Privacy Notice

Antavo Limited (company registration number: 08046168, registered seat: 9th, Floor, 107 Cheapside, London, United Kingdom, EC2V 6DN) (hereinafter referred to as “Antavo”, “Us”, “Our”) takes privacy seriously. We design and operate our services with the protection of your privacy in mind. Please read the following to learn more about our Privacy Notice.

Introduction

Welcome and thank you for visiting the Antavo website (“Website”).

Antavo offers a hosted software as a service platform to Clients (Loyalty platform) that have contracted with Antavo Limited for User (users of Loyalty platform) data orchestration and engagement (“Clients”). Clients include our partners or resellers that offer our Services in connection or combination with services they provide to their customers, most often through their websites, webshops or social media pages. Antavo helps Clients understand their Consumers (“Consumers”) and provide their Consumers with personalized offers, campaigns, and loyalty programs. Our platform includes tools for creating reward clubs, contests, quizzes, season campaigns and audience “segments” based on information about Consumers. These tools enable Clients to send relevant communications and promotions to certain customers. Using the Loyalty Management Platform or the Contest Tools (defined below), Clients can configure and manage contests and loyalty programs on their websites, as well as offer and manage promotions and rewards.

In this Privacy Notice, we refer to the Antavo Loyalty platform and applications as our “Services”.

This Privacy Notice provides information to Clients and business partners, and other third parties concerning the processing of their data.

The applicable regulations are the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR) and the UK GDPR which means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.

1. Data Controller

Name and contact details of the controller:

Antavo Limited
company registration number: 08046168
registered seat: 9th, Floor, 107 Cheapside, London, United Kingdom, EC2V 6DN
email: [email protected]

Data Protection Officer (DPO)
dr Annamária Nádai, [email protected]

2. Data Processing

Below, you can find the information on

2.1. Using cookies

Purpose Data processed Legal basis Persons/entities having access to the data Period
Making the Website more customizable to better accommodate the visitor's interests and needs by making it easier to use. Cookies are also designed to facilitate the user’s future activities and to improve the user experience. Cookies can also be used to create anonymous, aggregated statistics that help us understand how people use our Website, which allows us to optimize our Website content and structure. No natural person can be identified from this information.
Necessary cookies are essential for the proper functioning of the Website
Other cookies collect information about site usage (statistics) to make the Website more convenient and useful.
Please see the details in our Cookie Policy. In case of necessary cookies, the legal basis is Antavo’ s legitimate interest.
In the case of other cookies, the legal basis is consent.
Please see the details in our Cookie Policy. Please see the details in our Cookie Policy.

2.2. Contacting us

Purpose Data processed Legal basis Persons/entities having access to the data Period
Handling, responding the messages, questions received via the contact form (https://antavo.com/contact/)
Handling, responding to messages, questions received via emails.
First name, last name, company email, phone nr (optional), an open field where you can provide us with more details on your goals (e.g requesting an offer) (optional) Consent Antavo’s employees dealing with inquiries 6 months after responding the inquiry/request

2.3. Newsletter

Purpose Data processed Legal basis Persons/entities having access to the data Period
Sending newsletter to subscribers.
Based on your consent, Antavo will process your personal data in order to provide you with the relevant materials.
You may unsubscribe from receiving newsletters by simply clicking the unsubscribe link provided in all communications you receive.
Email statistics
First name, last name, company email
Without systematically doing so, we analyze and track the following rates:
Open rate
Click rate
Reply rate
Clicked links
Time spent viewing email
Engagement over time
Opens by email client
Consent Antavo’s employees dealing with newsletter
Please see more details in Section below
Until unsubscription

2.4. Booking a demo

Purpose Data processed Legal basis Persons/entities having access to the data Period
Based on your consent, Antavo will process your personal data in order to provide you with the demo. First name, last name, company email, phone nr (optional), an open field where you can provide us with more details on your goals (optional) Consent Antavo’s employees dealing with newsletter
Please see more details in Section below
1 year after providing the demo

2.5. Include Antavo in your RFP process

Purpose Data processed Legal basis Persons/entities having access to the data Period
Based on your consent, Antavo will process your personal data to provide you with information required by an RFP considering Antavo in your vendor selection process. First name, last name, company email, phone nr (optional), an open field where you can provide us with more details on your goals (optional) Consent Antavo’s employees dealing with RFPs
Please see more details in Section below
1 year after providing the information for RFP.
In case of contract, the retention period defined by the respective contract applies.

