Customer Privacy Notice
Date: 21 August 2020
1.1 This is the Privacy and Cookies Notice ("Notice") for the website hosted at www.laybuy.com ("site") and the Laybuy app "App" (together, the "Platform"). The Platform is operated by or on behalf of Laybuy Holdings (UK) Limited trading as Laybuy ("Laybuy", "we", "us" and "our"). This Notice applies to individuals browsing our Platform, and individuals using our services and our Platform ("you" and "your"). We are committed to protecting and respecting your privacy.
1.2 This Notice sets out:
- What information do we collect about you?
- How do we use your information?
- Who do we share your information with?
- Where do we store your information?
- Where do we store your information?
- What about payment processing?
- How do we protect your information?
- How long we keep your information?
- What rights do you have?
- Changes to this Notice
- Contact Us
- Cookies and other technologies
1.3 Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.
1.4 By using our services you acknowledge you have read and understood this Privacy Notice.
1.5 If you are in the United Kingdom or the European Economic Area, then under your local data protection law, (the "Data Protection Law"), the data controller is: Laybuy Holdings (UK) Limited. In certain circumstances, Laybuy (UK) Limited will also be a data controller.
2. What information do we collect about you?
We will collect and use the following categories of personal data from you, from other organisations and automatically via our Platform -- for example, when you fill in any of the application forms on our Platform. We explain what we do with each of the categories in the next section.
2.1 You provide us with the following categories of information about you
This is information about you that you give us, usually via our Platform, or by phone, e-mail or otherwise. It includes information you provide when you register to use our Platform, subscribe to our service, search for a product, place an order, submit a query, and when you report a problem with our Platform.
- Contact: basic contact information, such as your first and last name, email address, home address, as well as billing and shipping details
- Identity: additional information you provide, including your photo, gender, date of birth, and personal information in or about the content you provide
- Log-in: information in connection with an account sign-in facility, your log-in and password details
- Communications: records of any correspondence and communications if you contact us, including information you supply if you report a problem with our Platform to us. This covers information we learn about you from:
- Texts, in-app messaging & other digital messaging
- Face-to-face conversations you have with us
- Financial: Laybuy does not access, collect or store your payment information. We use a payment processor to manage this for us.
- Marketing: you may also provide us with your personal direct marketing preferences, like whether you would like to receive email or text updates from us
You must keep your personal information up-to-date -- please tell us promptly about any changes, for example if you have a new address.
2.2 Information we receive from other sources.
We are working closely with third parties (including, for example, retailers, sports teams, ticketing partners, business partners, sub-contractors in technical, payment and delivery services, debt collection agencies, advertising networks, analytics providers, and search information providers). We will notify you when we receive information about you from them and the purposes for which we intend to use that information.
We may receive information about from other organisations, including:
- Credit: credit score and insolvency information, from our third party credit score providers and identity verification providers (including Experian). Laybuy will assess and keep your Laybuy credit limit.
- Advertising: Advertisers may share technical information and information about your visits with them, including your experiences or interactions with them (see the next section for more detail about what this means).
2.3 Information we collect about you from your use of our Platform:
We will automatically collect information from you each time you use our Platform.
(a) Technical information
Technical information may include the Internet protocol (IP) address, login information, browser type and version and, browser plug-in types and versions, device settings (e.g. language, time zone), device or similar IDs, operating system and platform, hardware version, mobile operator or ISP.
(b) Information about your visit
Information about your visit may include the full Uniform Resource Locators (URL), clickstream to, through and from our site (including date and time), products you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page, and any phone number used to call our customer service number or social media handle used to connect with our customer service team and our social media accounts.
(c) Location data
Location data includes specific geographic locations (such as through GPS, Bluetooth, or Wi-Fi signals) which we use to provide location services (if you ask or permit us to), so that we can deliver content, advertising or other services that are dependent on knowing where you are, like checking for fraudulent transactions.
Location data may be collected in combination with device ID, so we can recognise your mobile browser or device when you return to the Service.
Delivery of location services will involve us checking any of the following:
- the coordinates (latitude/longitude) of your location;
- your current country or region, by referencing your current IP address against public sources; and/or
- your Identifier for Advertisers (IFA) code for your Apple device, or the Android ID for your Android device, or a similar device identifier.
You can opt-out of location sharing.
