HuYu Privacy Notice
Last Updated: 21 December 2020
We recommend that you read this Privacy Notice in full to ensure you are fully informed. However,
if you only want to access a particular section of this Privacy Notice, then you can click on
the relevant link below to jump to that section.
1.What is this privacy notice about?
2.What does dunnhumby do?
3.What is Huyu?
4.What data do we collect?
5.How we use your data and the legal basis for processing it
6.Who does dunnhumby share my data with?
7.How does dunnhumby share my data?
8.How does dunnhumby keep my data secure?
9.International data transfers
11.Minimum age of HuYu users
12.Your data protection and privacy rights
13.Updates to this Privacy Notice
14.How to contact us
1. What is this privacy notice about?
1.1 HuYu is an Android and iOS app owned and operated by dunnhumby Limited. dunnhumby Limited
(referred to in this Privacy Notice as "dunnhumby", "we",
or "us") respects your right to privacy. This Privacy Notice explains who we
are, how we collect, share and use personal data about you (referred to in the Privacy Notice as
"data"), as a user of HuYu, and how you can exercise your privacy
rights in relation to your use of HuYu. In this Privacy Notice we will refer to you as a
"user", " you" or "your".
1.2 This Privacy Notice applies to data that we collect via the HuYu Android and iOS app and
the HuYu desktop web browser data capture extension ("HuYu Snapshot").
Together, simply "HuYu". dunnhumby is the controller of the data
processed by HuYu that means we are responsible for making decisions about how your data
will be processed.
1.3 If you have any questions or concerns about our use of your data, then please contact us
using the contact details provided at section 14 of this Privacy Notice.
2. What does dunnhumby do?
2.1 dunnhumby is a consumer data science company, headquartered in the UK but with group
companies all around the world. Our products and services help retailers and brands analyse
data in order to improve consumer experiences and build loyalty.
2.2 For more information about dunnhumby and the services we provide, please see the
"About us" section of our website at https://www.dunnhumby.com/about-us.
3. What is Huyu?
HuYu enables you to receive rewards for sharing your data with HuYu. You can earn points for
scanning or forwarding grocery receipts, completing surveys and sharing web browsing data. These
points can be turned into vouchers for shopping, eating out, and other treats – you can chose
from a wide range of major brands. Rewards are managed by one of our trusted suppliers – see
section 6 for more details. HuYu is a simple and easy way to make your data work for you.
4. What data do we collect?
Data that you provide voluntarily as a user of HuYu
4.1 We will collect the following data from you when you sign up and use HuYu:
- Data about you – you need to be 18 or over and live in the UK to use HuYu so,
before you start using HuYu, we will ask you to confirm that you are 18 or over and that
you live in the UK;
- Your email address if you choose to sign up to HuYu using your email address, we
will collect your email address;
- Data about you from Facebook – if you choose to sign up to HuYu using Facebook,
we will ask you if you're happy for us to access and use the data in your public profile
on Facebook. Specifically, we will use your name, profile picture and email address or
phone number. You can find out more about the ways in which Facebook uses your data and
how you can control the data which Facebook collects and uses about you at
don't sign in to HuYu for more than 90 days, you may be asked to reconfirm
you're happy for us to access and use the data in your public profile on
- Data about you from Google – if you choose to sign up to HuYu using your Google
account, we will ask you if you're happy for us to access and use the data in your
public profile on your Google account. Specifically, we will use your name and email
address. You can find out more about the ways in which Google uses your data and how you
can control the data which Google collects and uses about you at
https://policies.google.com/privacy . If
you don't sign in to HuYu for more than 90 days, you may be asked to reconfirm you're
happy for us to access and use the data in your public profile on your Google
- Data about you from Apple – if you choose to sign up to HuYu
using your Apple
account, we will ask you if you're happy for us to access and use the email address
registered to your Apple account. You can find out more about the ways in which Apple
uses your data and how you can control the data which Apple collects and uses about you
at https://www.apple.com/privacy/ . If you
don't sign in to HuYu for more than 90 days, you may be asked to reconfirm you're
happy for us to access and use the email address registered to your Apple
- Paper Receipt details – if you choose to share receipts
with us through HuYu, we
will receive the data on those receipts which may include any of the following data:
total spend, total number of items, individual product descriptions, individual
offers (e.g. 3 for 2 or 10% off), name of store, address of store or website, date
and time of