2.6. Registering for Antavo events

Purpose Data processed Legal basis Persons/entities having access to the data Period
Handling registration requests for Antavo’s events (e.g. Product releases, webinars, podcasts, etc.) First name, last name, company email, phone nr (optional) Consent Antavo’s employees dealing with registration 6 months after the event

2.7. Participation in Antavo’s surveys

Purpose Data processed Legal basis Persons/entities having access to the data Period
Carrying out loyalty industry surveys with voluntary participation First name, last name, title/position, company email, phone nr, image, your responses, comments to the open-ended questions, quotes, testimonials Consent Antavo’s employees dealing with the surveys
In addition, the results of the Survey can be published on Antavo’s LinkedIn profile.
For details of how your personal data are processed, please refer to the LinkedIn privacy policy: https://www.linkedin.com/legal/privacy-policy
We use Google services. For further details please refer to the Google privacy policy:
https://policies.google.com/privacy
3 years

2.8. Participation in Antavo Academy

Purpose Data processed Legal basis Persons/entities having access to the data Period
We are designing Antavo Academy as an educational programme (“Educational Programme”) to share loyalty knowledge and to develop the next generation of loyalty professionals and business leaders. Topics we will be looking to cover as part of the study programme will include best practices, case studies, theories, planning and trends in the loyalty industry. First name, last name, image (photo), company email, company you work at, your position, your result of the Educational Programme exams, your certificates Consent Antavo’s employees dealing with Antavo Academy
Participation and certifications will be published on LinkedIn.
For details of how your personal data are processed, please refer to the LinkedIn privacy policy: https://www.linkedin.com/legal/privacy-policy.
We use Google services. For further details please refer to the Google privacy policy: https://policies.google.com/privacy.
3 years

2.9. Providing Services to Clients

Purpose Data processed Legal basis Persons/entities having access to the data Period
Providing Antavo’s hosted software as a service platform to Clients that have contracted with Antavo Limited for User data orchestration and engagement,including to allow Clients to offer their Users specialized offers, campaigns, or loyalty rewards or to allow Users to receive rewards and other promotions and to participate in contests, promotions or surveys. Our use of information on behalf of our Clients is governed by our contract with that Client, our General Data Processing Terms and Conditions and the Client’s own privacy policies. First name, last name, company email, company phone nr
Antavo’s Services are not intended to be directed to children under 16 years of age, and we do not knowingly collect or receive personal data from them. Our Clients are responsible for complying with applicable laws regarding the collection of information from children who may be under the age of 16.
Performance of contract concluded with customers Antavo’s employees dealing with the contracts The retention period defined by the respective contract applies

Providing our Services to Clients, we receive personal data of Clients' Users which is necessary for operating our loyalty platform.

These personal data can be the following:

Mandatory: Customer ID, Opt-in Date, Loyalty membership status, Event ID, Action name, Date of registration (event date).

Other possible data: External ID, Last name, First name, Email address, Gender, Birthdate, Age, Handler, Image, Facebook ID, Language used, Mobile phone nr, Address, IP address, Labels, number of purchases, purchase totals, last purchase date - broken down into different time periods i.e. last 12 months, last 24 months, etc, Transaction ID, Date and time of transaction, Products, services purchased, Campaign bonus, Coupons (assigned, redeemed, expired, etc.), Point history (rewarded, added, spent, redeemed, burnt, unburnt, expired, transferred, refunded, referral bonus, etc.), Tiers (current, change).

Using our Services, Clients are the data controller in relation to processing of the Client’s Users personal data, and Antavo is the data processor.

2.10. Recruitment

Purpose Data processed Legal basis Persons/entities having access to the data Period
Receiving and assessing CV, including unsolicited CVs and cover letter for recruitment Personal data contained by the CV and cover letter, such as first name, last name, email, phone nr, address, nationality, visa-related data, job-related data, salary expectation, website, blog or Linkedin link Consent Antavo’s employees dealing with CVs and cover letters In case of unsuccessful applications, we retain the CVs and cover letters for 1 year.
For successful candidates, the retention period is defined by the respective internal policy of Antavo.

2.11. Required by law

Antavo may process personal data to meet applicable law, regulation, legal process or lawful government requests of any country of which Antavo will inform you immediately, unless it is required otherwise by the law.

3. Technical and organizational measure

Within the framework of its services, Antavo attributes the very highest importance to the security and integrity of its customers’ personal data.

