With the following information, we would like to give you an overview of the processing of your personal data within the scope of the installation and usage of the "Stocard" mobile application (hereinafter referred to as app) and your rights from data protection laws.
Which data is processed and how this is used is based on if you use the app without explicit consent to this data protection statement (see section 2 a) to c)) or you have given consent to the processing of your personal data within the app (see section 2 d) to h)).
1. Who is responsible for data processing and who can I contact?
The responsible position is:
C-Hub / Hafenstraße 25-27
Stocard UK Limited
71 Queen Victoria Street
London EC4V 4B
You can reach our data protection officer at:
Data protection officer
C-Hub / Hafenstraße 25-27
Stocard UK Limited
Data protection officer
71 Queen Victoria Street
London EC4V 4B
Email address: email@example.com
2. What sources and data do we use?
In connection with the installation and usage of the app, we collect, process and use the data described below to find out which companies, products or other topics you are interested in and which information and offers from our partner companies are relevant for you to be able to use the functions of our app on this basis as needed and to provide you with the most relevant information and offers from our partner companies in the app.
If you use the app, we collect, process and use the following data for the previously listed purposes to fulfill our contractual obligations in terms of art. 6 para. 1 b GDPR or based on entitled interest in terms of art. 6 para. 1 f GDPR (this means interest in the analysis, optimization and efficient operation of our app):
- a) Card data: To be able to use the functions of the app, you have to provide your loyalty card and customer number from a card provider. This card data is converted for the contractually agreed upon purposes, this means into the respective barcode, and then used within the scope of the app as well as to protect against abuse and - if additionally agreed upon - the provision of other services.
- b) Usage data: If you use the app, we collect and save how you use the card (for example, card used, time, number of points).
- c) Location data: If you allow the app to access the location function on your mobile device, Stocard is entitled to use the corresponding location data (so-called location-based data) to design the app as needed, to deliver location-related information and for advertising. Stocard only accesses this data in an anonymous form. There is no further usage or sharing of this location-based data from the respective user. For the location-based data, the Stocard app uses the GPS module from the mobile device, the IP address or cellular network data (cell ID) from the respective user.
We also use the previously listed data in an anonymized form for market research and to create anonymized statistics.
If you consent to the respective data processing within the scope of the app, we can process and use your data for the respectively specified purposes:
- d) Registration data: When applying for a new loyalty card, usually your name and your email address and any other mandatory information are needed (basic data). This basic data and further voluntarily disclosed data (for example, telephone number) is collected, saved and used by Stocard within the scope of the registration of the respective loyalty card. The basic data, any voluntary information and, if necessary, their changes (application data) will be sent to the partner company by Stocard for the further processing and issuing of the respective customer card where you apply for the respective customer card. If you have agreed to have your application data forwarded to a partner company, this consent also applies to other customer cards that you apply for through the app. Any transfer of personal data to third parties going beyond this only occurs - except in the case of a concrete suspicion of abuse - if and provided that you have given Stocard separate consent to this transmission. Furthermore, the customer card conditions from the respective partner apply, which are linked correspondingly and you have given separate consent.
- e) Interface data: if you have logged into your user account from a card provider through the app, we will collect and save the respective point status and the shared transactions or other offers provided to you (such as card-linked coupons or personalized offers). The respective login data is saved to ensure easy access to this interface or other interfaces in the future where you can also use this login data.
- f) Personalized offers: If you consent to the delivery of personalized offers from our partner companies (for example, rebate coupons), we can share your card number with general information about your usage of the app with the respective card provider so that we can send you personalized offers (including card-linked coupons) through the app or through other electronic channels (for example, by email or messenger).
- g) Data privacy statement for receiving PAYBACK points balance and transactions: You can enter the password for your PAYBACK account in the Stocard app in order to display your PAYBACK points and your PAYBACK transactions. After entering your credentials, we will collect and securely transmit your password to PAYBACK, in order to request your data from PAYBACK and display it in Stocard. To facilitate future requests, we will store your password in Stocard.
- h) Data privacy statement for receiving DeutschlandCard points balance and transactions: You can enter the password for your DeutschlandCard account in the Stocard app in order to display your DeutschlandCard points and your DeutschlandCard transactions. After entering your credentials, we will collect and securely transmit your password to DeutschlandCard, in order to request your data from DeutschlandCard and display it in Stocard. To facilitate future requests, we will store your password in Stocard.
