At AVA we respect your privacy and take it extremely seriously. We will always endeavour to make clear at the point we collect personal data from you why we need it and how it will be used.
This privacy policy outlines how we use and treat personal data and has been prepared in line with the EU’s General Data Protection Regulation.
If you would like to get in touch about anything in this policy or about your Personal Information then please contact us directly.
Email: [email protected]
Information we collect
What personal data do we collect?
During the course of our operation we may collect the following personal data:
- Your name
- Your email address
- Your payment details
- Other information you actively send to us for example if you contact our customer support via email
- Contact details of event attendees for example in the course of delivering a group booking
When and how do we collect this data:
We only collect the data we need to deliver the best AVA experience we can to you. This includes:
–> When you set up an AVA membership
–> When you sign-up to receive our communications (such as our newsletter and membership matters)
–> When you win an AVA auction and purchase an experience through AVA
–> When you interact with a third party hosted auction site hosted or provided by us
–> When you enquire about or make a group booking
–> In the process of fulfilling a group booking for example when you provide us with personal details of staff or clients so that they can be sent video conferencing details
–> When we engage in conversation with you (for example via email or on the phone) to answer queries or respond to comments and feedback
What information do we collect when you visit our website and why?
We collect some personal data automatically when you visit our website or an auction site hosted by us. This includes:
- IP address
- device type
- browser
- location
We use this information to provide us with feedback and analysis of how you use our site so that we can improve it.
We do not serve cookies for marketing purposes, only in order to monitor and improve our service.
What legal basis do we rely on to process your data?
We process your data either on the basis of our legitimate interest in operating our platform and providing auction services to our partners, or if you are a member, on the basis of our agreement with you as a member as set out in our terms of use or if you make a group booking with us, on the basis of our agreement with you as a group booking customer as set out in our group booking terms.
Why do we share Personal Information with third parties and who are they?
We never sell, rent or otherwise give away your data to anyone.
We do share personal data with a select group of third parties in order to deliver the AVA experience to you.
In some cases we will need to transfer data to an Experience Provider if it is required to redeem the Experience for example to allow the Experience Provider. to deliver goods that form part of the Experience.
If we are operating a hosted auction then additional information may be provided to the Experience Provider.
We share Personal Information with the following third parties
Organisation | Purpose | Is data shared outside of the EEA? | Organisation’s privacy policy |
MailChimp / Mandrill | To send and deliver emails to our AVA members and businesses | Yes, Mailchimp is based in the US as are its servers. MailChimp is covered by standard contractual clauses | https://mailchimp.com/legal/privacy/ |
To provide us with web analytics so we can monitor and improve our website’s performance | Yes, Google is based in the US as are its servers. Google is covered by standard contractual clauses |
https://policies.google.com/privacy | |
Stripe | To process payments for us | Yes, Stripe is based in the US as are its servers. Stripe is covered by standard contractual clauses | https://stripe.com/gb/privacy |
Hotjar | To provide us with analysis of how people use our site | No. | https://www.hotjar.com/legal/policies/privacy |
Digital Ocean | To provide us with hosting services | No. | https://www.digitalocean.com/legal/privacy-policy/ |
There are certain situations in which we may share access to your personal data outside of the situations outlined above. For example, we may be required by law, to protect someone’s life, or to comply with any valid legal process, government request, rule or regulation.
Why do we share data outside of the EU?
We may transfer personal data to a country outside of the European Economic Area (‘EEA’), for example if a third party we share information with has servers outside of the EEA. If this is the case we will ensure to have gained your consent or made sure that the transfer is legal and your data is secure by following the EU’s guidelines.
If you use our services while you are outside the EEA, your information may be transferred outside the EEA in order to provide you with our services.
You can see above where we send information outside of the EEA and on what basis we do so.
What we don’t do with your Personal Information
We do not sell, rent or otherwise give away your personal data to anyone.
How do we keep your Personal Information secure?
We work very hard to keep your data secure. We will take all reasonable steps to ensure that appropriate technical and organisational measures are carried out in order to safeguard the information we collect from you and protect against unlawful access and accidental loss or damage.
Our website is SSL certified and personal data is encrypted in transit and at rest. All of the third parties we work with are also assessed to ensure they follow the highest security standards.
We also follow industry standards on information security management. This means we don’t just secure your data technologically but we make sure that everyone who works for us and the processes they follow are continually monitored to ensure there are no vulnerabilities.
In the unlikely event of a breach of our security we will inform the relevant regulatory body as soon as we can and at a minimum, within 72 hours and, if your personal data was involved in the breach and the breach could impact you we would also inform you.
Changes to our privacy policy and control
We may change this privacy policy from time to time. But when we do, we’ll let you know either by changing the date or when significant changes happen by directly notifying you. By continuing to access or use our Services after those changes become effective, you agree to be bound by the revised Privacy Policy.
Retention
Our current data retention policy is to delete or destroy (to the extent we are able to) personal data after the following periods:
- Records relating to a contract with us – 7 years from either the end of the contract or the date you last used our services or placed an order with us, being the length of time following a breach of contract in which a contract party is entitled to make a legal claim.
- Marketing records – 3 years from the last date on which you have interacted with us.
- Event attendee records from a group booking – 1 month from the delivery of the group experience – please note this only relates to personal data that does not relate to any contract with us (for example the email addresses of event attendees)
For any category of personal data not specifically defined in this notice, and unless otherwise specified by applicable law, the required retention period for any personal data will be deemed to be 7 years from the date of receipt by us of that data. The retention periods stated in this notice can be prolonged or shortened as may be required (for example, in the event that legal proceedings apply to the data or if there is an on-going investigation into the data).
Your rights
With respect to your personal data, you have the right to:
- request that your personal data will not be processed;
- ask for a copy of any personal data that we have about you;
- request a correction of any errors in or update of the personal data that we have about you;
- request that your personal data will not be used to contact you for direct marketing purposes;
- request that your personal data will not be used for profiling purposes;
- request that your personal data will not be used to contact you at all;
- request that your personal data be transferred or exported to another organisation, or deleted from our records; or
- at any time, withdraw any permission you have given us to process your personal data.
You can edit any of your personal data through your account.
You can also make any other requests of your data directly by emailing us at [email protected]. This includes asking to be forgotten, querying our use of your data or revoking your consent
All requests or notifications in respect of your above rights may be sent to us in writing at the contact details listed below. We will endeavour to comply with such requests as soon as possible but in any event we will comply within one month of receipt (unless a longer period of time to respond is reasonable by virtue of the complexity or number of your requests).
If personal data we hold about you is subject to a breach or unauthorised disclosure or access, we will report this to the Information Commissioner’s Office (ICO) and/or our data protection manager.
If a breach is likely to result in a risk to your data rights and freedoms, we will notify you as soon as possible.
We are open and transparent about our use of data so if you are unclear about how we use data or think we could improve how we deal with Personal Information, let us know!
AVA Experience Limited
Email: [email protected]
47 Marylebone Lane, London, England, W1U 2NT
Complaints
If we are unable to resolve any issues you may have or you would like to make a further complaint, you can contact the Information Commissioner’s Office by visiting http://www.ico.org.uk/ for further assistance.