Antavo undertakes to take all pertinent precautions in order to preserve the security of the data and, in particular, to protect them against any accidental or unlawful destruction, accidental loss, corruption, unauthorized circulation or access, as well as against any other form of unlawful processing or disclosure to unauthorized persons. To this end, Antavo implements industry-standard security measures to protect personal data from unauthorized disclosure.

In order to avoid in particular all unauthorized access, as well as to guarantee accuracy and the proper use of the data, Antavo has put the appropriate electronic, physical and managerial procedures in place with a view of safeguarding and preserving the data gathered through its services.

4. Data Subject Rights

One of the key objectives of the European General Data Protection Regulation (GDPR) was to ensure the privacy and protection of the personal data of data subjects.

To help data subjects in being assured of the protection and privacy of their personal data, GDPR empowers data subjects with certain rights. Through these rights, data subjects can make a specific request and be assured that personal data is not being misused for anything other than the legitimate purpose for which it was originally provided.

4.1. Right to information

The right to information allows data subjects to know what personal data is collected about them, why, who is collecting data, how long it will be kept, how they can file a complaint, and with whom their data will be shared.

Antavo is obligated to provide information about:

4.2. Right of access

Data subjects have a right to submit subject access requests and obtain information from Antavo Group about whether your personal information is being processed. Antavo Group is then obligated to provide a copy of personal data it has about you and additional information, including:

4.3. Right to rectification

The right to rectification allows data subjects to ask Antavo Group to update any inaccurate or incomplete data it has on them.

4.4. Right to be forgotten

The right to be forgotten is also known as the right to erasure. This right allows data subjects to ask for their ur personal data to be deleted if:

Although there are situations where Antavo Group can decline the request. For instance, for reasons in the public interest or compliance with legal obligations.

If data subjects exercise their right to erasure, Antavo Group has to notify any third parties with whom the data was shared and request the erasure of data.

Antavo Group has to comply unless it can prove that the request would require a disproportionate effort or if it is impossible to comply.

4.5. Right to restrict processing

Data subjects can request that Antavo Group limits the way it uses their personal data. Antavo Group is not automatically obligated to delete the data. However, it has to refrain from processing it in certain situations:

Once the data is restricted, Antavo Group is not allowed to process it unless it has the data subject’s consent, it needs it for legal claims or to protect the rights of other individuals.

4.6. Right to data portability

Data portability allows data subjects to obtain personal data they have previously provided to Antavo Group in a structured, commonly used, and machine-readable format.

Data subjects can also request for their data to be transferred directly to another organization. However, it can only be applied to the data if processing is carried out by automated means, no papers.

4.7. Right to withdraw consent

The data subject has the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

4.8. Right to object to processing

Data subjects have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on the following legal grounds:

Antavo Group shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of you or for the establishment, exercise or defense of legal claims.

4.9. Right to object to automated processing

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

4.10. Exercising the rights

If you wish to exercise any of these rights, please contact us at [email protected].

Information will be provided at the earliest convenience, but at a maximum of 30 days from the date the request was received.

Where the retrieval or provision of information is particularly complex or is subject to a valid delay, the period may be extended by two further months where necessary. However, this is only done in exceptional circumstances and you will be kept informed in wiring throughout the retrieval process of any delays or reasons for delay.

If for any reason, Antavo is unable to act in response to a request a written explanation to you will always be provided and you will be informed of your right to complain to the Supervisory Authority and to a judicial remedy.

Information provided, and any communication and any actions taken under shall be provided free of charge.

Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, Antavo may either:

(a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or

(b) refuse to act on the request.

Where Antavo has reasonable doubts concerning the identity of the natural person making the request, it may request the provision of additional information necessary to confirm the identity of the data subject.

If Antavo does not comply with a request, it shall inform you without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

4.11. For EEA countries

Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes GDPR.

The list of the European supervisory authorities can be found here.

Right to an effective judicial remedy against a supervisory authority

Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.

Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to an effective judicial remedy where the supervisory authority which is competent does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged to it.

Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.

Right to an effective judicial remedy against a controller or processor

Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, you have the right to an effective judicial remedy where you consider that your rights under GDPR have been infringed as a result of the processing of your personal data in non-compliance with GDPR.

Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where you have your habitual residence.

4.12. For UK

You have the right to complain to an organization if you think it has not handled personal information in compliance with the UK GDPR.

You should give the organization you’re unhappy with a chance to sort things out before bringing your complaint to the supervisory authority.

