The Confused.com Rewards website (rewards.confused.com/choose) (the “Service”) is operated by The Marketing Lounge Partnership Limited (MLP) registered in England and Wales with Company Registration Number 06467245 and having its registered office address at The Cow Shed, Walnut Tree Farm, Lower Stretton, Warrington, Cheshire WA4 4PG (“We”, “Us”, “MLP”) on behalf of Inspop.com Limited (“Confused.com”, “client”) and is committed to protecting and respecting your privacy.
The personal information you input on the Confused.com Rewards website (e.g. first name, last name, e-mail address, telephone, vehicle registration, residential address) and your use of the site will be used by MLP, a service provider on behalf of Confused.com, to submit your rewards claim and manage your access to the Confused.com Rewards website, provide you with requested services and to improve the customer experience.
MLP is committed to protecting your right to privacy as a user of our online documents. It is our policy to respect the privacy of private communication.
The information you provide to us will be held for MLP on servers based in the UK, and, except as explained below, we will not transfer it, or authorise its transfer, outside the UK.
We collect information about our users in order to help us continually improve the products and services we offer, as well as using that data to help with our fraud checks.
MLP will always adhere to UK Data Protection Legislation, including but not limited to, the Data Protection Act 2018 and EU Regulation 2016/679 General Data Protection Regulation (“GDPR”).
Other than as stated below, we do not hold or use any information that you provide, or which we collect, outside the European Economic Area (“EEA”), nor do we transfer it to, or share it with, others within or outside the EEA (except when we believe in good faith that the law requires it).
In respect of the personal data collected and processed from you when you use the Website and the Services, the Controller is Inspop.com Limited trading as “Confused.com” and MLP acts as Processor.
Inspop.com Limited is registered in England and Wales at 3rd Floor, Greyfriars House, Greyfriars Road, Cardiff CF10 3AL (Reg. No. 03857130). Inspop.com Limited is authorised and regulated by the Financial Conduct Authority (Firm reference number: 310635) with ICO registration number: Z5612229.
2. About MLP
MLP is the parent company for a number of organisations, including The Marketing Lounge Partnership LLP and MLP Fulfilment Services Limited. The full list of organisations that fall into the scope of this notice can be found in section 3 below, along with their associated websites.
MLP is the data controller for all the organisations within the group that are covered by the scope of this notice. This means that The Marketing Lounge Partnership (MLP) determines what data is collected by each organisation within the group, how this data is going to be used and how this data is protected.
Our registered office address is:
The Marketing Lounge Partnership Limited
The Cow Shed,
Walnut Tree Farm,
If you have questions about how we process personal data, or would like to exercise your data subject rights, please email us at firstname.lastname@example.org.
3. Companies and websites within scope
The Marketing Lounge Partnership, The Marketing Lounge Partnership LLP, MLP Fulfilment Services Limited - www.mlp.agency and the related Service websites hosted for our clients.
We consider these predominantly UK-based websites; see section 8 below for more information on our limited non-UK data processing.
It includes personal data that is collected through our websites, by telephone, through LiveChat and through any related social media applications.
4. Collection of personal data
We collect personal data for one or more of the following purposes:
- To provide you with information that you have requested or that we think may be relevant to a subject in which you have demonstrated an interest.
- To initiate and complete commercial transactions with you, or the entity that you represent, for the purchase of products and/or services.
- To fulfil a contract that we have entered into with you or with the entity that you represent. In these circumstances it may be your entity, rather than yourself, that has provided us with your personal data.
- To provide access to trial software and to deliver a range of free material on request.
- To ensure the security and safe operation of our websites and underlying business infrastructure.
- To manage any communication between you and us.
In addition, to ensure that each visitor to any of our websites can use and navigate the site effectively, we collect the following:
- Technical information, including the IP (Internet Protocol) address used to connect your device to the Internet.
- Your login information, browser type and version, time zone setting, browser plugin types and versions.
- Operating system and platform.