3. How do we use your information?
We use information held about you in the following ways, and we explain the legal reason (or 'lawful basis') for each use as well. For more information about what these legal reasons mean, please read the next section: 'Legal reasons explained'.
3.1 If you browse our Platform, we use automatically collected information to:
- understand how individuals use our Platform, and how we can improve it.
- ensure content from our site is presented in the most effective manner for you and for your computer.
- provide you with the information, products and services that you request from us or we think you may be interested in.
We do this with your consent, where required, or in our legitimate interests, where we have considered these are not overridden by your rights.
3.2 If you create and use your account with us, we use your Contact, Identity, Log-in, Financial, Credit, Verification and Automatically Collected information to:
- create and administer your account with us.
- verify your identity (including appropriate screening processes).
- conduct credit checks, and receive results from our third party credit check providers.
- verify and carry out financial transactions in relation to payments you make online/through the Platform.
- provide aggregated reporting information to, and otherwise manage and fulfil our agreements with, our shareholders, investors and finance providers.
- identify you when you sign-in to your account and give you appropriate access to our Platform (in accordance with your agreement with us).
- enforce or apply our terms or other agreements with you.
- notify you about changes to our service.
We may conduct some profiling and automated decision-making to help us determine whether or not to verify and approve your account, including on the basis of your credit history. If you would like more information about our automated-decision making practices, or would like to request a manual review of any decision, please contact us.
We do this to take any steps to enter into any contract, or carry out our obligations under any contract, between you and us (including our Consumer Terms & Conditions and Website Terms & Conditions). We also do this to comply with our legal obligations.
3.3 When you contact or engage with us, we use your Contact, Identity, Log-in, Financial, Credit Verification and Communications information to:
- provide you with customer support, including
- contacting you if you've asked us to do so, including troubleshooting problems, and helping with any issues concerning our Platform, and
- providing you with the information, products and services that you request from us.
We do this to take any steps to enter into any contract, or carry out our obligations under any contract, between you and us (including our Consumer Terms & Conditions and Website Terms & Conditions). We may also do this with your consent or in our legitimate interests.
3.4 If we share marketing or advertising with you, we may use your Contact, Marketing, Advertising and Automatically Collected information to:
- provide you with promotional update communications by email, SMS, in-App alerts, and phone about our services about goods or services we feel may interest you.
- contact you for your opinions about our Platform, including through surveys and other market research.
- understand how you use and interact with our services and the things you're connected to and interested in, both on our Platform and (on the basis of aggregated social media information across our social media profiles, and to undertake marketing analysis.
- provide you with personalised recommendations, promotional updates and marketing to improve your experience with our Platform (based on, for example what we know about what our UK customers like, or your own past orders).
- only if you opt in, we may use your location information to provide you with local offers and promotions. For example, if you are near a store we partner with, we may provide you with a specific promotional update. You can opt out again at any time.
- measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you.
We may conduct some profiling and automated decision-making to help us provide you with relevant information, suggestions and recommendations for products. If you would like more information about our automated-decision making practices, or would like to request a manual review of any decision, please contact us.
We do this if permitted in our legitimate interests (where we have considered these are not overridden by your rights) or with your prior consent (where required by law).
You can opt-out of further marketing at any time by selecting the "unsubscribe" link at the end of all our promotional updates and marketing to you, by sending us an email at email@example.com (or, if applicable, by changing your marketing preferences in your account).
3.5 When we maintain and improve our Platform, we may use your Account, Marketing Advertising and Automatically Collected information (including Location data) to:
- administer our Platform and services and for internal operations, including audits, troubleshooting, data analysis, testing, research, statistical and survey purposes.
- evaluate and improve our products, services and Platform, including developing and testing new features.
- keep our Platform safe and secure.
- to detect and protect against error, fraud or other criminal activity.
- improve our Platform to ensure that content is presented in the most effective manner for you and for your computer, and to alert you to any hardware or software incompatibility issues.
- allow you to participate in interactive features of our service, when you choose to do so.
We do this in our legitimate interests, where we have considered these are not overridden by your rights. We also do this to comply with our legal obligations.
3.6 Information we receive from other sources
We may combine this information with information you give to us and information we collect about you in our legitimate interests (where we have considered that these are not overridden by your rights). We will use this information and the combined information for the purposes set out above (depending on the types of information we receive).