Give the organization one month to respond to your complaint or request. Ask the organization involved for clarification if you don’t understand or you’re unhappy with their response. Organizations have an obligation to clearly explain why they are using your information in the way they are doing or why they have refused a request.

If you have followed these steps or the organization is refusing to respond to you, you can complain to the supervisory authority.

The name and contact details of the supervisory authority:

Information Commissioner's Office (ICO)
seat: Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF
telephone: 0303 123 1113
fax: 01625 524510
website: www.ico.org.uk

You have the right to an effective judicial remedy against a legally binding decision of the ICO. You can apply to the High Court, or the Court of Session in Scotland, for a judicial review where the complaints process has been exhausted. You may also proceed to take the controller or processor to court for the matter, and the court may take a differing view from any ICO decision.

You have the right to an effective judicial remedy if the ICO does not handle the complaint or provide you with a progress update within three months.

You may apply to the First Tier Tribunal to make an order against the Commissioner.

You have a right to seek a judicial remedy against a controller or processor. The DPA 2018 empowers courts to make an order for compliance, requiring controllers to take or refrain from taking specific steps where a data subject’s rights, under data protection legislation, have been infringed.

5. List of sub-processors

Third party Data processed Purpose Country Privacy policy
Acxiom Users’ personal data Integration partner UK https://axicom.com/privacy-policy/
Adobe Users’ personal data Ecommerce Platform USA https://www.adobe.com/privacy.html
Amazon Simple Email Service (SES) https://aws.amazon.com/privacy/?nc1=f_pr Email provider USA https://aws.amazon.com/privacy/?nc1=f_pr
Amazon S3 https://aws.amazon.com/privacy/?nc1=f_p Blob storage Europe (Ireland) eu-west-1
US West (Oregon) us-west-2
Asia Pacific (Sydney) ap-southeast-2
https://aws.amazon.com/privacy/?nc1=f_pr
Antavo Kft. Customers’ and users’ personal data Employees involved into providing Antavo Loyalty Program should have access to personal data Google Cloud Platform Antavo Group Privacy Policy
Apple Users’ personal data Apple Wallet - Mobile Wallet Technology Provider USA https://www.apple.com/legal/privacy/
Atlassian Service Management Registration required
Email address, password, additional data provided for bug reports, information requests and improvements
Loyalty Software Support
- Support ticketing system (https://antavo.atlassian.net/servicedesk/customer/user/login)
Australia, USA https://www.atlassian.com/legal/privacy-policy#what-this-policy-covers
Atlassian Jira software, Confluence, Opsgenie Tickets, documents for project management, alerting tool Internal project management Australia, USA https://www.atlassian.com/legal/privacy-policy
Bamboo First name, last name
Email
Phone
Address
City, State, ZIP
Country
Resume
Date Available (not required)
Desired Pay (not required)
Website, Blog, or Portfolio (not required)
LinkedIn Profile URL (not required)
Recruitment USA https://www.bamboohr.com/legal/
Bloomreach Users’ personal data Marketing Automation Platform & CDP USA https://www.bloomreach.com/en/legal/privacy
Braze Users’ personal data Marketing Automation Platform USA https://www.braze.com/company/legal/privacy
Cloudflare https://www.cloudflare.com/privacypolicy/ Firewall solutions, static content cache -WAF, DDoS protection, security analysis USA https://www.cloudflare.com/privacypolicy/
Culture Amp First name, last name, email address, performance assessment, feedback Performance assessment and goal setting tool EU, UK https://www.cultureamp.com/privacy-policy
CustomerOS First name, last name, email address, email communication, service desk request communication Streamlining processes and scaling operations, customer health analysis, revenue management, and customer segmentation UK https://www.customeros.ai/legal/privacy-policy
Dotdigital Users’ personal data Email and SMS Marketing Automation UK https://dotdigital.com/terms/privacy-policy/
Emarsys (SAP) Users’ personal data Marketing Automation Platform USA https://emarsys.com/privacy-policy/
Google Anonymous behavioral data Google Analytics Platform USA https://policies.google.com/privacy?hl=en-HU&fg=1
Google Users’ personal data Mobile Wallet Technology Provider USA https://policies.google.com/privacy?hl=en-HU&fg=1
Google Cloud Platform (GCP) Users’ personal data
Customers’ personal data
Provide the Antavo platform eu-west4 - Netherlands
asia-east2 - Hong Kong
