Privacy and Cookies Policy

Last Updated: 06 June 2021

At Oneworld, we are working hard to serve shoppers a little better every day. Looking after the personal data members share with us is a hugely important part of this. We want members to be confident that their data is safe and secure with us, and that members understand how we use it to offer them a better and more personalised shopping experience.

We reserve the right to change this policy at any time, so please check back regularly to keep informed of updates to this policy.

What this policy covers

The data controller (who determines the purpose and manner in which members’ personal data is used) is Loyalty Oneworld (Mauritius) Ltd (referred to in this policy as “we” or “us”).

We are committed to doing the right thing when it comes to how we collect, use and protect members’ personal data. That is why we have developed this privacy and cookies policy (“Policy”), which:

  • sets out the different ways members interact with us and the types of personal data that we collect
  • explains the reasons why we use the data we collect
  • explains when and why we will share personal data within the Oneworld ecosystem and with other organisations; and
  • explains the rights and choices members have when it comes to their personal data

We offer a wide range of products and services, so we want members to be clear about what this Policy covers. This Policy applies to members if they use our services (referred to in this Policy as “our Services”).

Using our Services means:
  • Being a member of Oneworld loyalty scheme (“Oneworld”)
  • Shopping with us over the phone, online (this includes using our kiosks in any of Oneworld Partner’ stores) or otherwise using any of the websites (“our Websites”) or mobile applications (“our Mobile Apps”) where this Policy is posted; or
  • This Policy also applies if a member contact us or we contact a member about our Services

Notes

  1. Parts of this Policy also apply to our partners ‘store CCTV systems where they capture footage of members.
  2. Some other parts of our business, other Oneworld Group companies and Oneworld partners may need to collect and use personal data to provide a member with their products and services and for certain other purposes. They have their own privacy policies that explain how they use a member’s personal data.
  3. Our Websites or Mobile Apps may contain links to other websites operated by other organisations that have their own privacy policies. Please make sure you read the terms and conditions and privacy policy carefully before providing any personal data on a website as we do not accept any responsibility or liability for websites of other organisations.

Personal data we collect when we interact with a member

This section tells you what personal data we may collect from a member when a member use our Services and what other personal data we may receive from other sources.

Types of data

Aggregated data
We do not keep personal data we do not need. If we remove enough personal data it becomes anonymous. This means that a member cannot be identified. We might also take data we hold and remove certain information and replace it with other non-identifying information such as ID number or reference number. This is an extra technique we use to protect data. We normally use these techniques to look at large amounts of individuals customers. This includes information that is statistical or demographic data.
Identity data
This is information that helps us identify who is a member (e.g. his name, title or card number)
Contact data
This is information that details how we can contact a member i.e his/her address, email or telephone number.
Financial data
This is information about payment details.
Location data
In some cases our apps might ask for member’s location information to help better serve member. Member will be made aware at the time if we would collect this data.
Special category data
This is special information that the law says is more sensitive (sometimes it is referred to as sensitive personal data) and it needs more protection. If we collect sensitive personal data in our interactions with a member (for example a member is making a complaint to us), this will be done with member’s consent and its use made clear to member.
Transaction data
This is information about member’s purchase of a product or service from us. This includes when, where, what and how member purchased that item or service. It will also include where we sent that product or service and any Oneworld points or other benefits collected as part of the transaction.
Technical data
This is information about member’s device used to access our sites and apps. This could be information that identifies member’s device, its operating system, internet address, member’s login data; browser and plug-ins; location; where member came to our site from and where member leave to as well as how often a member visits. If a member use our in-store WIFI we will collect information about where and when he/she accessed our network; This is done via the use of cookies which is covered elsewhere in this notice.
User data
This is information collected about a member as a user of our partners’ stores, products and services more generally (compared to other types of data that relate to a member directly for us to deliver our specific service to the member). This may include where a member engage with Oneworld in a survey, provide feedback on his/her shopping experience, are captured by CCTV, or other camera technologies such as queue monitoring. We will also collect information about the member that allows us to create an analysis of the member as a consumer to better judge what products and services to offer in our partners’ stores.
Interaction data
This is information about how a member interact with our products and services, namely, what he/she clicks on and interact with on our sites and apps or products in partners ‘stores.
Marketing & communications data
This is the member’s marketing preferences and also his/her interaction with online marketing to be able to judge its effectiveness.

When a member registers for our Services

He/she may provide us with:

§ His/her personal details, including his/her region, email addresses, phone numbers, date of birth, NIC and title;

§ Information relating to his/her membership of any of our loyalty programmes;

§ His/her account login details, such as his/her username and the password that he/she  has chosen.

