ChinChin Privacy Policy V2
1. INTRODUCTION and IDENTIFYING the CONTROLLER of your personal data
This privacy policy applies to HEINEKEN’s mobile application called ChinChin which is for use by consumers in the United Kingdom (the "App"). Heineken UK Limited and Heineken International BV (“we”, “us” or “our”) are part of the HEINEKEN group and each company acts as an independent data controller in respect of the personal data that it collects and processes when you use the App.
Personal data is any information about an individual from which that person can be identified. When we mention “we”, “us” or “our” in this privacy policy, we are referring to the relevant company responsible for processing your personal data and we have indicated in section 2 which company has access to and processes the different types of personal data.
We respect your privacy, and we are committed to keeping your personal data secure and managing it in accordance with our legal responsibilities under applicable data protection laws. Please read this Privacy Policy carefully as it contains important information on our processing activities.
If you have any questions, we can be contacted as follows:
- Mail: 3 – 4 Broadway Park South Gyle Broadway Edinburgh EH12 9JZ, marked for the attention of the Privacy Officer; or
- Email: protectingyourdata@heineken.co.uk
2. WHAT personal data we collect, what our LEGAL basis for processing your personal data is, and HOW we use your personal data
A. Guest Mode Data (Heineken International B.V.)
You do not need to set up a ChinChin account to use the App in Guest Mode. However, you will still need to provide the following personal data:
- date of birth, to verify that you are of legal drinking age.
B. Account Data (Heineken International B.V.)
You will need to provide the following personal data (“Account Data”) to create an account in the App and access its full functionality:
- date of birth, to verify that you are of legal drinking age;
- name; and
- telephone number.
Push notifications.
If you have enabled push notifications when downloading the App, we will send you push notifications with service-related content that may be of interest to you. If you have, in addition, consented to receiving marketing communications from Heineken UK Limited when creating your account in the App, we will send you push notifications with marketing-related content. If you no longer wish to receive any push-notifications, you can unsubscribe at any time by using the unsubscribe functionality in your phone settings, which can also be accessed via the ‘profile’ settings in the App.
Lawful basis for processing: performance of a contract with you.
Retention period: until we delete your account following receipt of a deletion request from you.
A. Location Data (Heineken UK Limited)
When enabled in the App, your GPS-based location information is used to:
- show you nearby ChinChin venues (‘Venues’) and enable you to mark Venues as “favourites”; and
- present you with three recommended Venues to hold an event you are organising (‘Recommendations’).
- provided your contacts have also enabled this functionality, show you nearby ChinChin friends.
Recommendations are based on your indicated event criteria - for example location or Venue type - combined with the score which Heineken UK Limited has allocated to each Venue, taking into account whether the Venue serves HEINEKEN products. The more HEINEKEN taps that a Venue has on its bar, the higher it will be ranked.
Lawful basis for processing: consent.
Retention period: depending on the choice you make when you download the App, date will only be processed when using the App or alternatively all the time i.e. continuously.
B. User Contact Data (Heineken UK Limited)
B1. When using the App to “add friend from Phonebook” for the first time, you will be prompted to allow the app to access your Phonebook & contacts. If you allow this, the App will compare your phone’s contact list with the ChinChin user base to allow you to connect to people you know, who are also on ChinChin.
Each time you use this ‘add friends from phonebook’ functionality, the App:
- imports your phonebook into the App’s temporary memory;
- makes an API request to a “friend lookup” endpoint in the ChinChin cloud, looking for matches between the contact numbers submitted by you and ChinChin user phone numbers;
- The API returns a response which confirms all phone numbers which match ChinChin user IDs; and
- presents you with a list of which of your phone contacts are users of ChinChin, allowing you to send them a friend request in the App.
B2. You can view the usernames of all ChinChin users who have attended the same events as you, as well as the name of the Venue and the date that the event took place. You can also send these ChinChin users a friend request in the App.
