1. INTRODUCTION TO DODDLE – WHO WE ARE AND WHY PRIVACY MATTERS
2. THE PERSONAL INFORMATION WE COLLECT & USE
3. HOW IS YOUR PERSONAL INFORMATION COLLECTED?
4. HOW WE USE YOUR INFORMATION
5. DISCLOSURES OF PERSONAL INFORMATION
6. INTERNATIONAL TRANSFERS
7. DATA SECURITY
8. DATA RETENTION
9. YOUR RIGHTS ON INFORMATION WE HOLD ABOUT YOU
1. Introduction to Doddle – Who We Are and Why Privacy Matters to us
1.2 We are contactable at our registered office at 22 Manchester Square London W1U 3PT, or via email at DPO@Doddle.com.
1.3 Doddle is the primary entity which sets standards and policies on behalf of its affiliates and group of companies – subject to prevailing laws in those local jurisdictions. Other companies in Doddle’s group includes Doddle Australia PTY Ltd registered in Australia, Doddle Inc registered in the USA and Doddle K.K. registered in Japan.
1.4 Doddle is at the forefront of creating fulfilment and returns technology products to facilitate the growth of global e-commerce. We own and utilise a website, a pioneering technology platform and a suite of applications and partner integrations which support a range of logistics and retail operations, including (but not limited to) click and collect, returns, ship-from-store, buy online pick-up in-store and others (our “Services”). These Services are informed by our consultations with leading retailers, carriers and consumers to better understand their specific needs and optimise customer journeys.
Examples of when Doddle is a data processor & a data controller*
Doddle is a Data Processor
- Providing a whitelabel service to retailers (it is the retailer who controls your data in this case)
- Providing our Services to a carrier and coordinating data flows to/from the platform, messaging between retailers and consumers and data stored on our applications
- Feedback & analytics requests. We assist the retailers when they request feedback information from us
Doddle is a Data Controller
- Technical Information we generate. Analytics, App usage, frequency of visits
- Software & Platform updates/modifications. We control the technology and are responsible for its performance, upgrade, customer support
- Registering users / onboarding /hosting our own platform
*This list is not exhaustive but is illustrative of the different kinds of relationships we have with personal information
2. The Personal Information We Collect & Use
2.1 We may collect, use, store and transfer different kinds of personal information about you which we have documented in internal data mapping exercise. That exercise allows us to group together the different kinds of personal information we hold as follows:
- identity data includes first name, last name, Order ID, user number, username or similar identifier, title, date of birth and gender.
- contact data includes locational details which may come from a partner or you directly such as delivery/collection address, email address and telephone numbers. It can also include other contact information which then allows you to track an order or parcel. Note that you might authorise a third party (e.g. a social network such as Facebook) to share your data with us, and here is a link to details on how you can manage what you share with us via Facebook: https://www.facebook.com/about/login/;
- specific transaction/order data includes information provided by our retail partners when you choose to use our Services (e.g. collect a parcel).
- technical data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website. We also include some statistical data in this category where we can quantify your browsing actions and patterns. This can extend to your unique mobile device identifier (UDID), International Mobile Equipment ID (IMEI), Android ID, device MAC address, browser information, operating system, timestamps, the pages that you request, applications downloaded, traffic data, location data, weblogs and other communication data, and the resources that you access.
- profile and usage data we may build about you and this includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.
- marketing and communications data includes all kinds of correspondence and messaging. It can cover your preferences in receiving marketing from us and our third parties and your favoured modes of communication.
- personal data relating to prospective employees including, but not limited to, name, address, contact details, previous employment and salary expectations.
2.2 It is important to note that the Doddle platform does not store ANY payment card information. It is also important to take assurance from the fact that Doddle makes use of “non-personal” data as much as possible. But what do we mean by “non-personal” data?
2.3 We may collect, use and share aggregated data such as statistical or demographic or product specific data. We look at trends over time, popular products and services, underperforming products and services – and when we collate a great many instances and transactions we don’t need and don’t seek to pull the personal information through to take the benefit of such aggregated data and the associated learnings for the business.
2.5 To the best of our knowledge, nothing in our technology or our applications or internal processes has the purpose or result of collecting any special categories of personal information about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
2.6 Where we need to collect personal information by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.
3. How is Your Personal information Collected?
3.1 By accessing or browsing our platform, our website, our applications, products or our social media pages, logging on with authorised credentials, registering via a retailer, carrier or other partner of Doddle’s, contacting us on social media or via email, working with or for us, or otherwise providing your data to us (including when entering surveys or communicating with our customer support function), we inevitably collect your personal information. We collect your data in two main ways:
- user provided information
- automatically collected information
3.2 Through our technology, and our receipt of data and cookies from partners (such as Google Analytics and others) we are able to receive the automatically collected information referenced above. One good example is the collection of precise information about the location of your device’s IP address.
