logo
logo

Privacy Policy

    1. Privacy Policy

    Gallaher Limited (trading as “JTI UK”) is a company incorporated in England and Wales with company registration number 01501573 and whose registered office is at 1 Werter Road, Putney, SW15 2LL England ("JTI”, “we”, “us”, “our”) are committed to protecting and respecting your data protection and privacy rights.

    This Privacy Policy ("Privacy Policy") (together with our Website Terms of Use and any other documents referred to in it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.

    For the purposes of the UK General Data Protection Regulation, and any other applicable data protection legislation, the data controller is JTI.

    2. Scope of this Privacy Policy

    This Privacy Policy covers how we comply with data protection law where we use personal data of customers of our products and services and other individuals, including the visitors of our website, online platforms, systems and applications that we are responsible for (our "Platforms") and accredited users of our Platforms (e.g. mentors and experts appointed by our contracted agencies).

    Please read this Privacy Policy together with any other document or information that we may provide to you from time to time in relation to specific initiatives and activities that we may undertake.

    Questions, comments and requests regarding this Privacy Policy and the personal data that we process about you are welcomed and you can contact us using the Contact Us Form.

    3. Your duty to inform us of changes

    It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

    4. Information we may collect

    In order to provide you with the services and products you have requested and perform our legal obligations and business operations, as detailed in section 8 of this Privacy Policy, we may use the following categories of personal data:

    - Full name;

    - Age;

    - Birthday;

    - Contact details (e.g. address, e-mail address and phone number);

    - Information in relation to our products/services you have purchased or used, including information about your account, purchase history, orders, customer feedback, market research and other sales data;

    - Details of your interactions with us, including service messages and notes of your communications and conversations with us;

    - Details of your visit to a retail store or at an event, how frequently you visit, which areas you visit and for how long, and which purchases you make;

    - Details of whether you have reffered a friend to us;

    - Recordings of your voice that we make and store on our servers when you contact our Ploom Care Team;

    - Personal preferences and habits in relation to the products and services we provide;

    - Technical information about the use of our Platforms and contact centre, including time and duration, the Internet Protocol (IP) address used to connect your device to the Internet, your login information, browser type and version, time zone setting, traffic data, browser plug-in types and versions, operating system and platform and information about the use of cookies and tracking technologies. Strictly necessary cookies will always be switched on and you may also enable additional cookies as well. For more information on cookies and how to accept or refuse cookies, please see our Cookies Policy.

    - Marketing and communications information, including marketing preferences for receiving marketing communications from JTI and/or third parties.

    Where you provide financial and credit card information on our Platforms, please note that we do not access or store this personal data. We use trusted third parties to process your payment and we have no access to your financial and credit card information.

    We may collect personal data about you either directly from you or from other sources, in the following ways:

    5. Where we obtain personal data directly from you

    You may give us information about you in a number of ways, including when you:

    - register to be a member of our databases (e.g. Customer relationship management) in person or online;

    - register directly with us to take part in our business initiatives and activities (e.g. surveys, offers, competitions, prize draws, campaigns, 21 Day Ploom Trial, Ploom Club, trade tools etc.) in person or online;

    - use our Platforms;

    - fill in forms on our website www.ploom.co.uk, our associated Platforms and micro-sites;

    - register a device with us;

    - register to receive email alerts or marketing communications (where permitted by law);

    - participate in events organised by us;

    - sign up to the 21 Day Ploom Trial; 

    - by corresponding with us via our Ploom Care Team, Platforms, phone, e-mail, social media or otherwise (e.g. Trial SMS, Live Chat etc.). This includes information you provide when you register to use our Platforms, subscribe to our service, search for a product, place an order on our Platforms, enter a competition or survey and when you report a problem with our Platforms.

