VUSE SOUTH AFRICA PRIVACY NOTICE
Welcome to Vuse. This Privacy Notice explains what we do with your personal information when you are visiting www.vuse.com/za (“Website”) or making a purchase on the Website, or engage with us over the phone. It describes how we collect, use and process your personal information, and how, in doing so, we comply with our legal obligations to you. Your privacy is important to us, and we are committed to protecting and safeguarding your rights.
This Privacy Notice applies to the personal information of our consumers. If you are not a consumer, please contact us and we will advise you of the applicable Privacy Notice for your situation.
For the purpose of applicable data protection legislation British American Tobacco South Africa (Pty) Ltd, whose registered office is at 3 Dock road, Waterway House, V&A Waterfront, Cape Town, South Africa, 8000 and our affiliate Twisp (Pty) Ltd whose registered office is at 3 Dock road, Waterway House, V&A Waterfront, Cape Town, South Africa, 8000 (“we”, “our” or “us”) are the ‘controllers’ of your personal information. This means we decide why and how your personal information is used and are responsible for protecting it. Please refer to the end of this notice for our contact and company information.
We may amend this Privacy Notice from time to time. Please visit this page regularly as we will post any changes here. Where appropriate, we may also notify you of the changes by email. Please see further the section Changes below.
If you are dissatisfied with any aspect of this Privacy Notice, you may have legal rights which we have described below where relevant.
1. INFORMATION WE COLLECT ABOUT YOU
When you use the Website or interact with us offline we collect and use information about you in the course of providing you with our products and services and with customer support. We may collect some or all of the information listed below to help us with this:
- information that you submit online via the Website or give to us by phone, including your name, contact details, date of birth, age, your vaping history and preferences, login credentials and bank details. We collect this in a number of ways, including when you register for an account with us and/or make a purchase online or offline;
- information that you submit via any contact forms on the Website and any correspondence we have with you over email or phone or via the webchat function on the Website;
- details of transactions you carry out or orders you place through the Website, or by phone or in-store;
- details of your marketing preferences;
- extra information that you choose to tell us; and
- technical information about your visit, including details of your visits to the Website and your navigation around the Website, traffic data, communication data, information about the device you use to access the Website, your Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform.
Some of the personal information we collect from you are required to enable us to fulfil our contractual duties to you or to others. For example, when buying products from us, we need to collect your financial bank details in order to be able to process your payment and we need to verify your age to comply with laws that apply to us. Other items may simply be needed to ensure that our relationship can run smoothly.
Depending on the type of personal information in question and the grounds on which we may be processing it, should you decline to provide us with such data, we may not be able to fulfil our contractual requirements or, in extreme cases, may not be able to continue with our relationship with you.
For details of the legal bases that we rely on to be able to use and process your personal information, please see Our legal basis for using your information.
2. HOW WE USE YOUR INFORMATION
Use of your information
We use your information in the following ways:
- to carry out our obligations arising from any contracts with you when you make a purchase on the Website or by phone and for billing and delivery purposes;
- to ensure that the Website’s content is presented as effectively as possible for you;
- for our internal purposes, such as quality control, Website performance, system administration and to evaluate use of the Website, so that we can provide you with enhanced services;
- to notify you about changes to our services;
- to provide you with information about products or services that you request from us, or which we feel may interest you (where necessary, after obtaining your consent) – see details below;
- to tailor and personalise the marketing communications we send you. For example, we may send you marketing information at times such as your birthday;
- to create reports to assist with future marketing;
- to verify your age (please see below for further details);
- to authenticate you when logging into your account (if you have created one) and to allow you to register for other websites and services we or our BAT entities operate to make those registration processes more convenient for you;
- in the rare event that we stop providing the Website, to move and combine your personal information held within our databases relating to the Website with those of another similar or related online service (whether a Website or App) that we or one of our BAT entities operate. If we do so we will always email you to inform you of these changes in advance;
- to provide you with customer support, respond to your queries and resolve your complaints; and
- to enable you to participate in the features of the Website, when you choose to do so.