- Information about your visit, including the URL (Uniform Resource Locator) clickstream to, through and from our site.
From time to time we may use technologies, such as tracking pixels (also called 1x1 pixels or pixel tags), to collect the above information from your interaction with emails we send you. This enables us to focus our marketing to your needs, leading to more relevant emails to our subscribers. It also helps us to identify subscribers that are not engaged with our marketing emails, enabling us to remove them from our send lists.
In section 11 below, we identify your rights in respect of the personal data that we collect and describe how you can exercise those rights.
5. Lawful basis for the processing of personal data
In order for us to fulfil our contractual and customer obligations, there is a requirement to collect specific personally identifiable information.
There are legal bases for the processing of such personally identifiable information; primarily personal information is processed on the basis of consent. We retain evidence of consent which has been collected by MLP or provided by our clients. Where consent cannot be obtained for various reasons, we may legally process the information you provide to us because we have a legitimate interest in doing so.
We have a legitimate interest in further processing the information which is provided by you or our client. We may also use your information for other specific legitimate purposes such as:
- To ensure that content from our site is presented in the most effective manner for you.
- To provide you with information, products or services that you request from MLP.
- To carry out our obligations arising from any contracts entered into between you and MLP.
- To notify you about changes to our service.
We may also use your data, or permit selected third parties (outlined in Section 6), such as, but not limited to, participating partners, to use your data to provide you with information about goods and services which may be of interest to you, and we may contact you about these by post or telephone. If you are an existing customer, we will only contact you by electronic means with information about goods and services like those which were the subject of a previous interest to you.
Information collection and use
While using our Service, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you (“Personal Data”). The data we collect about you may include, but is not limited to:
- Name (first, surname, other)
- Residential address
- Email address
- Car registration
- Telephone numbers
- If you contact us, we may keep a record of that correspondence, and use it for training and quality purposes
- Details of your visits to our site and the resources that you access.
- Account Identifiers
- Insurance policy details including but not limited to insurance product, insurance provider, policy number, insurance purchase date
We may also collect information on how the Service is accessed and used (“Usage Data”). This Usage Data may include information such as your computer’s Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that you visit, the time and date of your visit or an email opened, the time spent on those pages, unique device identifiers and other diagnostic data.
6. Do We Share Your Personal Data?
We share your personal data with selected third parties exclusively to provide services to you and to fulfil our contractual obligations with our client.
The data supplied is also limited, with the minimum being used for each of the services below:
Used to track page views. Sending the 3rd party Page Information (URL, Title), Browser Information (Browser name, Viewport or Viewing pane, Screen resolution, Java enabled, Flash version), User Information (Location - IP address, Language). More information can be found here https://policies.google.com/privacy?hl=en-US
Used as a fraud prevention tool. Sending the 3rd party the Reward Choice chosen, IP and various device information. More information can be found here https://www.transunion.com/privacy/iovation
Used to verify and obtain a list of UK postal addresses within a postcode. Sending the 3rd party a postcode only. More information can be found here https://ideal-postcodes.co.uk/privacy_policy
UK Vehicle Data
Used to verify a UK vehicle registration and provide additional vehicle details such as vehicle make and model. Sending the 3rd party a vehicle registration only. More information can be found here https://ukvehicledata.co.uk/policies/GDPR-Privacy-Policy
LIDL (“LIDL PLUS”)
Used to process and apply the claimant’s £20 Lidl Plus coupon to a Lidl Plus app account and to provide information about which Lidl Plus coupons are redeemed by the customer. Sending the 3rd party (Lidl Stiftung & Co. KG, Stiftsbergstr. 1, 74167 Neckarsulm, Germany) the email address provided by the customer which is linked to their Lidl Plus app account only. This is provided to Lidl in order to carry out information matching included in the Lidl Plus database for the purpose of assigning a corresponding coupon. After successful matching, the email address and the date of coupon redemption will be returned to MLP for the purposes of invoicing and analysis. In the case that the referred email address cannot be matched in the Lidl Plus database, Lidl will return the invalid email address to MLP so that MLP can inform the customer to make the required changes.
