HuYu Privacy Notice

Version 6

Last Updated: 21 December 2020

Quick links

We recommend that you read this Privacy Notice in full to ensure you are fully informed. However, if you only want to access a particular section of this Privacy Notice, then you can click on the relevant link below to jump to that section.

1. What is this privacy notice about?

2. What does dunnhumby do?

3. What is HuYu?

4. What data do we collect?

5. How we use your data and the legal basis for processing it

6. Who does dunnhumby share my data with?

7. How does dunnhumby share my data?

8. How does dunnhumby keep my data secure?

9. International data transfers

10. Data retention

11. Minimum age of HuYu users

12. Your data protection and privacy rights

13. Updates to this Privacy Notice

14. How to contact us


1. What is this privacy notice about?

1.1 HuYu is an Android and iOS app owned and operated by dunnhumby Limited. dunnhumby Limited (referred to in this Privacy Notice as "dunnhumby", "we", "our" or "us") respects your right to privacy. This Privacy Notice explains who we are, how we collect, share and use personal data about you (referred to in the Privacy Notice as "data"), as a user of HuYu, and how you can exercise your privacy rights in relation to your use of HuYu. In this Privacy Notice we will refer to you as a "user", "you" or "your".

1.2 This Privacy Notice applies to data that we collect via the HuYu Android and iOS app and the HuYu desktop web browser data capture extension ("HuYu Snapshot") (together, simply "HuYu"). dunnhumby is the controller of the data processed by HuYu, which means we are responsible for making decisions about how your data will be processed.

1.3 If you have any questions or concerns about our use of your data, then please contact us using the contact details provided at section 14 of this Privacy Notice.

2. What does dunnhumby do?

2.1 dunnhumby is a consumer data science company, headquartered in the UK but with group companies all around the world. Our products and services help retailers and brands analyse data in order to improve consumer experiences and build loyalty.

2.2 For more information about dunnhumby and the services we provide, please see the "About us" section of our website at https://www.dunnhumby.com/about-us.

3. What is HuYu?

HuYu enables you to receive rewards for sharing your data with HuYu. You can earn points for scanning or forwarding grocery receipts, completing surveys and sharing web browsing data. These points can be turned into vouchers for shopping, eating out, and other treats – you can choose from a wide range of major brands. Rewards are managed by one of our trusted suppliers – see section 6 for more details. HuYu is a simple and easy way to make your data work for you.

4. What data do we collect?

Data that you provide voluntarily as a user of HuYu

4.1 We will collect the following data from you when you sign up and use HuYu:

  1. Data about you – you need to be 18 or over and live in the UK to use HuYu so, before you start using HuYu, we will ask you to confirm that you are 18 or over and that you live in the UK;
  2. Your email address – if you choose to sign up to HuYu using your email address, we will collect your email address;
  3. Data about you from Facebook – if you choose to sign up to HuYu using Facebook, we will ask you if you're happy for us to access and use the data in your public profile on Facebook. Specifically, we will use your name, profile picture and email address or phone number. You can find out more about the ways in which Facebook uses your data and how you can control the data which Facebook collects and uses about you at https://en-gb.facebook.com/policy.php. If you don't sign in to HuYu for more than 90 days, you may be asked to reconfirm you're happy for us to access and use the data in your public profile on Facebook;
  4. Data about you from Google – if you choose to sign up to HuYu using your Google account, we will ask you if you're happy for us to access and use the data in your public profile on your Google account. Specifically, we will use your name and email address. You can find out more about the ways in which Google uses your data and how you can control the data which Google collects and uses about you at https://policies.google.com/privacy. If you don't sign in to HuYu for more than 90 days, you may be asked to reconfirm you're happy for us to access and use the data in your public profile on your Google account;
  5. Data about you from Apple – if you choose to sign up to HuYu using your Apple account, we will ask you if you're happy for us to access and use the email address registered to your Apple account. You can find out more about the ways in which Apple uses your data and how you can control the data which Apple collects and uses about you at https://www.apple.com/privacy/. If you don't sign in to HuYu for more than 90 days, you may be asked to reconfirm you're happy for us to access and use the email address registered to your Apple account;
  6. Paper Receipt details – if you choose to share receipts with us through HuYu, we will receive the data on those receipts which may include any of the following data: total spend, total number of items, individual product descriptions, individual product price, offers (e.g. 3 for 2 or 10% off), name of store, address of store or website, date and time of receipt or loyalty card number;
  7. Email Receipt ("e-receipt") details – if you choose to forward your e-receipts to us through HuYu, we will receive the data on those receipts which may include the data described in the 'Paper Receipt' section above and the additional data in the email such as your email address, name and delivery address;
  8. Survey and feedback responses – your responses to online surveys or feedback requests;
  9. Web browser history – when invited, you can choose to send a one-off snapshot of your web browser history from the last 90 days using the HuYu desktop web browser data capture extension ("HuYu Snapshot"). When you use HuYu Snapshot, we collect the following data from your computer web browser and any browsers on other computers or mobile devices you have synched with your computer web browser: website address; title of website; time of visit; and means by which you got to the website, e.g. search engine. HuYu Snapshot only collects data about websites in whitelisted categories, like shopping and sport. We will never intentionally use information obtained from HuYu Snapshot to infer sensitive data about you and HuYu Snapshot never seeks to collect data about your physical or mental health, sexuality, religion or political affiliations, or adult content nor any key strokes, usernames, passwords, private or incognito browsing data, or email or messaging content. You can request the full list of whitelisted categories about which HuYu Snapshot collects data by emailing us at individualrights@dunnhumby.com;
  10. Phone number – if you opt-in to take part in a focus group or to participate in feedback sessions, we may request your phone number in order to contact you;
  11. Things you tell us – if you have any questions about your HuYu account or are having trouble using HuYu, our customer service and support team will be happy to help you. We will need to keep a record that you contacted us and how we helped you. We'll also use data from messages to the helpdesk to make HuYu better for you and other HuYu users.