We may collect:

§ Identity data

§ Contact data

§ Financial data

§ Technical data

§ User data

§ Marketing and communications data

When a member shops with us online or browse our Websites or use our Mobile Apps

We may collect:

§ Information about member’s online purchases (for example, what a member has bought, when and where he/she bought it and how he/she paid for it);

§ Information about member’s online browsing behaviour on our Websites and Mobile Apps and information about when he/she clicks on one of our adverts (including those shown on other organisations’ websites);

§ Information about any devices a member has used to access our Services (including the make, model and operating system, IP address, browser type and mobile device identifiers).

What type of data might be collected:

§ Identity data;

§ Contact data;

§ Financial data;

§ Transaction data;

§ Technical data;

§ User data;

§ Interaction data;

§ Marketing and communications data.

 

When a member use Oneworld card to shop with us, or use Oneworld vouchers or coupons

We may collect:

Transaction information, including the in-store and online purchases member earns Oneworld points for and how he/she uses his/her Oneworld card coupons and vouchers within the Oneworld ecosystem and/or with Oneworld Partners.

What type of data might be collected:

§ Identity data;

§ Transaction data;

§ User data;

§ Marketing and communications data.

 

When you contact us or we contact you or you take part in promotions, competitions, surveys or reviews about our Services

We may collect:

§ Personal data the member provides about himself/herself anytime he/she contacts us about our Services (for example, his/her name, username and contact details), including by phone, email or post or when he/she speaks with us through social media;

§ Details of the emails and other digital communications we send to the member that he/she open, including any links in them that he/she clicks on;

§ His/her feedback and contributions to customer surveys or reviews.

What type of data might be collected:

§ Identity data;

§ Contact data;

§ User data.

 

When a member visits Oneworld partners’ stores

We may collect:

§ Footage of the member may be recorded on the CCTV systems.

What type of data might be collected:

§ Identity data;

§ User data;

§ Interaction data.

Other sources of personal data

We may also use personal data from other sources, such as specialist companies that supply information, online media channels, our Retail Partners and public registers. For example, this other personal data helps us to:

  • Manage member’s Oneworld account (including the allocation of points);
  • Review and improve the accuracy of the data we hold;
  • Improve and measure the effectiveness of our marketing communications, including online advertising.

Why we collect the data and why we are allowed to use it

This section explains in detail how and why we use personal data. We use personal data to:

Make our Services available to Oneworld members

This means that processing member’s personal data allows us to:

  • Manage the accounts the member holds with us, including his/her Oneworld account
  • Process member’s orders and refunds
Why do we process member’s personal data in this way?

We need to process member’s personal data so that we can manage member’s accounts, provide with the goods and services he/she want to buy and help him/her with any orders and refunds he/she may ask for.

Why we are using this data?
  • Contractual Necessity – at the time we collect it:
  • Purchase & transaction data;
  • Contact details;
  • Profile details;
  • Delivery/collection details.
  • We will not be able to provide the member with his/her products or services if he/she does not provide us with this data.
  • Legitimate Interests – following fulfilment of member’s order.

Manage and improve our day-to-day operations

Manage and improve our Websites and Mobile Apps
Why do we process member’s personal data in this way?

We use cookies and similar technologies on our Websites and Mobile Apps to improve customer experience. Some cookies are necessary so a member should not disable these if he/she want to be able to use all the features of our Websites and Mobile Apps. A member can disable other cookies but this may affect his/her customer experience.

Help to develop and improve our product range, services, stores, information technology systems, know-how and the way we communicate with a member

 

Why do we process member’s personal data in this way?

We rely on the use of personal data to carry out market research and internal research and development, and to improve our information technology systems (including security) and our product range, services and stores. This allows us to serve Oneworld members better as customers.

Detect and prevent fraud or other crime
Why do we process member’s personal data in this way?

It is important for us to monitor how our Services are used to detect and prevent fraud, other crimes and the misuse of services. This helps us to make sure that our members can safely use our Services.

Why we are using this data?
  • Contractual Necessity – at the time we collect it:
  • Purchase & transaction data;
  • Contact details;
  • Profile details;
  • Delivery/collection details.
  • We will not be able to provide you with your products or services if you do not provide us with this data.
  • Legitimate Interests – following fulfilment of a member’s order for the other personal data in that section.