receipt or loyalty card number;
- Email Receipt ("e-receipt") details – if you choose to forward your e-receipts to
us through HuYu, we will receive the data on those receipts which may include the data
described in the 'Paper Receipt' section above and the additional data in the
email such as your email address, name and delivery address;
- Survey and feedback responses – your responses to online surveys or feedback
- Web browser history – when invited, you can choose to send a one-off snapshot of
your web browser history from the last 90 days using the HuYu desktop web browser data
capture extension (" HuYu Snapshot"). When you use HuYu Snapshot, we collect the
following data from your computer web browser and any browsers on other computers or
mobile devices you have synched with your computer web browser: website address; title
of website; time of visit; and means by which you got to the
website e.g search engine. HuYu Snapshot only collects data about websites in
whitelisted categories, like shopping and sport. We will never intentionally use
information obtained from HuYu Snapshot to infer sensitive data about you and HuYu
Snapshot never seeks to collect data about your physical or mental health,
sexuality, religion or political affiliations, or adult content nor any key strokes,
usernames, passwords, private or incognito browsing data, or email or messaging
content. You can request the full list of whitelisted
categories about which HuYu Snapshot collects data by emailing us at
- Phone number – if you opt-in to take part in a focus group or to participate in
feedback sessions, we may request your phone number in order to contact you;
- Things you tell us – if you have any questions about your HuYu account or are
having trouble using HuYu, our customer service and support team will be happy to help
you. We will need to keep a record that you contacted us and
how we helped you. We'll also use data from messages to the helpdesk to make HuYu
better for you and other HuYu users.
4.2 We will never seek to collect or process any special category data. This is data about you
which the law says is sensitive and includes data about your physical or mental health or
condition, sexuality, religion, political affiliations – you can find a full list at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/special-category-data/).
We will never intentionally use information obtained from information you provide us (especially
receipts you have uploaded) to infer sensitive information about you. If you have any
concerns that the products you purchase and shown on your receipts risk evidencing sensitive
about you , please don't scan the receipt into HuYu.
4.3 As we don't have control over what you choose to scan or share using HuYu, you might
choose to provide an image to us that contains data which directly identifies you (e.g. your
name or your address might be in an e-receipt you send to us). This data will not be used by
us and will be deleted as described in section 10.
Data that we collect automatically
4.4 We automatically collect data about how and when you use HuYu, and data about your personal
device, including smartphones and tablets. Some of this is essential (because HuYu wouldn't
work without it) and some of this is to help us improve HuYu. We collect the following data
- Data about how and when you use HuYu:
- your IP address;
- logs of when you downloaded HuYu, when you registered, when you used it, how long
you used it for, how many times you scanned receipts, how many times you took part
in surveys, and the features of HuYu that you use and don't use;
- whether you signed up using your email address, Facebook, Google or Apple account;
- your profile photo, username and email address if you sign up using your Facebook,
Google or Apple account;
- the version of the HuYu app you are using, and if it's visibly open, or running in the
- the app store you installed HuYu from and app store referral data on how you
navigated to HuYu; and
- interactions with advertisements for HuYu.
- Data about the device you use HuYu on:
- device brand and model (for example, Apple iPhone 12 Pro Max);
- device Mobile Advertising ID (AdID for Android devices and IDFA for Apple devices);
- device operating system (iOS or Android); and
- ther technical information about your device including any crash logs (these are
sent to us when HuYu breaks or stops working).
We automatically collect and process the above data through third-party service
provider tracking technology – as you download, register and interact with HuYu,
our third-party service providers Appsflyer and Google Analytics for Firebase, will
automatically collect and process some of the information described above using tracking
technology. See section 6 for more information about our third-party service providers.
- HuYu Snapshot use data:
- browser name and version of the web browser you use to install HuYu Snapshot.
Data that we obtain from publishers
4.5 When working with publishers as described in 5.1(g) below, we will obtain from them:
- The fact that you are a customer of the publisher we are working with.
- Ad exposure data, which tells us the adverts you have been shown on the publisher's media.