3.3 From time to time, we may also collect your data from LinkedIn and/or other social media platforms in connection with recruitment and potential job opportunities within the Doddle group.
4. How We Use Your Information
4.1 We use personal information in a secure and responsible way, covering a range of key purposes including the fundamental provision of the Services via the platform and our tech solutions.
4.2 Other purposes include:
- sending out service communications to notify users about changes to our Services,
- sending out marketing content such as special offers or campaigns (if consent is captured),
- customer identification at the point of service and to customise consumer’s experiences,
- when reporting to retailers, carriers or other partners and
- recruitment, screening, selection and identifying candidates for future job opportunities within the Doddle group.
4.3 We make it very easy for individuals to unsubscribe from marketing messages at any time via the link at the foot of each marketing email. If anyone changes his or her mind about us processing their personal information for marketing purposes, we enclose an unsubscribe link there.
4.4 As mentioned in section 2 of this policy, we use hash technology to deploy pseudonymisation so that the data sets are effectively masked and de-personalised – this enables our purpose of supporting long term analytics of transactions.
4.5 When using personal information, we only do so when the law allows us to. When embarking on a new product or major innovation we endeavour to capture and determine the level of privacy risk via proportionate internal data protection screening questionnaires. Where appropriate we will also use full data protection impact assessments as we have completed for our core technology platform (updated periodically). We have set out below a visual depiction of all the ways we can process your personal information under the GDPR, followed by a summary of the key “lawful bases” under UK GDPR and EU GDPR which apply most to Doddle’s activities:
4.6 In terms of Doddle’s platform and core Services, we rely on the following lawful bases in particular:
- necessary for performing our contract with you: In order to process your pick up, drop off, click and collect service, or to honour our terms and conditions for our products and apps, and facilitate your user journey on our platform or when you use a Doddle service, it will be necessary for us to engage with and process your personal information (normally via the retailer or partner with whom you have the primary contract);
- necessary for compliance with a legal obligation: we are subject to certain legal requirements which may require us to process your personal information – perhaps when supporting a retailer or carrier with whom you will have a direct relationship. For example, the supply of goods and services act 1982 or the Consumer Rights Act 2015 may able to your transactions with your retailer and we can support that process. We may also be obliged by law to disclose your personal information to a regulatory body or law enforcement agency;
- necessary for the purposes of our legitimate interests or the legitimate interests of a retailer or partner with whom you have a commercial relationship: We are continuously monitoring our need to process your personal information for the purposes of our legitimate business interests, or particular third parties, which include responding to requests and enquiries from you or a retailer, optimising our website and customer experience, informing you about our products and services and ensuring that our operations are conducted in an appropriate and efficient manner;. Our legitimate business interests have evolved over the years we have been trading. We are now a provider of technology solutions to retailers and carriers and other partners (on a business-to-business basis). We continually appraise our operations and Services against the three essential tests required for any “legitimate interests” examination and as a result, we believe the collation of limited Personal Information is integral and necessary for our business to function and for us to provide the technology and logistics solutions to our customers. We have also considered alternate modes of operating without our personal information sets and without our pseudonymisation techniques, and we have weighed the balance of the impacts of our secure data processing on individuals (and considered the risks to their rights and freedoms). We take the view that there is minimal or no likelihood of harm to the rights and freedoms of the valued shoppers, end-users and other individuals who come to use our platform, apps and services. We possess a legitimate business interest in collecting and using your Personal Information especially where it is to serve our contractual requirements towards our partners and retailers. We are a commercial enterprise which is constantly innovating in the parcels, collections and returns sector. We are having a positive impact on the sustainability of the industry we are in and on the efficiency of our services which benefit shoppers and end—users.
- Consent – it will be on the rarest of occasions when we need to take consent from individuals directly. Most of the time, whilst performing an API/integration or a contractual obligation for a retailer, carrier or partner they will have taken an individual’s consent (or we may occasionally collect consent indirectly on behalf of our customer – through white label or other means).