Personalising member’s experience

Use member’s online browsing behaviour as well as his/her in-store and online purchases (including Oneworld transactions) to help us better understand him/her as a customer and provide him/her with personalised offers and services.
Why do we process your personal data in this way?

Looking at member’s browsing behaviour and purchases allows us to personalise our offers and services for members. This helps us meet member’s needs as a customer.

Provide member with relevant marketing communications (including by email, post or online advertising), relating to our products and services, and those of our suppliers, Retail Partners and the Oneworld ecosystem. As part of this, online advertising may be displayed on websites across the Oneworld ecosystem and on other organisations’ websites and online media channels. We may also measure the effectiveness of our marketing communications and those of our suppliers and Retail Partners.
Why do we process your personal data in this way?

We want to ensure that we provide members with marketing communications, including online advertising, that are relevant to their interests.

To achieve this, we also measure members’ responses to marketing communications relating to products and services we offer, which also means we can offer them products and services that better meet their needs as a customer.

A member can change his/her marketing choices, both when he/she register with us, and at any time after that. He/she also has choices when it comes to online advertising. We set out below his/her choices when it comes to cookies, and how he/she can control his/her online behavioural advertising preferences.
Why are we using this data?

§ Legitimate Interests.

 

Contact and interact with a member

Contact a member about our Services, for example by phone, email or post or by responding to social media posts that he/she has directed at us.
Why do we process your personal data in this way?

We want to serve the member better as a customer so we use personal data to provide clarification or assistance in response to his/her communications.

Manage promotions and competitions a member take part in, including those we run with our suppliers and Retail Partners.
Why do we process your personal data in this way?

We need to process member’s personal data so that we can manage the promotions and competitions he/she choose to enter.

Invite a member to take part in and manage customer surveys, reviews and other market research activities carried out by the Oneworld Group and by other organisations on our behalf.
Why do we process your personal data in this way?

We carry out market research to improve our Services. However, if we contact a member about this, he/she does not have to take part in the activities. If he/she tell us that he/she does not want us to contact him/her for market research, we will respect this choice. This will not affect his/her ability to use our Services or his/her Oneworld card.

Why are we using this data?
  • Legitimate Interests.

Claims

In order to resolve legal claims or disputes involving a member or us.
Why do we process the member’s personal data in this way?

For example if the member has any accident or there is an incident at our partners’ stores. This could include medical reports.

Why are we using this data?
  • Bringing or defending legal claims

CCTV

To monitor the safety of our partners’ stores in order to prevent and detect crime and anti-social behaviour.

If a member park in a Oneworld partner’s car parks, we may utilise Automatic Number Plate Recognition Technologies (ANPR) to identify if member’s vehicle has complied with parking rules. Where there is a security or claim incident involving a vehicle, we may use ANPR to assist in investigation into those incidents.

Why do we process your personal data in this way?

In order to protect our business, the local community, customers and colleagues.

 

Why are we using this data?
  • Legitimate Interests.

Our Legitimate Interests in using your personal data

This section explains how and why we share personal data with other companies within the Oneworld Group.

Where we have mentioned above our use of your personal data is based on our “legitimate interests”, these are:

  • to service our customers’ needs, including delivering our products and services;
  • to promote and market our products and services;
  • to service member’s account (such as your Oneworld account), manage complaints and resolve any disputes;
  • to understand our customers including their patterns, behaviours as well as their likes and dislikes;
  • to protect and support our business, colleagues, customers and shareholders;
  • to prevent and detect anti-social behaviour, fraud and other crime;
  • to test and develop new products and services as well as improve existing ones.

We may share the personal data we collect with other companies in the Oneworld Group.

Sharing personal data with Retail Partners and Service Providers

This section explains how and why we share personal data with Retail Partners and Service Providers.

When we share personal data with these companies, we require them to keep it safe and adhere all of the GDPR, DPA and relevant regulatory requirements. We work with carefully selected partners that can provide customers with services that complement the One World offering and the partner will use the data in accordance with this purpose only. Members agrees for their data being shared and contacted in correlation to digital payment solutions and any other complementary offerings.

Retail partners

We work with a number of Retail Partners who:

  • sell products through our services; or
  • offer products, services and/or the ability to earn points through Oneworld.

We only share personal data that enable our Retail Partners to provide their services.