Lawful basis for processing: C1: consent. C2: necessary for our legitimate interest in order to ensure we offer a good quality service, to improve the App and to protect, promote and grow our business for C1.
Retention period: we limit the use of this function to when users are actively intending to use it. The phonebook data which is imported is held in memory/RAM only for the duration of time when you use the App. The ChinChin backend does not save or log each ‘add friend request’ but purges the contents of each request to avoid indirect storage of contact-numbers. The App also does not import or save/store/persist a copy of your phonebook or the lookup-response. No phonebook data is uploaded, saved, stored, or otherwise persisted in the ChinChin cloud.
C. App Performance, Analytics and Engagement Measurement Data (Heineken International B.V. and Heineken UK Limited)
We also collect certain performance, analytical and engagement information when you use the App (“App Performance, Analytics and Engagement Measurement Data”). Such data includes unique identifiers such as your device category, operating system, IMEI number, IP address and (subsequently) the country you are in.
User interactions will also be tracked as part of App Performance, Analytics and Engagement Measurement Data to analyse and further enhance your activity within the App. To do so, we use techniques which reveal your geo-location or your network location. This data is used in the same way as cookies, e.g. to analyse and improve services.
The information about your interactions with the App enables us to:
- monitor and improve the stability, bugs and other technical information of the App; and
- measure and gain insights on (i) App acquisition, such as downloads, App activation and which channels users are coming from; (ii) retention, i.e., do users continue to use the App; (iii) user engagement; (iv) uninstalls and churn rates; (v) opt-in rates on push notifications; and (vi) click-through rates.
Lawful basis for processing: necessary for our legitimate interest to conduct and manage our business, to enable us to give you the best service and to protect, promote and grow our business. Where required, by privacy laws, consent.
Retention Period: until we delete your account following receipt of a deletion request from you, or, when our lawful basis is consent, until consent is withdrawn.
D. Customer Service Data (Heineken International B.V. and Heineken UK Limited)
If you have a question or other remark about the App, you can contact us at hello@letschinchin.com. We will process your email address, your request, complaint or question, our response, and any other interaction with you (together “Customer Service Data”).
Lawful basis for processing: Necessary for our legitimate interest to conduct and manage our business, to enable us to give you the best service and to protect, promote and grow our business.
Retention period: 12 months after your request, complaint or question is resolved.
E. Survey Data (Heineken International B.V. and Heineken UK Limited)
We may contact you to ask you to complete a survey about how we can improve the services we offer you, or to ask you for information on how we can improve our App or our Engagements with you.
Lawful basis for processing: Necessary for our legitimate interest in order to ensure we offer a good quality service, to improve the App and to protect, promote and grow our business.
Retention period: until the survey feedback has fulfilled its intended purpose.
F. Inferred Data (Heineken International B.V. and Heineken UK Limited)
This relates to data which is inferred or derived from the data we collect, for example inferences about your interests based on your Account Data, Profile Data, Push Notification settings, App Performance, Analytics and Engagement Measurement Data and Location Data.
Lawful basis for processing: necessary for our legitimate interest to conduct and manage our business, to enable us to give you the best service and to protect, promote and grow our business. Where required, by privacy laws, consent.
Retention period: until we delete your account following receipt of a deletion request from you or, when our lawful basis is consent, until an opt-out / objection is received, or consent is withdrawn as applicable.
We will only use your personal data for the purposes above, unless we reasonably consider that we have another appropriate reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
3. WHO do we share your personal data with?
We may need to share personal data with third parties to help us provide our services and products to you and to run the App. These third parties are:
- HEINEKEN group companies for the purpose of storing personal data processed via the App, due to shared IT systems;
- service providers where this is needed to provide us with a service and to provide data analytics and data storage services, such as Microsoft Azure, Microsoft Application Insights, Triple, Mesh, New relic, Google Firebase and Analytics;
- Merkle Denmark for the purpose of developing and maintaining the App;
- service providers that help us for research purposes;
- service providers such as solicitors and accountants;
- courts, parties to litigation and their professional advisers where we reasonably deem it necessary in connection with the establishment, exercise, or defence of legal claims;
- Law enforcement bodies in order to comply with a legal obligation or court order; and
- a purchaser or parties interested in purchasing any part of our business (and professional advisors.
