GDPR, Privacy policy & data protection


As part of the new General Data Protection Regulation (GDPR), Kipos has taken steps to ensure we are in line with the new regulations. The new regulations are intended to give citizens control over their private information. They come into effect on 25th of May 2018.

To find out more, it is worth reading the ICO guide at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr. You’ll note this document follows the chapters within that guide, so you can switch between the two.

A takeaway or restaurant which uses Kipos is called the “Data Controller”. Kipos as a platform is the “Data Processor”, i.e. we process data on behalf of you.

Contracts

An updated contract is now online. Please ensure you have read the amendments to the data protection section.

Right to be informed

We have helped you by updating our default privacy policy on your site and app.

The new policy makes it clear to customers why you are collecting the data, for how long, and who the data will be shared with. Additional links to this document have been created from the registration page and the my account section to give customers the chance to read it. At the bottom of this document you’ll find our example privacy policy, see [1].

The above may not apply to you if you have a custom privacy policy, although we suggest you check to see if it needs updating in line with the new regulations.

Part of the right to be informed is to ensure data is only kept as long as necessary. Overnight, orders are deleted based on a setting which dictates how long to keep order data for. Since this contains customer data which under GDPR is personally identifiable, it is your responsibility to ensure this setting is only as long as you require it. Please check within “Settings” under “Security” for this.

Consent and marketing

A new marketing checkbox has been added to registration forms across our clients’ sites and apps. This gives your customers the ability to opt out of marketing you may send via the Kipos platform or via other means. When exporting data and using it for marketing, you’ll need to ensure you follow the customer’s chosen preference. Since marketing preferences can be changed at any time within the account section of the app or site, if you run external campaigns based on data from Kipos, you’ll need to grab a new copy each time to ensure you have the correct marketing flag.

You can use Kipos to send emails and SMS to your customers. Please note it’s your responsibility to ensure you are following any regulations. For more information, we suggest you visit https://ico.org.uk/for-organisations/marketing/

Right to erasure (the right to be forgotten)

To comply with this area, we have made it possible for the customer to do this themselves. If they log in to your site, within the my account section there is a button which will anonymise their data, after which they will become an anonymised customer. The name will be shown as “GDPR Removed”, the telephone set to “0999999999”, the marketing field set to ‘no marketing’ and all other fields set to empty. The email will be a hash of the previous email ending in “@gdprRemoved.kipos.uk”. Any previous orders made by the customer will still be left unchanged for accounting purposes.

If you use Mailchimp, we will send an update of the customer record with the anonymised customer data to Mailchimp.

Right of access

To comply with this area, we have created a downloadable data record of your customer’s record. To make this as easy as possible, you should direct your customer to log in via your website and click “My account”, where they will be able to download the record.

Security, Data Protection

As part of our ongoing commitment, we’ve ensured our systems are resilient and that Kipos is following best practices surrounding security, and any new development follows the guidelines called “Privacy by design”.

From your side, it’ll be worth checking the user list within Kipos to ensure only accounts which are in use are there. It may be worth resetting passwords to bring them into line with our updated password policies.

[1] Example Client Facing Privacy Policy

The below can be found on your site at '/privacy-policy'.

Summary

This summary provides an overview of how we obtain, store and use your personal information.

Our details

The data controller in respect of our website is *Name Of Client* of *Address of Client*. You can contact the data controller by writing to the address mentioned or by sending an email to *Email of client*.

The data processor in respect of the platform our website uses is Kipos Systems Ltd. You may contact the data processor by sending an email to help@kipos.uk and we will help if at first the data controller does not respond.

Credit & Debit Card Details

Please note that we do not collect or process your credit or debit card details. These are however collected and processed by our payment processing service provider Stripe Payments Europe Ltd. The collection and processing by these providers of your credit or debit card details and other personal data are governed by their respective terms and conditions. See https://stripe.com/gb/privacy for more information. Stripe may from time to time provide us with information regarding the credits and debits made to your card in order to enable us to reconcile our accounts. There is the opportunity to save card details. If this is chosen, a unique id referencing the card is stored (with Stripe keeping the card data required). Within the account section, the stored card can be removed at any time.

Cookies

We use cookies to: