Antavo Limited (company registration number: 08046168, registered seat: 9th, Floor, 107 Cheapside, London, United Kingdom, EC2V 6DN) (hereinafter referred to as “Antavo”, “Us”, “Our”) takes privacy seriously. We design and operate our services with the protection of your privacy in mind. Please read the following to learn more about our Privacy Notice.
Welcome and thank you for visiting the Antavo website (“Website”).
Antavo offers a hosted software as a service platform to Clients (Loyalty platform) that have contracted with Antavo Limited for User (users of Loyalty platform) data orchestration and engagement (“Clients”). Clients include our partners or resellers that offer our Services in connection or combination with services they provide to their customers, most often through their websites, webshops or social media pages. Antavo helps Clients understand their Consumers (“Consumers”) and provide their Consumers with personalized offers, campaigns, and loyalty programs. Our platform includes tools for creating reward clubs, contests, quizzes, season campaigns and audience “segments” based on information about Consumers. These tools enable Clients to send relevant communications and promotions to certain customers. Using the Loyalty Management Platform or the Contest Tools (defined below), Clients can configure and manage contests and loyalty programs on their websites, as well as offer and manage promotions and rewards.
In this Privacy Notice, we refer to the Antavo Loyalty platform and applications as our “Services”.
This Privacy Notice provides information to Clients and business partners, and other third parties concerning the processing of their data.
The applicable regulations are the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR) and the UK GDPR which means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
Name and contact details of the controller:
Antavo Limited
company registration number: 08046168
registered seat: 9th, Floor, 107 Cheapside, London, United Kingdom, EC2V 6DN
email: [email protected]
Data Protection Officer (DPO)
dr Annamária Nádai, [email protected]
Below, you can find the information on
| Purpose | Data processed | Legal basis | Persons/entities having access to the data | Period |
| Making the Website more customizable to better accommodate the visitor's interests and needs by making it easier to use. Cookies are also designed to facilitate the user’s future activities and to improve the user experience. Cookies can also be used to create anonymous, aggregated statistics that help us understand how people use our Website, which allows us to optimize our Website content and structure. No natural person can be identified from this information. Necessary cookies are essential for the proper functioning of the Website Other cookies collect information about site usage (statistics) to make the Website more convenient and useful. | Please see the details in our Cookie Policy. | In case of necessary cookies, the legal basis is Antavo’ s legitimate interest. In the case of other cookies, the legal basis is consent. | Please see the details in our Cookie Policy. | Please see the details in our Cookie Policy. |
| Purpose | Data processed | Legal basis | Persons/entities having access to the data | Period |
| Handling, responding the messages, questions received via the contact form (https://antavo.com/contact/) Handling, responding to messages, questions received via emails. | First name, last name, company email, phone nr (optional), an open field where you can provide us with more details on your goals (e.g requesting an offer) (optional) | Consent | Antavo’s employees dealing with inquiries | 6 months after responding the inquiry/request |
| Purpose | Data processed | Legal basis | Persons/entities having access to the data | Period |
| Sending newsletter to subscribers. Based on your consent, Antavo will process your personal data in order to provide you with the relevant materials. You may unsubscribe from receiving newsletters by simply clicking the unsubscribe link provided in all communications you receive. Email statistics | First name, last name, company email Without systematically doing so, we analyze and track the following rates: Open rate Click rate Reply rate Clicked links Time spent viewing email Engagement over time Opens by email client | Consent | Antavo’s employees dealing with newsletter Please see more details in Section below | Until unsubscription |
| Purpose | Data processed | Legal basis | Persons/entities having access to the data | Period |
| Based on your consent, Antavo will process your personal data in order to provide you with the demo. | First name, last name, company email, phone nr (optional), an open field where you can provide us with more details on your goals (optional) | Consent | Antavo’s employees dealing with newsletter Please see more details in Section below | 1 year after providing the demo |
| Purpose | Data processed | Legal basis | Persons/entities having access to the data | Period |
| Based on your consent, Antavo will process your personal data to provide you with information required by an RFP considering Antavo in your vendor selection process. | First name, last name, company email, phone nr (optional), an open field where you can provide us with more details on your goals (optional) | Consent | Antavo’s employees dealing with RFPs Please see more details in Section below | 1 year after providing the information for RFP. In case of contract, the retention period defined by the respective contract applies. |
| Purpose | Data processed | Legal basis | Persons/entities having access to the data | Period |