    6. Where we obtain personal data from other sources

    As well as obtaining personal data directly from you, we may also collect your personal data indirectly in the following ways:

    - We may receive information about you if you use any of the other Platforms that we operate or the other services we provide, which may be run by our Platform providers and their related third parties;

    - We are also working closely with other third parties (including, for example, other JTI group companies, hosting providers, payment service providers, delivery providers, retailers, customer services providers, product assistants, loyalty and review platform providers, customer relationship management services, consumer data platform providers, marketing automation providers,  information services providers, age verification providers, events organisers, consumer feedback providers, sub-contractors in technical, payment and delivery services, analytics providers, search information providers, credit reference agencies) and we may receive information about you from them;

    - Information about your purchases, preferences and participation in our initiatives and activities (e.g. surveys, offers, campaigns, competitions, prize draws, 21 Day Ploom Trial), provided by our trusted network of agents, customers and partners, including at events organised by our business partners, retail stores, agents, experts and mentors, where you interact with them online or offline.

    We may combine this information with information you give to us and information we collect about you. We may use this information and the combined information for the purposes set out in this Privacy Policy (depending on the types of information we receive e.g. name and address).

    If you have provided your personal data to marketing agencies, and in doing so consented to being contacted by third parties with information or products relevant to you, we may contact you if we feel we have a legitimate interest to do so.

    7. Information we receive from you as part of the age verification process

    We are legally required to verify your age. You will therefore be required to complete the age verification process conducted on our behalf by a third party, GB Group plc, to prove to our satisfaction that you are at least 18 years old before you can order any of our products. Your personal data collected from you as part of this process is only shared with GB Group plc for the purposes of verifying your age.

    Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you at the time

    8. Lawful grounds and purposes for which we use your information

    We will only use your information where the law allows us to. Most commonly, we will use your information where we have a lawful ground to do so. In particular,

    - Where we need to perform the contract we are about to enter into, or have entered into, with you

    - Where we need to comply with a legal or regulatory obligation

    - Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. Please contact us if you would like any further guidance concerning how we assess legitimate interests against any potential impact on you.

    - Where we require your consent to process your data.

    The above justifications of the uses of your personal data are known as “lawful grounds”. Note that we may process your information for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

    Please note that we do not use any automated decision-making.

    Purpose for processing

    Legal basis/lawful ground for processing

    It is necessary to process personal data to comply with our legal obligations to verify your age and only sell age restricted products to adults.

    To comply with legal or regulatory obligations

    We use personal data to process and discharge our contractual obligations to you as a buyer of our products, including fulfilling orders, sending receipts, processing payments and providing warranty services.

    To perform the contract we are about to enter into, or have entered into, with you

    Providing sales-related services including dealing with your queries and requests, general administration, troubleshooting and corresponding with you. We may also use your data for administering trial, warranty and loyalty programs.

    Where the processing of your personal data is not necessary for performing our contractual obligations but relates to general customer and sales services, we have a legitimate business interest in providing sales-related services to our customers that is not overridden by your interest, rights and freedoms to protect information about you.

    Market our products and services to you (or provide you with information about third party products and services) by email, mail, telephone, SMS, social media or other online platforms.

     

    We will process your personal data in this way if we have obtained your consent or we where we have a legitimate business interest to market our products and services to you. We will gain your consent to market our products and services to you where this is required by law.

    Allow other third parties to directly contact you with marketing messages.

    We will process your data in this way if we have obtained your consent to do so.

    To determine which of our products and services may be of interest or relevance to you.

    We do this on the basis that we have a legitimate business interest to understand what products and services our  customers are interested in.

    To personalise your customer experience on our website based on what we have learned about your interests, preferences and how you use our Platforms.  

     

    Where necessary, we will process your data in this way if we have obtained your consent to do so. Otherwise, we will do so on the basis that we have a legitimate business interest to market our products and services to you.
    To undertake customer surveys and market research.

    Unless we have sought your consent in advance, we do this on the basis that we have a legitimate business interest to understand what our customers think about our products and services and the market in which we operate.

    Where you sign-up to be part of Ploom Club, to enable you to receive services such as:

    ·      earning points by completing specific tasks (such as registering your device, purchasing a device or accessory, referring a friend);

    ·      viewing your points in your Ploom Club account;

    ·      redeeming your points at checkout to receive a discount on your purchase;

    ·      accessing your personalised referral code to refer a friend to Ploom to receive points to spend at checkout; and

    ·      receiving points on your birthday and Ploom Club anniversary.