5. How we use your data and the legal basis for processing it
5.1 We use your data to do the following things and, unless we say something different below,
our legal basis for processing your data is given by your consent:
- To register you as a HuYu user - we do this to perform the contract we have with you;
- To create aggregated insights, segmentations and models about HuYu user's
preferences, opinions and shopping behaviour. This involves
combining the data about all HuYu users so that we can identify trends and patterns
of behaviour. When we do this, we may analyse the data of all HuYu users or just
segments of HuYu users. As part of this process, your data will be anonymised so the
recipient of the insights, segmentations and models cannot identify you. These
reports only ever include insights about all HuYu users or segments of HuYu users,
- To match receipts uploaded in HuYu to our retail client's transaction data to improve
the accuracy of HuYu product data;
- To identify HuYu users in our client's audience or
customer databases, which allows us to understand the value of HuYu data to our
clients. We do this using a secure third-party data matching tool which allows us to
identify individuals who are common to two databases without directly transferring
any identifiable data to our clients;
- To increase the reach and relevance of our client's
targeted advertising campaigns by identifying individuals in our client's audience
or customer databases who share similar characteristics with segments of HuYu users
and serving advertisements to those individuals;
- o target you with relevant advertisements via HuYu and on other organisation's
online and offline media channels, including TV and radio,
podcasts, social media, online news media and, print and digital newspapers or
- To measure the effectiveness of advertising campaigns executed by brands, retailers and
publishers by analysing changes in shopping behaviour of HuYu users who have seen a
particular advertisement and those who have not;
- To enhance our client's audience or customer
databases. We do this by identifying the attributes common to particular segments of
HuYu users and applying these attributes to similar segments of individuals in our
- To provide our clients with aggregated and anonymised sales and other market data on a
continuous basis, to enable them to create their own insights and reports to better
understand market trends;
- To understand your interests by analysing your online behaviour i.e. the websites you
visit and how you spend your time online, based on web browser history data you share
with us using HuYu Snapshot. The data helps our clients understand the best ways to
communicate with their customers – we do this only if you have given your explicit
consent to share this data with us through HuYu Snapshot;
- To issue your points and facilitate points redemption. We also keep a record of points
redemption (including the date on which you exchanged your points, the number of points
you exchanged, the reward you selected and the date on which your reward was sent to
you) – we do this to perform the contract we have with you;
- To understand and track how users interact with HuYu so we can improve your user
experience and develop new features and functions based on how you and other users are
- To invite you to take part in HuYu surveys that will be of interest to you, analyse your
responses and create aggregated insights. When we do this, we look at all HuYu
user's responses together or segments of users, not
- To invite you to take part in HuYu surveys which are requested by our clients. We will
analyse your responses, create aggregated insights and share these insights with our
- To invite you to take part in HuYu focus groups and feedback sessions;
- To respond to your questions or comments – we do this to perform the contract we have
- To send you emails, for example to let you know about new HuYu features or surveys, to
remind you about HuYu activities or request feedback – we do this if you have given your
consent to receiving these communications;
- To send you notifications, for example to let you know about new HuYu features or
surveys, to remind you about HuYu activities or request feedback – we rely on a
'soft opt-in' to send you these so you will receive these if you have not opted out e.g.
via the notifications page and via your device settings;
- To send you service communications to let you know about something important relating to
HuYu or your use of HuYu, for example we may need to notify you about issues
we're experiencing with the app, essential updates or
– we do this to perform the contract we have with you and to comply with a legal
- To take the appropriate steps if you violate the HuYu Terms and Conditions; and/or
- To take action against you if you do something illegal – we do this to
comply with a legal obligation.
5.2 If you have questions about or need further information concerning the legal basis on
which we collect and use data about you, please contact ususing the details in section 14.
6. Who does dunnhumby share my data with?
6.1 We will share your data with:
- our group companies who operate around the world to help us make HuYu available to you
or to create and deliver insights to our clients;
- our clients who include retailers, brands, publishers and media outlets; financial
institutions; and business and market insights companies, who operate online and/or in
- our trusted service providers who help us provide HuYu, for example by hosting it,
enabling certain features or functionality, or by providing ancillary services such as
data matching and analytics, data storage, support and maintenance or security
technology. The main service providers that we use for HuYu are:
- Survey Monkey provides HuYu's survey
- AppsFlyer provides mobile attribution and marketing analytics;
- Service providers who fulfil the rewards available on HuYu, currently Tango
- ResearchBods is our community manager and helpdesk provider;
- Hitachi Vantara provides app development and app operations support;
- InfoSum provides data matching services; and
- Google provides the following services:
- Cloud Platform which is the cloud data storage platform that HuYu uses;
- Big Query which is our cloud data warehouse for analytics; and
- Firebase (including the following Firebase features: Authentication, Firebase
Analytics, Cloud Messaging, Cloud Functions, Administration Console and Storage)
which we use for app development.