4.2 We will never seek to collect or process any special category data. This is data about you which the law says is sensitive and includes data about your physical or mental health or condition, sexuality, religion, political affiliations (you can find a full list at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/special-category-data/). We will never intentionally use information obtained from information you provide us (especially receipts you have uploaded) to infer sensitive information about you. If you have any concerns that the products you purchase and that are shown on your receipts risk evidencing sensitive data about you, please don't scan the receipt into HuYu.

4.3 As we don't have control over what you choose to scan or share using HuYu, you might choose to provide an image to us that contains data which directly identifies you (e.g. your name or your address might be in an e-receipt you send to us). This data will not be used by us and will be deleted as described in section 10.

Data that we collect automatically

4.4 We automatically collect data about how and when you use HuYu, and data about your personal device, including smartphones and tablets. Some of this is essential (because HuYu wouldn't work without it) and some of this is to help us improve HuYu. We collect the following data automatically:

  1. Data about how and when you use HuYu:
    1. your IP address;
    2. logs of when you downloaded HuYu, when you registered, when you used it, how long you used it for, how many times you scanned receipts, how many times you took part in surveys, and the features of HuYu that you use and don't use;
    3. whether you signed up using your email address, Facebook, Google or Apple account;
    4. your profile photo, username and email address if you sign up using your Facebook, Google or Apple account;
    5. the version of the HuYu app you are using, and if it's visibly open, or running in the background;
    6. the app store you installed HuYu from and app store referral data on how you navigated to HuYu; and
    7. interactions with advertisements for HuYu.
  2. Data about the device you use HuYu on:
    1. device brand and model (for example, Apple iPhone 12 Pro Max);
    2. device Mobile Advertising ID (AdID for Android devices and IDFA for Apple devices);
    3. device operating system (iOS or Android); and
    4. other technical information about your device including any crash logs (these are sent to us when HuYu breaks or stops working).

    We automatically collect and process the above data through third-party service provider tracking technology – as you download, register and interact with HuYu, our third-party service providers Appsflyer and Google Analytics for Firebase, will automatically collect and process some of the information described above using tracking technology. See section 6 for more information about our third-party service providers.

  3. HuYu Snapshot use data:
    1. browser name and version of the web browser you use to install HuYu Snapshot.

Data that we obtain from publishers

4.5 When working with publishers as described in 5.1(g) below, we will obtain from them:

  1. The fact that you are a customer of the publisher we are working with.
  2. Ad exposure data, which tells us the adverts you have been shown on the publisher's media.