| Handling registration requests for Antavo’s events (e.g. Product releases, webinars, podcasts, etc.) | First name, last name, company email, phone nr (optional) | Consent | Antavo’s employees dealing with registration | 6 months after the event |
| Purpose | Data processed | Legal basis | Persons/entities having access to the data | Period |
| Carrying out loyalty industry surveys with voluntary participation | First name, last name, title/position, company email, phone nr, image, your responses, comments to the open-ended questions, quotes, testimonials | Consent | Antavo’s employees dealing with the surveys In addition, the results of the Survey can be published on Antavo’s LinkedIn profile. For details of how your personal data are processed, please refer to the LinkedIn privacy policy: https://www.linkedin.com/legal/privacy-policy We use Google services. For further details please refer to the Google privacy policy: https://policies.google.com/privacy | 3 years |
| Purpose | Data processed | Legal basis | Persons/entities having access to the data | Period |
| We are designing Antavo Academy as an educational programme (“Educational Programme”) to share loyalty knowledge and to develop the next generation of loyalty professionals and business leaders. Topics we will be looking to cover as part of the study programme will include best practices, case studies, theories, planning and trends in the loyalty industry. | First name, last name, image (photo), company email, company you work at, your position, your result of the Educational Programme exams, your certificates | Consent | Antavo’s employees dealing with Antavo Academy Participation and certifications will be published on LinkedIn. For details of how your personal data are processed, please refer to the LinkedIn privacy policy: https://www.linkedin.com/legal/privacy-policy. We use Google services. For further details please refer to the Google privacy policy: https://policies.google.com/privacy. | 3 years |
| Purpose | Data processed | Legal basis | Persons/entities having access to the data | Period |
| Providing Antavo’s hosted software as a service platform to Clients that have contracted with Antavo Limited for User data orchestration and engagement,including to allow Clients to offer their Users specialized offers, campaigns, or loyalty rewards or to allow Users to receive rewards and other promotions and to participate in contests, promotions or surveys. Our use of information on behalf of our Clients is governed by our contract with that Client, our General Data Processing Terms and Conditions and the Client’s own privacy policies. | First name, last name, company email, company phone nr Antavo’s Services are not intended to be directed to children under 16 years of age, and we do not knowingly collect or receive personal data from them. Our Clients are responsible for complying with applicable laws regarding the collection of information from children who may be under the age of 16. | Performance of contract concluded with customers | Antavo’s employees dealing with the contracts | The retention period defined by the respective contract applies |
Providing our Services to Clients, we receive personal data of Clients' Users which is necessary for operating our loyalty platform.
These personal data can be the following:
Mandatory: Customer ID, Opt-in Date, Loyalty membership status, Event ID, Action name, Date of registration (event date).
Other possible data: External ID, Last name, First name, Email address, Gender, Birthdate, Age, Handler, Image, Facebook ID, Language used, Mobile phone nr, Address, IP address, Labels, number of purchases, purchase totals, last purchase date - broken down into different time periods i.e. last 12 months, last 24 months, etc, Transaction ID, Date and time of transaction, Products, services purchased, Campaign bonus, Coupons (assigned, redeemed, expired, etc.), Point history (rewarded, added, spent, redeemed, burnt, unburnt, expired, transferred, refunded, referral bonus, etc.), Tiers (current, change).
Using our Services, Clients are the data controller in relation to processing of the Client’s Users personal data, and Antavo is the data processor.
| Purpose | Data processed | Legal basis | Persons/entities having access to the data | Period |
| Receiving and assessing CV, including unsolicited CVs and cover letter for recruitment | Personal data contained by the CV and cover letter, such as first name, last name, email, phone nr, address, nationality, visa-related data, job-related data, salary expectation, website, blog or Linkedin link | Consent | Antavo’s employees dealing with CVs and cover letters | In case of unsuccessful applications, we retain the CVs and cover letters for 1 year. For successful candidates, the retention period is defined by the respective internal policy of Antavo. |
Antavo may process personal data to meet applicable law, regulation, legal process or lawful government requests of any country of which Antavo will inform you immediately, unless it is required otherwise by the law.
Within the framework of its services, Antavo attributes the very highest importance to the security and integrity of its customers’ personal data.
Antavo undertakes to take all pertinent precautions in order to preserve the security of the data and, in particular, to protect them against any accidental or unlawful destruction, accidental loss, corruption, unauthorized circulation or access, as well as against any other form of unlawful processing or disclosure to unauthorized persons. To this end, Antavo implements industry-standard security measures to protect personal data from unauthorized disclosure.