The legal basis for processing your personal data is based on the performance of a contract (Article 6 (1) (b) GDPR).
More information can be found here https://www.lidl.co.uk/confused.com-lidl-plus-data-protection-information-clause
7. What Are Your Rights As A Data Subject?
Individual data subjects have the following rights under the GDPR which we will always work to uphold:
- The right to access your personal data by means of a subject access request (see below).
- The right to have your personal data rectified if any of your personal data held by us is inaccurate or incomplete.
- The right to erasure (also known as the right to be forgotten).
- The right to restrict or object to our processing of your personal data for particular purposes.
- The right to data portability. This means that you can ask us for a copy of your personal data to re-use with another service or business. Please note, however, that this right applies only if you have provided personal data to us directly, we are using it with your consent or for performance with a contract, and your data is processed using automated means.
- Rights relating to automated decision-making and profiling. We do not, however, use your personal data in this way.
For more information about our use of your personal data or exercising your rights as outlined above, please contact us.
Further information about your rights can be obtained from the Information Commissioner’s Office. You also have the right to lodge a complaint with the Information Commissioner’s Office if you feel that your rights have been breached.
8. Storage of personal data
MLP is a UK-domiciled organisation whose offices are in the UK.
- The majority of our websites and web applications are hosted in the UK and are accessed only by our UK and EU-based staff.
- Our Customer Services and Fulfilment Team are UK-based; however, they may use systems that reside within the EEA.
- MLP may use 3rd party services, where data leaves the EEA. These are Tracking (Google Analytics). Data transfers are made in accordance with the requirements of Regulation (EU) 2016/679 (the General Data Protection Regulation or “EU GDPR”) and may be based on the use of the European Commission’s Standard Contract Clauses for transfers of personal data outside the EEA.
- MLP use a range of CSPs (Cloud service providers) as part of our processing environment. Unless we specifically state otherwise, we are, in respect of all these CSPs, the data processor for our clients.
- Personal data supplied by a client or gathered as a part of the agreed contractual processes will be controlled by the client.
- Unless we specifically state otherwise, all the CSPs that we use utilise UK processing facilities.
- Our banking arrangements are based in the UK.
- We ship and deliver physical and digital products around the world; we therefore use logistics companies that are based outside the UK and operate in other countries. We have appropriate legal and security relationships with those partners.
- We distribute products supplied by organisations outside the UK. This may mean that our partners will have access to information about data subjects who purchase their products.
- We operate a data retention policy in respect of all data, whether paper-based or digital.
- All backups of MLP’s systems and data reside within the EEA.
9. Removal of your data
MLP will store your personal data and other non-personal data relating to your submitted rewards claim or submitted query on the Website, insofar as is necessary to service your Rewards claim.
MLP will anonymise and remove your personal data and other data relating to your submitted rewards claim from MLP hosted systems, in line with the below timeframes. The timeframe of when data will be removed from MLP systems and anonymised will depend on the journey the data subject has been subjected to and ultimately the status of your rewards claim.
For claims whereby a Reward is issued with an affiliated bonus Greggs reward, all data affiliated with the claim, as stated below, will be removed 3 months after the 12th and final bonus Greggs reward code has expired. This relates to the 12 Greggs hot drinks you automatically receive when your reward is verified. For claims whereby a Reward is issued without an affiliated bonus Greggs reward, all claim data will be removed 3 months after the Reward Code has expired, except in the scenario whereby a Lidl Plus reward is assigned, in which all claim data will be removed 6 months after the Reward Code has expired.
For claims whereby no Reward is issued due to an unsuccessful Rewards claim, all data affiliated with the claim, as stated below, will be removed 6 months after the claim is assigned a rejected status.
For claims whereby no Reward is issued due to the claimant failing to reveal their Reward in the permitted 30 days, all data affiliated with the claim, as stated below, will be removed 6 months after the 30 day period to reveal has expired.