5. How we use your data and the legal basis for processing it

5.1 We use your data to do the following things and, unless we say something different below, our legal basis for processing your data is given by your consent:

  1. To register you as a HuYu user - we do this to perform the contract we have with you;
  2. To create aggregated insights, segmentations and models about HuYu users' preferences, opinions and shopping behaviour. This involves combining the data about all HuYu users so that we can identify trends and patterns of behaviour. When we do this, we may analyse the data of all HuYu users or just segments of HuYu users. As part of this process, your data will be anonymised so the recipient of the insights, segmentations and models cannot identify you. These reports only ever include insights about all HuYu users or segments of HuYu users, not individuals;
  3. To match receipts uploaded in HuYu to our retail client's transaction data to improve the accuracy of HuYu product data;
  4. To identify HuYu users in our client's audience or customer databases, which allows us to understand the value of HuYu data to our clients. We do this using a secure third-party data matching tool which allows us to identify individuals who are common to two databases without directly transferring any identifiable data to our clients;
  5. To increase the reach and relevance of our client's targeted advertising campaigns by identifying individuals in our client's audience or customer databases who share similar characteristics with segments of HuYu users and serving advertisements to those individuals;
  6. To target you with relevant advertisements via HuYu and on other organisations' online and offline media channels, including TV and radio, podcasts, social media, online news media, and print and digital newspapers or magazines;
  7. To measure the effectiveness of advertising campaigns executed by brands, retailers and publishers by analysing changes in shopping behaviour of HuYu users who have seen a particular advertisement and those who have not;
  8. To enhance our client's audience or customer databases. We do this by identifying the attributes common to particular segments of HuYu users and applying these attributes to similar segments of individuals in our client's databases;
  9. To provide our clients with aggregated and anonymised sales and other market data on a continuous basis, to enable them to create their own insights and reports to better understand market trends;
  10. To understand your interests by analysing your online behaviour i.e. the websites you visit and how you spend your time online, based on web browser history data you share with us using HuYu Snapshot. The data helps our clients understand the best ways to communicate with their customers – we do this only if you have given your explicit consent to share this data with us through HuYu Snapshot;
  11. To issue your points and facilitate points redemption. We also keep a record of points redemption (including the date on which you exchanged your points, the number of points you exchanged, the reward you selected and the date on which your reward was sent to you) – we do this to perform the contract we have with you;
  12. To understand and track how users interact with HuYu so we can improve your user experience and develop new features and functions based on how you and other users are using HuYu;
  13. To invite you to take part in HuYu surveys that will be of interest to you, analyse your responses and create aggregated insights. When we do this, we look at all HuYu users' responses together or segments of users, not just yours;
  14. To invite you to take part in HuYu surveys which are requested by our clients. We will analyse your responses, create aggregated insights and share these insights with our clients;
  15. To invite you to take part in HuYu focus groups and feedback sessions;
  16. To respond to your questions or comments – we do this to perform the contract we have with you;
  17. To send you emails, for example to let you know about new HuYu features or surveys, to remind you about HuYu activities or request feedback – we do this if you have given your consent to receiving these communications;
  18. To send you notifications, for example to let you know about new HuYu features or surveys, to remind you about HuYu activities or request feedback – we rely on a 'soft opt-in' to send you these so you will receive these if you have not opted out e.g. via the notifications page and via your device settings;
  19. To send you service communications to let you know about something important relating to HuYu or your use of HuYu, for example we may need to notify you about issues we're experiencing with the app, essential updates or upgrades, updates to our privacy notice or terms of use and any other legal updates – we do this to perform the contract we have with you and to comply with a legal obligation;
  20. To take the appropriate steps if you violate the HuYu Terms and Conditions; and/or
  21. To take action against you if you do something illegal – we do this to comply with a legal obligation.

5.2 If you have questions about or need further information concerning the legal basis on which we collect and use data about you, please contact us using the details in section 14.

6. Who does dunnhumby share my data with?

6.1 We will share your data with:

  1. our group companies who operate around the world to help us make HuYu available to you or to create and deliver insights to our clients;
  2. our clients who include retailers, brands, publishers and media outlets; financial institutions; and business and market insights companies, who operate online and/or in physical locations;
  3. our trusted service providers who help us provide HuYu, for example by hosting it, enabling certain features or functionality, or by providing ancillary services such as data matching and analytics, data storage, support and maintenance or security technology. The main service providers that we use for HuYu are:
    1. Survey Monkey provides HuYu's survey functionality;
    2. AppsFlyer provides mobile attribution and marketing analytics;
    3. Service providers who fulfil the rewards available on HuYu, currently Tango Card;
    4. ResearchBods is our community manager and helpdesk provider;
    5. Hitachi Vantara provides app development and app operations support;
    6. InfoSum provides data matching services; and
    7. Google provides the following services:
      - Cloud Platform which is the cloud data storage platform that HuYu uses;
      - Big Query which is our cloud data warehouse for analytics; and
      - Firebase (including the following Firebase features: Authentication, Firebase Analytics, Cloud Messaging, Cloud Functions, Administration Console and Storage) which we use for app development.

