HuYu Privacy Notice

Version 5

Last Updated: 9 June 2020

1. About You, HuYu and dunnhumby

Get rewarded for sharing your data with HuYu. Earn points for scanning or forwarding grocery receipts, completing surveys and sharing your data. Then turn your points into vouchers for shopping, coffee, or rides – take your pick from a whole range of major brands. It’s a fair, simple and easy way to make your data work for you.

HuYu is an app brought to you by dunnhumby and we respect your right to privacy. We will be upfront with you about the data we collect from you when you use HuYu and how we it – so we've written this Privacy Notice for you.

dunnhumby is a consumer data science company, headquartered in the U.K. but with group companies all around the world. dunnhumby is the company behind HuYu and we're the company to contact if you have any questions about HuYu and the way we use your data. You can find out more information about dunnhumby at here. If you have any questions about the way we use your data, please contact us (See Paragraph 12).

Please read this Privacy Notice in full to ensure you are fully informed before you start using HuYu. By accepting the HuYu Terms and Conditions, and using HuYu, you consent to us using your personal data as described in this Privacy Notice.

2. What is HuYu?

HuYu is the mobile app that rewards you for connecting your data. You earn HuYu points when you scan or forward your shopping receipts, answer surveys and choose to share other data about yourself.

We've got big plans for HuYu so we’ll let you know when we add more features. If the data we collect about you or the way we use your data changes, we'll let you know. The 'Updates to this Privacy Notice' section below explains how we'll do this.

3. What data do we collect?

Data that you provide voluntarily as a participant of HuYu

We will collect the following data from you when you sign up and use HuYu:

  • Data about you – you need to be 18 or over and live in the UK to use HuYu so, before you start using HuYu, we will ask you to confirm that you are 18 or over and that you live in the UK;
  • Data about you from Facebook – if you choose to sign up to HuYu using Facebook, we will ask you if you're happy for us to access and use the data in your public profile on Facebook. Specifically, we will access your name, profile picture and email address or phone number. You can find out more about the ways in which Facebook uses your data and how you can control the data which Facebook collects and uses about you at https://en-gb.facebook.com/policy.php. If you don't log-in to HuYu for more than 90 days, you may be asked to sign-up again;
  • Data about you from Google – if you choose to sign up to HuYu using your Google account, we will ask you if you're happy for us to access and use the data in your public profile on your Google account. Specifically, we will use your name, profile picture and email address. You can find out more about the ways in which Google uses your data and how you can control the data which Google collects and uses about you at https://policies.google.com/privacy. If you don't log-in to HuYu for more than 90 days, you may be asked to sign-up again;
  • Paper Receipt details - if you choose to share receipts with us through HuYu, we will receive the data on those receipts which may include any of the following information: total spend, total number of items, individual product descriptions, individual product price, offers (e.g. 3 for 2 or 10% off), name of store, address of store or website, date and time of receipt, last 4 digits of payment card or loyalty card number;
  • Email Receipt (“e-receipt”) details – if you choose to forward your e-receipts to us through HuYu, we will receive the data on those receipts which may include the information described in the ‘Paper Receipt’ section above and the additional information in the email such as your email address, name and delivery address.
  • Survey and feedback responses – your responses to online surveys or feedback requests;
  • Search and browsing – you can choose to share a one-off snapshot of your search and browse history. We only collect details about sites in whitelisted categories – like shopping and sport. We never seek to collect data about your physical or mental health, sexuality, religion or political affiliates, or adult content. You can request the full list of whitelisted categories by emailing us at individualrights@dunnhumby.com;
  • Phone number - if you opt-in to take part in a focus group or to participate in feedback sessions, we may request your phone number in order to contact you;
  • Things you tell us – if you have any questions about your HuYu account or are having trouble using HuYu, our customer service and support team will be happy to help you. We will need to keep a record that you contacted us and how we helped you. We'll also use information from calls or messages to the helpdesk to make HuYu better for you and other HuYu users.

We will never seek to collect any special category data…..this is information about you which the law says is sensitive and includes information about your physical or mental health or condition, sexuality, religion, political affiliations – you can find a full list at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/special-category-data/) If your receipts contain special category data, please don't scan the receipt into HuYu.

