GOLDILOCKS BAKESHOP, INC.
GENERAL DATA PRIVACY POLICY
(As of February 2021)
I. Overview
We, Goldilocks Bakeshop, Inc. (‘Goldilocks,’ ‘we,’ or ‘us’) and our subsidiaries and affiliates, provide a full range of food-related services. In providing such services, we rely on personal information, whether it be the information of our clients, our employees, or any other individual with whom we have a contractual relationship.
Given the importance of privacy to all concerned parties, we are committed to the highest standards of privacy and data protection compliance and expect everyone in our Company to adhere to these standards. We demand the highest standards of ethics and compliance with applicable laws and rules from our management, employees, and third party suppliers and service providers.
This Privacy Policy will help you understand: (i) what Personal Information we collect; (ii) how we collect, hold, use and disclose that information; and (iii) the purposes of such collection, holding, use and disclosure.
II. To what does this Privacy Policy apply?
This Policy applies to all of our facilities, as well as all the services that we offer.
This Policy does not apply to any website, product or service of any third-party organization even if the website links to (or from) our Website. Please always review the privacy practices of any third-party organization before deciding whether to provide any information.
By using our services, you accept the practices described in this Policy. If you do not agree with this Policy, you should immediately refrain from using our services or browsing our website. Continued use of our services or website will signify your acceptance of this Policy.
III. What information do we collect?
When you use our services, we collect your Personal Information.
The term “Personal Information”, as used in this Policy, refers to any data (whether by itself or when linked with other information) in the possession of, or likely to come into the possession of Goldilocks, that can be used to identify a specific living person.
If you have provided us Personal Information of another individual, for instance where you have ordered a Goldilocks product to be delivered to someone other than yourself, then you agree to indemnify and hold Goldilocks Bakeshop, Inc., its subsidiaries and related companies, officers, employees and agents (collectively, We), free and harmless from and against any and all claims, actions, damages and costs that We may incur by reason or in respect of our having processed any of the said information.
Personal Information does not include information that has been aggregated or made anonymous such that it can no longer be reasonably associated with a specific person.
Through various means described in Part V below, we collect from you the following Personal Information:
1. Personal Information
a. Full Name
b. Billing Address
c. Contact Information (Email Address, Landline Number and Mobile)
d. IP Address
2. Sensitive Personal Information
a. Age
b. Birthday
c. Gender
d. Civil Status
e. Nationality
IV. Why do we collect your information?
Generally, we collect your Personal Information in order to enable us to provide our services.
We collect your Personal Information for the following purposes:
1. To process registrations in GBI’s programs;
2. To facilitate the marketing efforts of the organization;
3. To process online orders;
4. To establish, exercise, or defend legal claims; and
5. To fulfill any other purposes directly related to the above-stated purposes.
Subject to the Data Privacy Act and with your consent, we may share, preserve, transfer, and disclose your Personal Information to the following:
a. Third party suppliers and service providers that help us provide our services, to the extent needed to perform their duties and their functions; and
b. Government authorities and such entities that may have a legitimate and legal interest in the information, in response to a legal request such as a search warrant, court order or subpoena, if we believe in good faith that we are required to do so under the law.
V. How do we collect your information?
Broadly speaking, we collect information in three ways: (1) when you provide it directly to us, (2) when we obtain verification information about you or your company through trusted third parties, and (3) passively through technology such as “cookies”.
Specifically, we collect Personal Information from you through the registration forms, both electronic and physical, that are used and maintained by Goldilocks.
VI. What are your rights as a data subject and how do you exercise them?
As a data subject whose Personal Information will be collected and processed by us, you are entitled to the following rights, pursuant to Section 16 of Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012, and Section 34 of its Implementing Rules and Regulations:
1. Right to be Informed
You have a right to be informed whether Personal Information pertaining to you shall be, are being, or have been processed, including the existence of automated decision-making and profiling.
2. Right to Object
You shall have the right to object to the processing of your Personal Information, including processing for direct marketing, automated processing or profiling. You shall also be notified and be given an opportunity to withhold consent to the processing in case of changes or any amendment to the information supplied or declared to the data subject.
3. Right to Access
You have a right to be given access to specific kinds of information identified in the Data Privacy Act, upon reasonable demand.
4. Right to Rectification
The data subject has the right to dispute inaccuracies or errors in his Personal Information and have us correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable.
5. Right to Erasure or Blocking
You shall have the right to suspend, withdraw or order the blocking, removal or destruction of your Personal Information from our filing system.