      Some of our trusted service providers may automatically collect data about how you use their services. You can find out more about the ways in which they will use your data and how you can control the data they collect and use here:
      - Appsflyer: https://www.appsflyer.com/privacy-policy/;
      - Survey Monkey: https://www.surveymonkey.com/mp/legal/privacy-policy/;
      - Tango Card: https://www.tangocard.com/privacy-policy; and
      - Google: https://policies.google.com/technologies/partner;

  4. any competent law enforcement body, regulatory, government agency, court or other third party where we believe we need to share it (i) because the law or regulations requires us to, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person; and
  5. a potential buyer (and its agents and advisers) in connection with any proposed purchase, merger or acquisition of any part of our business, provided that we inform the buyer it must use your data only for the purposes disclosed in this Privacy Notice.

7. How does dunnhumby share my data?

7.1 We share your data in the following formats:

  1. in an aggregated format: we share insights, segmentations and models derived from your data and the data of other HuYu users, removing any individual identifiers, with our clients;
  2. in a pseudonymised format: we share your data linked to an identifier that allows our clients to do their own analysis of the data we collect across multiple HuYu users, or use it to do further analysis of the aggregated data we have provided them. When we do this the recipients will not be able to identify you from this data.
  3. in an identifiable format: we share your data with our trusted data matching service provider at an individual level with a pseudonymous identifier (as in (b) above). The pseudonymous identifier can be used by our data matching service provider and selected clients to identify if you appear in both our and our clients' customer databases.

8. How does dunnhumby keep my data secure?

8.1 We use appropriate technical, physical and organisational measures to protect your data. The measures we use are designed to provide a level of security appropriate to the risk of processing your data.

8.2 Specific measures we take include:

  1. using surrogate identifiers in place of your personal identifiers when processing your personal data internally and applying strict access controls to your personal identifier which permit access only where this is absolutely necessary;
  2. applying encryption methods to your identifiable data (including your first name, surname, email address and device ID) both when we store your data on our internal databases and when we need to transfer it to a third party or internally, with access to the key that allows this encrypted data to be unlocked being strictly controlled and only shared where absolutely necessary;
  3. ensuring we have appropriate firewalls in place;
  4. providing data protection training to our staff;
  5. regularly monitoring our systems for possible vulnerabilities and attacks, and carrying out penetration testing to identify ways to further strengthen security;
  6. asking for proof of identity (where appropriate) before we share your personal data with you;
  7. restricting employee access to your data on a need to know basis and requiring that employees always treat your data as confidential and comply with our data protection policies and procedures; and
  8. when we share your data with the other organisations referred to in section 6, we will put appropriate safeguards in place to protect your data including putting contracts in place and making sure that they treat your data confidentially.

9. International data transfers

9.1 The data we hold about you is stored using Google Cloud Platform's servers in Belgium.

9.2 Our group companies and third-party service providers operate around the world. As a result, your data may be transferred to, and processed in, countries other than the country you are in. These countries may have data protection and privacy laws that are different to the laws of your country and, in some cases, may not be as protective.

9.3 We have taken appropriate safeguards so that your data is protected in the way we've explained in this Privacy Notice. These include implementing the European Commission's Standard Contractual Clauses for transfers of data between our group companies, which require all group companies to protect data they process from the EEA in accordance with European Union data protection and privacy law. If you're wondering what the EEA is, it's each country in the European Union plus Norway, Iceland and Liechtenstein.

9.4 If you would like to see our Standard Contractual Clauses, please contact us using the details in the How to Contact Us section below and we would be happy to provide a copy. We have similar safeguards in place with our third-party service providers and partners. If you would like further details about these, please contact us (see section 12).