5. Disclosures of Personal Information
5.1 We may share your personal information with third parties in the following circumstances:
- back to the retailer, carrier or other partner that originally passed your information on to us to perform the Services, to facilitate a smooth service;
- for marketing purposes where you consent to this;
- to other members within Doddle’s corporate ecosystem which may include our international partners and service providers for the purpose of managing or administering certain aspects of our Services, for analytics purposes and to help us develop new products and services;
- to protect the rights, property or safety of us or other Service users;
- where we are obliged, or permitted, to do so by applicable law, regulation or legal process such as an essential audit or upgrade of our platform and supporting infrastructure; or
- if we (or substantially all of our assets) are acquired by a third party, in which case personal information held by us about our users will be one of the transferred assets.
5.2 Such third parties as referenced in paragraph 5.1 may include:
- companies that help us build and sustain the Doddle technology platform, including third party software as a service (SaaS) providers (like Twilio and Sparkpost), and other providers of IT infrastructure (including data storage providers);
- companies approved by you, such as social media sites (if you choose to link your accounts to us – e.g. when using Facebook Messenger or Whatsapp to arrange to return your parcels) or retailers from whom you buy products, or carriers that deliver or return those products for you;
- professional service providers, such as marketing agencies, advertising partners and website hosts, who help us run our business;
- law enforcement and fraud prevention agencies, so we can help tackle fraud; and
- the parties to a sale if we (or substantially all of our assets) are acquired by a third party.
5.3 We may pass aggregated information to third parties about how our users use our Services but this will not include information which could be used by them to identify you. We use Google Analytics, Amplitude and Facebook Tracking. For further information on how each of these processors uses data when you use our website or Services, see the following:
- Google Analytics
- Facebook tracking
5.4 We may, from time to time, use Google, Amplitude and Facebook tracking tools to track user behaviour over time and across third party sites to improve our understanding of customer behaviour and to track any affiliate sales.
5.5 We may collect information about what ads users view and whether they click on our ads. We use this information to improve and customise our advertising.
6. International Transfers
6.1 If you are based in the UK or in Europe, it is likely that we will process your data in the UK. If you are based outside of the UK or Europe (for example, in Australia, Japan or Saudi Arabia), we may process your data locally. Further. as a global business in an increasingly online marketplace, personal information may be transferred to, and stored at, a destination outside of the UK and the European Economic Area (EEA) from time to time. It may also be processed by persons operating outside the EEA who work for us, as a partner, reseller or agent, or it could be transferred to one of our associated companies or a third party engaged by us. To the extent that any personal information is provided to third parties outside the UK and EEA, or who will access the information from outside the EEA, we will ensure that approved safeguards are in place, such as the deemed application of standard contractual clauses approved by the European Commission (or as endorsed or modified for a UK-domiciled business by the Information Commissioner’s office as the case may be).
7. Data Security
7.1 Given that the internet is a global environment, using the Internet to collect and process personal information necessarily involves the transmission of data on an international basis. Unfortunately, the transmission of information via the internet (including via mobile applications which utilise the internet) is not completely secure. Although we will do our best to protect your personal information, we cannot guarantee the security of your information transmitted to our Service and any transmission is at your own risk.
7.2 We deploy provide a range of “technical and organisational” measures (as required by the UK GDPR and EU GDPR including physical, electronic, and procedural safeguards to protect information we process and maintain. Please be aware that, although we endeavour provide reasonable security for information we process and maintain, no security system can prevent all potential security breaches. This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements.
7.4 In the event there is an occasion in future where there is an unauthorised use or breach with respect to personal information (such as a mis-sent email or a cyber hack), Doddle has a best practice Incident Management Policy containing a leading “data breach response protocol” which will immediately kick-in to mitigate the risk to individual’s rights and freedoms arising from the breach.
7.5 The protection of children also forms a part of our consideration. We do not use our platform to knowingly solicit data from or onboard children under the age of 13 . If a parent or guardian becomes aware that his or her child has provided us with information without their consent, he or she should contact us at DPO@doddle.com We will delete such information from our files as soon as is reasonably practicable. take appropriate organisational and technical measures to protect your personal information that we hold. We limit access to your personal information to those who we believe reasonably need to come into contact with that information in order to carry out their jobs at Doddle.
7.6 We actively engage and train our employees on data protection awareness campaigns and drive a culture of vigilance across the organisation. One important feature at Doddle is our Data Champions Forum which involves pro-active engagement between key divisions in the business which have a role or interaction with personal information. Our Data Champions include representation from finance, marketing, product development, and legal disciplines and these individuals report up to our data protection officers (Mark Ransby – CTO and Dan Rose – General Counsel) on a regular basis. Newsletters and flash briefings from our DPOs to the rest of the organisation supports
8. Data Retention
8.1 We will retain your information for as long as is necessary to fulfil any of the Services we provide or to comply with applicable legislation, regulatory requests and relevant orders from competent courts. From a technical standpoint, personal information contained on the Doddle platform or applications shall be removed by way of pseudonymisation and hashing technology after approximately 370 days of live production use. Our Data Retention, Disposals and Pseudonymisation policy is periodically reviewed to make sure it is fit for purpose.
