data to third parties.
What Information Do We Collect And Use?
We collect your information when you interact with us or use the GASTON app and Platform and Services, such as when you access our website and app to place an order. “Personal Data” identifies, relates to, describes, can be used to contact or could reasonably be linked directly or indirectly to you. Any reference to “information” or “data” in this policy is a reference to personal information about a living individual.
The full scope of the Personal Data we may collect, use, store and transfer has been grouped together below. Not all of the following types of data will necessarily be collected from you, but this is the full scope of the data that we collect and when we collect it from you. Categories of personal data we process are:
- Profile / Identity Data: This is data relating to your first name, last name, date of birth (when you purchase age restricted items), account setting and passwords.
- Contact Data: This is data relating to your phone number, email address, postal address.
- Marketing and Communications Data: This is your preferences in receiving marketing information and other information from us.
- Payment Data: This is information relating to your modes of payments, debit and credit card information as well as the name attached to your payment details and your billing address.
- Transactional Data: This is information of details and records of all payments you have made for our services and products.
- Technical Data: This is your IP address, browser type and version, time zone setting and location, operating system and platform and other technology on the devices you use to engage with us, NFT tags, QR Codes. Some of this data may be collected automatically if you use the service through your mobile device(s), via the GASTON mobile App, through your mobile’s browser or otherwise.
- Customer Communication Data: This includes communication you send to us, reviews, feedback and content including photos you upload.
- Usage Data: Information about how you use our website, products and services, activity logs including frequency of usage or when you contact us or provide us feedback, in writing, via email, phone or using our chat function.
- Preferences: This is your dining preferences, dining restrictions due to health-related conditions, and specific diet plans, favourite restaurants, restaurant types, meal types, special requests, cancellations and information provided to us via third-party platforms. We only process your health information about you where you volunteer and consent to this.
- Promotion Information: This includes information collected through your participation in contests, survey responses, sweepstakes or similar campaigns, or through your activity according to the terms provided during promotional activities.
- Employment / Recruitment Information: This is copies of your right to work documentation, National Insurance number, employment records, references, results of any tests (e.g. psychometric or other) included in the recruitment process, compensation history, information necessary to complete pre-employment security checks, CCTV footage if you attended our premises, details about your professional qualifications and education history as well as interview notes taken during and following interviews and other information included in CV or cover letter or as part of application process.
For the purpose of our business, we also collect what is known under the UK GDPR as special category Personal Data. We collect the following types of special Personal Data:
- Political Data: Information about race, or ethnicity, religious beliefs, sexual orientation and political opinions.
- Health Data: Information about health, including any medical conditions, health and sickness records that influence dietary requirements.
- Generic information and biometric data.
- Information about criminal convictions and offences.
Although many of our Products and Services require some personal information to operate and provide you with a particular Service or feature of that Service, you may choose not to provide some of the information described above. In such cases, you may not be able to use that Service or feature.
Legal Basis For Collecting Personal Data?
We will only process the data we collect about you if there is a reason for doing so and if that reason is permitted under the Data Protection Law. There are a number of justifiable reasons under the UK GDPR that allow collection and processing of Personal Data. We use your information to provide you with the service you have requested or to enter into a contract. You are not obliged to provide this information to us, but we may not be able to provide our services to you without your information. The main avenues we rely on are:
We collect your Personal Data when you opt in to relevant Services and features to:
- Communicate with you about your account or use of our Services, Products and/or functionality; respond to, or follow-up on, your comments and questions; and otherwise provide customer service;
- Send you marketing communications such as contests, offers, promotions, rewards, upcoming events and other news about Services and/or Products offered by NILA or our business partners, and other marketing communications that we believe you would be interested in;
- Process and manage your rewards and loyalty programs;
- Tailor your experiences with our Services, such as by making inferences or combining different pieces of information we have collected about you to suggest restaurants, meal choices, payment modes, etc you may be interested in;
- Provide you more relevant advertising on-and-off our Services, including near field loyalty programs.
We require certain personal information to authenticate your account credentials and identify you as necessary to log you into the services and ensure security of your account. We also use your personal data to provide Services to you in order to fulfil our contractual obligations and provide you with the promised service. This includes, but is not limited to:
- supplying the services you have requested and entering into a contract;
- enabling us to collect payment from you on behalf of our Partner Businesses;
- contacting you where necessary concerning our services, such as to resolve issues you may have with your order.
