CandyBird (“CandyBird”) acknowledges and supports consumer rights and the right to privacy. Accordingly, our customers’ privacy and trust are extremely important to us! We will ensure that personal information (“information”) is collected and handled in a transparent and lawful manner in alignment with the Protection of Personal Information Act, 2013 (“POPIA”).
It is important that you read this Statement carefully before submitting any information to CandyBird:
We respect privacy, we promise:
CandyBird offer a wide range of products and services, including but not limited to in-store services, digital offerings, a loyalty programme, and value-added services. This Statement explains how we use the information we collect from you when you use our products and/or services and by using our products and/or services and/or by providing information to us you agree to the information being processed as set out in this Statement. This Statement also:
Some parts of our business may need to collect and use personal information to provide you with their products and services. In most cases they will refer to this Statement, but you must also read their specific terms and conditions. CandyBird websites or mobile apps may contain links to websites operated by other organisations that have their own privacy policies. Please make sure you read their terms and conditions and privacy policies carefully before providing any personal information on other websites as we do not accept any responsibility or liability for other organisations. We provide these links merely for your convenience. We have no control over, do not review, and are not responsible for third party sites, their content, or any goods or services available through these sites.
In this Statement, “CandyBird”, “us”, “our” or “we” refers to one or more of the companies in the CandyBird Group that operate in South Africa. Whilst our franchisees generally use our systems and we have written agreements in place with them to comply with law, this Statement does not necessarily reflect the individual practices of our franchisees as they are their own legal entities.
This Statement is subject to the laws of the Republic of South Africa in particular POPIA and the Consumer Protection Act, 2008 (“CPA”) as well as other relevant data protection legislation. Any dispute arising will, to the extent permitted by law, first attempted to be settled internally and if this is not possible be referred to arbitration at a venue to be determined by us applying the Uniform Rules of the High Court of South Africa.
To register or make use of CandyBird programs and services such as our Website, Services, Modules, etc you are required to provide us with your personal information including but not limited to your South African ID number or passport number (for non-South African citizens), name, surname, contact information and other personal details.
You may provide personal information to us either directly or indirectly (through a person acting on your behalf), by completing an application form for our products and services or requesting further information about our products and services, whether in writing, through our website, over the telephone or any other means.
We only collect information that is reasonably necessary for our business functions and activities and related purposes. The type of information we collect and hold, will depend on the purpose for which it is collected and used. Where possible, we will inform you what information you are required to provide to us and what information is optional. The information we process is typically to provide you with the goods and services you want to buy and help you with any services and refunds you may ask for, to manage and improve our day-to-day operations, to manage and improve our loyalty program, websites and mobile platforms with the aim of improving your customer experience.
We may also collect your personal information from a person acting on your behalf, any regulator, or other third party that may hold such information.
You agree to give accurate and current information about yourself to CandyBird and to maintain and update such information when necessary. To improve the accuracy of our data and get to know our customers better, we may enrich it from other third parties, including credit bureaus.
CandyBird have various partnerships and we also provide various goods and services. To deliver these goods and services, varying levels of information are required to be processed, including obtained from or shared with relevant external business partners (local and/or abroad) to verify against, or facilitate the goods or services offered by the business partner. When you agree to the CandyBird and/or business partner’s terms and conditions, it allows us to share the relevant information to facilitate the product or service being rendered to you.
Note that for some of our products may require you to provide additional information directly to a business partner of ours. In such instance, CandyBird process this information on the business partner’s behalf and as such the relevant business partner remains responsible for protecting this information, not CandyBird. When signing up with one of our business partners, it is important for you to recognise that you are establishing a direct, binding relationship with such a partner under their terms & conditions and related privacy policies and that they would be the responsible party under POPIA.
CandyBird will not knowingly collect any information of persons (minors) under the age of 18 years. Our website and mobile apps, products and services are all directed to people who are at least 18 years old or older.
If you are under the age of 18 years, you must not provide any information to CandyBird without the consent of your parent or guardian. If you become aware that a “child” has provided their personal information without parental consent, please contact us immediately. If we become aware that a child has provided us with personal information without parental consent, we will take steps to remove the data and cancel the child's account.