8.2 We have technical protocols in place to ensure personal information is held no longer than is necessary or proportionate.
8.3 We will not retain your personal recruitment data for longer than necessary and will delete it once it is no longer required. Our standard data retention periods for prospective employees are two years following collection of personal data, unless you object, or agree to a longer retention period.
9. Your Rights on Information we Hold About You
You have certain rights in relation to personal information we hold about you, which can be exercised in accordance with Doddle’s subject access processes and applicable data protection laws (mainly the UK GDPR and EU GDPR which applies to most of the personal information we hold as a UK headquartered business). Details of these rights and how to exercise them are set out below. We will require evidence of your identity before we are able to act on your request.
9.1 Right of Access
You have the right to access information held about you and you can ask us for a copy of the information at any time. Where we have good reason, and if the law permits, we can refuse your request for a copy of your personal information, or certain elements of the request. If we refuse your request or any element of it, we will provide you with our reasons for doing so.
9.2 Right of Correction or Completion
If personal information we hold about you is not accurate, out of date or incomplete, you have a right to have the data rectified, updated or completed. You can let us know by contacting us here firstname.lastname@example.org
9.3 Right of Erasure
In certain circumstances, you have the right to request that personal information we hold about you is erased for example if the information is no longer necessary for the purposes for which it was collected or processed or our processing of the information is based on your consent and there are no other legal grounds on which we may process the information.
9.4 Right to Object to or Restrict Processing
9.4.1 In certain circumstances, you have the right to object to our processing of your personal information by contacting us here. For example, if we are processing your information on the basis of our legitimate interests and there are no compelling legitimate grounds for our processing which override your rights and interests. You also have the right to object to use of your personal information for direct marketing purposes. Right to Object: You have a legal right to object at any time to: (i) use of your personal information for direct marketing purposes; and (ii) processing of your personal information which is based on our legitimate interests, unless there are compelling legitimate grounds for our continued processing.
NOTE: If you do object, we may not be able to provide the Services to you.
9.4.2 You may also have the right to restrict our use of your personal information, such as in circumstances where you have challenged the accuracy of the information and during the period where we are verifying its accuracy.
9.5 Right of Data Portability
9.5.1 In certain instances, you have a right to receive any personal information that we hold about you in a structured, commonly used and machine-readable format. You can ask us to transmit that information to you or directly to a third party organisation.
9.5.2 This right exists only in respect of personal information that:
(a) you have provided to us previously; and
(b) is processed by us using automated means.
9.5.3 While we are happy for such requests to be made, we are not able to guarantee technical compatibility with a third party organisation’s systems. We are also unable to comply with requests that relate to personal information of others without their consent.
9.6.1 You have the right to ask us not to process your personal information for marketing purposes. We will inform you, before collecting your personal information, if we intend to use your personal information for such purposes or if we intend to disclose your personal information to any third party for such purposes. We will only process your personal information for such purposes where you agree to such processing (eg, by checking certain boxes on the forms or registration pages we use to collect your information).
9.6.2 If you have previously agreed to us using your personal information for marketing purposes, you may change your mind at any time by contacting us here. You will also be given the opportunity to unsubscribe when you receive marketing messages.
9.6.3 You can exercise any of the above rights by contacting us here.
9.6.4 Most of the above rights are subject to limitations and exceptions. We will provide reasons if we are unable to comply with any request for the exercise of your rights.
9.6.5 To the extent that we are processing your personal information based on your consent, you have the right to withdraw your consent at any time. You can do this by contacting us here.
9.7.3 All of the major browsers offer tips and guidance for managing the cookies available on your browser. There are also lots of different third party browser plug-ins and extensions available which you can download to make it easier to see and control your cookies.
9.7.4 You can find out more about internet advertising by visiting the following websites: www.allaboutcookies.org, www.yourchoicesonline.eu, and www.networkadvertising.org. Some of these sites enable you to opt out of online behavioural advertising and other tracking cookies (in addition to the control settings on your browser).
We may from time to time use third party advertisers or sponsors on our Service. In the event that we do so we will not disclose identifiable information about individuals but we may provide them with aggregated information about our users. We may also use such aggregated information to help advertisers reach the kind of audience they want to target. We may make use of the personal information we have collected from you to enable us to comply with our advertisers’ and sponsors’ wishes by displaying their advertisement to that target audience.