We don't have control over what you choose to scan or share using HuYu, which means that you might choose to provide an image to us which contains information which directly identifies you (e.g. your name or your address might be in an -e-receipt you send to us). This information will not be used by us. Please see section 8 for more information on data retention.

Data that we collect automatically

We automatically collect data and keep records of how and when you use our HuYu app and data about your phone. Some of this is essential (because HuYu wouldn’t work without it) and some of this is to help us improve HuYu. Automatically collected data includes:

  • App use data:
    • Your IP address (this is the place from which you connect to the internet and comes to us which is displayed as a series of numbers);
    • logs of when you downloaded HuYu, when you registered, when you used it, how long you used it for, how many times you scanned receipts, how many times you took part in surveys, and the parts of HuYu that you use and don't use;
    • whether you signed up using your Facebook or Google account;
    • your profile photo, username and email address if you sign up using your Facebook or Google account;
    • app version, foreground or background state (if it's visibly open, or running in the background);
    • the app store you installed the app from and store referral data on how you navigated to HuYu; and
    • interactions with advertisements for HuYu.
  • Phone data:
    • Phone type (for example, iPhone or Android phone);
    • IMEI number (unique device identification number);
    • Mobile operating system (such as Apple OS or Android OS); and
    • other technical information about your phone including any crash logs (these are sent to us when HuYu breaks or stops working).

The data about your phone and your use of HuYu is connected to you and we will only use it in accordance with data protection and privacy laws.

We automatically collect and process the above data through third-party service provider tracking technology – as you download, register and interact with HuYu, our third-party service providers Appsflyer and Google Analytics for Firebase, will automatically collect and process some of the information described above using tracking technology. See paragraph 5 for more information about our third-party service providers.

4. How we use your data and the legal basis for processing it

We use your data to do the following things and, unless we say something different below, the legal reason we use it is for our legitimate business interests as a data science company:

  • to register you as a HuYu user - we do this to perform the contract we have with you;
  • to create aggregated insights and segmentations about HuYu users’ preferences, opinions and shopping behaviour. This will involve combining the data about all HuYu users so that we can identify trends and patterns of behaviour. When we do this, we may analyse all of our HuYu users or segments of our HuYu users. As part of this process, your data will be anonymised so we can no longer identify you or your data within the resulting aggregated insights and segmentations. We will use the insights and segmentations to create reports which we sell to our clients such as retailers and brand-owners. These will only ever report insights about all of our HuYu users or segments of HuYu users, not individuals. In some cases, we may share these aggregated insights with partners who publish statistical information on market trends or use our insights to market our products and services on their platform;
  • to understand your interests by analysing your online behaviour i.e. the websites you visit and how you spend your time online. The data helps our clients understand the best ways to communicate with their customers – we do this if you have given your explicit consent to share this data with us;
  • to issue your points and facilitate points redemption. We also keep a record of points redemption (including the date on which you exchanged your points, the number of points you exchanged, the reward you selected and the date on which your reward was sent to you) – we do this to perform the contract we have with you;
  • to understand and track how users interact with HuYu so we can improve your user experience and develop new features and functions based on how you and other users are using HuYu;
  • to invite you to take part in HuYu surveys that will be of interest to you, analyse your responses and create aggregated insghts. When we do this, we look at all HuYu users’ responses together or segments of users, not just yours;
  • to invite you to take part in HuYu surveys which are requested by our clients. We will analyse your responses, create aggregated insights and share these insights with our clients and partners;
  • to invite you to take part in HuYu focus groups and feedback sessions;
  • to respond to your questions or comments – we do this to perform the contract we have with you;
  • to send you emails, for example to let you know about new HuYu features or surveys, to remind you about HuYu activities or request feedback – we do this if you have given your consent by agreeing to receive these communications;
  • to send you notifications, for example to let you know about new HuYu features or surveys, to remind you about HuYu activities or request feedback – we rely on a ‘soft opt-in’ to send you these so you will receive these if you have not opted out e.g. via the notifications page and via your device settings;
  • to send you service communications to let you know about something important relating to HuYu or your use of HuYu, for example we may need to notify you about issues we’re experiencing with the app, essential updates or upgrades, updates to our privacy notice or terms of use and any other legal updates – we do this to perform the contract we have with you and to comply with a legal obligation;
  • to take the appropriate steps if you violate the HuYu Terms and Conditions; and/or
  • to take action against you if you do something illegal – we do this to comply with a legal obligation.