Data that will be removed will include:
- Personal data relating to a Rewards claim or query (first name, last name, vehicle registration, postcode and full address, email address, telephone numbers)
- Non-personal data relating to a Rewards claim or query (insurance policy purchase details such as insurance policy number)
- Information and collected data relating to a query submitted on the Website (including any data that relates to the personal and non-personal categories in the above two points and message histories)
- Statistical information relating to a Rewards claim or query (including emails you have received from MLP about your Reward)
Please note that any anonymised and removed data cannot be retrieved again.
10. Security measures
Our ISMS (information security management system) is certified to ISO/IEC 27001.
MLP have what we believe are appropriate security controls in place to protect personal data. Risk assessment, including assessing risks to the rights and freedoms of data subjects, is at the heart of our ISMS. We do not, however, have any control over what happens between your device and the boundary of our information infrastructure. You should be aware of the many information security risks that exist and take appropriate steps to safeguard your own information. We accept no liability in respect of breaches that occur beyond our sphere of control.
11. Your rights as a data subject
As a data subject whose personal information we hold, you have certain rights. If you wish to exercise any of these rights, please email email@example.com or use the information supplied on the ‘Contact us’ page: https://rewards.confused.com/choose/contact-us. To process your request, we will ask you to provide two valid forms of identification for verification purposes. Your rights are as follows:
The right to be informed
As a Data Processor, we are obliged to provide clear and transparent information about our data processing activities. This is provided by this privacy notice and any related communications we may send you.
The right of access
You may request a copy of the personal data we hold about you free of charge. Once we have verified your identity and, if relevant, the authority of any third-party requestor, we will provide access to the personal data we hold about you as well as the following information:
- The purposes of the processing.
- The categories of personal data concerned.
- The recipients to whom the personal data has been disclosed.
- The retention period or envisioned retention period for that personal data.
- When personal data has been collected from a third party, the source of the personal data.
If there are exceptional circumstances that mean we can refuse to provide the information, we will explain them. If requests are frivolous or vexatious, we reserve the right to refuse them. If answering requests is likely to require additional time or occasions unreasonable expense (which you may have to meet), we will inform you.
The right to rectification
When you believe we hold inaccurate or incomplete personal information about you, you may exercise your right to correct or complete this data.
This may be used with the right to restrict processing to make sure that incorrect/incomplete information is not processed until it is corrected.
The right to erasure (the ‘right to be forgotten’)
Where no overriding legal basis or legitimate reason continues to exist for processing personal data, you may request that we delete the personal data. This includes personal data that may have been unlawfully processed. We will take all reasonable steps to ensure erasure.
The right to restrict processing
You may ask us to stop processing your personal data. We will still hold the data but will not process it any further. This right is an alternative to the right to erasure. If one of the following conditions applies, you may exercise the right to restrict processing:
- The accuracy of the personal data is contested.
- Processing of the personal data is unlawful.
- We no longer need the personal data for processing but the personal data is required for part of a legal process.
- The right to object has been exercised and processing is restricted pending a decision on the status of the processing.
The right to data portability
You may request your set of personal data be transferred to another controller or processor, provided in a commonly used and machine-readable format. This right is only available if the original processing was on the basis of consent, the processing is by automated means and if the processing is based on the fulfilment of a contractual obligation.
The right to object
You have the right to object to our processing of your data where:
- Processing is based on legitimate interest;
- Processing is for the purpose of direct marketing;
- Processing is for the purposes of scientific or historic research; or
- Processing involves automated decision-making and profiling.
12. European Union representation
We have appointed IT Governance Europe Limited to act as our EU representative. If you wish to exercise your rights under the EU General Data Protection Regulation (EU GDPR), or have any queries in relation to your rights or general privacy matters, please email our Representative at firstname.lastname@example.org. Please ensure to include the company name: MLP and the website address https://rewards.confused.com/choose in any correspondence you send to our Representative.
13. Contact Us