Privacy Policy

Personal Data Protection Policy
PopSquare Limited
Last updated: 7 Nov 2019

Introduction

PopSquare is an AI-enabled pop-up store that helps brands around the world to penetrate to overseas markets more cost effectively with artificial intelligence technology. Unlike other traditional pop-up stores or vending machines, our strength is a good combination of product experience, branding, customer behaviour data collection and analysis for O2O2O (online to offline to online) conversion. Being a professional & responsible solution provide, PopSquare has implemented guideline and policy to ensure that appropriate measures are put in place to protect the customer data we collected.

 

This policy explains what, how, and why of the personal information we collect when you visit our website(s), or when you use our Services.  This policy also explains how we use and disclose the information we collected.  We take your privacy extremely seriously, and we never sell the personal data to any third parties.

If you choose to use our Service, then you agree that we will collect and use of your personal information in relation with this policy. The personal information that we collect are used for providing and improving the Service. We will not use or share your information with anyone except as described in this Privacy Policy.

Compliance with the Personal Data (Privacy) Ordinance (Cap. 486)

We, as a Data Controller and also a Data Processor, will use our effort to comply with the requirements of the Personal Data (Privacy) Ordinance and ensure that the personal data we have collected are accurately, securely kept and used only for the purpose as they are collected for.

All our staff who handle identifiable personal data would take extra precaution to ensure that the relevant laws on personal data (privacy) and our guidelines are complied with and that effective security measures are adopted to protect personal and sensitive data concerning a wide spectrum of data subjects such as our clients, business parties, job applicants, etc.

Commitment to General Data Protection Regulation (GDPR)

We take data protection and people’s privacy very seriously and we are committed to comply with the GDPR.

 

Type of Data and Means of Collection 

 

• Traffic data when you approach our kiosks within 1 meter and 4 meters through camera
• Product pick-up data when your pick-up product on our kiosks by image through camera
• Demographics data including gender and age range when you approach our kiosks in 1 meter through camera (not applicable at France)
• Engagement data such as clickstream data when you provide to us via our kiosk screen, or QR code scan data when you scan the QR code on our kiosk screen/product tag cards besides the products
• Your personal identifiable information, including but not limited to your name, email address, phone number, postal address, location when you enter on the screen, fill in our survey, fill in our membership registration form, or place an order for any of our products or services
• Log data on our website(s) when you use or visit our website(s) via your browser’s cookies. This Log Data may include information such as your computer’s Internet Protocol (“IP”) address, browser version, pages of our Service that you visit, the time and date of your visit, the time spent on those pages, and other statistics.

 

The Use of Data

 

The data that we collect will be used to operate our pop-up store service. The data analytics report we collect can allow ourselves, as well as the brand owners and the space owners, to better understand the traffic around the kiosks across the days, to understand different product popularity as break-down by the number of pick-up, pick-up time, different gender and age range segments (not applicable at France), to understand different customer segmentations’ engagement level towards different product. We can also make use of the data to further personalize the shoppers’ experience on our kiosks and the screens, to send the shoppers any special offers on our products as per their request or we think that they may be interested in, to process their order, to send them e-newsletter about our promotional news, to contact them for prize redemption, to collect market intelligence via a survey, or for internal research study for our future service improvement. They can object to the use of their data by contacting us at privacy@popsquare.io anytime.

 

Data Ownership

 

All kinds of customer data collected through our kiosk belong to PopSquare.

 

Data Transfer, Storage, Retention and Disposal

 

We value your trust in providing us your personal data, thus we take reasonable precautions and take appropriate security measures to follow the industry best practices to prevent unauthorized access, disclosure, modification, or unauthorized destruction of the data, and following organizational procedures and modes strictly related to the purposes indicated.

 

Data Transfer

All data collected by PopSquare are encrypted and sent over the Internet through the Hypertext Transfer Protocol Secure (HTTPS). All data transferred carries an end-to-end encryption (E2EE) from service to service with public key encryption. Such encryption secures communication that prevents the third-party from accessing the data while it's transferred from the PopSquare localhost machine to the cloud servers.

 

Data Storage (outside EU)

The data collected by PopSquare are analysed and stored in the database server hosted in the cloud platforms at Singapore or the USA as operated by the third-party service providers as below. All storage services are safeguard by anti-hack mechanisms. Our third-party service providers are committed themselves to comply with the GDPR.

1. Microsoft Azure at Singapore: https://www.microsoft.com/en-us/trustcenter/privacy/gdpr/gdpr-overview
2. Linode at Singapore: https://www.linode.com/compliance

• Face++ at the USA: https://www.faceplusplus.com/privacy-policy/

As a result, your personal data may be transferred to the third countries outside EU by riding on the above international service providers’ platforms and may have a risk of illegitimate access, unwanted modification or data leakage because of intentional hacking or human fraud. We will take reasonable steps to ensure that these companies clearly identify themselves and handle your information appropriately. We strongly advise you to review the Privacy Policy in their websites if you want to understand more details. We have no control over, and shall assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.

 

In any circumstances, we collect the permission from the customers or data subjects before sharing their information to the brands or partners. The customers or data subjects have the right to request PopSquare to prohibit uses or sharing of their personal data by contacting us at privacy@popsquare.io for such a request. 