9.10 Keeping your account secure
9.10.1 Where we have given you (or where you have chosen) a password which enables you to access certain parts of the Service, you are responsible for keeping this password confidential and you are responsible for any misuse of such information. You must change your password on a regular basis and must not share your password with anyone.
9.10.2 You are solely responsible for the security and confidentiality of your account. Please ensure that you do not allow anyone else to access the Service in your name and sign off after you have finished accessing your account.
9.10.3 You are responsible for all orders, and for the accuracy of all information, sent via the internet using your user ID, password or any other personal identification used to identify you on the Service.
9.10.4 You will be liable to us for all orders or transactions placed by use of your user ID and password, even if such use might be wrongful. We will not be liable to you for any loss that you may incur as a result of misuse of your user ID and password, and we accept no liability resulting from its unauthorised use, whether fraudulent or otherwise.
If you are unhappy about our use of your personal information, you can contact us here. You are also entitled to lodge a complaint with the UK Information Commissioner’s Office using any of the below contact methods:
(a) Telephone: 0303 123 11113
(b) Website: https://ico.org.uk/concerns/
(c) Post: Information Commissioner’s Office
If you live or work outside the UK or you have a complaint concerning our activities outside the UK, you may prefer to lodge a complaint with your local supervisory authority.
If you have any enquiries or if you would like to contact us about our processing of your personal information, including to exercise your rights as outlined above, please contact us by any of the methods below. When you contact us, we will ask you to verify your identity. Contact us here….
Our registered office is at:
22 Manchester Square, London, W1U 3PT
What are cookies?
Cookies are small text files containing a string of characters that can be placed on your computer or mobile device that uniquely identify your browser or device.
What are cookies used for?
Cookies are an essential part of how our site works. Some of these cookies are required by our site to enable you to transact whilst other cookies enable us to give you an enhanced, personalised web experience.
What types of cookies does Doddle use?
There are generally four categories of cookies: “Strictly Necessary”. “Performance”, “Functionality”, and “Targeting”. Doddle routinely uses only strictly necessary cookies on this Service. You can find out more about each cookie category below.
Strictly Necessary Cookies. These cookies are essential, as they enable you to move around the Service and use its features, such as accessing logged in or secure areas.
Functionality Cookies. These cookies allow us to remember how you’re logged in, whether you chose to no longer see advertisements, whether you made an edit to an article on the Service while logged out, when you logged in or out, the state or history of Service tools you’ve used. These cookies also allow us to tailor the Service to provide enhanced features and content for you and to remember how you’ve customized the Service in other ways, such as customizing the toolbars we offer in the right column of every page. The information these cookies collect may be anonymous, and they are not used to track your browsing activity on other sites or services.
Targeting Cookies. Doddle, our advertising partners or other third party partners may use these types of cookies to deliver advertising that is relevant to your interests. These cookies can remember that your device has visited a site or service, and may also be able to track your device’s browsing activity on other sites or services other than Doddle. This information may be shared with organizations outside Doddle, such as advertisers and/or advertising networks to deliver the advertising, and to help measure the effectiveness of an advertising campaign, or other business partners for the purpose of providing aggregate Service usage statistics and aggregate Service testing.
First and third party cookies
First-party cookies are cookies that belong to Doddle, third-party cookies are cookies that another party places on your device through our Service. Third-party cookies may be placed on your device by someone providing a service for Doddle, for example to help us understand how our service is being used. Third-party cookies may also be placed on your device by our business partners so that they can use them to advertise products and services to you elsewhere on the Internet.
How long will cookies stay on my device?
The length of time a cookie will stay on your computer or mobile device depends on whether it is a “persistent” or “session” cookie. Session cookies will only stay on your device until you stop browsing. Persistent cookies stay on your computer or mobile device until they expire or are deleted.
How to control and delete cookies
Doddle acknowledges and respects your rights to accept or reject those cookies which are not strictly necessary or which are not essential to the functioning of the Platform, website and applications. If you want to delete cookies follow the instructions at http://www.allaboutcookies.org/manage-cookies/clear-cookies-installed.html. Note that if you set your browser to disable cookies, you may not be able to access certain parts of our Service and other parts of our Service may not work properly. You can find out more information cookie settings at third-party information sites, such as www.allaboutcookies.org.
If you have any questions or suggestions regarding our Data Protection Officers Dan Rose and Mark Ransby, please contact us at DPO@Doddle.com.