Lollipop Privacy Notice and Cookie Policy

Privacy Notice

Contents

1.        Introduction        2

2.        Definitions        2

3.        Your Personal Data        3

5.        Our Lawful Bases        6

6.        Our Data Processors        10

7.        Sharing Your Personal Data        11

8.        International Transfers        11

9.        Marketing        12

10.        Your Views        12

11.        Data Security        12

12.        Business Continuity        13

13.        Retention        13

14.        Your Rights        14

15.        Contact Us        16

1. Introduction

We’re Total Food Control Ltd (company number 12721245) - registered office: 20-22 Wenlock Road, London, N1 7GU - but we operate under the name Lollipop AI. Our mission is to take the pain out of food shopping. Our launch product is an app which will allow you to do the big shop in as little time as possible. We operate the Lollipop mobile application and our website, available at https://www.lollipopai.com/. This Privacy Notice applies to both and may also apply to further mobile applications launched by us from time to time.

This Privacy Notice applies to you if you are:

• A service user of this website (https://www.lollipopai.com/);
• A service user of the Lollipop mobile application(s);
• A Lollipop account holder;
• An employee, contractor or other associated party contracted by Lollipop’s Service Providers; or,
• Any other individual with whom Lollipop may conduct commercial operations.

This Privacy Notice does not apply to any services offered, or businesses operated by, other companies, legal entities, or individuals. For example, to learn more about how Sainsbury’s process your Personal Data, you will need to visit Sainsbury’s Privacy Notice(s). Similarly, this Privacy Notice does not apply to any social media services which may be referenced by our products and services, such as Facebook or Twitter. To find out more about how these social media platforms process your Personal Data, you will need to visit their relevant Privacy Notice(s).

This Privacy Notice may change from time to time. We will post any changes to this Privacy Notice on the ‘Privacy’ section of our website.

At Lollipop, we want to be exceptionally clear and transparent about the Personal Data we collect, how we use that information, where we store it and how it’s protected. We’ve tried to keep this Privacy Notice as simple as possible. If you have any questions, please contact our Data Protection Officer - Dr. Lawrence Carter, The DPO Centre Ltd (privacy@lollipopai.com) - for all queries relating to data protection and this Privacy Notice.

2. Definitions

For the purposes of this Lollipop Privacy Notice:

Application refers to the Lollipop mobile application(s).

Company (referred to as “Lollipop” in this Privacy Notice) refers to Total Food Control Ltd t/a Lollipop (12721245), 20-22 Wenlock Road, London, N1 7GU.

Cookies are small files that are placed on Your computer, mobile device, or any other device by a website, containing the details of Your browsing history on that website among its many uses.

Data Controller, for the purposes of both UK and EU GDPR, refers to the Company as the legal person which alone or jointly with others determines the purposes and means of the processing of Personal Data. For the purpose of both UK and EU GDPR, the Company is the Data Controller.

Data Processor, for the purposes of both UK and EU GDPR, refers to the Company’s Service Providers.

Data Protection Legislation means the General Data Protection Regulation (Regulation (EU) 2016/679) (‘EU GDPR’), the United Kingdom General Data Protection Regulation (‘UK GDPR’), the Data Protection Act 2018 (‘DPA 2018’), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (‘PECR’) and any legislation implemented in connection with the aforementioned legislation. This includes any replacement legislation coming into effect from time to time.

Device means any device that can access the Service such as a computer, a mobile phone, or a digital tablet.

Personal Data is any information that relates to an identified or identifiable individual.
For the purposes of both UK and EU GDPR, Personal Data means any information relating to You such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.

Service refers to the Website or Application, unless otherwise stated.

Service Provider means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service or to assist the Company in analysing how the Service is used. For the purpose of both UK and EU GDPR, Service Providers are considered Data Processors.

Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).

Website refers to the Lollipop website, accessible from https://www.lollipopai.com/

You means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable. Under both UK and EU GDPR (General Data Protection Regulation), You can be referred to as the Data Subject or as the User as you are the individual using the Service.