We may pseudonymise and/or anonymise and aggregate any of the above categories of information.
What does this mean?
- Pseudonymised means that you cannot be identified from the data unless it's combined with additional information hold.
- Anonymised means that you cannot be identified from the data -- for example, if we create aggregated statistics.
We use aggregated information (such as statistical data or customer profile information) to help us analyse how visitors use our site (including behaviour patterns and the tracking of visits across multiple devices) and interact with us on social media (for example, statistics about demographics or users per country), provide more useful information to our customers, and understand which of our services are of most interest.
We may provide aggregated data (for example, demographic statistics about our customers) to our partners or other third parties in exchange for access to the products or services that they provide, or to promote our Platform.
Where such aggregate information is derived from your personal data we will take steps to pseudonymise or anonymise your personal data, so that you cannot be easily re-identified from aggregate information retained or used for these purposes.
While our anonymisation and aggregation of data is based on our legitimate interest in developing and improving our services, you may let us know if you would prefer we do not use your data for this purpose. This will not affect any data which has already been anonymised, but we can stop using your personal data for this purpose going forward. Please contact us at firstname.lastname@example.org if you would like to ask about your data not being used to help us improve and develop our Platform and services.
3.8 Legal reasons (or 'lawful bases') explained
In accordance with applicable data protection law, we rely on one or more of the following grounds when processing your data:
- Consent: We'll use your personal information to send you promotional or marketing content if you have given us consent to us doing so, where required by law.
You can opt-out of further marketing at any time by selecting the "unsubscribe" link at the end of all our promotional updates and marketing to you, by sending us an email to email@example.com (or, if applicable, by changing your marketing preferences in your account).
We also rely on consent for some of the cookies we use (see our Cookies Notice in Section 12 for more detail).
- Contract: We collect, store and process your personal information where it is necessary for performing a contract you have with us (such as our Terms & Conditions), or where you have asked us to take specific steps before entering into that contract. This includes notifying you about changes to our Services and organisation.
- Legal Obligation: We may need to process your personal information to comply with our legal obligations, including under applicable local, UK and EU law, and/or any court orders. This may include compliance with know-your-client and anti-money laundering rules.
- Legitimate interests: We may process your personal information if it is necessary for our legitimate interests or the legitimate interests of a third party, provided those interests are not outweighed by your rights and interests.
Our legitimate interests include:
- Providing you with the information, products and services that you request from us.
- Providing you with our promotional updates and marketing if we reach out to you and/or you are interacting with us in a business-to-business context (or in certain cases if you have purchased a service from us and have not opted-out at the time of purchase or any time since) (you are free to opt-out at any time).
- Providing you and our other customers with personalised recommendations, promotional updates and marketing to improve your experience with our Services (based on, for example what we know about what our UK customers like, or your own past orders).
- Gaining insights into how customers use our Services; delivering, developing and improving our Services, and growing our business and informing our marketing strategy.
- Measuring and understanding the effectiveness of advertising we serve to you and others, and delivering relevant advertising to you.
- Keeping our Services safe and secure.
- Improving our Site to ensure that content is presented in the most effective manner for you and for your computer.
- Administering our Site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes.
- Carrying out our obligations in our agreements with our business partners (for example, providing high-level statistics and summaries about how Laybuy users engage with them).
In each case, these legitimate interests are only valid if they are not outweighed by your rights and interests. If you would like further information about how we assess our legitimate interests, please contact us at firstname.lastname@example.org.
*We also use different types of cookies (including automatically collected information) on our Services with your consent -- we explain this in the Cookies section.
4. Who do we share your information with?
We may share your personal information:
(a) with any member of our group (which includes our subsidiaries and our ultimate holding company and its subsidiaries, and Laybuy (UK) Limited), who support our processing of personal data under this Notice, who we support in processing your personal data, or who we otherwise share your personal data with. If any of these parties are using your information for direct marketing purposes, we will only transfer the information to them for that purpose with your prior consent.
(b) with selected third parties, including the credit reference agencies (CRAs) we work with.