As this Website relates to vaping and vaping products, we must ensure that all users are aged 18 years or over.
In order to enable us to do this we will require certain information about you. Our double age gate on site entry will require that you enter your date of birth and confirm that you are either under or over 18 years of age.
On delivery of any of our vapour products, the delivery partner will request that you verify your age by showing either an ID or driver’s licence.
In some cases, we may need to ask for further information in order to verify your age. If this is necessary, we will contact you to explain why.
We may collect your preferences to receive marketing information directly from us by email in the following ways:
- if you register for an account on the Website, we will ask you if you would like to opt in to receive marketing information directly from us;
- when you make an in-store purchase and request to receive your receipt via email, in that email, we will ask you if you would like to opt in to receive marketing information directly from us;
- if you click on the link on our Website to sign up to our newsletter; or
- if you place an order using the Website we may contact you with marketing information, except where you indicate you would prefer otherwise using the option we provide at the time.
If you do not complete a purchase and have not indicated that you would prefer otherwise, we may send a reminder to you about your incomplete purchase or ask why you did not complete the purchase so that we may better refine the service we offer.
From time to time, we may ask you to refresh your marketing preferences by asking you to confirm that you consent to continue receiving marketing information from us.
You have the right to opt-out of our use of your personal information to provide marketing to you in any of the ways mentioned above at any time. Please see Your rights below for further details on how you can do this.
Use of non-personal information
We may monitor your use of the Website and record your email address and/or IP address, operating system and browser type for system administration and to report aggregate information to our advertising partners. The information we report to our partners is statistical information about our users’ browsing actions and patterns which does not identify any individual.
We collect non-personal aggregated statistics data about visitors to the Website and sales and traffic patterns. This information does not identify users in any personal capacity and we do not use this information to build profiles on individual users: it just contains generalised information about the users of the Website.
3. OUR LEGAL BASIS FOR USING YOUR INFORMATION
There are different legal bases that we rely on to use your personal information, namely:
Entrance into and performance of a contract – the use of your personal information may be necessary to enter into a contract or perform a contract that you have with us. For example, when you buy a product from us, we need to use your personal information to process your order, send you your product, and respond to any requests you may have. We also need to use your personal information to enable you to use some parts of the Website, and to notify you about changes to our services.
Consent – we will rely on your consent, in certain cases, to send you marketing communications. You may withdraw your consent at any time.
Legal obligation – as explained above, we have a legal obligation to ensure that we do not sell our vaping products to people under 18 years old. We need to carry out age verification checks in order to comply with this obligation. We also may need to use your information to comply with other legal obligations that apply to us.
Legitimate interests – we have a legitimate interest in using your information in the other ways described in this Privacy Notice, for example to improve and personalise our products, services, and the Website, and to conduct certain marketing and market research activities.
We may make automated decisions about you based on your personal information in the following circumstances:
- to select personalised offers, discounts or recommendations to send you based on your shopping history, Website browsing history, and other information you provide to us (none of these will have a legal or other significant effect on you); and
- verify your age when you attempt to enter the website (see the explanation above for further information about this).
4. SHARING YOUR INFORMATION WITH THIRD PARTIES
- any of our BAT entities (which includes Twisp (Pty) Ltd), where this is necessary, and in accordance with laws on data transfers;
- tax, audit, or other authorities, when we believe that the law or other regulation requires us to share this data (for example, because of a request by a tax authority or in connection with any anticipated litigation);
- third party service providers who perform functions on our behalf (including external consultants and professional advisers such as lawyers, auditors and accountants, technical support functions, analytics, delivery partners engaged for the purposes of delivering our products to you and IT consultants carrying out testing and development work on our business technology systems);
- third parties for the purposes of credit card clearance, credit reference, order fulfilment, delivery, customer support services and storage services;
- third party outsourced IT providers where we have an appropriate data processing agreement (or similar protections) in place;
- if a BAT entity merges with or is acquired by another business or company in the future, we may share your personal information with the new owners of the business or company (and provide you with notice of this disclosure); and
- if we have to share your information to comply with legal or regulatory requirements (for example, for age verification purposes), or if we have to enforce or apply our Terms and Conditions or any other agreements or to protect our rights, property or our customers, etc. This may involve exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
We may share the non-personal aggregated statistics data about visitors to the Website with third parties for analytics and statistical purposes.