Service Providers

  • We work with carefully selected Service Providers that carry out certain functions on our behalf. These include, for example, companies that help us with technology services, storing, combining and analysing data, processing payments, provide us with legal or other professional services as well as delivering orders. We only share personal data that enable our Service Providers to provide their services.
  • Some of the Service Providers we work with operate online media channels, and they place relevant online advertising for our products and services, as well as those of our suppliers and our Retail Partners, on those online media channels on our behalf.
  • When we introduce a customer to a product or service this is referred to as onboarding. We use partners to help us ‘onboard’ a member as a customer to any marketing he/she receive from us.

Examples of our Service Providers include Facebook, Youtube, WhatsApp and Instagram.

Sharing personal data with other organisations

We may share personal data with other organisations in the following circumstances:

  • if the law or a public authority says we must share the personal data or for the administration of justice;
  • if we need to share personal data in order to establish, exercise or defend our legal rights (this includes providing personal data to others for the purposes of preventing fraud);
  • where we restructure, sell or transfer our business (or a part of it). For example, in connection with a takeover or merger.

How we protect member’s personal data

We know how important it is to protect and manage member’s personal data. This section sets out some of the measures we have in place.

  • We apply physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of personal data;
  • We protect the security of your information while it is being transmitted by encrypting it;
  • We use computer safeguards such as firewalls and data encryption to keep this data safe;
  • We only authorise access to employees and trusted partners who need it to carry out their responsibilities;
  • We regularly monitor our systems for possible vulnerabilities and attacks, and we carry out penetration testing to identify ways to further strengthen security;
  • We will ask for proof of identity before we share member’s personal data with him/her.

Note

Whilst we take appropriate technical and organisational measures to safeguard member’s personal data, it is important that he/she keeps his/her login details and devices protected from unauthorised access.

The personal data that we collect from a member may be transferred to, and stored at, a destination outside Mauritius and the European Economic Area (“EEA”). It may also be processed by companies operating outside Mauritius and the EEA who work for us or for one of our service providers. If we do this, we ensure that your privacy rights are respected in line with this Policy. The most common way we do this is to put in place a specific type of contract or through an approved scheme such as the Privacy Shield.

How long we use personal data for

We will not keep member’s personal data longer than we need to, and will only use his/her personal data for the purposes set out in this Policy. We will always keep member’s personal data in accordance with applicable legal and regulatory requirements. In most circumstances, this means we will not keep member’s personal data for more than 7 years after the end of your relationship with us. However, for certain data sets we have the following retention periods:

  • Customer complaints and feedback will be deleted 3 years after the date of last communication.
  • Information a member submit when participating in research panels/market surveys will be deleted 3 years after its creation.
  • CCTV data will be deleted 1 month after its creation.
  • Health and safety records (example: incident reports) will be deleted 7 years after their creation.
  • Where member’s personal data is needed because we are in serious dispute with him/her (such as litigation), member’s personal data will be deleted 7 years after closure of the matter.

Cookies and similar technologies

We and our partners use cookies and similar technologies, such as tags and pixels (“cookies”), to personalise and improve customer experience as a member use our Websites and Mobile Apps and to provide him/her with relevant online advertising. This section provides more information about cookies, including how we use them and how a member can exercise his/her choices about our use of cookies.

How we use cookies

Cookies are small text files containing a unique identifier, which are stored on computer or mobile device so that the device can be recognised when a person is using a particular website or mobile app. They can be used only for the duration of the person’s visit or they can be used to measure how the person interacts with services and content over time. Cookies help to provide important features and functionality on our Websites and Mobile Apps, and to improve customer experience. Cookies can also be used help us to detect fraudulent activity or to prevent security breaches and so we may record information about a device within the cookie.

When a member consents to cookies on our Services, these may be used to do the following:

Improve the way our Websites and Mobile Apps work

Cookies allow us to improve the way our Websites and Mobile Apps work so that we can personalise experience and allow a member to use many of their useful features.

Improve the performance of our Websites and Mobile Apps

Cookies can help us to understand how our Websites and Mobile Apps are being used, for example, by telling us if a user get an error messages as he/she browses. These cookies collect data that is mostly aggregated and anonymous.

Deliver relevant online advertising, including via social media

We use cookies to help us deliver online advertising that we believe is most relevant to members on our Websites and other organisations’ websites and using social media. Cookies used for this purpose are often placed on our Websites by organisations providing specialist services to us. These cookies may collect information about members’ online behaviour, such as their IP address, the website they arrived from and information about their purchase history or the content of their shopping basket. This means that members may see our adverts on our Websites and on other organisations’ websites. Members may also see adverts for other organisations on our Websites.

To help us to deliver online advertising that is relevant to members, we may also combine data we collect through cookies in the browser of members’ desktop computer or other devices with other data that we have collected, for example member’s use of Oneworld card and in-store purchases.

