R&C KENYA PRIVACY POLICY

KENYA RESERVE & COLLECT

Privacy Policy

1. Introduction

The website under the domain http://www.shopdutyfree.com (hereinafter the "Website" or "Reserve & Collect") is operated in Turkey by Dufry Kenya Ltd., a Dufry group company (hereinafter "Dufry", "we", "our", and "us"), with registered address at ICEA Building, 4th Floor, Kenyatta Avenue, Land Reference Number 209/8287, PO Box 30333, Nairobi, 00100, Kenya, with contact email address: legal@dufry.com, and is the data controller for the personal information processed in accordance with this privacy policy (the “Privacy Policy”).

This Privacy Policy governs the way we treat all the personal information you provide or that we have obtained from you, including through the Website. This data will be processed in accordance with the privacy, data protection and e-commerce laws applicable at the relevant time.

When giving consent during any aspect of the registration process by selecting the confirmation box, a user expressly consents to their data being processed by Dufry for the purposes of pre-booking items, sending sales information (including the electronic newsletter) on products sold by Dufry, and on the activities and services provided by Dufry, other companies in the Dufry group and third party companies with which Dufry has trade agreements (and which offer their products and services through the Website), by post, email, SMS, or any other equivalent means of electronic communication, and so that their data are processed in order to create categories and/or set up profiles for similar promotional or advertising purposes, although adapted to your profile as a user of the Dufry group’s services.

2. The Information We collect About You

We may collect, use, store and transfer different kinds of personal information about you which we have grouped together as follows:

Identity Data which includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.

Contact Data which includes billing address, delivery address, email address and telephone numbers.

Financial Data which includes bank account and payment card details.

Transaction Data which includes details about payments to and from you and other details of services accessed from us through our website.

Technical Data which includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.

Profile Data which includes your username and password, your interests, preferences, feedback and survey responses.

Usage Data which includes information about how you use our website and services.

Marketing and Communications Data which includes your preferences in receiving marketing from us and our third parties and your communication preferences.

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal information but is not considered personal information in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal information so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.

We do not collect any special categories of personal information about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data) nor do we collect any information about criminal convictions and offences.

Where we need to collect personal information by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel the service you have with us but we shall notify you if this is the case at the time.

3. Collection of Personal information

We use different methods to collect data from and about you, including through:

Direct interactions - You may give us your Identity, Contact and Financial Data by signing up for our service and completing online forms or by corresponding with us by post, phone, and email address or otherwise. This includes personal information you provide when you create an account on our website;

Automated technologies or interactions - As you interact with our website, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal information by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. Please see our cookie policy for further details; and

Third parties or publicly available sources - We will receive personal information about you from various third parties and public sources.

4. Using your personal information

When you choose to use the Website, we may ask you to provide some personal information, for example, when you register on the Website, when you subscribe to one of the services offered on the Website or when you place a pre-order.

Your personal information allows us to give you access to all parts of the Website and to provide all the services that you have requested. This also allows us to contact you should it be necessary after you have used the Website. We will also use and analyze the information that we receive so that we can administer, support, enhance and further our services and/or our Website.

We may also use your personal information to send you newsletters, to inform you of special offers or promotions or to ask you to participate in customer polls or to provide information regarding our services and/or our website, unless you have expressly forbidden the use of your personal information. We strive to customize all marketing materials that we send to you, however, if you do not wish to receive this information, please let us know by sending an email to privacy@dufry.com or follow the instructions provided in each Communication (for example by clicking on the unsubscribe link).

5. Disclosure of personal information

Your personal information may be disclosed, shared or transferred within the Dufry group of companies. We will not transfer or disclose any of your personal information outside of the Dufry group of companies, unless it is part of a joint venture or a proposed or actual sale of all or part of the company's assets. Unless otherwise required by law, we will not share, transfer or disseminate any personal information provided by you, unless we have your consent.