Your data will not be used to advertise or market third party products or services to you.

If you have questions about or need further information concerning the legal basis on which we collect and use data about you, please contact us (See paragraph 12).

5. Who does dunnhumby share my data with?

dunnhumby will never share your individual level data, i.e. data which identifies you or which someone can use together with other data to identify you, with third parties other than our trusted service providers. The main trusted service providers that we use for HuYu are listed below.

The insights we share with our dunnhumby clients (retailers and brand-owners) and other partners will never contain your personally identifiable data or enable our clients to identify you because the data we share is always aggregated. The insights will be general information about trends and behaviour patterns which we have created using data about a large number of HuYu users.We provide clients with insights into their customers' preferences and trends, to help them develop products and improve the shopping experience they provide to their customers.

We may disclose your data to our group companieswho operate around the world to help us make HuYu available to you or to create and deliver insights to our clients.

We will disclose your data to third party services providers who help us provide HuYu, for example by hosting it, enabling certain features or functionality, or by providing ancillary services such as data analytics, data storage, support and maintenance or security technology. The main third party service providers that we use for HuYu are:

  • Survey Monkey provides HuYu's survey functionality;
  • AppsFlyer provides mobile attribution and marketing analytics;
  • Tango Card fulfils the rewards available from HuYu and will receive your user ID and email address so that they can contact you with your rewards;
  • ResearchBods is our community manager and helpdesk provider;
  • Hitachi Vantara provides app development and app operations support; and
  • Google provides the following services:
    • Cloud Platform which is the cloud data storage platform that HuYu uses;
    • Big Query which is our cloud data warehouse for analytics; and
    • Firebase (including the following Firebase features: Authentication, Firebase Analytics, Cloud Messaging, Cloud Functions, Administration Console and Storage) which we use for app development.

These third-party service providers may automatically collect data about how you use their services. You can find out more about the ways in which they will use your data and how you can control the data they collect and uses about you here: Appsflyer (https://www.appsflyer.com/privacy-policy/); Survey Monkey (https://www.surveymonkey.com/mp/legal/privacy-policy/); Tango Card (https://www.tangocard.com/privacy-policy); and Google (https://policies.google.com/technologies/partner).

We will share your data with any competent law enforcement body, regulatory, government agency, court or other third party where we believe we need to share it (i) because the law or regulations requires us to, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person.

We may share your data with any other person if you consent to us sharing it with them.

6. How does dunnhumby keep my data secure?

We use appropriate technical physical and organisational measures to protect the data that we collect and process about you. The measures we use are designed to provide a level of security appropriate to the risk of processing your data.

Specific measures we use include:

  • applying encryption methods to your information both when we store your information on our internal databases and when we need to transfer it to a third party (or internally);
  • ensuring we have appropriate firewalls in place;
  • providing data protection training to our staff;
  • regularly monitoring our systems for possible vulnerabilities and attacks, and carrying out penetration testing to identify ways to further strengthen security;
  • asking for proof of identity (where appropriate) before we share your personal data with you;
  • restricting access to staff on a need to know basis;
  • treat your data in confidence and are required to comply with our data protection policies and procedures; and
  • • when we share your data with the other organisations referred to in section 5, we will put appropriate safeguards in place to protect your data including putting contracts in place and making sure that they treat your data confidentially.

7. International data transfers

The data held by HuYu is stored using Google Cloud Platform's servers in Belgium.

Our group companies and third party service providers operate around the world. As a result, your data may be transferred to, and processed in, countries other than the country you are in. These countries may have data protection and privacy laws that are different to the laws of your country and, in some cases, may not be as protective.

We have taken appropriate safeguards so that your data is protected in the way we've explained in this Privacy Notice. These include implementing the European Commission’s Standard Contractual Clauses for transfers of data between our group companies, which require all group companies to protect data they process from the EEA in accordance with European Union data protection and privacy law. If you're wondering what the EEA is, it's each country in the European Union plus Norway, Iceland and Liechtenstein.