Our selected third parties may include:
(i) Organisations who process your personal data on our behalf and in accordance with our instructions and the Data Protection Law. This includes in supporting the services we offer through the Platform in particular those providing website and data hosting services, providing fulfilment services, distributing any communications we send, supporting or updating marketing lists, facilitating feedback on our services and providing IT support services from time to time. These organisations (which may include third party suppliers, agents, sub-contractors and/or other companies in our group) will only use your information to the extent necessary to perform their support functions.
(ii) Advertisers and advertising networks that require the data to select and serve relevant adverts to you and others. We do not disclose information about identifiable individuals to our advertisers, but we will provide them with aggregate information about our users (for example, we may inform them that 500 men aged under 30 have clicked on their advertisement on any given day). We may also use such aggregate information to help advertisers reach the kind of audience they want to target. We may make use of the personal data we have collected from you to enable us to comply with our advertisers' wishes by displaying their advertisement to that target audience and subject to the cookie section of this Notice.
(iii) Analytics and search engine providers that assist us in the improvement and optimisation of our site and subject to the cookie section of this Notice (this will not identify you as an individual).
(iv) Merchants and business partners who provide services to you, and with whom we have entered into agreements in relation to the processing of your personal data a list of whom can be provided upon request.
(v) Our shareholders, investors and finance providers in order to provide aggregated reporting data and to otherwise manage and fulfil our agreements with them (including in the USA).
(vi) Credit Reference Agencies for the purpose of assessing your credit score whether when setting up an account with us or on an ongoing basis. We do this to assess creditworthiness and product suitability, check your identity, manage your account, trace and recover debts and prevent criminal activity. We continue to exchange information about you, your settled accounts and debts not fully repaid on time with the Credit Reference Agencies while you use our services. The Credit Reference Agencies will share your information with other organisations. Your data will also be linked to the data of your spouse, any joint applicants or other financial associates.
(vii) The identities of the Credit Reference Agencies we use, and the ways in which they use and share personal information, are explained in more detail at:
(A) Experian: www.experian.co.uk/crain
(B) Call Credit: www.callcredit.co.uk/crain
(C) Equifax: www.equifax.co.uk/crain
(viii) Payment processing providers who provide secure payment processing services.
(ix) Debt collection agencies, should your account fall into arrears, in order to collect the amount you owe us from you.
(c) any person to whom disclosure is necessary to enable us to enforce our rights under this Privacy Notice or under any agreement we have with you, or to protect our rights or the rights of third parties. This includes exchanging information with law enforcement agencies (including regulators) or other similar government bodies
(d) where required to do so by court order or where we are under a duty to disclose or share your information in order to comply with (and/or where we believe we are under a duty to comply with) any legal obligation.
(e) in the event that we sell or buy any business or assets, in which case we will disclose your personal data to the prospective seller or buyer.
If we share your personal information with our group companies or other third parties, we will take steps to protect your personal information in our contractual agreements with these third parties, and to require that they have appropriate technical and organisational security measures in place, in compliance with applicable data protection laws.
5. Where do we store your information?
5.1 We are based in the UK. Our parent company is Laybuy Holdings Limited, in New Zealand.
5.2 We may transfer your information outside the United Kingdom ("UK") and/or European Economic Area ("EEA"), including to countries that may not be subject to equivalent data protection law. If we do, we will take all steps reasonably necessary to ensure that your data is subject to appropriate safeguards, such as relying on a recognised legal adequacy mechanism, and that it is treated securely and in accordance with this Privacy Notice.
5.3 We may transfer your personal information outside the EEA:
(a) in order to store it.
(b) in order to enable us to provide goods or services to you and fulfil our contract with you. This includes order fulfilment, processing of payment details, and the provision of support services.
(c) where we are legally required to do so.
(d) in order to facilitate the operation of our group of businesses, where it is in our legitimate interests and we have concluded these are not overridden by your rights.
5.4 We may transfer your personal information as detailed below.
We aim to keep this table up-to-date. If you would like a current list of international transfers or more detail about how we protect your personal information when we transfer it outside of the UK/EEA, please contact us at email@example.com.
6. What about payment processing?
6.1 Payment details you provide will be encrypted using secure sockets layer (SSL) technology before they are submitted to us over the internet.
6.2 Payments made on the Platform are made through our payment gateway provider, Stripe. You will be providing credit or debit card information directly to Stripe which operates a secure server to process payment details, encrypting your credit/debit card information and authorising payment. Information which you supply to Stripe is not within our control and is subject to Stripe's own Privacy Notice and terms and conditions.
