Privacy Policy
Language and translations
To the fullest extent permitted by law, the controlling language of this Privacy Policy is English. Any translation has been provided for your convenience.
With the following information, we would like to give you an overview of the processing of your personal data in connection with the installation and use of the Soy Club application (hereinafter referred to as "application") and of your rights under the Data Protection Act.
What data is explicitly processed and how it is used depends primarily on whether you choose to use the application without having agreed to the terms of the privacy statement (see paragraphs 2 a) to c)) or after having agreed to the processing of your personal data in the context of the application (see paragraphs 2 d) to h)).
1. Who is responsible for processing the data and who can I contact?
The lead agency is:
Soy Club
Woodrow Wilson, 6 Pl. du Président Thomas Wilson
31000 Toulouse
France
E-mail address: dpo@soyclub.com
2. What sources and data do we use?
As part of the installation and use of the app, we collect, process and use the data described below to find out which stores, products or other areas and which information and offers from our partner companies are of interest to you in order to personalize the functions of our app on this basis and to be able to provide you with the most relevant information and offers from our partner companies listed in the app.
When you use Soy Club, we collect, process and use the following data for the above purposes to fulfill our contractual obligations under Art. 6, para 1 b GDPR or due to legitimate interests under Art. 6, para 1 f GDPR (i.e. interest in analysis, optimization and economic operation of our application):
a) Card data: In order to use the functions of the application, you must provide the loyalty card number and the individual customer number of a card provider. This card data will be used for the contractually agreed purpose, i.e. converted into the respective barcode, used for the display of the application as well as for protection against misuse and, after mutual agreement, used for the provision of other services.
b) User Data: When you use the application, we collect and store how you use the maps (e.g. type of map inserted, time, score).
c) Location Data: If you have approved the application's access to the location feature of your mobile device, Soy Club is allowed to use the corresponding location data (geo-location data) for application optimization, delivery of location-related information and advertising. Soy Club only accesses this data in anonymous form. No other use or disclosure of the respective user's location data is made. The Soy Club application uses the GPS module of the mobile device, the IP address or the mobile network data (cell ID) of the respective user for location data.
In addition, we use the above data anonymously for market research and the production of anonymous statistics.
If you consent to the respective data processing within the scope of the application, we will also process and use the following data for the specified purposes.
d) Registration Data: When applying for a new Customer Card, your name, e-mail address and other mandatory information are usually required (Basic Data). The basic data provided in the registration form and any other optional information (e.g. telephone number) are collected, stored and used by Soy Club in connection with the registration of the respective customer card program. Soy Club forwards the basic data, the optional information and any changes (application data) for further processing and issuing of the respective customer card to the partner company from which you apply for the customer card. So far as you have consented to the transfer of application data to a partner company, this consent also applies to other customer cards that you apply for via the application. Any further transfer of personal data to third parties, except in the case of concrete suspicion of misuse, will only take place if and insofar as you have separately given your consent to Soy Club for such transfer. In addition, the terms and conditions of the respective partner company's customer card, which are linked accordingly and which you accept separately, shall always apply.
e) Interface Data: When you log in to a card provider's user account via the application, we collect and store the respective points and relevant transactions or other offers available to you (such as card-related coupons or personalized offers). The respective login data is stored in order to facilitate access to this or other interfaces for which you also use this login data in the future.
f) Personalized offers: If you consent to receive personalized offers from our partners (e.g., coupons), we may transmit your card number along with general information about your use of the App to the relevant card provider to enable us to offer you personalized offers (card-linked coupons) via the App or other electronic channels (e.g., email or messaging).
Soy Club participates in and complies with all the Specifications and Policies of the IAB Europe's Transparency & Consent Framework. Soy Club uses Consent Management Platform No. 92.
You can modify your choices at any time by clicking on the cookie icon on the left-corner of the website.
3. Why do we process your data (purpose of processing) and on what legal basis do we do so?
We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the German Data Protection Act:
a) For the fulfilment of contractual obligations (art. 6, paragraph 1 b. of the GDPR)
The processing of data is mainly used to provide the services and features of our application.
b) In the context of balancing interests (art. 6, paragraph 1 f. of the GDPR)
If necessary, we process your data beyond the actual performance of the contract for the protection of our own or third parties' legitimate interests, for example:
for the optimization of the application,
for the analysis and optimization of the needs analysis procedures for the direct approach of the customer,
for advertising or market research and opinion surveys, as long as you have not objected to the use of your data,
for the guarantee of computer security,
for the control and development of our application.
c) Based on your consent (art. 6, paragraph 1 a of the GDPR)
Insofar as you give us explicit consent (opt-in) for the processing of personal data for the respective purposes in the corresponding functions of the application, (e.g. applying for a loyalty card, logging in to a card provider account, sending personalized offers, or even card-related coupons), the legality of this processing (e.g. transferring the data to a third party) is based on your consent. You can revoke your consent at any time. This also applies to the revocation of consent statements issued to us before the validity date of the GDPR, i.e. before May 25, 2018. The revocation of your consent does not affect the lawfulness of the data processed until the revocation.