If you would like to see our Standard Contractual Clauses, please contact us using the details in the How to Contact Us section below and we would be happy to provide a copy. We have similar safeguards in place with our third party service providers and partners, if you would like further details about these, please contact us (See Paragraph 12).

8. Data retention

The personal data HuYu holds on you will be kept for 117 weeks and then deleted, save for e-receipts where the raw data will be kept for 7 days and then deleted.

When you send us any receipt (paper or email), we only require the following raw data to create the insights:

  • Retailer name
  • Order date
  • Order time
  • Spend total
  • Item name
  • Item quantity
  • Spend on item
  • Promotions
  • Product category

We will delete the raw data, but once data about you and other HuYu users is aggregated to create insights and trends data, your data will be anonymised and we won't be able to identify you or separate your data from other HuYu users. Because you are no longer identifiable, this data is no longer personal data and will be retained indefinitely.

We will keep information and records about you for as long as you're a HuYu user and for 117 weeks after you stop being a HuYu user (for example, to deal with any claims or complaints which you may make and to manage any requests you make to exchange your HuYu points for rewards).

If you have given us your phone number for the purposes of participating in a focus group or feedback session, we will only keep your phone number for the period necessary for the purposes of arranging the focus group or feedback session you have opted in for. Unless you request that we delete it earlier, your phone number will be deleted after the focus group or feedback session has taken place.

9. Minimum age of HuYu users

HuYu is for people who are 18 or over. If you are under 18, please do not download or use HuYu.

10. Your data protection and privacy rights

When you use HuYu, we will use your data as explained in this Privacy Notice, but you will always have the following rights over your personal data:

  • You can access, correct, update or request deletion of your data, by contacting us using the contact details provided under the “How to contact us” (see paragraph 12). If for any reason, you no longer wish to use HuYu and wish to close your account with us, you can delete the HuYu app at any time from your phone/tablet or you can get in touch with us using the “How to contact us” (See paragraph 12), sso that we can delete your account data. Please note that there are circumstances where the law allows us to retain your data – for example, where the law requires us to keep a copy of your data or where we need it to bring a claim or to defend ourselves against a claim. An example of this would be a record of the rewards which we have provided to you in exchange for your reward points – we would need to keep a record of this in case you felt that we hadn't provided the right rewards.
  • You can object to processing of your data, ask us to restrict processing of your data or request portability of your data. Again, you can exercise these rights by contacting us using the contact details provided under the “How to contact us” (See Paragraph 12). Please note, certain features and the third-party service provider tracking technology used by Firebase and Appsflyer cannot be turned off for individual users so you will need to cease use of HuYu if you wish to exercise your right to object to processing or restrict processing carried out through the relevant feature or tracking technology.
  • You have the right to opt-out of marketing communications we send you at any time. You can exercise this right as follows:
    • Notifications: by switching off notifications via your device settings and via the Notifications sections of your Account (Note: the device settings override in-app settings so, if you switch off in-app but not via your device settings, you will still receive notifications).
    • Emails: by switching off the toggle in the Notifications sections of your Account or by clicking on the “unsubscribe” link in the marketing e-mails we send you.
    Where we use your data with your consent, then you can withdraw your consent at any time. If you withdraw your consent, this means that we can't use your data for that purpose any longer, unless we have another lawful ground for us to use it (for example, service communications). It also won't affect our use of your data before you withdrew your consent.
  • You can complain to an information authority about the way we have used your data. For more information, please contact your local authority. (Contact details for authorities in the European Economic Area, Switzerland and certain non-European countries (including the US and Canada) are available at http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm).

We will respond to any request which you send to us and we will manage your request in accordance with applicable laws.

11. Updates to this Privacy Notice

We want HuYu to get bigger and better and for you to get more out of HuYu in the future, so we will introduce more features. As HuYu evolves, we may collect more data about you and we may use your data in different ways – we will always be completely transparent with you about the data we collect and what we will do with it – we will send you updates to this privacy notice as we introduce new features where they change the data we collect about you or the way we use it.

We will also update this Privacy Notice as things change around us – this may be due to change in law, a change in technology – or it may be due to change in our business. When we update our Privacy Notice, we will take appropriate measures to inform you, consistent with the significance of the changes we make. We will obtain your consent to any material Privacy Notice changes if and where this is required by applicable data protection and privacy laws.