4. International transfers
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission and/or the UK Information Commissioner’s Office.; and
- Where we use certain service providers, we may use specific contracts approved by the European Commission and/or the UK Information Commissioner’s Office, which give personal data the same protection it has in Europe (or the United Kingdom).
5. How SECURE is my personal data?
We will take appropriate technical and organizational measures (‘TOMs’) to protect the personal data we process in connection with the App from misuse or accidental, unlawful, or unauthorised destruction, loss, alteration, disclosure, acquisition, or access. Such TOMs are consistent with applicable privacy and data security laws and regulations. However, no internet-based (mobile) application can be 100% secure and we cannot be held responsible for unauthorised or unintended access that is beyond our control. The App may contain links to other websites. We are not responsible for the privacy practices, content or security used by such other websites, which shall not be governed by this Privacy Policy. We advise you to always read the privacy policies carefully on these other websites.
6. Social media
You may choose to share information on the App via social media, such as i.e., Facebook, Instagram, Twitter, LinkedIn, and YouTube. This means that the information you share, with name and preferences, shall be visible to visitors of your personal social media pages. We advise you to carefully read the privacy policies of the social media parties, these are applicable to the processing of your personal data by such parties.
7. How LONG will my personal data be used for?
We will only retain your personal data to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
You can ask us to delete your App account including your personal data at any time in the ‘profile’ section in the App. We will complete the deletion process within fourteen working days of receipt of your request.
We will take reasonable steps to destroy or de-identify personal data we process if it is no longer needed for the purposes set out above or after the expiration of the defined retention term.
Further retention details for specific aspects of your personal data are noted in Clause 2.
8. Cookies
Some of the personal data referred to in this privacy policy is collected via the use of cookies and other cookie-like techniques including tracking pixels, Java scripts and tags. These techniques can be necessary to remember your account settings, language, and country, but also enable us to measure and analyse your behaviour within the App and to make our advertisements relevant to you and your interests. Where required, you will be asked for consent to the use of such techniques. For more information on what techniques, we use and how we use them, please review our separate Cookie Policy.
9. Children's Privacy
The App is not intended for use by individuals under the age of 18 (or the applicable legal drinking age). We do not knowingly collect personal data from individuals under the age of 18.
10. What are my RIGHTS?
Under data protection laws, you have various rights which are set out below. The rights available to you depend on our reason for processing your personal data. You are not required to pay any charge for exercising your rights, although we may charge a reasonable fee if your request is unfounded, repetitive, or excessive. We have one month to respond to you (unless you have made several requests or your request is complex, in which case we may take up to an extra two months to respond). Please note that, where we ask you for proof of identification, the one-month time limit does not begin until we have received this. If we require any clarification and/or further information on the scope of the request, the one-month deadline is paused until we receive that information.
- Right of access. You have the right to ask us for copies of your Personal Data. This right always applies. There are some exemptions, which means you may not always receive all the information we process.
- Right to rectification. You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.
- Right to erasure. You have the right to ask us to erase your Personal Data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it, or where you have successfully exercised your right to object to processing.
- Right to restriction of processing. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it;
- Right to object to processing. You have the right to object to processing of your Personal Data where we are relying on a legitimate interest or conducting direct marketing.
- Right to withdraw consent. Where we are relying on consent to process your Personal Data, you may withdraw it at any time. This will not affect the lawfulness of any processing carried out before you withdraw your consent.
- Right to data portability. This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information based on your consent.
You also have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance using the details at the start of this policy.
11. Updates
We will keep this privacy policy under review and make updates from time to time. Any changes to this privacy policy will be posted in the App and to the extent reasonably possible, will be communicated to you.
This version was last updated in March 2024.