4. How are third-party services integrated?
On the basis of our legitimate interests within the meaning of Art. 6, para. 1, point f of the GDPR (i.e., the interest in the analysis, optimization and economic operation of our application), we use the following third-party services:
a) Webflow to receive the data and process them.
b) Amazon Web Services to store data on our allocated servers.
5. Who receives my data?
Apart from the above-mentioned processing, your personal data will only be passed on with your consent.
At Soy Club, only the entities mentioned have access to your data, which they need to fulfill our contractual and legal obligations.
By expressly accepting this Privacy Policy, you consent to the transfer of your data as specified in clause 2 d) - h) to the respective card provider or partner company.
6. Will the data be transferred to a third country or international organization?
A transfer of data to offices in countries outside the European Union ("third countries") may occur, insofar as
this is necessary for the execution of your orders,
the law requires it,
within the framework of the processing of order data or
if you have given us your consent.
If service providers operate in a third country, they are required to comply with written instructions by accepting the EU's standard contractual clauses or certification under the Privacy Shield to comply with European data protection levels.
7. How long will my data be stored?
We process and store your personal data for as long as is necessary to fulfill our contractual and legal obligations. It should be noted that our business relationship is a contract of successive performance, valid for years.
If the data is no longer required for the fulfilment of contractual or legal obligations, it will be deleted on a regular basis, unless its temporary processing is necessary for the preservation of evidence within the framework of the legal provisions on limitation.
8. What are my data protection rights?
Each data subject has the right to information pursuant to Article 15 of the BDSG, the right to rectification pursuant to Article 16 of the BDSG, the right to deletion pursuant to Article 17 of the BDSG, the right to restriction of processing pursuant to Article 18 of the BDSG, the right of recourse pursuant to Article 21 of the BDSG, as well as the right to data portability pursuant to Article 20 of the BDSG. With regard to the right to information and the right to deletion, the restrictions in §§ 34 and 35 BDSG apply. In addition, there is a right of appeal to a competent data protection supervisory authority (Article 77 GDPR in conjunction with § 19 BDSG).
You can revoke your consent to the processing of personal data at any time. This also applies to the revocation of declarations of consent that were given to us before the validity of the General Data Protection Regulation, i.e. before May 25, 2018. Please note that the revocation is only valid for the future. Processing that took place before the revocation is not affected.
9. Am I required to provide data?
As part of our business relationship, you are required to provide personal information that is necessary for the conclusion and performance of a business relationship or for the fulfilment of related contractual obligations or that we are required to collect by law. Without this data, we will not be able to conclude or execute the contract with you.
10. To what extent is decision making automated?
We do not use fully automated decision making in accordance with Article 22 of the GDPR.
11. Is profiling done?
We process your data from section 2 in a partially automated way (so-called profiling) for the purpose of adapting the app to the needs or informing you in a targeted way about products and offers of our partners within the app. This allows us to communicate and advertise in the application as needed, but also to conduct market research and opinion polls based on anonymous data.
12. Privacy Policy Specific to Payment Services
The following information applies to the application and use of payment services in addition to the information listed above.
a) Data collection
We collect, process and use the data described below for the purpose of providing you with payment services:
- The identity and contact data you provide when registering and using the Payment Services, such as your full name, date of birth, home address, user ID, selfie, email address and phone number;
- Financial and transaction data, including details related to your Soy Club card, the transactions you make and any funding sources you use to reload.
b) How we use your information
We may use your personal data to:
- provide you with payment services;
- monitor, analyze and improve services;
- manage any policy, agreement or correspondence you may have agreed to or made with us;
- to combat illegal activities such as fraud, money laundering, terrorism and other crimes, and to comply with the laws or regulations of any country
c) Data retention period
Records of your identity verifications and transactions will be kept for 1 year to fulfill our regulatory obligations.
d) Automated decision making and profiling
We may process your personal data in a partially automated manner to assess whether you are at risk of fraud, money laundering or terrorist financing in the following situations:
- To complete the sanctions and status review against the PEP list.
- To verify your identity as required by law in order to provide you with higher limits.
- To analyze your payment transactions and behavior against known fraudsters or money launderers.
You have rights in relation to automated decision making and profiling. Please contact our customer support department if you would like to know more about how we process your data.