 

Data Retention & Disposal

 

 

No.	Types of Personal Data	Retention Period & Purpose	Disposal
1	Image data	- 3 Traffic Cameras: no image is kept, only the number of people counted   - 2 Pick-up Cameras: no image is kept, only the number of pick-up counted   - 2 Gender/ Age Analytics Cameras: all faces are blurred and stored on cloud permanently (The cameras will be shut down and not applicable in France)  - Purpose: As for statistical reporting and internal research	- 3 Traffic Cameras: image automatically deleted in real-time after capture   - 2 Pick-up Cameras: image automatically deleted in real-time after capture   - 2 Gender/ Age Analytics Cameras: images will be blurred in real-time and stored in the cloud permanently (The cameras will be shut down and not applicable in France)   - Data Protection Officer will conduct quarterly check.
2	Membership data	- Permanent until the subscriber requests us to opt-out  - Purpose: for sending them future membership news and offers	- Directly delete the data subject's record from our email marketing system  - Data Protection Officer will conduct quarterly check.
3	Survey data	- (i) Opt-in case: Permanent until the respondents request us to opt-out; OR (ii) 3 months if the respondents did not opt-in  - Purpose: for internal analysis	-  (i) Directly delete the data subject's record from our email marketing system OR (ii) Directly delete the record  - Data Protection Officer will conduct quarterly check.
4	Transaction data	- 3 months  - Purpose: for product delivery & internal analysis	- Directly delete the file  - Data Protection Officer will conduct quarterly check.
5	IP address	- 3 months  - Purpose: for internal analysis	- Directly delete the file  - Data Protection Officer will conduct quarterly check.
6	Freelancer personal data at Europe	- 3 months after service termination  - Purpose: for settling payment	- Directly delete the file  - Data Protection Officer will conduct quarterly check.

 

The data subject can always request us to suspend or remove their personal data and ensure that the personal data we collected are accurately, securely kept and used only for the purpose as they were collected for by contacting our Data Protection Officer at privacy@popsquare.io

 

 

Data Sharing Policy and Procedure:

 

The data may be accessible to certain types of persons in charge, involved with the operation of the Service and the websites (system administration, sales, marketing, legal, location owners, brands) or external parties (such as third party technical service providers, mail carriers, hosting providers, IT companies, communications or marketing agencies) appointed. Their access control should be administrated by specific users as delegated by PopSquare. No data can be shared or distributed without the approval of PopSquare in advance.

 

The sharing of data would be in the format of a statistical dashboard report on a data visualization tool – Data Catalog. The dashboard report will not display any personal data that can identify the individual identity. The staff of PopSquare, the related staff of the product brand or the space owner partner (where our kiosks located at) will have the access right to login to the data visualization tool for reading the report.

 

The data collected from the kiosk will also be accessible or transferred between PopSquare and below service applications that  maybe located at a third country including but not limit to Singapore, Canada or the United States, subject to the internal policy of the third-party service providers as below:

 

• Shopify (at Canada) – it is a third-party online shop platform to which the PopSquare customers will be diverted and finish the process of product purchase. Active consent is collected from the customers before further processing by PopSquare.

 

• Brand’s e-commerce website – it is the brand’s own online shop platform to which the PopSquare customers will be diverted and finish the process of product purchase. The website is operated by the brand itself.

 

• Google Form (the United States) – it is an online form tool to collect and store the survey answers or membership subscription information. Active consent is collected from the customers before further processing by PopSquare.

 

Your personal data may be transferred to the third countries outside EU by riding on the above international service providers’ platforms and may have a risk of illegitimate access or leakage of the data. We will take reasonable steps to ensure that these companies clearly identify themselves and handle your information appropriately. We strongly advise you to review the Privacy Policy in their websites if you want to understand more details. We have no control over, and shall assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.

 

In any circumstances, we collect the permission from the customers or data subjects before sharing their information to the brands or partners. The customers or data subjects have the right to request PopSquare to prohibit uses or sharing of their personal data by contacting us at privacy@popsquare.io for such a request. 

Data Subject Access Request (SAR) Policy and Procedure

In compliance with GDPR, you have the below rights in order to protect your privacy as long as the type of data can represent your identity.

Right to be forgotten
Individuals may request to delete all personal data on that individual without undue delay.

Right to object
Individuals may request to prohibit certain personal data uses.

Right to rectification
Individuals may request that incomplete data be completed or that incorrect data be corrected.

Right of access
Individuals may request to view the data we have collected on the individual.

Right of portability
Individuals may request that personal data held by on organization be transported to another.

Right to lodge a complaint
Individuals may request to lodge a complaint with a supervisory authority

Please contact us at privacy@popsquare.io for such a request by providing information that can represent your identity including but not limit to your full name, email address and mobile number. We will acknowledge your request by reply your email within 5 working days.

Links to Other Sites

Our website(s) may contain links to other sites. If you click on a third-party link, you will be directed to that site. Note that these external sites are not operated by us. Therefore, we strongly advise you to review the Privacy Policy of these websites. We have no control over, and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.

Changes to This Privacy Policy

We reserve the right to modify this privacy policy at any time, so please review it frequently. Changes and clarifications will take effect immediately upon posting on the website. If we make material changes to this policy, we will notify you here that it has been updated, so that you are aware of what information we collect, how we use it, and under what circumstances, if any, we use and/or disclose it.

Unsubscribe

If you do not wish to receive our newsletter or promotional email, you may click on a link named “unsubscribe” which is embedded in the email sent by us in order to not receive future messages from us.

Direct Marketing

We will use your personal data to send you marketing offers, information surveys and invitations through e-mails, text messages, phone calls and postal mail.

You may inform us any time that you no longer wish to receive our marketing offers and information by clicking on “Unsubscribe” through the links as indicated in our e-mails.

How to contact us

 

If you have any questions about our privacy policy, the data we hold on you, or you would wish to report a complaint if you feel that we have not addressed your concern in a satisfactory manner, please do not hesitate to contact our Data Protection Officer at:

 

Email us at: privacy@popsquare.io

Call us at: +852 3188 7418

Write to us at: Unit 611 & 612, 6/F, Lakeside 2, No. 10 Science Park West Avenue, Science Park, Shatin, Hong Kong