6. Right to Damages
Upon presentation of a valid decision, we recognize your right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of Personal Information, taking into account any violation of your rights and freedoms as data subject.
Please note that this is not an exhaustive discussion of your rights as a data subject. If you wish to know more, please see our Data Subject Rights Policy.
VII. What principles do we follow when we collect your information?
In compliance with applicable laws and regulations, we pledge to observe the following principles:
1. Principle of Transparency
We are committed to ensuring that you know why we collect Personal Information, as well as how much of it we collect. As we seek to ensure the security of your Personal Information, we make sure that you know what risks are involved when we collect and use your Personal Information, as well as the measures we have established to ensure that those risks are lessened or eliminated.
2. Principle of Legitimate Purpose
We are committed to ensuring that your Personal Information will only be used for specified, legitimate purposes. No Personal Information shall be used for a purpose other than that which has been told to you and which you have consented to.
No Personal Information shall be collected without your consent. If you wish to withdraw consent to the collection of your Personal Information, kindly give us reasonable notice so we may have time to cease any and all processing.
3. Principle of Proportionality
We are committed to ensuring that we do not collect more Personal Information from you than is necessary. Personal Information shall be collected only to the extent that is needed for the purposes specified in this Policy.
4. Principle of Lawful Processing
We pledge that we shall uphold your rights as a Data Subject. You shall have the right to refuse, withdraw, consent, or object to the use and collection of your Personal Information.
In the event that you refuse to give consent, your Personal Information shall no longer be processed, unless:
a. The Personal Information is needed pursuant to a subpoena;
b. The collection and processing are for obvious purposes, including, when it is necessary for the performance of or in relation to a contract or service to which the customer is a party; or
c. The information is being collected and processed as a result of a legal obligation.
Any information to be provided by you shall always be in clear and plain language, to ensure that the information is easy to understand and access.
5. Data Retention
Any Personal Information given to us by you or pertaining to you shall only be retained for as long as necessary:
a. For the fulfillment of the declared, specified, and legitimate purpose, or when the processing relevant to the purpose has been terminated;
b. For the establishment, exercise, or defense of legal claims; or
c. For legitimate business purposes, which must be consistent with standards followed by the applicable industry or approved by the appropriate government agency.
Personal Information provided to us by you shall be disposed of or discarded in a secure manner that would prevent further processing, unauthorized access, or disclosure to any other party, or prejudice the interests of our customers.
VIII. Why do we retain your personal information?
We will retain Personal Information for the period necessary to fulfill the purposes outlined in this Privacy Policy unless a longer retention period is required or permitted by the Data Privacy Act of 2012. Please note that we have a variety of obligations to retain the Data that you provide to us, i.e. to ensure that transactions can be appropriately processed, settled, refunded or charged-back, to help identify fraud and to comply with anti-money laundering and other laws and rules that apply to us and to our financial service providers. There may also be residual Data that will remain within our databases and other records, which will not be removed.
IX. How do we protect your personal information?
We use reasonable organizational, technical and administrative measures to protect Personal Information within our organization. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of your account has been compromised), please contact our Data Protection Officer immediately. His contact details are provided in Part XI below.
X. What about changes to this policy?
We may change this Privacy Policy. The “Last updated” legend at the top of this Privacy Policy indicates when this Privacy Policy was last revised. Any changes are effective when we post the revised Privacy Policy on the Services.
We may provide you with disclosures and alerts regarding the Privacy Policy or Personal Information collected by posting them on our website. By using our Services, you agree that electronic disclosures and notices have the same meaning and effect as if we had provided you with hard copy disclosures. Disclosures and notices in relation to this Privacy Policy or Personal Information shall be considered to be received by you within twenty-four (24) hours of the time they are posted to our website.
XI. How can you reach us?
Our customers can update their Personal Information by sending an email to privacy@goldilocks.com.
If you have any questions or suggestions about this Privacy Policy or would like to access or seek correction of your Personal Information, or if you have any complaints regarding our privacy practices, please contact our Data Protection Officer. His contact information is as follows:
Data Protection Officer
Goldilocks Bakeshop, Inc.
16th Floor, Greenfield Tower
Mayflower corner William Streets
Greenfield District, Mandaluyong City
Metro Manila
Email: privacy@goldilocks.com
Please note that you, as the requesting party, would have to pay the reasonable costs and expenses incurred by Goldilocks for producing the requested information.
Because email communications are not always secure, you are asked to not include credit card or other sensitive Data (such as racial or ethnic origin, political opinions, religion, health, or the like) in emails sent to us.