3. Your Personal Data

We only collect Personal Data^[1] that we know we will genuinely use in accordance with the Data Protection Legislation. The type of Personal Data that we will collect on you will depend on whether you are an existing Lollipop customer, which Lollipop services you use, and whether you are contacting us for a specific purpose:

When you sign up for our service

• Identity data

• Name.

• Contact data

• Email address.

• Profile and behavioural data

• Password;
• Profile Images;
• Household demographics;
• Dietary preferences; and,
• Food goals.

• Marketing and communications data 

• Marketing consent; and,
• Communication preferences.

When you use our website

• Profile and behavioural data

• Website cookies^[2] and tracking technologies; and,
• Interaction and user behaviour analytics data.

• Technical data

• Device details (including, but not limited to: model number; operating system; unique device identifiers; device event information; network information; storage information); and,
• IP addresses.

When you use our mobile application

• Profile and behavioural data

• Application cookies and tracking technologies;
• Notification preferences; and,
• Interaction and user behaviour analytics data.

• Technical data

• Device details (including, but not limited to: model number; operating system; unique device identifiers; device event information; network information; storage information; crash reports, etc.,); and,
• IP addresses.
• On Android devices downloaded from the Play Store:

• Primary Account information, uploaded to https://alpha.lollipopai.com.
• the default FCM token for push notifications

• Usage data

• User action data (e.g., which recipes you select, your recipe ratings, your recipe comments, etc.).

• Transaction data

• Order history.

• Photography Data

• Photography uploaded by user.

When you contact us for technical support or customer services^[3]

• Contact data

• Email address;
• Telephone number;
• Postal address; and/or,
• Social media details.

• Support data

• Email contents;
• Email attachments;
• Telephone conversation notes;
• Telephone conversation recordings^[4];
• Postal mail contents;
• Social media profile information;
• Social media message contents; and,
• Social media attachments.

• Technical data

• Device details (including, but not limited to: model number; operating system; unique device identifiers; device event information; network information; notification preferences; storage information); and,
• IP addresses.

When you sign up for customer research^[5]

• Identity data

• Name; and,
• Gender.

• Contact data

• Email address;
• Telephone number; and/or,
• Social media details.

• Research data

• Email contents;
• Email attachments;
• Telephone conversation notes;
• Telephone conversation recordings;
• Social media profile information;
• Social media message contents;
• Social media attachments;
• Household information;
• Demographic information; and,
• Income bracket.

• Profile and behavioural data

• Shopping habits;
• Food goals;
• Dietary preferences; and,
• Allergies.

• Usage data

• User action data (e.g., which recipes you select).

• Transaction data

• Order history.

4. Our Lawful Bases

Your privacy is protected by law. We are only allowed to use personal information about you if we have a legal basis to do so, and we are required to tell you what that legal basis is.

In some circumstances we can use your personal information if it is in our legitimate interest to do so, provided that we have told you what that legitimate interest is. A legitimate interest is when we have a business or commercial reason to use your information which, when balanced against your rights, is justifiable (you will see there are some examples in the table below).

We will only process your Personal Data when the law allows us to do so. We will provide you with our lawful basis for processing your Personal Data at the point the information is collected from you, either through this Privacy Notice or via other means. We will not store, process, or transfer your data unless we have an appropriate lawful reason to do so.

Under Data Protection Legislation, the lawful bases we rely on for processing your information are:

• GDPR Article 6(1)(a) – your consent^[6];
• GDPR Article 6(1)(b) – We have a contractual obligation;
• GDPR Article 6(1)(c) – We have a legal obligation;
• GDPR, Article 6(1)(d) – In order to protect the vital interests of You or a third party;
• GDPR, Article 6(1)(e) – We have a public interest; or,
• GDPR, Article 6(1)(f) – We have a legitimate interest.

We may use your information for the following purposes:

5. Our Data Processors

We use Service Providers (“Data Processors”) who are third parties who provide elements of services for us. Examples of these Data Processors include, but are not limited to:

We have Data Processor Agreements in place with our data processors. This means that they cannot do anything with your Personal Data unless we have instructed them to do it. They will not share your Personal Data with any organisation apart from us or further sub-processors who must comply with our instructions. They will hold your Personal Data securely and retain it for the period we instruct.