We do not send any personal information that we collect about you on the Website to any social media sites that you link to your account, e.g. Facebook, nor do we share that information with such sites. We do not collect any personal information about you from those sites.
5. WHERE WE STORE YOUR INFORMATION
Your personal information may be transferred outside of the Republic of South Africa to the third parties described in Sharing your information with third parties.
We want to make sure that your personal information is stored and transferred in a way which is secure. We will therefore only transfer data outside of the Republic of South Africa where it is compliant with data protection legislation and the means of transfer provides adequate safeguards in relation to your data, for example:
- by way of an intra-group agreement between BAT entities;
- to countries that have equal or better data protection laws in place;
- by way of an agreement with a third party incorporating strict data protection and security clauses;
- where it is necessary for the conclusion or performance of a contract between ourselves and a third party and the transfer is in your interests for the purposes of that contract; or
- where you have consented to the transfer.
Where we transfer your personal information outside South Africa and where the country or territory in question does not maintain adequate data protection standards, we will take all reasonable steps to ensure that your data is treated securely and in accordance with this Privacy Notice. You can ask to see these by contacting us using the contact details below.
6. HOW WE SAFEGUARD YOUR INFORMATION
We care about protecting your information. That's why we put in place appropriate measures that are designed to prevent unauthorised access to, and misuse of, your personal information.
We are committed to taking all reasonable and appropriate steps to protect the personal information that we hold from misuse, loss, or unauthorised access. We do this by having in place a range of appropriate technical and organisational measures, including encryption measures and disaster recovery plans.
If you suspect any misuse or loss of or unauthorised access to your personal information please let us know immediately by contacting our Information Officer on the details provided at the end of this notice.
Unfortunately, the transmission of information via the Internet is not completely secure. Although we will apply our normal procedures and comply with legal requirements to protect your information, we cannot guarantee the security of your information transmitted to the Website and any transmission is at your own risk.
The Website may from time to time contain links to and from other websites. If you follow a link to any of those sites, please note that those sites ought to have their own privacy policies and that we do not accept any responsibility or liability for those sites or for their privacy policies. Please check those privacy policies before you submit your information to those sites.
7. HOW LONG WE KEEP YOUR INFORMATION
We will keep your information relating to orders you have placed with us as required by law or other regulation (for example, because of a request by a tax authority or in connection with any anticipated litigation).
If you have registered an account with us: we will store your personal information for as long as your account is open. If you no longer wish to hold an account with us, you can go into “My Account” on the Website and select the option to delete your account. By doing so, we will anonymise your details and remove you from our mailing list if you are on there. However, as noted above, we may still retain details of orders you have placed with us for legal or regulatory reasons.
If you have signed up to receive email marketing from us: we will store your personal information for as long as you are subscribed to our email marketing list (unless your account has been closed). If you unsubscribe or are otherwise removed from our marketing list, we will keep your email address on our suppression list to ensure that we do not send you marketing emails.
If you have contacted us with a complaint or query: we will store your personal information for as long as is reasonably required to resolve your complaint or query.
The exceptions to the above are where:
- we have carefully considered whether we need to retain your personal information after the periods described above to potentially establish, bring or defend legal proceedings or to comply with a legal or regulatory requirement;
- we actually bring or defend a legal claim or other proceedings during the period we retain your personal information, in which case we will retain your personal information until those proceedings have concluded and no further appeals are possible;
- you exercise your right to require us to retain your personal information for a period longer than our stated retention period (see further Right to restrict processing below);
- you exercise your right to have the information erased (where it applies) and we do not need to hold it in connection with any of the reasons permitted or required under the law (see further Right to erasure below); or
- in limited cases, a court or regulator requires us to keep your personal information for a longer or shorter period.