We are required by law to collect and process certain types of data, such as data relating to fraudulent activity or other illegal actions.
We might need to collect certain information from you to be able to meet our legitimate interests. This covers aspects that can be reasonably expected as part of running our business and that will not have a material impact on your rights, freedom or interests.
We aggregate personal information collected directly from you, information generated about you by us, and information obtained from our third-party partners (with your consent, where required) with personal information collected about other users in order to produce general statistics that cannot be linked to you or any other specific user. We also process information that cannot be linked to you or any other specific user using any means available to us, either because it was collected anonymously or has been subsequently anonymised. Information that is anonymous or has been anonymised or can be aggregated is no longer considered “personal information” and may be subsequently used for any purpose.
For special categories of data that we collect, the enhanced legal justification we rely on is:
- the data subject has given explicit consent to the processing of such Personal Data for one or more specified purposes (“Explicit Consent”);
- processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject (“Necessity”);
- processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which will be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject (“Research”).
Where Do We Get Our Information From?
Directly From You
When you visit or use our App, Platform, Website and other Services, we automatically collect certain information about your device (e.g. your mobile location, computer or tablet) including information about your hardware and software, device configuration and nearby networks. Such data may include data about your device identifiers, including region and language settings and information about domain servers and wireless or network access points near your device.
Usage And Performance
We automatically collect information about your usage, searches, interactions with features of our Services, sites or restaurant pages you visited, booking path, access times and performance of our Services.
Behavioural And Tracking Information
When you use our Products and Services, we automatically collect generic location information about you (such as city or neighbourhood) or, with your consent, precise geographic location data from your mobile device when the app is running and when it is not running, depending on the choices you make when you are asked to consent to our collection of location information. We also collect your behavioural patterns, personal preferences, IP-number, cookie identifiers, unique identifier of devices you use to access and use our Services and other features. For example, we may receive this information when you select restaurant search locations, enter your local dining city in your account profile, when you are in proximity to certain beacons, choose to publish your location in reviews you leave for restaurants on our Services, or in your comments or other communications with us.
We combine the information we collect, generate, or otherwise obtain to draw inferences about your preferences and interests in order to provide and personalise our key Product features and other related Services as well as tailor the offers we and our partners provide to you.
We may also receive certain categories of personal information from third parties, which include third-party websites, applications, social media networks, analytics providers such as Google, advertising networks, third-party publicly available platforms, and restaurants, including individuals who have added you as a guest to their reservation. If you are an existing NILA customer, we will combine this information with information we collect through our Services and use and share it for the purposes described below.
The categories of personal information we may obtain from third parties include:
- Contact information
- Preference information
- Social media data
- Purchase information, including from restaurants operating with NILA point-of-sale devices
- Information from restaurants.
Application And Recruitment Process
We collect your personal information, including information under “Special Categories”, through the application and recruitment process, either directly from the medium of your application on our career portal, or from an employment agency or background check provider. We may sometimes collect additional information from third parties, including from your former employers, credit reference agencies and other background check agencies.
Who Do We Share Your Information With?
The information we collect about you will be transferred to and stored on our servers located in the EU. We will only use your personal information when the law allows us to do so. We are always transparent about the information we collect and take the utmost care and diligence in determining who we share your information with. More specifically, we share the personal information we collect, or otherwise generate or obtain, as follows:
- With payment providers, which include, but are not limited to, online payment providers, payment id verification providers, fraud prevention agencies;
- With restaurants and their affiliates to provide Services such as connecting diners with their preferred restaurants, online reservations, sharing dining activity, history, preferences, requests, restrictions (including health-related dietary restrictions);
- With business partners for executing geo-targeted near field customer value management programs, marketing purposes including sharing with online advertisers or advertising technology (“ad tech”) companies to provide you with targeted advertising and marketing communications where permitted under law;
- With social networking services to connect and share your information publicly or with friends, or when you use our Services to connect with us on, share on, or use third-party social networking platforms and services;
- With restaurants when you submit reviews of your restaurant visits, your dining experiences, any messages and other communications you submit to restaurants;
- With third-party payment processors when you make payments at certain restaurants via our payment gateways, secure reservations, purchase tickets or other products and services via our services;
- With third-party vendors, consultants and other service providers who perform services or functions on our behalf;
- With a corporation if we sell, transfer, divest or disclose all or a portion of our business or assets to another company in connection with or during negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding;
- With third-parties to protect our rights, our property, the integrity of the Services we offer, personal safety or the interest of you or any other person, and to detect, prevent and/or otherwise address fraud, risk management, security or technical issues;
- With authorities to the extent we are under a statutory obligation to do so. Such authorities include tax authorities, police authorities, enforcement authorities and supervisory authorities in relevant countries. We may also be required to provide competent authorities information about your use of our services, e.g. revenue or tax authorities, as required by law, which may include personal data such as your name, address and information regarding card transactions processed by us on your behalf through your use of our services.