Some of our trusted service providers may automatically collect data about how
you use their services. You can find out more about the ways in which they will
use your data and how you can control the data they collect and uses here:
- Appsflyer: https://www.appsflyer.com/privacy-policy/;
- Survey Monkey: https://www.surveymonkey.com/mp/legal/privacy-policy/;
- Tango Card: https://www.tangocard.com/privacy-policy;and
- Google: https://policies.google.com/technologies/partner;
- any competent law enforcement body, regulatory, government agency, court or other third
party where we believe we need to share it (i) because the law or regulations requires
us to, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your
vital interests or those of any other person; and
- a potential buyer (and its agents and advisers) in connection with any proposed
purchase, merger or acquisition of any part of our business, provided that we inform the
buyer it must use your data only for the purposes disclosed in this Privacy Notice.
7. How does dunnhumby share my data?
7.1 We share your data in the following formats:
- in an aggregated format: we share insights, segmentations and models derived from your
data and the data of other HuYu users, removing any individual identifiers, with our
- in a pseudonymised format: we share your data linked to an identifier that allows our
clients to do their own analysis of the data we collect across multiple HuYu users, or
use it to do further analysis of the aggregated data we have provided them. When we do
this the recipients will not be able to identify you from this data.
- in an identifiable format: we share your data with our trusted data matching service
provider at an individual level with a pseudonymous identifier (as in (b) above). The
pseudonymous identifier can be used by our data matching service provider and selected
clients to identify if you appear in both our and our clients' customer
8. How does dunnhumby keep my data secure?
8.1 We use appropriate technical, physical and organisational measures to protect your data. The
measures we use are designed to provide a level of security appropriate to the risk of
processing your data.
8.2 Specific measures we take include:
- using surrogate identifiers in place of your personal identifiers when processing your
personal data internally and applying strict access controls to your personal identifier
which permit access only where this is absolutely necessary;
- applying encryption methods to your identifiable data (including your first
name, surname, email address and device ID) both when we store
your data on our internal databases and when we need to transfer it to a third party
or internally, with access to the key that allows this encrypted data to be unlocked
being strictly controlled and only shared where absolutely necessary;
- ensuring we have appropriate firewalls in place;
- providing data protection training to our staff;
- regularly monitoring our systems for possible vulnerabilities and attacks, and carrying
out penetration testing to identify ways to further strengthen security;
- asking for proof of identity (where appropriate) before we share your personal data with
- restricting employee access to your data on a need to know basis and requiring that
employees always treat your data as confidential and comply with our data protection
policies and procedures; and
- when we share your data with the other organisations referred to in section 6, we will
put appropriate safeguards in place to protect your data including putting contracts in
place and making sure that they treat your data confidentially.
9.International data transfers
9.1 The data we hold about you is stored using Google Cloud Platform's servers in Belgium.
9.2 Our group companies and third-party service providers operate around the world. As a
your data may be transferred to, and processed in, countries other than the country you are
These countries may have data protection and privacy laws that are different to the laws of
country and, in some cases, may not be as protective.
9.3 We have taken appropriate safeguards so that your data is protected in the way we've
explained in this Privacy Notice. These include implementing the European Commission's
Standard Contractual Clauses for transfers of data between our group companies, which
all group companies to protect data they process from the EEA in accordance with European
data protection and privacy law. If you're wondering what the EEA is, it's each country
in the European Union plus Norway, Iceland and Liechtenstein.
9.4 If you would like to see our Standard Contractual Clauses, please contact us using the
details in the How to Contact Us section below and we would be happy to provide a copy. We
similar safeguards in place with our third-party service providers and partners, if you
like further details about these, please contact us (see section 12).
