Privacy and Data Protection Policy
V1.2 – June 23, 2022
This privacy policy provides information on the processing of the personal data of our Users who interact with us and users of the contact form on our website or web application, as provided in the General Data Protection Regulation (“GDPR”).
Data Processed
Information supplied directly by Users:
Registration Data: the information provided by Users when they create an account on the P&P Platform: e-mail.
User Profile Information: the information added by Users on the Platform in order to be able to use the P&P services, i.e. their mobile phone number. Users can view and edit the personal data on their profile whenever they wish. P&P does not store Users’ credit card details, but these are provided to licensed electronic payment service providers, who receive the data included directly and store it in order to facilitate the payment process for Users and to manage it on P&P’s behalf. This information is under no circumstances stored on P&P’s servers. Users may delete the details of the credit cards linked to their account at any time. This will trigger the service provider to delete the information, which will have to be re-entered or selected in order to place new orders through the Platform. Users may request such providers’ privacy policies at any time.
Additional information that Users wish to share: any information that a User could supply to P&P for other purposes. Examples include a photograph of the User or food preferences.
Information about previous communications with P&P: P&P will have access to the information supplied by Users for the resolution of any queries or complaints about the use of the platform, whether through the contact form, by e-mail or by phone through the customer service.
Information on accidents involving any of the parties involved in the provision of services through the Platform for the purpose of making insurance claims or carrying out any other actions with the insurance companies contracted by P&P.
Transcription and recording of conversations held between the USER and P&P for the processing of incidents, queries or any other consultations that may be made.
Information on Communications between Users and Restaurants: P&P will have access to the communications exchanged between Users and the Restaurants that collaborate with the Platform.
Information indirectly supplied by Users:
Data arising from the Use of the Platform: P&P collects the data arising from Users’ Use of the Platform every time they interact with the Platform.
Data on the application and the device: P&P stores data on the device and the Application used by Users to access the services.
This data is:
The information provided by the external third party may be controlled by the User in accordance with the third party’s own privacy policy.
Geolocation Data: provided that this has been authorised by Users, P&P will collect data relating to their location, including the real-time geographic location of their computer or mobile device.
Purpose
P&P uses the data collected from Users to enable them to access and communicate with the P&P platform and to provide the services requested by them through their account on the P&P Platform, in accordance with the procedure described in the “Terms of Use”.
P&P uses Users’ personal data to communicate via e-mail and/or send them SMS messages relating to the operation of the service.
P&P may send messages to the User’s mobile phone with information relating to the status of the order requested. When the order is completed, P&P will send a summary/receipt of the order and price thereof to the User’s e-mail.
P&P also uses the information to research and analyse how to improve the services it provides to Users, as well to develop and improve the features of the service it offers. Internally, P&P uses the information for statistical purposes in order to analyse User behaviour and trends, to understand how Users use the P&P Platform and to manage and improve the services offered, including the possibility of adding new, different services to the Platform.
P&P uses third-party technology integrated in its Platform for the purpose of collecting Users’ data and preferences and using this with CRM systems and advanced technology for the benefit of Users. The following processing will thus be carried out on their data through the information collected:
P&P may send e-mails with promotional messages and/or offers relating to the service offered by it that may be of interest to Users. P&P may gauge and personalise such advertising in accordance with its users’ preferences. If a P&P User does not wish to receive this information and/or commercial communications, he/she may at any time opt to “Unsubscribe” in the e-mail, and P&P will immediately stop sending the aforementioned information.
P&P may also send Users messages and/or offers relating to such services through “push” notifications consisting of sending such promotional messages and/or offers to their mobile phones. If a P&P User does not wish to receive the commercial communications described in this clause and in 3.1 above, he/she may remove them all by disabling them with a single click in the privacy preferences of his/her profile.
P&P and/or the third parties associated with P&P may use the order delivery address entered by the User for the purpose of carrying out promotional activities for the delivery of samples or free products of the service related to P&P which may be of interest to the User (e.g. home delivery of free samples or advertising brochures) at the same time as delivering the order.
