We respect your privacy. This policy explains what to expect from us when we collect and use your personal data. It also explains what we use the data for.
- Why do we collect personal data
- We collect personal data so that we can provide our customers with a great shopping experience, to verify your age and identity and to manage job applications. In most cases you choose to provide the personal data to us.
- When do we collect personal data
- You provide personal data when you shop in store, fill in a form online at evapo.co.uk (such as the account registration, email newsletter and contact us forms), complete a paper form to become an Evapo Club loyalty scheme member, contact us (by email, phone, post, online live chat or social media) or apply for a job.
When you use our website or sign up for email newsletters some additional information may also be collected such as your browsing behaviour, purchase history, approximate location, device, operating system and IP address.
- What personal data do we collect
- If you contact us
We will collect your name and contact details (usually email address and/or phone number) along with any other personal data that you provide. We will also collect details of your enquiry which may include details of your shopping history such as online order numbers or in store visit feedback, location and purchase details.
If you shop in store
If you pay by card we will collect the payment card details (which we do not store). If you are an Evapo Club member we will also collect details of your purchases.
If you shop online
We will collect your first and last name, contact details (email address, phone number, billing and delivery addresses), password, date of birth, order details, payment card information and whether you agree to receive email marketing from us.
We also collect data on your online browsing activity and location, type of device, operating system, manufacturer and settings.
If you become an Evapo Club member
We will collect your name (including title, first name and last name), email address, password, date of birth, gender, postal address, phone number, local store and whether you agree to receive email marketing from us.
If you sign up to our newsletters
We will collect your first and last name, email address and your local store if you have one. We will also collect data on how you interact with our newsletter campaigns and the purchases you make.
If you use our social media pages
If you visit and use our social media pages including Facebook, Twitter, Instagram and YouTube you may have provided permission for us to access your personal data based on your user settings and their own privacy policies.
If you apply for a job at Evapo
We will collect your full name and title, contact details (email address, phone number and postal address), date of birth, gender and nationality. We will also collect additional data needed to process your application such as qualifications, employment history, skills and experience.
If you start work at Evapo we will also collect your bank details, tax information, National Insurance number and any legally required documents such as a work permit or copy of your passport or visa.
We do not collect personal data relating to children and our website is intended for adults only. We never collect data in ‘special categories’ including details of race, health, political views, religious beliefs or sexual orientation.
- Your rights relating to personal data
- If you decide that you are no longer interested in the information we provide in our email newsletters you can opt out at any time by clicking the unsubscribe link at the bottom of any email.
In addition to this you have a number of additional rights relating to your personal data:
You have the right of access - please contact us to request a copy of the personal data we hold. Full details are provided in the next section ‘How to contact us’.
You have the right to rectification - if you believe your data is incomplete or inaccurate please contact us and we will update it.
You have the right to erasure - you may contact us and request that we erase all of your personal data. If it is no longer needed for the purpose you originally provided it and it is lawful for us to do so we will erase it and provide you with confirmation.
You have the right to object or restrict processing – if you have any concerns please contact us and we will stop or restrict processing of your personal data if it is no longer necessary for the purpose originally provided.
You have the right to data portability – this allows you to request and then transfer personal data from one system to another in certain circumstances.
You have the right to complain – the Information Commissioner’s Office provides guidance on how to make a complaint if you have a concern about how we process your data.
If you would like to exercise any of your rights relating to personal data or have any questions please contact us using the details provided in the next section. We may request proof of identity in order to be able to progress your request.
- How to contact us
- If you would like to contact us about your personal data or this policy you can email firstname.lastname@example.org, call 0203 044 2811 or write to Evapo Ltd, 50 Trident Court, One Oakcroft Road, Chessington, Surrey KT9 1BD.
Evapo Ltd is a company registered in England and Wales with the company number 09227206. Our registered office address is 1 Villiers Grove, Cheam, Sutton, Surrey SM2 7NN. Our website is evapo.co.uk.
- How do we use personal data
- Evapo use your personal data in the following ways:
To identify and manage our contact with you and keep a record of our relationship, including through our social media pages
To enable you to shop with us and provide you with products
To manage any accounts you have registered with us
To provide the shopping experience at our evapo.co.uk website
To verify your age and identity
To detect and prevent crime and fraud
To manage our loyalty scheme
To provide you with email newsletters with products, offers and news updates
To understand your needs and for research
To fulfil our legal obligations
To process job applications
How long do we keep personal data
We will not keep your personal data for longer than necessary for our purposes outlined above. We do not normally retain your personal data for more than six years unless we have a legal obligation to do so. You have the right to request we erase your personal data at any time.
Sharing data with our partners
Evapo may share your personal data with carefully selected third party service providers (‘processors’) where it is necessary to facilitate the provision of our goods and services to you. This includes our warehouse, fulfilment, hosting, IT and online marketing service providers. We use industry-leading secure payment processing partners but do not store credit or debit card information. We may also securely share or obtain data with a reputable third party such as TransUnion to verify your identity and age. More information about TransUnion's activities are available here.
Evapo will not pass on, sell or share your data with any other third parties unless we are under a legal obligation to do so.
Sometimes we need to transfer your data outside of the UK and European Union where our third party partner is not located within the EU. Where this is the case we ensure our partner has sufficient safeguards in place to protect your data and adopt standard data protection clauses in our contracts which have been approved by the European Commission.
- How do we protect personal data
- We take the security of your personal data very seriously and have measures in place to keep it safe and secure. These include data encryption, cyber security measures, password protection and the use of secure servers.
Additionally we utilise user permissions to restrict access to the minimum level of data required to fulfil our obligations. We do not collect, use or store data that is not required to provide our services. Paper documents such as registration forms are always retained in locked storage areas.
Wherever possible we use pseudonyms (such as using reference numbers to identify individuals and orders) and data anonymization (converting data into a format that does not uniquely identify individuals) to minimise access to your personal data.
We also regularly check the security arrangements of the approved third party partners that act on our behalf to ensure their provisions meet accepted standards. This is reflected in our contractual agreements and non-disclosure agreements.
Whilst transmitting data over the internet (including via email) is not totally secure we do make every effort to ensure the security of data you share us.
- Legal basis for processing personal data
- We collect and process your data on one of four legal bases.
We will only send you email newsletters if you have opted in to receiving them from us. You can withdraw consent at any time by clicking the unsubscribe link at the bottom of any email we send or emailing us directly at email@example.com. We use an industry-leading third party product (MailChimp) to manage our newsletters and collect information about your interaction with our campaigns. We do not share newsletter subscriber data with anyone other organisations.
If you purchase from us we will process your personal data in order to meet our contractual obligations under the Sale of Goods Act 1979.
There a number of situations where we have a legitimate interest in processing your data to conduct or business. These are often related to fulfilling our obligations to you and include the promotion, sale and supply of our goods and services (including targeted communication with loyalty scheme members), responding to your enquiries, understanding your needs, developing our products and managing in-store events that you have booked.
It also includes processing job applications, protecting the health and safety of individuals, complying with our legal obligations, managing claims and preventing crime.
We have a legal obligation to verify your age (using a passport or ID in store or your name, address and date of birth online) under The Nicotine Inhaling Products (Age of Sale and Proxy Purchasing) Regulations 2015 in England and Wales and the Health (Tobacco, Nicotine etc. and Care) (Scotland) Act 2016 in Scotland.
This policy was updated in May 2018.