australia-southeast1 - Sydney
us-west1 - Oregon
https://policies.google.com/privacy?hl=en-HU&fg=
Google Cloud SQL Users’ personal data Database storage eu-west4 - Netherlands
asia-east2 - Hong Kong
australia-southeast1 - Sydney
us-west1 - Oregon
https://policies.google.com/privacy?hl=en-HU&fg
Google workspace First name, last name, email, email communication, project documentations, email messages Communication with the Customers, Office tools (project documentation, documentation management, storage, email messaging) USA https://policies.google.com/privacy
GoTo First name
Last name
Email address
(Company name)
Webinar platformí
- Handling webinar registrations
- Broadcasting the webinars
USA https://www.goto.com/company/legal/privacy
HubSpot First name, last name, email
Phone number (not required)
And an open field where you can provide us with more details on your goals (not required)
CRM:
Tracking leads
Sending emails, newsletters
Creating reports
Creating forms, landing pages for the website
USA https://legal.hubspot.com/privacy-policy?hubs_content=www.hubspot.com/&hubs_content-cta=Privacy%20Policy
Jira First name, last name, email, service desk communication Service desk for Customers Australia https://www.atlassian.com/legal/privacy-policy
Klaviyo Users’ personal data Marketing Automation Platform USA https://www.klaviyo.com/legal/privacy/privacy-notice
Linkedin https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy Social media appearance USA https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy
Listrak Users’ personal data Marketing Automation Platform USA https://www.listrak.com/privacy-and-terms/privacy-policy
Mailchimp (Intuit) Users’ personal data Marketing Automation Platform USA https://www.intuit.com/privacy/statement/
Meta https://www.facebook.com/privacy/policy/?entry_point=about_fb Social Media Platform USA https://www.facebook.com/privacy/policy/?entry_point=about_fb
Mito Users’ personal data Integration partner Hungary https://mito.hu/cookie-policy/
Mobikats They do not store user data of any kind for the Mobikats website or Mobikats apps. Integration partner UK https://www.mobikats.com/privacy.html
MongoDB Atlas Data through API and backoffice Database storage eu-west4 - Netherlands
asia-east2 - Hong Kong
australia-southeast1 - Sydney
us-west1 - Oregon
https://www.mongodb.com/legal/privacy-policy
mParticle Users’ personal data CDP USA https://www.mparticle.com/privacypolicy/
Ometria Users’ personal data Marketing Automation Platform UK https://ometria.com/privacy-policy
Oracle Users’ personal data Responsys - Marketing Automation Platform USA https://www.oracle.com/legal/privacy/
Posera Users’ personal data POS USA https://payfacto.com/privacy-policy/
Prime Holding Users’ personal data Integration partner Bulgaria https://www.primeholding.com/privacy-policy
Sailthru Sailthru (Marigold Engage by Sailthru) Marketing Automation Platform USA https://www.sailthru.com/legal/privacy-statement/
Salesforce Users’ personal data Marketing Automation Platform USA https://www.salesforce.com/company/privacy/full_privacy/
Salesforce Users’ personal data CRM USA https://www.salesforce.com/company/privacy/full_privacy/
Salesforce Users’ personal data Ecommerce Platform USA https://www.salesforce.com/company/privacy/full_privacy/
Shopify Users’ personal data Shopify, Shopify Plus - Ecommerce Platform Canada https://www.shopify.com/legal/privacy
SimpleSat First name, last name, email address, survey response Customer surveys Hong Kong, China https://www.simplesat.io/privacy/
Slack Instant messages during project implementation, supporting Instant messaging too USA https://slack.com/trust/privacy/privacy-policy
Strava Users’ personal data Activity Tracking Software USA https://www.strava.com/legal/privacy
Teradata Users’ personal data Data Warehouse USA https://www.teradata.com/Privacy
Twitter First name, last name, position, employer, quotes, survey responses Social Media Platform USA https://twitter.com/en/privacy
Vertical-Life Users’ personal data Vertical-Life Climbing - Activity Tracking Software Italy https://www.vertical-life.info/legal/privacy-policy
Yotpo Yotpo Platform Review and Social Engagement Platform USA https://yotpo.com/privacy-policy/
Wiro Users’ personal data Integration partner UK https://www.wiro.agency/privacy-policy
Wordpress
(Automattic Inc.)
First name, last name, email, position, employer Sending requested marketing materials (case study, ebook) USA https://wordpress.org/about/privacy/

Entry into force

This Privacy Notice may be changed unilaterally by the data controller at any time.
Changes to this Privacy Notice will be published on this page.
This Privacy Notice enters into force on December 01, 2024.

You can download this document by clicking here.