Some of the third parties that we share personal data with are data processors. A data processor is a party that processes personal data on our instructions and on our behalf. We collaborate with selected suppliers, which includes processing of personal data on our behalf. Examples include suppliers of IT development, maintenance, hosting and support, but also suppliers supporting us with marketing.
When we share your personal data with data processors we only share them for purposes compatible with the purposes for which we have collected the data (such as performance of a contract). We always control all data processors and ensure that they can provide adequate guarantees as regards security and confidentiality of personal data. We have written agreements in place with all data processors through which they guarantee the security and confidentiality of personal data that they process on our behalf and limitations as regards third country transfers.
Some of the third parties that we share personal data with are independent data controllers. This means that we are not the ones that dictate how the data that we provide shall be processed. Examples are authorities, credit bureaus, acquirers and other financial institutions. When your data is shared with independent data controllers their data policies and personal data processing principles apply.
Who Is Your Data Controller?
Full name: Dr. Yogesh Gupta
Postal address: 1 Wright Close, Bushey WD23 2FH
In discharging the responsibilities of the Data Controller, we have Processors who deal with your data on behalf of the Data Controller. Therefore, the responsibilities described below may be assigned to an individual, or may be taken to apply to the organisation as a whole. The Data Processor has the following responsibilities:
- Ensure that all processing of personal data is governed by one of the legal bases laid out in the UK GDPR;
- Ensure that persons authorised to process personal information have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing of personal information;
- Obtain the prior specific or general written authorisation of the Controller before engaging another Processor;
- Assist the Controller in the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights;
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in the UK GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller;
- Maintain a record of all categories of processing activities carried out on behalf of a Controller;
- Cooperate, on request, with the supervisory authority in the performance of its tasks;
- Ensure that any person acting under the authority of the Processor who has access to Personal Data does not process them except on instructions from the Controller;
- Notify the Controller without undue delay after becoming aware of a Personal Data Breach;
- Designate a data protection officer where required by the UK GDPR, publish their details and communicate them to the supervisory authority;
- Support the data protection officer in performing their tasks by providing resources necessary to carry out those tasks and access to Personal Data and processing operations, and to maintain his or her expert knowledge.
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
How Long Do We Store Your Personal Data?
In cases when we keep your data for other purposes than those of the performance of a contract, such as anti-money laundering purposes, bookkeeping and regulatory capital adequacy requirements, we keep the data only if necessary and/or mandated by laws and regulations for the respective purpose. The data retention obligations will differ subject to applicable local laws.
See below for examples of the retention periods that we apply:
- Preventing, detecting and investigating money laundering, terrorist financing and fraud: minimum five (5) years after termination of the business connection;
- Bookkeeping regulations: seven (7) years;
- Details on performance of an agreement: up to ten (10) years after end of customer relationship to defend against possible claims;
- Recorded telephone calls to our support: up to ninety (90) days from telephone call to support.
The above is only for explanatory purposes and the retention times may differ from country to country.
What Are Your Choices And Rights?
We might be the ones in the driver’s seat on the processing of your personal data when you use our websites or services. But that doesn’t mean that you can’t do anything about it. You have rights and they are important to us!
Generally, we believe you have the right to have your data processed only in accordance with your expectations. But you also have rights laid down by applicable law. Below you can read more about your rights, in the order we believe might be most relevant for you.
The rights we believe most relevant for you are:
- You have the right to receive a copy of the personal data we process about you. Please contact us on the details provided below to receive this data from us.
- You have the right to correct the personal data we process about you if you see that it is inaccurate.
- You have the right to object to our processing of your personal data. Please note that there are exceptions to the rights below, so access may be denied, for example where we are legally prevented from making a disclosure.