In order to avoid in particular all unauthorized access, as well as to guarantee accuracy and the proper use of the data, Antavo has put the appropriate electronic, physical and managerial procedures in place with a view of safeguarding and preserving the data gathered through its services.
One of the key objectives of the European General Data Protection Regulation (GDPR) was to ensure the privacy and protection of the personal data of data subjects.
To help data subjects in being assured of the protection and privacy of their personal data, GDPR empowers data subjects with certain rights. Through these rights, data subjects can make a specific request and be assured that personal data is not being misused for anything other than the legitimate purpose for which it was originally provided.
The right to information allows data subjects to know what personal data is collected about them, why, who is collecting data, how long it will be kept, how they can file a complaint, and with whom their data will be shared.
Antavo is obligated to provide information about:
Data subjects have a right to submit subject access requests and obtain information from Antavo Group about whether your personal information is being processed. Antavo Group is then obligated to provide a copy of personal data it has about you and additional information, including:
The right to rectification allows data subjects to ask Antavo Group to update any inaccurate or incomplete data it has on them.
The right to be forgotten is also known as the right to erasure. This right allows data subjects to ask for their ur personal data to be deleted if:
Although there are situations where Antavo Group can decline the request. For instance, for reasons in the public interest or compliance with legal obligations.
If data subjects exercise their right to erasure, Antavo Group has to notify any third parties with whom the data was shared and request the erasure of data.
Antavo Group has to comply unless it can prove that the request would require a disproportionate effort or if it is impossible to comply.
Data subjects can request that Antavo Group limits the way it uses their personal data. Antavo Group is not automatically obligated to delete the data. However, it has to refrain from processing it in certain situations:
Once the data is restricted, Antavo Group is not allowed to process it unless it has the data subject’s consent, it needs it for legal claims or to protect the rights of other individuals.
Data portability allows data subjects to obtain personal data they have previously provided to Antavo Group in a structured, commonly used, and machine-readable format.
Data subjects can also request for their data to be transferred directly to another organization. However, it can only be applied to the data if processing is carried out by automated means, no papers.
The data subject has the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
Data subjects have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on the following legal grounds:
Antavo Group shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of you or for the establishment, exercise or defense of legal claims.
The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
If you wish to exercise any of these rights, please contact us at [email protected].
Information will be provided at the earliest convenience, but at a maximum of 30 days from the date the request was received.
Where the retrieval or provision of information is particularly complex or is subject to a valid delay, the period may be extended by two further months where necessary. However, this is only done in exceptional circumstances and you will be kept informed in wiring throughout the retrieval process of any delays or reasons for delay.
If for any reason, Antavo is unable to act in response to a request a written explanation to you will always be provided and you will be informed of your right to complain to the Supervisory Authority and to a judicial remedy.
Information provided, and any communication and any actions taken under shall be provided free of charge.
Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, Antavo may either:
(a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
(b) refuse to act on the request.
Where Antavo has reasonable doubts concerning the identity of the natural person making the request, it may request the provision of additional information necessary to confirm the identity of the data subject.
If Antavo does not comply with a request, it shall inform you without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes GDPR.
The list of the European supervisory authorities can be found here.
Right to an effective judicial remedy against a supervisory authority
Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.
Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to an effective judicial remedy where the supervisory authority which is competent does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged to it.
Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.
Right to an effective judicial remedy against a controller or processor
Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, you have the right to an effective judicial remedy where you consider that your rights under GDPR have been infringed as a result of the processing of your personal data in non-compliance with GDPR.
Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where you have your habitual residence.
You have the right to complain to an organization if you think it has not handled personal information in compliance with the UK GDPR.
You should give the organization you’re unhappy with a chance to sort things out before bringing your complaint to the supervisory authority.
Give the organization one month to respond to your complaint or request. Ask the organization involved for clarification if you don’t understand or you’re unhappy with their response. Organizations have an obligation to clearly explain why they are using your information in the way they are doing or why they have refused a request.
If you have followed these steps or the organization is refusing to respond to you, you can complain to the supervisory authority.
The name and contact details of the supervisory authority:
Information Commissioner's Office (ICO)
seat: Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF
telephone: 0303 123 1113
fax: 01625 524510
website: www.ico.org.uk
You have the right to an effective judicial remedy against a legally binding decision of the ICO. You can apply to the High Court, or the Court of Session in Scotland, for a judicial review where the complaints process has been exhausted. You may also proceed to take the controller or processor to court for the matter, and the court may take a differing view from any ICO decision.