6. Where do we store your personal information?

The personal information you have provided to Dufry will be located in a Dufry cloud-based customer management database software tool located within data centres maintained in the territories of the European Economic Area (“EEA”), the purpose of which is to manage the business relationship with you, in accordance with the provisions of the local data protection laws. However, the customer relationship can be accessed or communicated to group or affiliated companies of Dufry AG.

Dufry will manage the customer relationship with you and any marketing materials can be provided, in accordance with your preferences, by Dufry as Controller.

You will be responsible for providing accurate information to ensure the authenticity of the data entered when completing a form.

By using the Website, you consent to the processing of data about you, including transfer of your data out of Kenya, in the manner and for the purposes set out in this Privacy Policy.

7. Security and safekeeping of personal information

We make use of the appropriate technical and organizational measures to protect the information you provide to us, to prevent access by unauthorized persons and illegal processing, accidental loss, destruction or damage. Such security measures may include, as the case may be, the use of firewalls and other anti-virus protection measures, encrypting, training of DUFRY staff and using access rights management systems. If we provide a password, or when you choose a password to gain access to some of the benefits offered by the website, the safekeeping and confidentiality of the password is your responsibility, and you agree not to allow any third parties to use it. Where the website allows online transactions, we make use of adequate security measures such as “Secure Sockets Layer” (SSL) to guarantee the safety of these online transactions.

Unfortunately, transferring information over the Internet is not completely secure. Even though we do everything we possibly can to protect your personal information, we cannot guarantee the security of personal information that you disclose online. You acknowledge and accept the inherent safety implications related to the use of the Internet and cannot hold us liable for any security breaches unless we were negligent and only within the limitations set under the terms and conditions of this website.

8. Rights to your personal information

You may exercise your right of access, rectification, cancellation and opposition as well as withdraw your consent for processing of your personal information. We cannot, however, delete any personal information that we are required to retain under current legislation. You also have the right to withdraw your consent or to prohibit the use and processing of your personal information.

If you wish to exercise the above-mentioned rights or any other right granted to you under the relevant data protection laws, you can write to the Global Data Protection Co-Ordinator, enclosing a photocopy of your identity card or official document proving your identity, or alternatively send an email stating your name, telephone number and attaching a scan of your identity card or official document proving your identity.

Lastly, please note that DUFRY will keep your personal information strictly confidential at all times and will comply with the compulsory obligation of privacy, and to this end implements the necessary technical and organizational measures ensuring the security of your personal information, preventing its alteration, loss or unauthorized access or processing, taking into account the state of the art of technology, the nature of the information being stored and the risks to which it is exposed.

9. Retention of Personal Information

We shall only retain your personal information for as long as reasonably necessary to fulfil the purposes for which we collected it, including satisfying any legal, regulatory, tax, accounting or reporting requirements. As soon as we no longer need to retain your personal information, it will be deleted or permanently anonymized. We may retain your personal information for a longer period in the event of a complaint or if we reasonably believe that there is any prospect of litigation in respect of our relationship with you.

To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

10. Change of Purpose

We shall only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

If we need to use your personal information for an unrelated purpose, we shall notify you and explain the legal basis which allows us to do so.

We may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

11. Who is responsible for your personal information?

DUFRY is responsible for the processing of your personal information and this responsibility is in accordance with the relevant data protection legislation. You may contact Global Data Protection Co-Ordinator, Dufry AG, Brunngässlein 12, PO Box, Basel, Basel-Stadt, CH-4010, (Switzerland), per email at privacy@dufry.com.

We will review and respond to questions, requests and complaints within a reasonable time.

12. Amendments to our privacy policy

Any future changes which we might make to our privacy policy will be published on this website. Please read the privacy policy whenever you log into our website.

13. Links to third party websites and/or websites

This privacy policy only applies to this Website and does not apply to other third party websites and/or websites that may be accessed via this Website.

Our Website may contain links to and from websites and/or the websites of our network of partners, advertisers and affiliates. These are only provided for information purposes. If you follow a link to any of these websites, please remember that they have their own privacy policies and that we do not accept any responsibility arising under their policies.

You should therefore carefully read the privacy policies of each of these third parties.

Dufry Kenya Ltd. 2018
