Gallaher Limited (trading as “JTI UK”) is a company incorporated in England and Wales with company registration number 01501573 and whose registered office is at Members Hill, Brooklands Road, Weybridge, Surrey KT13 0QU England ("JTI”, “we”, “us”, “our”) are committed to protecting and respecting your data protection and privacy rights.
For the purposes of the UK General Data Protection Regulation, and any other applicable data protection legislation, the data controller is JTI.
3. YOUR DUTY TO INFORM US OF CHANGES
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
4. INFORMATION WE MAY COLLECT
- Full name
- Contact details (e.g. address, e-mail address and phone number)
- Information in relation to our products/services you have purchased or used, including information about your account, purchase history, orders, customer feedback, market research and other sales data
- Details of your interactions with us, including service messages and notes of your communications and conversations with us
- Details of your visit to a retail store or at an event, how frequently you visit, which areas you visit and for how long, and which purchases you make
- Personal preferences and habits in relation to the products and services we provide
- Marketing and communications information, including marketing preferences for receiving marketing communications from JTI and/or third parties.
Where you provide financial and credit card information on our Platforms, please note that we do not access or store this personal data. We use trusted third parties to process your payment and we have no access to your financial and credit card information.
We may collect personal data about you either directly from you or from other sources, in the following ways:
5. WHERE WE OBTAIN PERSONAL DATA DIRECTLY FROM YOU
You may give us information about you in a number of ways, including when you:
- register to be a member of our databases (e.g. Customer relationship management) in person or online;
- register directly with us to take part in our business initiatives and activities (e.g., surveys, promotions, competitions, campaigns, 21 Day Ploom Trial, trade tools etc.) in person or online;
- use our Platforms;
- fill in forms on our website www.ploom.co.uk, our associated Platforms and micro-sites;
- register a device with us;
- register to receive email alerts or marketing communications (where permitted by law);
- participate in events organised by us;
- sign up to the 21 Day Ploom Trial; or
- by corresponding with us via our Customer Contact Centre, Platforms, phone, e-mail, social media or otherwise (e.g. Trial SMSs, Chatbot etc.). This includes information you provide when you register to use our Platforms, subscribe to our service, search for a product, place an order on our Platforms, enter a competition or survey and when you report a problem with our Platforms.
6. WHERE WE OBTAIN PERSONAL DATA FROM OTHER SOURCES
As well as obtaining personal data directly from you, we may also collect your personal data indirectly in the following ways:
- We receive information from our Platform providers and their related third parties. We may receive information about you if you use any of the other Platforms that we operate or the other services we provide;
- We are also working closely with other third parties (including, for example, other JTI group companies, hosting providers, payment service providers, delivery providers, retailers, customer services providers, product assistants, loyalty and review platform providers, information services providers, age verification providers, events organisers, consumer feedback providers, sub-contractors in technical, payment and delivery services, analytics providers, search information providers, credit reference agencies) and we may receive information about you from them;
- Information about your purchases, preferences and participation in our initiatives and activities (e.g. surveys, promotions, campaigns, competitions, 21 Day Ploom Trial), provided by our trusted network of agents, customers and partners, including at events organised by our business partners, retail stores, agents, experts and mentors, where you interact with them online or offline.
If you have provided your personal data to marketing agencies, and in doing so consented to being contacted by third parties with information or products relevant to you, we may contact you if we feel we have a legitimate interest to do so.
7. INFORMATION WE RECEIVE FROM YOU AS PART OF THE AGE VERIFICATION PROCESS
We are legally required to verify your age. You will therefore be required to complete age verification process conducted on our behalf by a third party, GB Group plc, to prove to our satisfaction that you are at least 18 years old before you can order any of our products. Your personal data collected from you as part of this process is only shared with GB Group plc for the purposes of verifying your age.
Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you at the time.
8. LAWFUL GROUNDS AND PURPOSES FOR WHICH WE USE YOUR INFORMATION
We will only use your information where the law allows us to. Most commonly, we will use your information where we have a lawful ground to do so. In particular,
- Where we need to perform the contract we are about to enter into, or have entered into, with you
- Where we need to comply with a legal or regulatory obligation
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. Please contact us if you would like any further guidance concerning how we assess legitimate interests against any potential impact on you.
- Where we require your consent to process your data.
The above justifications of the uses of your personal data are known as “lawful grounds”. Note that we may process your information for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
Please note that we do not use any automated decision-making.
Purpose for processing
Legal basis/lawful ground for processing
It is necessary to process personal data to comply with our legal obligations to verify your age and only sell age restricted products to adults.