6. Sharing Your Personal Data

In addition to the third-party service providers listed in section 6 above, we may from time to time share Personal Data with external Data Controllers.

Examples of these Data Processors include, but are not limited to:

We may also share Personal Data with third party Controllers in the following circumstances:

• You have explicitly consented to the data sharing;
• If the law or a public authority obliges us to share the Personal Data;
• In order to protect your vital interests, or in the vital interests of a third party; or,
• If we need to share Personal Data in order to establish, exercise or defend our legal rights – this includes providing Personal Data to others for the purposes of detecting and preventing fraud.

7. International Transfers

Your Personal Data is processed at Lollipop’s offices in the UK and in any other places where the parties involved in the processing are located. This means that this information may be transferred to Devices located outside of Your state, province, country, or other governmental jurisdiction where the data protection laws may differ than those from Your jurisdiction. In particular, when Lollipop shares your Personal Data with our trusted Data Processors, your Personal Data could be stored and processed within third countries. Where this occurs, Lollipop will ensure that:

• the security and confidentiality of your Personal Data is secure at all times;
• any Data Controller receiving your Personal Data has entered into an agreement with Lollipop which contains standard data protection clauses as required by UK and EU GDPR or there is an alternative appropriate safeguard in place governing the transfer; and,
• any Data Processor receiving your Personal Data has entered into an agreement with Lollipop which contains the required Data Processor clauses as well as standard data protection clauses as required by UK and EU GDPR or there is an alternative appropriate safeguard in place governing the transfer.

Where you are based in the UK or EU and we were required to transfer your Personal Data out of the UK or EU to countries not deemed by the ICO or European Commission (as relevant) to provide an adequate level of Personal Data protection, the transfer will be based on safeguards that allow us to conduct the transfer in accordance with the Data Protection Legislation, such as the specific contracts containing standard data protection clauses approved by the ICO or European Commission (as relevant) providing adequate protection of Personal Data. You can obtain a copy of this documentation by contacting our DPO as identified in the Contact Us section below.

8. Marketing

We may use your Personal Data to tell you about products and services that we think may be of interest to you and upcoming promotional offers.

We can only use your Personal Data to send you marketing messages if we have either your consent or a legitimate interest to do so.

You can ask us to stop sending you marketing messages at any time – you just need to contact us or use the opt-out links on any marketing message sent to you.

We will get your express opt-in consent before we share your Personal Data with any company outside our group of companies for marketing purposes.

9. Your Views

When using our website and other Services, you may be able to share information through social networks like Facebook and Twitter. For example, when you ‘like’, ‘share’ or review our Services. When doing this, your Personal Data may be visible to the providers of those social networks and/or their other users. Please remember it is your responsibility to set appropriate privacy settings on your social network accounts so that you are comfortable with how your information is used and shared on them. Our Website may contain links to other sites operated by third parties, Including social networks. Lollipop does not control such other sites and is not responsible for their content, their privacy policies, or their use of personal information. Lollipop’s inclusion of such links does not imply any endorsement of the content on such sites or of their owners or operators except as disclosed through the Services. Any information, including Personal Data, submitted by you directly to these third parties is subject to that third party’s privacy policy. We expressly disclaim any and all liability for the actions of third parties, including, but without limitation to, actions relating to the use and/or disclosure of Personal Data by third parties.

10. Data Security

We work hard to protect our systems and any information that we hold from unauthorised access or unauthorised alteration, disclosure or destruction. In particular, we:

• Limit access to our buildings and resources to only those that we have determined are entitled to be there (by use of passes, key card access and other related technologies);
• Manage data security breach reporting and notification systems which allows us to monitor and communicate information on data breaches with you or with the applicable regulator when required to do so by law;
• Implement access controls to our information technology;

Deploy appropriate technical and organisational and security measures (including encryption, anonymisation and archiving techniques) to safeguard your information across all our computer systems, networks, websites, mobile apps, offices, and stores;

• Regularly review our information collection, storage and processing practices, including physical security measures, to guard against unauthorized access to systems; Restrict access to Personal Data to Lollipop employees, contractors, service providers and agents who need to know that information in order to process it for us and who are subject to strict contractual confidentiality obligations; and,

Close your account on request. However, we may still need to retain a record of the account, for example to protect against fraud. Data held for this reason will be deleted within 3 years of account closure.