Users may use their privacy management centre to unsubscribe from online marketing services or to close their account if they do not wish to receive samples with their P&P orders.
P&P uses the information for statistical purposes in order to analyse User behaviour and trends, to understand how Users use the P&P Platform and to manage and improve the services offered, including the possibility of adding new, different services to the Platform.
P&P also uses the information to research and analyse how to improve the services it provides to Users, as well as to develop and improve the features of the service it offers.
P&P also processes User’s statistics based on the Users Personal data in order to assist Users in their decisions and use of the service, including the possibility to quickly reorder from the stores where Users have ordered in the past or suggest Users stores based on their past orders or “popularity” among new users. Additionally, P&P could assist Users in their decisions through automatically determined filters by the historical order Users have placed in the past.
Anonymized data can be shared with third parties in order to help development of new services
If a User contacts P&P to report the occurrence of any damage or unforeseen event that may be covered by P&P’s insurance policy, P&P shall process all data relating to the incident for the purpose of handling and responding to requests.
Legal Basis of Processing
Users’ data is processed in accordance with the following legal bases:
Recipients of the Data
In order to continue providing the services offered through the Platform, P&P may share certain personal data of Users with:
E-invoicing service providers: P&P may share User data with electronic invoicing service providers in order to send the respective invoices.
Payment Service Providers: When a User enters his/her card number on the P&P Platform, this is stored directly by the Payment Platforms contracted by P&P, which will allow payment to be charged to the User’s account. Payment service providers have been chosen based on their security measures and in any event complying with the security measures stipulated in the payment service legislation, and they are PC1 Compliant under the Payment Card Industry Data Security Standard or PCI DSS. P&P does not store such data in any event.
Service providers for fraud control purposes: P&P will share Users’ data with fraud control service providers to assess the risk of the transactions carried out.
Service providers for the anonymisation of some data: In order to prevent the misuse of Users’ data by third-party service providers, P&P may disclose Users’ data for the purpose of anonymising it so that it can be used solely for the provision of the service to Users. For example, P&P may assign Users’ telephone numbers to third parties in order to anonymise them and provide them in this format to the providers used to carry out the services contracted by Users.
Security companies and Law Enforcement Forces and Agencies: P&P may disclose personal information and data on its customers’ accounts if it believes that such disclosure is necessary to comply with the law, to enforce or apply the “Terms of Use” or to protect P&P’s, its users’ or third parties’ rights, property or safety. The above therefore includes the exchange of information with other companies and organisations as well as with Law Enforcement Forces and Agencies to protect against fraud and reduce credit risk. After being required to do so by law, P&P may share information with bodies of executive authorities and/or third parties in relation to requests for information relating to criminal investigations and alleged illegal activities.
Call centre and incident management services: In order to provide a Customer Service and call centres, actions to measure Users’ degree of satisfaction and the provision of administrative support services, P&P may disclose Users’ data to companies located outside the EEA, provided it is authorised to do so and the security requirements mentioned in the preceding section have been met.
Telecommunications services: In order to be able to provide Users with telephone contact services, P&P may contact telecommunications companies that provide secure lines and systems for the purpose of contacting Users.
Social media connected by Users: If a User connects his/her P&P account to other social media or to a third-party platform, P&P may use the information provided to such social media or third party, provided that it has been made available to P&P in compliance with the privacy policy of the social media or third-party platform in question.
Third parties associated with P&P for the purposes of commercial communications: P&P may, with a User’s express consent, transfer his/her personal data to third parties associated with P&P, provided that the User has given his/her express informed and unequivocal consent to such transfer of data and is aware of the purpose and recipient of such transfer.
Changes of ownership: If P&P’s ownership changes or the majority of its assets are acquired by a third party, Users are informed that P&P will transfer their data to the acquiring organisations in order to continue to provide the services subject to the processing of data. The new file controller will inform Users of its identification data. P&P states that it will comply with its duty of information to the relevant Supervisory Authority in the event of such circumstances arising, and it shall inform Users of the change of file controller if and when this happens. This processing shall be carried out under the contract entered into with P&P.