Right To Be Informed
Right of Access
You have the right to access the personal data that we hold about you. In this respect, you may receive a copy of the personal data that we hold about you. For any further copies, we reserve the right to charge a reasonable fee based on our administrative costs. To exercise this right, please contact us as set out below. Please note that much of the personal data that we process about you is available and visible for you in your personal NILA account.
This right means that you have a right to:
- Receive a confirmation about what personal data we process about you;
- Get access to your personal data, and
Please note that we might have to ask you to provide further information about yourself in order for us to be able to identify you and handle the request in an efficient and secure way. This may mean that we may require you to send in a copy of a valid ID, which we will also require you to sign.
Right to Rectification
We ensure that inaccurate or incomplete personal data is erased or rectified. You have the right to rectification of inaccurate or incomplete personal data that we hold about you.
Right to Be Forgotten
You have the right to erasure if:
- The personal data is no longer necessary for the purposes it was collected or processed for (and no new lawful purpose exists);
- Your particular situation gives you the right to object to processing on grounds of legitimate interest (see more below) and there is no justified reason for continuing the processing;
- The lawful basis for the processing is your consent, and you withdraw your consent, and no other lawful grounds exist;
- Processing the personal data has been unlawful, or
- There is a legal obligation for us to erase the data.
Please note that due to the fact that we provide financial services which are subject to a license, we are in many cases obliged to retain personal data on you during your customer relationship, and even after that, e.g. to comply with a statutory obligation or where processing is carried out to manage legal claims. This means that we will keep any KYC data that we have about you for such time period as we are required to according to applicable anti-money laundering regulations.
Right to Restrict the Processing of Your Personal Data
You have the right to request us to restrict the processing of your data (meaning that the personal data may only be held by us and may only be used for limited purposes) if:
- The personal data we have about you is inaccurate;
- The processing is unlawful and you ask us to restrict the use of the personal data instead of erasing it;
- We no longer need the personal data for the purposes of the processing, unless we still need it for the establishment, exercise or defence of legal claims, or
- You have objected to the processing claiming that the legal basis of legitimate interest is invalid and are waiting for the verification of this claim.
Right to Object to Processing of Your Personal Data
Where our lawful basis for processing your data is our legitimate interests, you have the right to object to the processing of your data if:
- You can show that your interests, rights and freedoms regarding the personal data outweigh our interest to process your personal data, or
- We process your personal data for direct marketing purposes, including but not limited to profiling.
This means that we will cease such processing unless we:
- Demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or
- Require the personal data in order to establish, exercise or defend legal rights.
Right To Data Portability
You have the right to data portability:
- For personal data that you provided to us, and
- If the legal basis for the processing of the personal data is the fulfilment of contract or consent.
We will send a copy of your data in a commonly used and machine-readable format to you or a person/organisation appointed by you, where technically feasible and where the exercise by you of this right does not adversely affect the rights and freedoms of others.
Your account information will be protected by a password for your privacy and security. You need to prevent unauthorised access to your account and personal information by selecting and protecting your password appropriately and limiting access to your computer or device by signing off after you have finished accessing your account.
California Privacy Rights: Under California Civil Code sections 1798.83-1798.84, California residents are entitled to ask us for a notice identifying the categories of personal customer information which we share with our affiliates and/or third parties for marketing purposes and providing contact information for such affiliates and/or third parties. If you are a California resident and would like a copy of this notice, please submit a written request to email@example.com.
What About Cookies?
Cookies are text files placed on your computer to collect standard internet log information and visitor use of the website and to compile statistical reports on website activities. You may set your browser not to accept cookies. However, in a few cases some of our website features may not function as a result.
What About Links To Third-party Websites And Services?
What Are the Age Limits to Access Our Services?
Our Services are not directed at or intended for use by children. We do not knowingly collect information from children under 16 years of age. This website is not intended for children and we do not knowingly collect data relating to children. If you become aware that your child or any child under your care has provided us with information without your consent, please contact us using the contact details listed in the How to Contact Us section below.
How May We Change the Policy?
How to Contact Us?
If you have any questions about this Policy or the way in which your personal information has been used, please contact us: by email at firstname.lastname@example.org
or write to us at: NILA Technology Limited – Data Protection Officer
1 Wright Close, Bushey WD23 2FH, Hertfordshire, UK