You have the right to an effective judicial remedy if the ICO does not handle the complaint or provide you with a progress update within three months.
You may apply to the First Tier Tribunal to make an order against the Commissioner.
You have a right to seek a judicial remedy against a controller or processor. The DPA 2018 empowers courts to make an order for compliance, requiring controllers to take or refrain from taking specific steps where a data subject’s rights, under data protection legislation, have been infringed.
| Third party | Data processed | Purpose | Country | Privacy policy |
| Acxiom | Users’ personal data | Integration partner | UK | https://axicom.com/privacy-policy/ |
| Adobe | Users’ personal data | Ecommerce Platform | USA | https://www.adobe.com/privacy.html |
| Amazon Simple Email Service (SES) | https://aws.amazon.com/privacy/?nc1=f_pr | Email provider | USA | https://aws.amazon.com/privacy/?nc1=f_pr |
| Amazon S3 | https://aws.amazon.com/privacy/?nc1=f_p | Blob storage | Europe (Ireland) eu-west-1 US West (Oregon) us-west-2 Asia Pacific (Sydney) ap-southeast-2 | https://aws.amazon.com/privacy/?nc1=f_pr |
| Antavo Kft. | Customers’ and users’ personal data | Employees involved into providing Antavo Loyalty Program should have access to personal data | Google Cloud Platform | Antavo Group Privacy Policy |
| Apple | Users’ personal data | Apple Wallet - Mobile Wallet Technology Provider | USA | https://www.apple.com/legal/privacy/ |
| Atlassian Service Management | Registration required Email address, password, additional data provided for bug reports, information requests and improvements | Loyalty Software Support - Support ticketing system (https://antavo.atlassian.net/servicedesk/customer/user/login) | Australia, USA | https://www.atlassian.com/legal/privacy-policy#what-this-policy-covers |
| Atlassian Jira software, Confluence, Opsgenie | Tickets, documents for project management, alerting tool | Internal project management | Australia, USA | https://www.atlassian.com/legal/privacy-policy |
| Bamboo | First name, last name Phone Address City, State, ZIP Country Resume Date Available (not required) Desired Pay (not required) Website, Blog, or Portfolio (not required) LinkedIn Profile URL (not required) | Recruitment | USA | https://www.bamboohr.com/legal/ |
| Bloomreach | Users’ personal data | Marketing Automation Platform & CDP | USA | https://www.bloomreach.com/en/legal/privacy |
| Braze | Users’ personal data | Marketing Automation Platform | USA | https://www.braze.com/company/legal/privacy |
| Cloudflare | https://www.cloudflare.com/privacypolicy/ | Firewall solutions, static content cache -WAF, DDoS protection, security analysis | USA | https://www.cloudflare.com/privacypolicy/ |
| CustomerOS | First name, last name, email address, email communication, service desk request communication | Streamlining processes and scaling operations, customer health analysis, revenue management, and customer segmentation | UK | https://www.customeros.ai/legal/privacy-policy |
| Dotdigital | Users’ personal data | Email and SMS Marketing Automation | UK | https://dotdigital.com/terms/privacy-policy/ |
| Emarsys (SAP) | Users’ personal data | Marketing Automation Platform | USA | https://emarsys.com/privacy-policy/ |
| Anonymous behavioral data | Google Analytics Platform | USA | https://policies.google.com/privacy?hl=en-HU&fg=1 | |
| Users’ personal data | Mobile Wallet Technology Provider | USA | https://policies.google.com/privacy?hl=en-HU&fg=1 | |
| Google Cloud Platform (GCP) | Users’ personal data Customers’ personal data | Provide the Antavo platform | eu-west4 - Netherlands asia-east2 - Hong Kong australia-southeast1 - Sydney us-west1 - Oregon | https://policies.google.com/privacy?hl=en-HU&fg= |
| Google Cloud SQL | Users’ personal data | Database storage | eu-west4 - Netherlands asia-east2 - Hong Kong australia-southeast1 - Sydney us-west1 - Oregon | https://policies.google.com/privacy?hl=en-HU&fg |
| Google workspace | First name, last name, email, email communication, project documentations, email messages | Communication with the Customers, Office tools (project documentation, documentation management, storage, email messaging) | USA | https://policies.google.com/privacy |
| GoTo | First name Last name Email address (Company name) | Webinar platformí - Handling webinar registrations - Broadcasting the webinars | USA | https://www.goto.com/company/legal/privacy |