Insurance companies: P&P may provide users’ data to those insurers and insurance brokers with which it has an agreement in place for the management and processing of claims and losses arising from the activity carried out by P&P and the parties that collaborate with it.
P&P Users’ data will not be disclosed to any third parties unless: (i) this is necessary in order to provide the services requested if P&P is collaborating with third parties; (ii) if P&P has the User’s express and unambiguous authorisation; (iii) where this has been requested by a competent authority pursuant to its functions (in order to investigate, prevent or take action in relation to illegal actions); or (iv) finally, where required by law.
International Data Transfers
When choosing service providers, P&P may transfer users’ data outside the borders of the European Economic Area. In such cases, P&P will ensure before sending the data that such service providers are in compliance with the minimum security standards established by the European Commission and that they always process the data in accordance with P&P’s instructions. P&P may have a contractual relationship with them under which the service providers agree to comply with P&P’s instructions and to put in place the necessary security measures to protect Users’ data.
Retention Periods
Users’ data will be retained during the performance and maintenance of the contractual relationship; i.e. for as long as they are P&P Users or until they exercise their right to restrict the processing of their data.
Once a User has cancelled his or her registration with the Platform, P&P will keep his or her data for the time established in the tax, health, criminal and any other legislation that may apply, for the purpose of filing and defending any actions to which P&P may be a party. P&P will in any event block Users’ data so that it can only be consulted if an action has to be filed or defended in connection with it.
Regarding anonymous information, P&P will apply everything set forth in Recital 26 of the GDPR, according to which “The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.”
Profiling and decision making
P&P does not adopt any decision that could affect User significantly based solely on automated processing of User’s data (for example, reordering from the stores where Users have ordered in the past). The only decision-making processes of P&P are conducted by applying human intervention.
When using the application, P&P classifies Users based on the information provided by them about their usage of the application to adapt it to their needs and to improve it. The classification is conducted by solely using first party data. P&P use information that Users provide P&P, such as their historical orders and popularity among new users to suggest similar stores that could be of Users’ interest.
Exercise of Rights
Users may exercise their rights free of charge at any time using the form available on the Platform. They may also exercise their rights by sending an e-mail to the following e-mail address: gdpr@P&Papp.com. The e-mail must specify which right they wish to exercise, as well as, where applicable, the identifying data registered on the Platform. We will contact the User if we need additional data to that provided in order to verify his or her identity.
You may exercise the following rights vis-à-vis P&P:
The right of access to your personal data in order to know which data is being processed and the processing operations carried out thereon;
If you believe that P&P is in breach of data protection law, please do not hesitate to contact us at the e-mail address gdpr@P&Papp.com telling us what you consider to be the case, so that we can resolve the problem as soon as possible. In any event, you may also report it to the Spanish Data Protection Agency (Agencia Española de Protección de Datos) and file a claim with the said body for the protection of your rights.
Security Measures
P&P has taken the necessary steps recommended by the European Commission and the competent authority to maintain the required security level, according to the nature of the personal data processed and the circumstances of the processing, in order to avoid, to the extent possible and always in accordance with the state of the art, its alteration, loss or unauthorised access or processing. As mentioned above, the personal data supplied will not be disclosed to third parties without the data subject’s prior authorisation.
Notifications and Modifications
As stated above, all Users have the right to access, update and erase their data, as well as object to its processing. You may exercise these rights, or make any enquiries in relation to P&P’s Privacy Policy, through the Contact Form.
Due to the constant evolution of P&P’s activities, this Privacy Policy, the Cookie Policy and the Terms of Use are also subject to change. P&P will send Users notifications about substantial changes and modifications to such documents by e-mail or through any other method that ensures their receipt. In any case, P&P will in no event modify its policies or practices to make them less effective in the protection of our customers’ previously stored personal data.
In the event of discrepancies between the translations and the Spanish version of this document, the Spanish version will prevail.