    For more information about the Ploom Club, see our FAQs

    		 If you sign-up to join Ploom Club, we use your personal data on the basis that we have a legitimate business interest to market Ploom by creating a points based system that rewards you (our customer), in  way that is not overridden by your interests, rights and freedoms to protect information about you. 

    Support for all the above purposes, including:

    • to administer this Platform, our systems and for internal operations, including troubleshooting, data analysis, testing, research and statistical purposes;
    • to measure or understand the effectiveness of marketing we serve to you and others (where permitted by law);
    • to allow you to participate in interactive features of our service, when you choose to do so;
    • to improve our Platforms to ensure that content is presented in the most effective manner for you and for your computer;
    • to notify you about changes to our service, changes to our Platform or other changes which might otherwise affect you;
    • as part of our efforts to keep our Platforms safe and secure;
    • to enable you to remain logged in to sections of our Platforms or other micro-sites that are reserved for authorized users only;
    • corresponding with you.
    		 We use your data on the grounds that correspond to the purpose for using the information that we are supporting. For example, where we administer your account to support a purchase or to provide after-sales service, we use the information to discharge our contractual obligations to you as a buyer of our products; where we administer your account to show you our products, we are supporting marketing and so we use it on the grounds that we have a legitimate business interest to market our products that is not overridden by your interests, rights and freedoms to protect information about you, and so on.

    Business analytics and improvements to allow us to inform you of potential opportunities to get involved in promoting our products or other services (where permitted by law).

    		 We use it on the grounds that we have a legitimate business interest to assess and to improve our business performance, our products, Platforms and other touchpoints, to invite you to promote JTI products or services, where this is not overridden by interests, rights and freedoms to protect information about you.

     

    9. Marketing (where permitted by Law)

    We will only send you direct marketing messages about our products and services via the communication channels (email, mail, telephone, SMS, social media or display pop-ups on other online platforms) where we have a legitimate business interest to do so or we have obtained your consent. We will gain your consent to market our products and services to you where this is required by law.

    We will always provide you with the opportunity to opt-out of receiving direct marketing communications from us in the future. You can do this through updating your Contact Preferences in your account, unsubscribing from email marketing by clicking on the unsubscribe link in the email you receive, following any opt-out instructions provided in the marketing communication or contacting us. Please note that it may take up to 30 days for us to process your request.

    We will only share your contact details with third parties for the purposes of sending direct marketing communications to you where you have given us your consent to do so.

    10. Links to other websites

    Our Platforms may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection, security and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this Privacy Policy. You should exercise caution and read the Privacy Policy applicable to the website in question before proceeding to visiting that website.

    11. Disclosure of your information with third parties

    We may share information about you with third parties, where required or permitted by law, including:

    - with our third party service providers to support us provide you with our services and goods, carry out our business operations and comply with our legal obligations (e.g. hosting providers, payment service providers, delivery providers, retailers, customer services providers, product assistants, loyalty and review platform providers, information services providers, age verification providers, event's organisers, consumer feedback providers, sub-contractors in technical, payment and delivery services, analytics providers, search information providers, credit reference agencies, providers of customer relationship management services, consumer data platform providers, marketing automation providers, SMS service providers, cloud services and information technology services).

    - in order to provide you with a more tailored and effective customer service experience certain of our service providers may, on a secure basis, pool the information we provide to them with information provided by other companies to which you have also provided information. Our service providers analyse this information and provide technical data which enables you to receive an enhanced customer experience, including being contacted at times which are most convenient for you. If you wish to receive further information regarding the information collected for this purpose, please contact us using the Contact Us Form.

    - with our trusted network of agents, customers and partners, including retail stores, agents, experts and mentors.

    - with JTI group companies to provide you with our services and goods, carry out our business operations and comply with our legal obligations.

    - if you are referred as part of one of our referral programmes we will share limited personal identity data with the person who referred you.

    - with regulatory authorities and government departments where required by law, including in response to a request from law enforcement authorities or other government officials.

    - when we consider disclosure to be necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation of suspected or actual illegal activity.