When signing up for certain CandyBird services, you are required to create a user account. You agree that you will provide accurate information to us and keep it updated, and that you will not create a false identity or an account for anyone other than yourself. It is your responsibility to safeguard your profile’s username and password. This includes that you make use of a strong password and that you do not intentionally or unintentionally divulge it to anybody else. In the event of someone else using your username and password to make changes to your profile or transact on your behalf, you will be held responsible for the changes and the outcome thereof.
If you suspect its misuse or compromise, you must report this to our Inbox consumer@candybird.co.za or via web form as soon as possible.
A cookie is a piece of information that is deposited in your computer’s hard drive by your web browser when you use our computer server. Most web browsers accept cookies automatically, but you can alter your settings to prevent automatic acceptance. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalised web experience. If you choose not to accept cookies, this may disable some features of our website. Our website also uses push notifications. For further information, please see our Cookies Policy.
An embedded script is a programming code that is designed to collect information about your interactions with the CandyBird website. The code is temporarily downloaded onto your device from our web server or a third-party service provider, is active only while you are connected to our website and is deactivated or deleted thereafter.
Certain mobile service providers uniquely identify mobile devices. CandyBird or our third-party service providers may receive such device information if you access our website or mobile applications through your mobile device when allowing cookies or push notifications. For further information, please see our Mobile Application Policy and Cookies Policy
Closed-Circuit Television (CCTV) images are processed, monitored and recorded for the purposes of crime prevention and detection as well as public safety in our stores and regional support offices. For further information, please see our CCTV Policy.
CandyBird may need to transfer a data subject's information to service providers in countries outside South Africa, these countries may not have data-protection laws which are similar to those of South Africa. Where this is done, CandyBird do so in accordance with applicable laws.
CandyBird use your information for the purposes for which it was collected or agreed with you to facilitate the provision of our products and services to you, and for purposes which are within reasonable expectations and where permitted by law.
Examples of information collected from you or other sources and processed by CandyBird are detailed below (which is not an exhaustive list) and linked to the purpose thereof.
We may also use your information for the following reasons:
If you are an existing customer, we may communicate with you based on the preferences as selected by you in relation to products or services you have signed up for. This may include making contact via telephone, email, sms, social media and other channels about products and or services which may be if interest to you. If you are not considered to be a customer, we will obtain your consent to opt-in to direct marketing.
You may opt-out (free of charge) from receiving future promotional information or direct marketing from CandyBird by either unsubscribing to the specific communications you receive by replying to the email or via sms, accessing the online preferences portal or contacting support at consumer@candybird.co.za.
Information that CandyBird collects is kept in a form which permits your identification for no longer than is necessary to honour your choices, to fulfil the purposes for which it was collected and processed in each specific case, and in any case not longer than as specified by the relevant applicable laws unless we have your consent to process it indefinitely.
CandyBird will retain your information after you have closed your account where reasonably necessary to comply with our legal obligations (including law enforcement requests), meet regulatory requirements, resolve disputes, maintain security, prevent fraud and abuse, enforce our agreement, or fulfil your request to “unsubscribe” from further messages from us.
We may retain de-identified, anonymised or pseudonymised information after your account has been closed using techniques that do not permit your re-identification. If none of the afore-mentioned scenarios are required, CandyBird will permanently delete (electronic) and shred (paper) after the purpose of collection the information has expired.
CandyBird will take reasonable steps to protect the information we collect, hold and process from misuse, loss and from unauthorised access, modification or disclosure. We hold information both at our own premises and with the assistance of our service providers.