When it is no longer necessary to retain your data, we will delete the personal information that we hold about you from our systems. After that time, we may aggregate the data (from which you cannot be identified) and retain it for analytical purposes.
8. YOUR RIGHTS
You have a number of rights in relation to your information under data protection law. In relation to certain rights, we may ask you for information to confirm your identity and, where applicable, to help us to search for your personal information. We will endeavour to respond to you as soon as is reasonably practicable and in any event within any time limits stipulated by law. In some instances, we may be able to charge a fee for responding to your request and will advise you of this and any applicable amount prior to responding.
You should be aware that certain information is exempt from the right of access. This may include information which identifies other individuals, or information which is subject to legal privilege.
You should also be aware that in some instances, if you do not provide information or you exercise any rights regarding the deletion or restriction of your information or object to the processing of your information or withdraw consent, we may not be able to process your order for products sold via the Website, process your job application or engage you as a supplier.
Right to object
This right enables you to object to us processing your personal information for direct marketing purposes or where we have relied on the justification that our processing protects your legitimate interest or our own or a third party’s legitimate interest. If you wish to exercise this right, you must submit your request in the prescribed form (Form 1 of the Regulations to POPI) to the email address stated below.
Right to withdraw consent
Where we have obtained your consent to process your personal information for certain activities (for example, for marketing), you may withdraw this consent at any time and we will cease to use your data for that purpose unless we consider that there is an alternative legal basis to justify our continued processing of your data for this purpose, in which case we will inform you of this condition. If you withdraw your consent, our use of your personal information before you withdraw is still lawful.
To withdraw your consent to marketing communications, please use the unsubscribe tool in the relevant communication or update your preferences in the account section on the Website.
Right of access (Data Subject Access Requests)
You may ask us for a copy of the information we hold about you at any time, and request us to modify, update or delete such information. Where we are legally permitted to do so, we may refuse your request. If we refuse your request we will always tell you the reasons for doing so.
If you would like to request access to your information, it would assist us with dealing with your request if you could use the subject heading ‘Data Subject Access Request’. You are also required under the Promotion of Access to Information Act to submit your request in the prescribe Form 2 of the Regulations thereto.
Right to correction, destruction and/or deletion
You have the right to request the correction or deletion of your personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully. You furthermore have the right to request that we delete or destroy personal information that is no longer necessary for us to retain.
If you wish to rectify, erase or restrict the processing of your personal information exercise any of these rights, you must submit your request in the prescribed form (Form 2 of the Regulations to POPI) to please contact us at the email address stated below.
We would only be entitled to refuse to comply with your request in limited circumstances and we will always tell you our reason for doing so.
When complying with a valid request we will take all reasonably practicable steps to delete the relevant data.
Right to rectification
You have the right to request that we rectify any inaccurate or incomplete personal information that we hold about you. If we have shared this personal information with third parties, we will notify them about the rectification unless this is impossible or involves disproportionate effort. You may also request details of the third parties that we have disclosed the inaccurate or incomplete personal information to. Where we think that it is reasonable for us not to comply with your request, we will explain our reasons for this decision.
You can access and update certain parts of your information by logging into your account on the Website.
Right to complain
You have the right to lodge a complaint with the Information Regulator. You can contact them in the following ways:
The Information Regulator (South Africa)
27 Stiemens Street,
How to exercise your rights
If you would like to exercise any of these rights, please contact us on the details provided under How to contact us. Please note that we may keep a record of your communications to help us resolve any issues that you raise.
We may make changes to this Privacy Notice at any time by posting a copy of the modified notice on the Website or, where appropriate, by sending you an email with that notice. Any changes will take effect 7 days after the date of our email or the date on which we post the modified terms on the Website, whichever is the earlier.
10. HOW TO CONTACT US
If you have any queries about this Privacy Notice, including your rights in relation to your personal information, please contact the Head of Compliance by post or by email at:
British American Tobacco South Africa (Pty) Ltd,
3 Dock road,
When contacting us by email or post, please use the subject heading ‘Data protection query’ so that we can direct your query to the appropriate department and deal with it promptly.