To comply with legal or regulatory obligations
We use personal data to process and discharge our contractual obligations to you as a buyer of our products, including fulfilling orders, sending receipts, processing payments and providing warranty services.
To perform the contract we are about to enter into, or have entered into, with you
Providing sales-related services including dealing with your queries and requests, general administration, troubleshooting and corresponding with you. We may also use your data for administering trial, warranty and loyalty programs.
Where the processing of your personal data is not necessary for performing our contractual obligations but relates to general customer and sales services, we have a legitimate business interest in providing sales-related services to our customers that is not overridden by your interest, rights and freedoms to protect information about you.
Market our products to you (where permitted by law) by email, direct mail, telephone, SMS or via social media, or through display pop-ups on other Platforms including:
- understanding your preferences (such as what products, Platform content or events may be of interest to you) and, where permitted by law, market to you.
- customizing your experience (for example, to personalize your visit to our Platforms, such as with products, Platform content or events that might interest you)
- provide you with information about, and to manage, products and services,
- administer trial and loyalty programs
- invite you to participate in, and administer surveys or market research campaigns
- for market research
- develop marketing strategies
- administer marketing campaigns
We use this data on the basis that we have a legitimate business interest to market our products, to operate Platforms and micro-sites, and to customize your experiences, in these ways that is not overridden by your interests, rights and freedoms to protect information about you.
Market our products to you (where permitted by law) by email, direct mail, telephone, SMS or via social media, including:
- to contact you regarding marketing relating to our products;
- to provide you with information about other goods and services we offer that are similar to those that you have already purchased or enquired about;
- to provide you, or permit selected third parties to provide you, with information about goods or services we feel may interest you;
- to make suggestions and recommendations to you about goods or services that may interest you.
We will process your data in this way if we have obtained your consent to do so.
You have the right to withdraw consent where we are relying on consent to process your data. You can do this by updating your contact preferences on your account or clicking the unsubscribe option on the communications you receive from us. If you withdraw your consent for us to contact you with marketing communications by a certain method you will no longer receive those communications by that particular type of communication. Please note that it may take up to 30 days for us to process your request.
Support for all the above purposes, including:
- to administer this Platform, our systems and for internal operations, including troubleshooting, data analysis, testing, research and statistical purposes
- to measure or understand the effectiveness of marketing we serve to you and others (where permitted by law);
- to allow you to participate in interactive features of our service, when you choose to do so;
- to improve our Platforms to ensure that content is presented in the most effective manner for you and for your computer;
- to notify you about changes to our service, changes to our Platform or other changes which might otherwise affect you; and
- as part of our efforts to keep our Platforms safe and secure;
- to enable you to remain logged in to sections of our Platforms or other micro-sites that are reserved for authorized users only
- corresponding with you
We use your data on the grounds that correspond to the purpose for using the information that we are supporting. For example, where we administer your account to support a purchase or to provide after-sales service, we use the information to discharge our contractual obligations to you as a buyer of our products; where we administer your account to show you our products, we are supporting marketing and so we use it on the grounds that we have a legitimate business interest to market our products that is not overridden by your interests, rights and freedoms to protect information about you, and so on.
Business analytics and improvements to allow us to inform you of potential opportunities to get involved in promoting our products or other services (where permitted by law).
We use it on the grounds that we have a legitimate business interest to assess and to improve our business performance, our products, Platforms and other touchpoints, to invite you to promote JTI products or services, where this is not overridden by interests, rights and freedoms to protect information about you.
9. MARKETING (WHERE PERMITTED BY LAW)
We will contact you only by electronic or postal means (e-mail, SMS or mail, as determined by you when you select your contact preferences in your account, sign up to our mailing lists or share your marketing preferences with our retailers and partners) with information about goods and services similar to those which were the subject of a previous sale or negotiations of a sale to you.
If you have not purchased any products or services from JTI, we will contact you by electronic or postal means about goods and services we think that may be of interest to you only if you have previously consented to this.
If you are a new customer, and where we permit selected third parties to use your data, we (or they) will contact you by electronic or postal means only if you have consented to this.
If you do not want us to use your data in this way, or to pass your details on to third parties for marketing purposes, please ensure your Contact Preferences, in your account, are updated. If you wish to unsubscribe from our mailing list please use the “unsubscribe” button in the email, or if you have an account sign in to change your Contact Preferences. Please note that it may take up to 30 days for us to process your request.