10. Data retention

10.1 We will retain your data as follows:

  1. "Account Information" (your email address; the method you use to sign up and sign in to HuYu; and if you signed up using Facebook or Google, your profile picture and user name (in the case of Facebook) and your user name (in the case of Google)) will be retained indefinitely, unless you become a Lapsed User (as we define that below, see paragraph 10.2) or you ask us to delete your HuYu account. If you ask us to delete your account, your Account Information will be deleted within 30 days and all other data will be anonymised so you cannot be identified from it;
  2. Receipt scans and e-receipts will be retained for seven days from the time which you provided them to us. We will retain the data we extract from receipts and e-receipts in accordance with paragraph (d) below;
  3. Your phone number, if you have given us this for the purposes of participating in a focus group or feedback session, will be retained only for the period necessary for the purposes of arranging the focus group or feedback session you have opted in for. Unless you request that we delete it earlier, your phone number will be deleted within 30 days after the focus group or feedback session has taken place; and
  4. All other data that can be linked to you will be retained for five years from the date you provided it to us and then deleted. Data about you that has been mixed with other HuYu users' data, so that you cannot be separately identified, will be retained indefinitely.

10.2 If you haven't logged in to HuYu for 2 years, we will deem you a "Lapsed User". Within 30 days we will close your HuYu account, delete your Account Information and anonymise all other data so you cannot be identified from it.

10.3 There are circumstances where the law allows us to retain your data beyond the periods set out in this section 10, such as where the law requires us to keep a copy of your data or where we may need it to bring a claim or to defend ourselves against a claim. In such circumstances we will extend the retention periods specified for as long as required and will delete it promptly thereafter.

11. Minimum age of HuYu users

HuYu is for people who are 18 or over. If you are under 18, please do not download or use HuYu.

12. Your data protection and privacy rights

12.1 When you use HuYu, we will use your data as explained in this Privacy Notice, but you will always have the following rights over your personal data:

  1. You can access, correct, update or request deletion of your data, by contacting us using the details provided under "How to contact us" (see section 14). If, for any reason, you wish to close your HuYu account, contact us using the details in section 12 below, so that we can delete your Account Information.
  2. You can object to processing of your data, ask us to restrict processing of your data or request portability of your data. Again, you can exercise these rights by contacting us using the details in section 14 below. Please note, certain features and the third-party service provider tracking technology used by Firebase and Appsflyer cannot be turned off for individual users so you will need to cease use of HuYu if you wish to exercise your right to object to processing or restrict processing carried out through the relevant feature or tracking technology.
  3. You have the right to opt-out of marketing communications we send you at any time. You can exercise this right as follows:
    1. Notifications: by switching off notifications via your device settings and via the Notifications sections of your account. The device settings override in-app settings so, if you switch off in-app but not via your device settings, you will still receive notifications.
    2. Emails: by switching off the toggle in the Notifications sections of your account or by clicking on the "unsubscribe" link in the marketing e-mails we send you.
  4. Where we use your data with your consent, then you can withdraw your consent at any time. If you withdraw your consent, this means that we can't use your data for that purpose any longer, unless we have another lawful ground for us to use it (for example, service communications). It also won't affect our use of your data before you withdrew your consent.
  5. You can complain to an information authority about the way we have used your data. For more information, please contact your local authority. Contact details for authorities in the European Economic Area, Switzerland and certain non-European countries (including the US and Canada) are available at http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm.

12.2 We will respond to any request which you send to us and we will manage your request in accordance with applicable laws.

13. Updates to this Privacy Notice

13.1 We want HuYu to get bigger and better and for you to get more out of HuYu in the future, so we will introduce more features. As HuYu evolves, we may collect more data about you and we may use your data in different ways – we will always be completely transparent with you about the data we collect and what we will do with it – we will update this privacy notice as we introduce new features where they change the data we collect about you or the way we use it.

13.2 We will also update this Privacy Notice as things change around us – this may be due to change in law, a change in technology – or it may be due to change in our business.

13.3 When we update our Privacy Notice, we will take appropriate measures to inform you, consistent with the significance of the changes we make, and we will obtain your consent to any material Privacy Notice changes if and where this is required by law.

13.4 You can see when this Privacy Notice was last updated by checking the "last updated" date displayed at the top of this Privacy Notice.

14. How to contact us

14.1 If you have any questions or concerns about our use of your data, please contact our Data Protection Officer using the following details: individualrights@dunnhumby.com. The data controller of your data is dunnhumby Limited. If you have any concerns or would like to make a complaint to the Information Commissioner's Office, which is the UK regulator responsible for data protection issues, you can contact them using these details: https://ico.org.uk/make-a-complaint/.