11. Business Continuity

We may, from time to time, expand or reduce our business and this may involve the sale and/or the transfer of control of all or part of our business. Any Personal Data that you have provided will, where it is relevant to any part of our business that is being transferred, be transferred along with that part and the new owner or newly controlling party will, under the terms of this Privacy Notice, be permitted to use that data only for the purposes for which it was originally collected by us.

12. Retention

We retain a record of your Personal Data in order to provide you with high quality Services. We will always retain your Personal Data in accordance with the Data Protection Legislation and never retain your information for longer than is necessary. Lollipop considers the retention period to begin from the point at which Lollipop last contacted you or otherwise reviewed your record to determine whether it was still active, unless otherwise required by law. As such, unless otherwise required by law, your data will be retained for the period specified in the summarised table below and then securely deleted in accordance with our internal policies and procedures.

13. Your Rights

If you are Data Subject in the UK, the European Union (EU), or the European Economic Area (EEA) and/or your Personal Data is processed in the context of our UK office, you have certain rights in respect of your Personal Data. These rights include:

The Right to be Informed about our collection and use of personal data;

You have the right to be informed about the collection and use of your personal data. We ensure we do this with our internal and external Privacy Notices (including this document). These are regularly reviewed and updated to ensure these are accurate and reflect our data processing activities.

The Right to Access Your Personal Data

You have the right to access the Personal Data that we hold about you in many circumstances, by making a request. This is sometimes called a ‘Data Subject Access Request’. If we agree that we are obliged to provide Personal Data to you (or someone else on your behalf), we will provide it to you or them free of charge and aim to do so within 1 month from when your identity has been confirmed. We may ask for proof of identity and sufficient information about your interactions with us that we can locate your Personal Data. If you would like to exercise this right, please Contact Us as set out below.

The Right to Rectify Your Personal Data

If any of the Personal Data we hold about you is inaccurate, incomplete, or out of date, you may ask us to correct it. We may ask for proof of identity in order to process this Request. If you would like to exercise this right, please Contact Us as set out below.

The Right to Erasure

You have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances. For instance, the right to erasure does not apply where we have a legal obligation to retain your Personal Data. We mayask for proof of identity in order to process this Request. If you are a Lollipop user, you can select ‘Delete my account’ from your account settings to make a Right to Erasure Request. If you would like to exercise this right, please Contact Us as set out below.

The Right to Restrict Processing

You have the right to ask us to restrict the processing of your personal data. For example, this may be because you have issues with the accuracy of the data we hold or the way we have processed your data. The right is not absolute and only applies in certain circumstances. We may ask for proof of identity in order to process this Request. If you would like to exercise this right, please Contact Us as set out below.

The Right to Portability

Where we are processing your Personal Data on the lawful bases of consent or contractual obligation, the right to portability gives you the right to receive personal data you have provided to a controller in a structured, commonly used, and machine-readable format. It also gives them you the right to request that a controller transmits this data directly to another controller. We may ask for proof of identity in order to process this Request. If you would like to exercise this right, please Contact Us as set out below.

The Right to Object

You have the right to object to our processing of some or all of the personal data that we hold about you. This is an absolute right when we use your data for direct marketing but may not apply in other circumstances where we have a compelling reason to do so, e.g., a legal obligation. We may ask for proof of identity in order to process this Request. If you would like to exercise this right, please Contact Us as set out below.

Rights Related to Automated Decision-Making

You have the right to object to our processing where a decision is made about you solely based upon automated processed and which has significant or legal effects. Lollipop does not intend to conduct any automated decision-making for your Personal Data. We may use Artificial Intelligence (AI) to help you import and access a wider range of recipes. This processing does not actively process your Personal Data and, in any case, is not used to solely make decisions which may have a significant or legal effect upon your rights and freedoms. If you would like to contact us regarding this right, please Contact Us as set out below.