| HubSpot | First name, last name, email Phone number (not required) And an open field where you can provide us with more details on your goals (not required) | CRM: Tracking leads Sending emails, newsletters Creating reports Creating forms, landing pages for the website | USA | https://legal.hubspot.com/privacy-policy?hubs_content=www.hubspot.com/&hubs_content-cta=Privacy%20Policy |
| Jira | First name, last name, email, service desk communication | Service desk for Customers | Australia | https://www.atlassian.com/legal/privacy-policy |
| Klaviyo | Users’ personal data | Marketing Automation Platform | USA | https://www.klaviyo.com/legal/privacy/privacy-notice |
| https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy | Social media appearance | USA | https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy | |
| Listrak | Users’ personal data | Marketing Automation Platform | USA | https://www.listrak.com/privacy-and-terms/privacy-policy |
| Mailchimp (Intuit) | Users’ personal data | Marketing Automation Platform | USA | https://www.intuit.com/privacy/statement/ |
| Meta | https://www.facebook.com/privacy/policy/?entry_point=about_fb | Social Media Platform | USA | https://www.facebook.com/privacy/policy/?entry_point=about_fb |
| Mito | Users’ personal data | Integration partner | Hungary | https://mito.hu/cookie-policy/ |
| Mobikats | They do not store user data of any kind for the Mobikats website or Mobikats apps. | Integration partner | UK | https://www.mobikats.com/privacy.html |
| MongoDB Atlas | Data through API and backoffice | Database storage | eu-west4 - Netherlands asia-east2 - Hong Kong australia-southeast1 - Sydney us-west1 - Oregon | https://www.mongodb.com/legal/privacy-policy |
| mParticle | Users’ personal data | CDP | USA | https://www.mparticle.com/privacypolicy/ |
| Ometria | Users’ personal data | Marketing Automation Platform | UK | https://ometria.com/privacy-policy |
| Oracle | Users’ personal data | Responsys - Marketing Automation Platform | USA | https://www.oracle.com/legal/privacy/ |
| Posera | Users’ personal data | POS | USA | https://payfacto.com/privacy-policy/ |
| Prime Holding | Users’ personal data | Integration partner | Bulgaria | https://www.primeholding.com/privacy-policy |
| Sailthru | Sailthru (Marigold Engage by Sailthru) | Marketing Automation Platform | USA | https://www.sailthru.com/legal/privacy-statement/ |
| Salesforce | Users’ personal data | Marketing Automation Platform | USA | https://www.salesforce.com/company/privacy/full_privacy/ |
| Salesforce | Users’ personal data | CRM | USA | https://www.salesforce.com/company/privacy/full_privacy/ |
| Salesforce | Users’ personal data | Ecommerce Platform | USA | https://www.salesforce.com/company/privacy/full_privacy/ |
| Shopify | Users’ personal data | Shopify, Shopify Plus - Ecommerce Platform | Canada | https://www.shopify.com/legal/privacy |
| SimpleSat | First name, last name, email address, survey response | Customer surveys | Hong Kong, China | https://www.simplesat.io/privacy/ |
| Slack | Instant messages during project implementation, supporting | Instant messaging too | USA | https://slack.com/trust/privacy/privacy-policy |
| Strava | Users’ personal data | Activity Tracking Software | USA | https://www.strava.com/legal/privacy |
| Teradata | Users’ personal data | Data Warehouse | USA | https://www.teradata.com/Privacy |
| First name, last name, position, employer, quotes, survey responses | Social Media Platform | USA | https://twitter.com/en/privacy | |
| Vertical-Life | Users’ personal data | Vertical-Life Climbing - Activity Tracking Software | Italy | https://www.vertical-life.info/legal/privacy-policy |
| Yotpo | Yotpo Platform | Review and Social Engagement Platform | USA | https://yotpo.com/privacy-policy/ |
| Wiro | Users’ personal data | Integration partner | UK | https://www.wiro.agency/privacy-policy |
| Wordpress (Automattic Inc.) | First name, last name, email, position, employer | Sending requested marketing materials (case study, ebook) | USA | https://wordpress.org/about/privacy/ |
This Privacy Notice may be changed unilaterally by the data controller at any time.
Changes to this Privacy Notice will be published on this page.
This Privacy Notice enters into force on February 07, 2024.
You can download this document by clicking here.