7. How do we protect your information?
7.1 We take reasonable steps, including physical, technical and organisational measures, to protect your personal information from unauthorised access and against unlawful processing, accidental loss, destruction and damage.
7.2 All information you provide to us is stored on our secure servers. Any payment transactions will be encrypted using SSL technology. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our Platform, you are responsible for keeping this password confidential. Do not share your password with anyone.
7.3 Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our Platform; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
7.4 External links
Our site may, from time to time, contain links to external sites. If you follow a link to any of these websites, please note that these websites have their own privacy policies. Please check these policies before you submit any personal data to these websites. We are not responsible for the privacy policies or the content of such sites.
7.5 Child safety
Protecting the safety of children when they use the Internet is important to us. Our Platform is intended for use only by persons who are at least 18years of age. You may not use our Platform unless you are 18 or older.
8. How long we keep your information?
8.1 We will keep personal data for:
(a) as long as you have an account with us in order to meet our contractual obligations to you, and
(b) for six years after that to identify any issues and resolve any legal proceedings.
8.2 If you opt-out from us sending you promotional updates and marketing, or object to any other processing of your personal information, we may keep a record of your opt-out or objection so we can ensure we respect your direct marketing preferences.
8.3 We may also retain aggregate information beyond this time for research purposes and to help us develop and improve our services. You cannot be identified from aggregate information retained or used for these purposes.
9. What rights do you have?
9.1 If you are in the UK/EEA, you have the right under certain circumstances:
(a) to be provided with a copy of your personal information held by us;
(b) to request the correction or deletion of your personal information held by us;
(c) to request that we restrict the processing of your personal information (while we verify or investigate your concerns with this information, for example);
(d) to object to the further processing of your personal information, including the right to object to marketing;
(e) to request that your provided personal data be moved to a third party, and
(f) to withdraw consent.
Where the processing of your personal information by us is based on consent, you have the right to withdraw that consent without detriment at any time by contacting us. You can also change your marketing preferences at any time.
9.2 You can also exercise the rights listed above at any time by contacting us at firstname.lastname@example.org. Please note that we may require you to verify your identity in order for us to help with your request. The information we require to verify your identity may depend on the nature of your request. We will keep this information for as long as required to respond to your request, to maintain records of our response (to demonstrate our compliance with applicable law), and in certain cases for six years after that to identify any issues and resolve any legal proceedings
9.3 If your request or concern is not satisfactorily resolved by us, you may approach your local data protection authority, (see http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.html). If you are in the UK, this is the Information Commissioner's Office ("ICO").
10. Changes to this Notice
Any changes we make to our Privacy Notice in future will be posted on this page and, in relation to substantive changes, will be notified to you by e-mail. This Notice was last updated on 21 August 2020.
11. Contact Us
Questions, comments and requests regarding this Privacy Notice are welcomed and should be addressed to:
Laybuy Holdings (UK) Limited, 33 Foley Street, Fitzrovia, London, United Kingdom, W1W 7TL
12. Cookies and other technologies
12.3 A number of cookies and similar technologies we use last only for the duration of your web or app session and expire when you close your browser or exit the App. Others are used to remember you when you return to the Platform and will last for longer.
12.4 We use strictly necessary cookies if they are necessary for the performance of a contract with you, or because using them is in our legitimate interests (where we have considered that these are not overridden by your rights). We use all other cookies with your consent.
12.6 Disabling cookies
The effect of disabling cookies depends on which cookies you disable but, in general, the website may not operate properly if all cookies are switched off.
If you want to disable cookies on our website, you need to change your website browser settings to reject cookies. How you can do this will depend on the browser you use.
Microsoft Internet Explorer
1. Select the Tools menu > Internet Options
2. Click on the Privacy tab
3. Click on Advanced within the Settings section and select the appropriate setting
1. Select Settings > Advanced
2. Under Privacy and Security > Content settings.
3. Click Cookies and select the relevant options
1. Select Preferences > Privacy
2. Click on Remove all Website Data
1. Choose the Tools menu > Options
2. Click on the Privacy icon
3. Select the Cookie menu and select the relevant options
Opera 6.0 and further
1. Choose Files menu > Preferences
2. Select Privacy