Measuring the effectiveness of our marketing communications, including online advertising

Cookies can tell us if a member has seen a specific advert, and how long it has been since he/she has seen it. This information allows us to measure the effectiveness of our online advertising campaigns and control the number of times a member is shown an advert.

We also use cookies to measure the effectiveness of our marketing communications, for example by telling us if a member has opened a marketing email that we have sent.

Third parties operating through our Websites and Mobile Apps

Our key partners are listed below with information about the services they provide to us. This list is not exhaustive but it does include those partners with whom we have an established relationship and whose cookie technologies are most frequently deployed through our Services.

Measurement & Personalisation

To analyse how our services are used, including to test different content versions. This data may also be used to enable us to personalise our services and the marketing of our services.

§ Adobe

§ Optimizely

§ Google

§ Integral Ad Science

Product recommendations

To enrich member’s shopping experience by delivering personalised recommendations to him/her on some of our websites.

§ Rich Relevance
Online marketing

To personalise Oneworld adverts shown to members via Oneworld and on other websites based on members’ interactions with Oneworld. For example, by using data about member’s transactions with Oneworld, what he/she has in his/her basket and the pages and products he/she looks at. We may also use Oneworld data to better personalise our marketing via our main data partner, Bramston & Associates.

§ Bing

§ Google

Social media

To market to member via social media platforms and to enable social sharing and engagement on our websites. These companies may use members’ data for their own purposes, including to profile and target members with other advertising.

§ Facebook

§ Twitter

§ Instagram

§ WhatsApp

 

Commenting

To power commenting on our websites.

§ Disqus
Delivering ads for our Retail Partners

To enable us to personalise and deliver online advertising on behalf of our Retail Partners.

§ Google
Security of our websites and apps

To enable us to personalise and deliver online advertising on behalf of our Retail Partners.

§ Akamai

Your choices when it comes to cookies

Web browser cookies A member can use his/her browser settings to accept or reject new cookies and to delete existing cookies. He/she can also set his/her browser to notify him/her each time new cookies are placed on his/her computer or other device. If a member choose to disable some or all cookies, he/she may not be able to make full use of our Websites. For example, he/she may not be able to add items to his/her shopping basket, proceed to checkout, or use any of our products and services that require him/her to sign in.
Mobile Apps

 

Cookies work differently on Mobile Apps as they are coded into the App itself and will use a unique identifier created by the mobile device for use for advertising activities. A user can turn off or reset this advertising identifier through his/her mobile device’s privacy settings.
Managing cookie preferences We use cookies to improve member’s experience on our website. However, member’s consent is needed for certain cookies before they can be used. Member can also choose which cookies he/she allow us to use, apart from essential cookies, which can’t be turned off.

Subject access rights

A member has the right to see the personal data we hold about him/her. This is called a Subject Access Request.

To comply with government guidance and enable our office colleagues to work from home, if you would like a copy of the personal data we hold about you, please email us at subjectaccess.request@oneworld.mu.

Other data protection rights

In relation to member’s personal data, a member also have the right to:

have inaccurate information corrected

if he/she believes we hold inaccurate or missing information, he/she may let us know and we will correct it.

object to our use of it

general objection – We will then consider member’s objection to our use of his/her personal data. If on balance, his/her rights outweigh our interests in using his/her personal data, then we will at his/her request either restrict our use of it or delete it.

objection in relation to direct marketing – If a member makes such an objection, we will stop using your personal data for direct marketing purposes.

restrict our use of it

There are several situations when a member can restrict our use of his/her personal data, this includes (but is not limited to):

§ he/she successfully made a general objection;

§ he/she is challenging the accuracy of the personal data we hold;

§ we have used his/her personal data unlawfully, but he/she does not want us to delete it.

 have us delete it

There are several situations when a member can have us delete his/her personal data, this includes (but is not limited to):

§ we no longer need to keep member’s personal data;

§ he/she has successfully made a general objection;

§ He/she has withdrawn his/her consent to us using his/her personal data (and we do not have any other grounds to use it);

§ we have unlawfully processed his/her personal data.

have us transfer or “port” a copy of it

Data portability is a member’s right to obtain and reuse the personal information that he/she has provided to Oneworld for his/her own purposes across different services.

complain to the data protection regulator

We’d like the chance to resolve any complaints a member have, however he/she also have the right to complain to the Mauritius Data protection Office about how we have used his/her personal data. Their website is https://dataprotection.govmu.org.