3. What do we process your data for (purpose of processing) and on which legal basis?
We process personal data in agreement with the regulations of the General Data Protection Regulation (GDPR) and the German Data Protection Regulation:
a) To fulfill contractual obligations (art. 6 para. 1 b. GDPR)
The processing of data occurs primarily to be able to provide the services and functions from our app.
b) Within the scope of the consideration of interests (art. 6 para. 1 f. GDPR)
If necessary, we will process your data beyond the actual fulfillment of the contract to preserve entitled interests from us or third parties, for example,
- to design the app as needed,
- to examine and optimize the procedure for the analysis of requirements for the purpose of direct customer contact,
- for advertising or market and opinion research, provided that you have not objected to the usage of your data,
- to preserve IT security,
- to control and develop our app.
c) Based on your consent (art. 6 para. 1 a GDPR)
If you have given us express consent (opt-in) to process personal data for the respective purposes within the corresponding functions of the app (for example, application for a customer card from a partner, login to your user account from a card provider, delivery of personalized offers (so-called card-linked coupons), the legality of this processing (for example, forwarding the data to third parties) is given on the basis of your consent. Granted consent can be revoked at any time. This also applies to the revocation of declarations of consent that have been granted to us before the applicability of the GDPR, therefore before May 25, 2018. The revocation of consent does not affect the legality of the data processed until revocation.
4. How are third-party services integrated?
On the basis of our entitled interests in terms of art. 6 para. 1 lit. f. GDPR (this means interest in the analysis, optimization and efficient operation of our app), we use the following third-party services:
- a) Mixpanel: we use Mixpanel in our app - a service offered by Mixpanel Inc. (Mixpanel), 405 Howard Street, Floor 2, San Francisco, CA 94105, USA to collect technical data from our app and website in a pseudo-anonymous manner so that we can better understand how users interact with our app. Mixpanel is used to be able to better understand and track activities within the app as well as to inform you based directly on your activities. You can find more information about Mixpanel at https://mixpanel.com/terms. You can opt out of this data processing at any time through https://mixpanel.com/optout.
- c) AppsFly Software Development Kit (SDK): we use the AppsFlyer Software Development Kit (SDK) from AppsFlyer Ltd. within our app. 141 5th Avenue Suite 9, New York, NY 1001, United States. AppsFlyer allows for different evaluations regarding the success of our advertising campaign and the installation of the app. Our app sends anonymous data and information that the app was started to AppsFlyer for this purpose. An anonymous advertising ID serves as a pseudonym. Only statistical analyses are created through AppsFlyer. We, therefore, do not have any information about the user's identity. AppsFlyer is certified under the Privacy Shield agreement and offers a guarantee to comply with European data protection regulations. You can find more information about the AppsFlyer SDK at https://www.appsflyer.com/product/data-privacy You can opt out of this data processing at any time through https://www.appsflyer.com/optout.
- d) Facebook Software Development Kit (SDK): in our app, we use the Software Development Kit (SDK) from Facebook Inc. (Facebook), 1601 S. California Ave, Palo Alto, CA 94304, USA. The Facebook SDK allows different types of evaluations on the installation of the app and regarding the success of the advertising campaign. Additionally, individual activities (events) from the user within the app can be analyzed to be able to define the target group for advertising campaigns in a more precise and better manner. Our app sends anonymous data to Facebook and the information that the app was started for this purpose. The advertising ID provided by the end device's operating system serves as a pseudonym. In the case of our app, however, the advertising ID does not serve to optimize advertisements through Facebook for the user, but rather is discarded by Facebook, because our app has prevented the use of the advertising ID for optimized advertising purposes by Facebook. We, therefore, do not have any information about the user's identity. Facebook is certified under the Privacy Shield agreement and offers a guarantee to comply with the European data protection regulations. You can find out more information about the Facebook SDK under iOS at https://developers.facebook.com/docs/ios. For Android here: https://developers.facebook.com/docs/and. If you would like to opt out of this data processing, you can use the settings and opt out options provided by Facebook under https://www.facebook.com/ads/preferences/edit.
5. Who gets my data?
Other than the processing listed above, your personal data will be only be shared with your consent.
Within Stocard, only those who need access to your data to fulfill our contractual and legal obligations will also receive access to it.
With the express consent to this data protection declaration, you give us the consent to share your data as specified in section 2 d) - h) with the respective card provider or the respective partner company.
6. Will data be transmitted to a third party country or an international organization?
Data transmission to sites in states outside of the European Union (so-called third-party states) occurs provided that
- it is required to execute your orders,
- it is legally prescribed,
- within the scope of order data processing or
- you have given us your consent.
If there are service providers in a third party state, they are additionally obligated to the written instructions through the agreement of the EU standard contract clauses or certification under the Privacy Shield to comply with the data protection level in Europe.
7. How long will my data be saved?
We process and save your personal data as long as it is required to fulfill our contractual and legal obligations. It must be considered that our business relationship is a continuing obligation that exists for years.
If the data is no longer required to fulfill contractual or legal obligations, it will be deleted regularly unless the limited further processing is required to preserve evidence within the scope of statutory limitation periods. According to §§ 195ff. of the Civil Code (BGB), these limitation periods can amount to up to 30 years, whereby the regular limitation period is 3 years.