    - in the context of organisational restructuring.

    - in the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets.

    - if JTI or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.

    - in the event that we need to disclose your personal data to external professional advisers such as accountants, bankers, insurers, auditors and lawyers.

    12. Where we store your personal data

    Depending on the nature of the personal data and the purposes of data processing, the personal data we collect may be transferred from the UK to a third party country outside of the European Economic Area.

    Some of these third party countries to which personal data may be transferred may not provide the same level of data protection as that provided in the UK. However, whenever we undertake such transfers, we ensure a similar degree of protection is afforded to your personal data by ensuring at least one of the safeguards is implemented:

    - the recipient country that has been deemed by the UK to provide an adequate level of protection for personal data;

    - where an adequacy decision has not been provided with respect to a recipient country, we rely on the standard contractual clauses as approved by the European Commission (or equivalent clauses adopted and approved in the UK).

    In some occasional circumstances, we may rely on a derogation to the data protection laws that apply to transfers of personal data to third countries. For example, if such transfers are based on your consent or necessary for the performance of a contract between us.

    Please contact us if you want further information on the specific mechanism used by us when transferring your personal data to third countries.

    If you want more information on where your data is processed, please use the Contact Us Form.

    13. Data security

    Once we have received your information, we will use appropriate procedures and security features to try to prevent unauthorised access, and to prevent your information from being accidentally lost. We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your information on our instructions and they are subject to a duty of confidentiality.

    Unfortunately, the transmission of information via the Internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our Platforms. We have put in place procedures to deal with any suspected data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

    Where we have given you (or where you have chosen) a password which enables you to access certain parts of our Platform, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

    14. How long we will keep your information

    We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

    To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

    You can contact us and ask us for details of the retention periods for different aspects of your personal data in case you want to learn more.

    In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

    15. Your legal rights

    Under certain circumstances, you have rights under data protection laws in relation to your information, though these are subject to exemptions.

    - Request access to your personal data (known as a “data subject access request”).

    - Request a copy of your personal data we are processing.

    - Request correction of your personal data where there is incomplete or inaccurate information.

    -  Request erasure of your information where there is no good reason for us to be processing your information, or where you have successfully exercised your right to object to processing of information.

    - Object to processing for direct marketing purposes, as referred to above.

    - Object to processing of your information where we are relying on legitimate interests (or those of a third party) and you believe this impacts on your fundamental rights and freedoms. (Note, we may have compelling legitimate grounds to process information which override your rights and freedoms).

    - Request restriction of processing your information in the following circumstances: (a) if you want us to establish the accuracy of your information; (b) where our use of the information is unlawful but you do not want us to erase it; (c) where you need us to hold the information even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your information but we need to verify whether we have overriding legitimate grounds to use it.

    - Request transfer of your information to you or a third party.

    - You have the right to withdraw consent where we are relying on your consent to process your data. You can do this by updating your contact preferences on your account or clicking the unsubscribe option on the communication. If you withdraw your consent for us to contact you with marketing communications by a certain method you will no longer receive those communications by that particular type of communication. Please note that it may take up to 30 days for us to process your request. 

    - Right to lodge complaints regarding the processing of your personal data with the Information Commissioner’s Office or other relevant supervisory body. Please see https://ico.org.uk/make-a-complaint/ for how to do this, but please allow us the opportunity to resolve your complaints or queries first by using our details as set out below.

    If you wish to exercise any of the rights set out above, please use the Contact Us Form, or write to us at Ploom Care Team, or call 0800 876 6594.

    You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

    We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that your information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

    16. Changes to our Privacy Policy

    Any changes we may make to our Privacy Policy in the future will be posted on this page and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes to our Privacy Policy.

    EFFECTIVE October 2022 v1.2

    Useful Links

    Are you 18 or over and an existing tobacco or nicotine user?

    Yes, discover more
    Leave

    Our sticks, for use in combination with Ploom devices, contain tobacco and nicotine. These products are not risk free and are intended for existing tobacco or nicotine users only. Please note, we will need to confirm your age during the checkout process.

    For more information please visit the Terms of Use page.