You can see when this Privacy Notice was last updated by checking the “last updated” date displayed at the top of this Privacy Notice.

12. How to contact us

If you have any questions or concerns about our use of your data, please contact our Data Protection Officer using the following details: individualrights@dunnhumby.com. The data controller of your data is dunnhumby Limited. If you have any concerns or would like to make a complaint to the Information Commissioner's Office, which is the UK regulator responsible for data protection issues, you can contact them using these details: https://ico.org.uk/make-a-complaint/..

Supplemental Privacy Notice: COVID-19

Last Updated: 15/06/2020

Our HuYu Privacy Notice explains who we are, what we do and about HuYu in general. It also explains how we transfer your data between countries, how we keep it secure and your rights in relation to your personal data. This Supplemental Privacy Notice explains how we will be requesting, sharing and using additional personal data about you during the COVID-19 pandemic and gives you more information in addition to our general HuYu Privacy Notice.

What additional data are we requesting during this period?

We will be asking you (by email and other communication channels) to provide personal data related to the impact of COVID-19 via surveys and quick polls through HuYu. In addition to the information listed in our general HuYu Privacy Notice, we will be asking about your attitudes, opinions and responses to COVID-19 and the impact this unprecedented event has had upon your confidence in the economy, retailers and the government, and how it has changed your shopping experiences, shopping behaviours, work, personal finances and lifestyle.

As part of these surveys, we may ask you questions about your health. If we do, we will inform you at the time we collect this data and ask you to consent to us processing it.

If we do not ask you for data about your health please ensure you do not provide it. If you provide data that relates to your health we will treat your voluntary provision of such data as your consent to our use of such data for the purposes specified in this Privacy Notice.

How we use this additional data and our legal bases

As is explained in our general HuYu Privacy Notice, we use the data that you provide and other data that we collect or receive from third parties to create "insight data" for our retail or brand clients to enable them to improve customer experiences and build loyalty among their customers. Specifically, the additional data we collect during the COVID-19 pandemic will help retailers to understand and meet shoppers' needs during this time, as well as help them be ready for any future challenges. Our processing of data for this purpose is necessary to pursue our legitimate interest in providing data insight services to our clients.

In particular, we match your COVID-19 pandemic related-survey data to your shopping data provided when you scan receipts (such as shopping behaviour in our retailers’ physical and online stores) to learn about consumer attitudes toward COVID-19, for example, how worried you are about it and how it has changed your shopping behaviour or levels of satisfaction with physical and online grocery stores.

We will use this data to help our clients predict your (and other shoppers’) behaviour, habits or preferences as the pandemic continues. To do this we use data science, for example to predict changes in shopping habits (e.g. increases in online shopping, or purchases or non-perishable foods). We only ever report this information to our clients on an aggregated basis (i.e. in a way that does not identify you). This helps retailers and their suppliers make important decisions around how to best serve you, for example by ensuring they can more accurately predict demand for certain products and services.

Where the personal data we collect is specific to the COVID-19 pandemic, we will only use that personal data for the purposes described in this Supplemental Privacy Notice. Where we ask you for personal data unrelated to the COVID-19 pandemic, our collection and use of that data is as described in in our general HuYu Privacy Notice.

Who will dunnhumby share this additional data with?

We may disclose your data to the recipients and in the formats described in our general HuYu Privacy Notice under 'Who does dunnhumby share my data with?' and 'How does dunnhumby share my data?'.

Data retention

We will keep data collected as described above for the periods of time set out in our general HuYu Privacy Notice under 'Data retention'.

Updates to this Supplemental Privacy Notice

We will update this Supplemental Privacy Notice while we continue to collect and store the data described above. When we update this Supplemental Privacy Notice, we will take appropriate measures to inform you as appropriate in relation to the significance of the changes we make. You can see when this Supplemental Privacy Notice was last updated at the top of the page.

How to contact us

If you have any questions or concerns about our use of your data, please contact our Data Protection Officer using the following details: individualrights@dunnhumby.com.

The data controller of your data is dunnhumby Limited. If you have any concerns or would like to make a complaint to the Information Commissioner's Office, which is the UK regulator responsible for data protection issues, you can contact them using these details: https://ico.org.uk/make-a-complaint/.