8. What data protection rights do I have?
Every affected person has the right to information according to article 15 GDPR, the right to correction according to article 16 GDPR, the right to deletion according to article 17 GDPR, the right to limit processing according to article 18 GDPR, the right to opposition from article 21 GDPR as well as the right to data transmission from article 20 GDPR. With the right to information and deletion, the restrictions according to §§ 34 and 35 GDPR apply. Furthermore, there is a right to lodge a complaint to a responsible data protection supervisory authority (article 77 GDPR in connection with § 19 GDPR).
You can opt out of the granted consent for the processing of your personal data. This also applies to opting out of declarations of consent, which have been granted to us before the applicability of the General Data Protection Regulation, therefore before May 25, 2018. Please remember that the opt-out will only work in the future. Processing that has occurred before the opt-out will not be affected by this.
9. Is there an obligation to me providing data?
Within the scope of our business relationship, you have to provide personal data that is required for the beginning and execution of a business relationship and the fulfillment of the affiliated contractual obligations or for the collection of which we are legally obligated to. Without this data, we are normally not able to complete the contract with you or execute it.
10. What type of automated decision-making exists?
We do not use fully automatic decision-making in accordance with article 22 GDPR. Partial automatic decision-making is used for providing the payment services (see Section 12).
11. Is there profiling?
Some of your data from section 2 are processed in an automated manner (so-called profiling) with the objective of designing the app to meet demands or to be able to inform you in the app about products and offers from our partners. This permits us communication and advertising as needed in the app including market and opinion research on the basis of anonymous data.
The following information applies to the application and usage of the payment services in addition to the information listed above.
a) Data collection
We collect, process and use the data described below for the purpose of providing the payment services to you:
- Identity and contact data you provide by signing up and using the payment services, such as your full name, date of birth, residential address, ID, selfie, e-mail address and mobile phone number;
- Due diligence data including information we receive from searches made in your name with KYC agencies;
- Financial and transaction data, including details about your Stocard card, transactions you carry out and any funding source you use to top up.
b) How we use your information
We may use your personal data to:
- provide you with the payment services;
- monitor, analyse and improve the services;
- search KYC agencies’ records to verify your identity;
- manage any policies, agreement, or correspondence you may have with us;
- fight illegal activities like fraud, money-laundering, terrorism and other crimes, and
- keep to any laws or regulations in any country
We use third-party services in order to provide the payment services to you and we may share some of the above data of yours with them:
- Global Processing Services (GPS): we use Global Processing Services (GPS), 2nd Floor, St Mary’s Court, 20 Hill Street, Douglas, IM1 1EU, Isle of Man as the issuing processor. GPS provides the card issuing, transaction processing and fraud monitoring system that is essential to the payment services. You can find more information about GPS at https://globalprocessing.net/privacy-policy
- Moorwand Ltd.: we use Moorwand Ltd, Birchin Court 20 Birchin Lane, London, EC3V 9DU, UK as the issuing financial institution of the Stocard payment services. Moorwand Ltd is an authorised Electronic Money Institution regulated by the Financial Conduct Authority. You can find more information about Moorwand at https://www.moorwand.com/privacy
- W2 Global Data Solutions Ltd.: we use W2 Global Data Solutions Ltd., Clarence House, Clarence Place, Newport, NP19 7AAW2, UK to screen you for politically exposed person (PEP) status and sanctions lists, and to verify your identity by checking databases for a match on the personal information provided by you. You can find more information about W2 at https://www.w2globaldata.com/useful-links/privacy
- ComplyAdvantage: we use IVXS UK Ltd, trading name ComplyAdvantage, 90 Long Acre, 4th Floor, London, WC2E 9RA, UK to screen you for politically exposed person (PEP) status and sanctions lists. You can find more information about ComplyAdvantage at https://complyadvantage.com/terms-and-conditions
- Onfido: we use Onfido, 3 Finsbury Avenue, London EC2M 2PA, UK to verify your identity online based on a selfie and a photo of your government-issued ID. You can find more information about Onfido at https://onfido.com/privacy
- Mastercard: we use Mastercard (Europe), Chaussée de Tervuren 198A, 1410 Waterloo, Belgium as the card network and token service provider to provide the payment services. Information concerning your card is transferred to Mastercard MDES to be tokenized. The tokens are used to authorize and to perform transactions with other service providers. You can find more information about Mastercard at https://www.mastercard.co.uk/en-gb/about-mastercard/what-we-do/privacy.html
- Certain authorities that detect and prevent fraud or other crimes (including authorities in the UK and abroad).
c) Data retention period
Records of your identity checks and transactions will be retained for 10 years in order to fulfill our regulatory obligations.
d) Automated decision-making and profiling
We may process your personal data partially automated to assess if you pose a fraud, money laundering or terrorist financing risk in the following situations:
- To complete sanctions and PEP status screening.
- To verify your identity as required by law in order to provide you with higher limits.
- To analyse your payment transactions and behaviour against that of known fraudsters or money launderers.
You have rights in relation to automated decision-making and profiling. Please contact our customer support if you want to know more about how we process your data.