The Right to Withdraw Consent

Where the lawful basis for processing your Personal Data is your Consent, you can withdraw your consent at any time, and we will no longer process your Personal Data for that purpose going forward. If you would like to exercise this right, please Contact Us as set out below.

The Right to Object to Direct Marketing

Where we are processing your Personal Data for the purposes of direct marketing, you can object to this purpose, and we will no longer process your Personal Data for this purpose going forward. If you would like to exercise this right, please Contact Us as set out below.

The Right to Complain to the Supervisory Authority

You can make a complaint to the Information Commissioner’s Office (ICO), or any other supervisory authority, at any time about the way we use your information. You can contact the ICO through their website located here: https://ico.org.uk/for-the-public However, we hope that you would consider raising any issue or complaint you have with us first. Your satisfaction is extremely important to us, and we will always do our very best to solve any problems you may have.

Children’s Rights

We do not seek or knowingly collect any personal information about children under 13 years of age. If we become aware that we have unknowingly collected personal information from a child under the age of 13, we will make commercially reasonable efforts to delete such information from our database. If you are the parent or guardian of a minor child who has provided us with personal information, you may contact us using the information below to request it be deleted.

More Information about your Privacy Rights

Depending on your jurisdiction, it is possible that a different regulator or supervisory authority may govern the processing of Personal Data. Your government’s website should be able to point you in the right direction of the relevant regulatory body. If you are a Data Subject in the EU, you can find your country’s regulatory body here: https://edpb.europa.eu/about-edpb/about-edpb/members_en. If you have any questions about which supervisory authority applies in your jurisdiction, please Contact Us as set out below. In the UK, the Information Commissioner's Office (ICO) regulates data protection and privacy matters. They make a lot of information accessible to consumers on their website, which you can access here: https://ico.org.uk/for-the-public.

14. Contact Us

If you have any questions about this Privacy Notice, or should you need to raise a complaint concerning your Personal Data, please contact us at privacy@lolllipopai.com.  

Cookie Policy

Our website and mobile application use cookies to distinguish you from other users and to remember you either for the duration of your visit (a ‘session cookie’) or for repeat visits (a ‘persistent cookie’). This helps us to provide you with a good experience when you browse our website and also allows us to improve our site.

A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer's hard drive. They may be set by the website you are visiting or by third parties who provide content or services for that site. We and the third parties we work with use cookies and similar tracking technologies to collect information about your use of the Services, such as your IP address, browser type, browser version, pages viewed, time spent on pages, links clicked and conversion information. This information may be used by us and others to, among other things, analyse and track data, determine the popularity of certain content, deliver advertising and content targeted to your interests on the Services and other websites, provide customer support, troubleshoot issues with and improve the operation of our Website and Services, and better understand your online activity. The third parties used in connection with our site may include, for example, advertising networks and providers of external services like web traffic analysis services (see the table below for further details).

We use the following types of cookies:

Strictly necessary cookies. These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website, place an order or make use of payment services.

Analytical or performance cookies. These allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.

Functionality cookies. These are used to recognise you when you return to our website. This enables us to personalise our content for you and remember your name and preferences (for example, your choice of language or region).

Targeting cookies. These cookies record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website and the advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose.

You can find more information about the individual cookies we use and the purposes for which we use them in the table below (please note, the individual cookies used may change and we will update this table from time to time to reflect such changes):

You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our website.

Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of our Service. This data is shared with other Google services. Google may use the collected data to contextualise and personalise the ads of its own advertising network.

You can opt-out of having made your activity on the Service available to Google Analytics by installing the Google Analytics opt-out browser add-on. The add-on prevents the Google Analytics JavaScript (ga.js, analytics.js and dc.js) from sharing information with Google Analytics about visits activity. For more information on how Google collects and processes data click here. To opt out of tracking by Google Analytics, click here.

For more information on the privacy practices of Google, please visit the Google Privacy Terms web page: https://policies.google.com/privacy?hl=en