10. Data retention
10.1 We will retain your data as follows:
- "Account Information" (your email address; the method you use to sign up and sign
in to HuYu; and if you signed up using Facebook or Google, your profile picture and user
name (in the case of Facebook) and your user name (in the case
of Google) will be retained
indefinitely, unless you become a Lapsed User (see paragraph
10.2) as we define that below) or you ask us
to delete your HuYu account. If you ask us to delete your account, your
Account Information will be deleted within 30 days and all other data will
be anonymised so you cannot be identified from it;
- Receipt scans and e-receipts will be retained for seven days from the
time which you provided them to us. We will retain the data we
extract from receipts and e-receipts in accordance with
paragraph (d) below;
- Your phone number , if you have given us this for the
purposes of participating in a focus group or feedback session, will be retained only
for the period necessary for the purposes of arranging the focus group or feedback
session you have opted in for. Unless you request that we delete it earlier, your phone
number will be deleted within 30 days after the focus group
or feedback session has taken place; and
- All other data that can be linked to you will be retained for five years from the
date you provided it to us and then deleted. Data about you
that has been mixed with other HuYu users' data, so that you cannot be separately
identified, will be retained indefinitely.
10.2 If you haven't logged in to HuYu for 2 years, we will deem you a " Lapsed
User". Within 30 days we will close your HuYu account, delete your Account
Information and anonymise all other data so you cannot be identified from it.
10.3 There are circumstances where the law allows us to retain your data beyond the periods
out in this section 10, such as where the law requires us to keep a copy of your data or
we may need it to bring a claim or to defend ourselves against a claim. In such
will extend the retention periods specified for as long as required and will delete it
11. Minimum age of HuYu users
HuYu is for people who are 18 or over. If you are under 18, please do not download or use
12. Your data protection and privacy rights
12.1 When you use HuYu, we will use your data as explained in this Privacy Notice, but you
always have the following rights over your personal data:
- You can access, correct, update or request deletion of your data, by contacting
us using the details provided under the "How to contact us" (see section 14). If
for any reason, you wish to close your HuYu account, contact us using the details in
section 12 below, so that we can delete your Account Information.
- You can object to processing of your data, ask us to restrict processing
of your data or request portability of your data. Again, you can exercise these
rights by contacting us using the details in section 14 below. Please note, certain
features and the third-party service provider tracking technology used by Firebase and
Appsflyer cannot be turned off for individual users so you will need to cease use of
HuYu if you wish to exercise your right to object to processing or restrict processing
carried out through the relevant feature or tracking technology.
- You have the right to opt-out of marketing communications we send you at any
time. You can exercise this right as follows:
- Notifications: by switching off notifications via your device settings and
via the Notifications sections of your account. The device settings override in-app
settings so, if you switch off in-app but not via your device settings, you will
still receive notifications.
- Emails: by switching off the toggle in the Notifications sections of your
account or by clicking on the "unsubscribe" link in the marketing e-mails we send
- Where we use your data with your consent, then you can withdraw your consent at
any time. If you withdraw your consent, this means that we can't use your data for that purpose any longer, unless we have
another lawful ground for us to use it (for example, service communications). It
also won't affect our use of your data before you
withdrew your consent.
- You can complain to an information authority about the way we have used your
data. For more information, please contact your local authority. Contact details for
authorities in the European Economic Area, Switzerland and certain non-European
countries (including the US and Canada) are available at
12.2 We will respond to any request which you send to us and we will manage your request in
accordance with applicable laws.
13. Updates to this Privacy Notice
13.1 We want HuYu to get bigger and better and for you to get more out of HuYu in the future,
we will introduce more features. As HuYu evolves, we may collect more data about you and we
use your data in different ways – we will always be completely transparent with you about
data we collect and what we will do with it – we will update this privacy notice as we
new features where they change the data we collect about you or the way we use it.
13.2 We will also update this Privacy Notice as things change around us – this may be due to
change in law, a change in technology – or it may be due to change in our business.
13.3 When we update our Privacy Notice, we will take appropriate measures to inform you,
consistent with the significance of the changes we make, and we will obtain your consent to
material Privacy Notice changes if and where this is required by law.
13.4 You can see when this Privacy Notice was last updated by checking the "last
updated" date displayed at the top of this Privacy Notice.
14. How to contact us
14.1 If you have any questions or concerns about our use of your data, please contact our
Protection Officer using the following details: firstname.lastname@example.org. The
controller of your data is dunnhumby Limited. If you have any concerns or would like to make
complaint to the Information Commissioner's Office, which is the UK regulator responsible
for data protection issues, you can contact them using these details: https://ico.org.uk/make-a-complaint/.