10. LINKS TO OTHER WEBSITES
11. DISCLOSURE OF YOUR INFORMATION WITH THIRD PARTIES
We may share information about you with third parties, where required or permitted by law, including:
- with our third party service providers to support us provide you with our services and goods, carry out our business operations and comply with our legal obligations (e.g. hosting providers, payment service providers, delivery providers, retailers, customer services providers, product assistants, loyalty and review platform providers, information services providers, age verification providers, event's organisers, consumer feedback providers, sub-contractors in technical, payment and delivery services, analytics providers, search information providers, credit reference agencies, providers of customer relationship management services, SMS service providers, cloud services and information technology services).
- in order to provide you with a more tailored and effective customer service experience certain of our service providers may, on a secure basis, pool the information we provide to them with information provided by other companies to which you have also provided information. Our service providers analyse this information and provide technical data which enables you to receive an enhanced customer experience, including being contacted at times which are most convenient for you. If you wish to receive further information regarding the information collected for this purpose, please contact firstname.lastname@example.org.
- with our trusted network of agents, customers and partners, including retail stores, agents, experts and mentors.
- with JTI group companies to provide you with our services and goods, carry out our business operations and comply with our legal obligations.
- with regulatory authorities and government departments where required by law, including in response to a request from law enforcement authorities or other government officials.
- when we consider disclosure to be necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation of suspected or actual illegal activity.
- in the context of organisational restructuring.
- in the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets.
- if JTI or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.
- in the event that we need to disclose your personal data to external professional advisers such as accountants, bankers, insurers, auditors and lawyers.
12. WHERE WE STORE YOUR PERSONAL DATA
Depending on the nature of the personal data and the purposes of data processing, the personal data we collect may be transferred from the UK to a third party country outside of teh European Economic Area.
Some of these third countries to which personal data may be transferred may not provide the same level of data protection as that provided in the UK. However, whenever we undertake such transfers, we ensure a similar degree of protection is afforded to your personal data by ensuring at least one of the safeguards is implemented:
- the recipient country that has been deemed by the UK to provide an adequate level of protection for personal data; or
- where an adequacy decision has not been provided with respect to a recipient country, we rely on the standard contractual clauses as approved by the European Commission (or equivalent clauses adopted and approved in the UK).
In some occasional circumstances, we may rely on a derogation to the data protection laws that apply to transfers of personal data to third countries. For example, if such transfers are based on your consent or necessary for the performance of a contract between us.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data to third countries.
If you want more information on where your data is processed, please use the Contact Us Form.
13. DATA SECURITY
Once we have received your information, we will use appropriate procedures and security features to try to prevent unauthorised access, and to prevent your information from being accidentally lost. We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your information on our instructions and they are subject to a duty of confidentiality.
Unfortunately, the transmission of information via the Internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our Platforms. We have put in place procedures to deal with any suspected data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Where we have given you (or where you have chosen) a password which enables you to access certain parts of our Platform, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
14. HOW LONG WE WILL KEEP YOUR INFORMATION
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
You can contact us and ask us for details of the retention periods for different aspects of your personal data in case you want to learn more.
In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
15. YOUR LEGAL RIGHTS
Under certain circumstances, you have rights under data protection laws in relation to your information, though these are subject to exemptions.
- Request access to your personal data (known as a “data subject access request”).
- Request a copy of your personal data we are processing.
- Request correction of your personal data where there is incomplete or inaccurate information.
- Request erasure of your information where there is no good reason for us to be processing your information, or where you have successfully exercised your right to object to processing of information.
- Object to processing for direct marketing purposes, as referred to above.
- Object to processing of your information where we are relying on legitimate interests (or those of a third party) and you believe this impacts on your fundamental rights and freedoms. (Note, we may have compelling legitimate grounds to process information which override your rights and freedoms).
- Request restriction of processing your information in the following circumstances: (a) if you want us to establish the accuracy of your information; (b) where our use of the information is unlawful but you do not want us to erase it; (c) where you need us to hold the information even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your information but we need to verify whether we have overriding legitimate grounds to use it.
- Request transfer of your information to you or a third party.
- You have the right to withdraw consent where we are relying on your consent to process your data. You can do this by updating your contact preferences on your account or clicking the unsubscribe option on the communication. If you withdraw your consent for us to contact you with marketing communications by a certain method you will no longer receive those communications by that particular type of communication. Please note that it may take up to 30 days for us to process your request.
- Right to lodge complaints regarding the processing of your personal data with the Information Commissioner’s Office or other relevant supervisory body. Please see https://ico.org.uk/make-a-complaint/ for how to do this, but please allow us the opportunity to resolve your complaints or queries first by using our details as set out below.
If you wish to exercise any of the rights set out above, please use the Contact Us Form, or write to us at Ploom Customer Contact Centre, or call 0800 876 6594.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that your information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
EFFECTIVE July 2021 v1.2