This is based on the information security principles of Confidentiality, Integrity, Availability and Privacy (CIAP) as governed by our Information Security Policy. This sets out CandyBird’s objectives and general approach to information security, which aims to protect CandyBird’s business information and safeguard any personally identifiable information within our custody. We seek to achieve the following 5 key objectives as it relates to Information Security:CULTURE
Improve the security culture through continuous education and awareness
RISK-BASED PROTECTION
A focused, risk-based approach to protect assets and information
COMPLIANCE
Comply to the legal and regulatory requirements (local and international)
DETECT AND RESPOND
Balance the need for protection with effective detection and response
CULTURE
Integrate security into business decisions through ownership and leadership
Because no data transmission over the internet is completely secure, and no IT system of physical or electronic security is impenetrable, we cannot guarantee the security of the information you send to us or the security of our servers or databases. Having noted that, we do take every reasonable step within our control, to protect your information and preserve the accuracy thereof. Quality of information means that the information we use must be appropriate, complete and reliable. The higher data quality we maintain, the better service we can render.
Notwithstanding anything to the contrary in this Statement, CandyBird reserve the right to disclose any information about you if we are required to do so by law, and if we believe that such action is necessary to: (a) fulfil a government request; (b) conform with the requirements of the law or legal process; (c) protect or defend our legal rights or property, our website, or other users; or (d) in an emergency to protect the health and safety of our website’s users or the general public.
Authorised CandyBird employees or agents will have access to some or all your information. We may also disclose your information within our group of companies. Such data sharing is governed by our CIAP information security principles and associated practices.
We do use service providers to provide our services and maintain our systems, including but not limited to maintenance, security, analysis, audit, payments, customer service, marketing and system development. These parties will have access to your information as reasonably necessary to perform these tasks on our behalf (namely role-based access). Where we contract with service providers, and wherever possible, we impose contractual obligations on them to ensure that your information is handled and secured in accordance with law and industry good practise.
Some of our service providers may be located in other countries that may not have the same levels of protection of information as South Africa. Wherever possible, we try to only use service providers that are located in countries with similar or more stringent levels of protection of information as South Africa. Alternatively, we require that service providers in less stringently regulated countries undertake to protect the information of our customers to the same level that we do.
Unless you have explicitly consented to this, we will never sell your personal information.
Depending on which product or service you (as the Data Subject) have signed up for, you can update some of your information via our digital channels. Alternatively, your information can be updated via our Customer Care Line.
You have the right:
Before we provide you with access to your information, we may require proof of identity. We may require up to 21 (twenty-one) days to respond to any requests for information. We may refuse to disclose some information in accordance with PAIA.
If you require CandyBird to delete all your information that we have about you, please also contact our Customer Care Line. Note that you will probably have to terminate all agreements you have with us, as we cannot maintain our relationship with you without at least having some of your information. We may also refuse to delete some of your information if we are required by law to retain it or if we need it to protect our rights.
A security compromise or information breach can be described as a threat to the Confidentiality, Integrity, Availability or Privacy of IT systems and/or information. Such incidents are governed by the CandyBird Security Incident Response process which allows us to deal with the compromise/breach and/or loss in an efficient and effective manner. One of the key pillars of this process is keeping all impacted stakeholders informed and updated.
When there are reasonable grounds to believe that your information has been accessed, altered, deleted or acquired by any unauthorised person, we will notify the Information Regulator and yourself in cases where your identity can be established. This notification will be done in accordance with the provisions of POPIA and as soon as reasonably possible after the discovery of the compromise, considering the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of our systems.
We may amend this Statement from time to time for any of the following reasons:
Any such amendment will come into effect and become part of any agreement you have with CandyBird when Statement is given to you of the change by publication on our website. It is your responsibility to check the website often.
If you have questions about this Privacy Statement or wish to exercise your rights in terms of access to, correction, or deletion of your information, please contact us via email at consumer@candybird.co.za who will attempt to resolve your query.
If unable to, and depending on your situation, our Customer Care Line will explain the process to follow and potentially refer your query to internal subject matter experts.
Our Information Officer contact details are:
Email: informationOfficer@candybird.co.za
Should you believe that CandyBird has utilised information contrary to applicable law, you undertake to first attempt to resolve any concerns with CandyBird. If you are not satisfied with such process, you have the right to lodge a complaint with the Information Regulator of South Africa.
The Information Regulator’s contact details are:
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
P.O Box 31533, Braamfontein, Johannesburg, 2017
Email: inforeg@justice.gov.za
Website: https://www.justice.gov.za/inforeg/