Wevat

Privacy Policy

1.              INTRODUCTION

 Welcome to Wevat. Vatcat Limited (we, us, or our) is the owner and operator of the Wevat VAT refund service and software application (together, the App), the website located at www.wevat.com and related social media pages and is committed to protecting and respecting your privacy.

This Privacy Policy explains:

  • why and how we may use the personal information that we obtain about you in connection with our App, website and social media pages (together, our Services) and how we handle that information;

  • with whom we share your personal information; and

  • the rights you may have in connection with the personal information we use.

Please read the following carefully.

For the purposes of data protection laws, Vatcat Limited is the ‘controller’ of your personal information. A controller decides why and how your personal information is processed and is responsible to you for that processing.  Please see the section at the end of this Privacy Policy for our contact and legal information.

Please note: a number of third parties, including UK Border Force and its airport-located agents are involved in the VAT refund process. These third parties are all separate and independent controllers of the personal information of yours that they receive from you, us or a third party and will have a separate responsibility to you under data protection laws in relation to their processing of that information.  Please consult their privacy policy to understand how they handle your personal information.

This Privacy Policy may change from time to time so please check this Privacy Policy occasionally to ensure that you are happy with any changes. For more information on changes to our Privacy Policy, please see paragraph 10 (Changes to this Privacy Policy).

 

2.              PERSONAL INFORMATION WE COLLECT ABOUT YOU

We collect personal information from you in the following ways:

Personal information you give to us:

This is personal information you give to us when you:

  • register to use the App, including your name, email address, social media display name and webchat display name;

  • use the identity verification service (see further below as well as the privacy information from our current provider, Onfido Limited);

  • submit receipts to the App to obtain a VAT refund and make payments to you, including your trip information (arrival/departure airports and trip dates) and transaction information contained in your receipts;

  • generate and complete your refund form, including your home address;

  • visit and use our website or interact with us on social media; or

  • contact us or correspond with us (including when exercising your data protection rights) whether using the App, our website, by email, or in another way.

This personal information is provided by you entirely voluntarily and includes personal information you submit through the App, in correspondence or when visiting our website or social media pages. We may also ask you for information when you report a problem with the App or your VAT refund claim. 

If we do not receive this information, you may be unable to use the App, make a VAT refund claim with the help of the App or interact or communicate with us effectively.  

Personal information we collect about you:

We automatically collect the following technical information from you:

  • when you use the App, your email address or Apple ID generated randomised unique email address or Facebook handle or WeChat ID number (depending on your sign-in option) and the following data about your device: the internet protocol address used to connect your device to the internet, the carrier and operating system information, location (region and country) and language. We also collect GPS location information from your device when you launch or open the App.  We do not continuously track your location. 

  • when you use the website, your time zone setting, browser plug-in types and versions, operating system information, the internet protocol address used to connect your device to the internet.

 We may anonymise some of the technical information we receive about you or receive the information from a third-party analytics service provider in a form that is already anonymised.

We also create and store a history of the VAT refunds we have paid to you which you can access through your account.

Information we collect about you from other sources:

We may obtain the following personal information about you from the following sources, which we use in the ways described in the section below:

Third Party

Personal Information Collected

Our identity verification provider, Onfido Limited

  • Images of your identity documents and information they contain, including unique identification numbers.

  • Reports with the status and result of your identity verification check including biometric (facial identity) checks.

  • The photo of yourself that you submit for identity verification purposes.

UK Border Force and/or their agents

For further details see the Border Force Personal Information Charter

  • The approval status of your VAT refund form.

 

3.              HOW AND WHY WE USE YOUR PERSONAL INFORMATION

Data protection law requires us to have a valid reason to process your personal information for each of the different purposes for which we use that information. The law refers to each reason as a ‘lawful basis’. The purposes for which we use your personal information and the lawful basis on which we rely to process it for each purpose is as follows:

Where necessary for us to carry out PRE-CONTRACT STEPS you have requested or for the performance of our CONTRACT with you

We will use your personal information where this is necessary for us to perform our contract with you or to carry out any pre-contract steps you’ve asked us to so that you can enter into that contract, for the following purposes:

  • register your account on the App;

  • process your VAT refund form and transfer payments due to you; and

  • to run our competitions and promotions that you enter from time to time and to distribute prizes.

You may withdraw your consent for us to use your information in any of these ways at any time. Please see paragraph 9 (Your Rights) for further details.

Where you have provided CONSENT

We may use and process your personal information where you have consented for us to do so for the following purposes:

  • contact you via email with marketing information about us, our events and products and services and about our third party partners;

  • to refresh your marketing preferences when you respond to a request from us to do so;

  • You may withdraw your consent for us to use your information in any of these ways at any time. Please see paragraph 9 (Your Rights) for further details.

Where necessary to comply with our LEGAL OBLIGATIONS

We will use your personal information to comply with our legal obligations:

  • to keep a record relating to the exercise of any of your rights relating to our processing of your personal information;

  • to comply with a request from you in connection with the exercise of your rights (for example where you have asked us not to contact you for marketing purposes, we will keep a record of this on our suppression lists in order to be able to comply with your request);

  •  to anonymise or delete your personal information when it is no longer required for the purposes described in this Privacy Policy;

  • to comply with court orders or other notices where failure to do so would result in us breaking the law;

  • to handle and resolve any complaints we receive relating to our processing of your personal information as described in this Privacy Policy; and

  • to notify you of changes to this Privacy Policy and our Terms and Conditions.

Where there is a LEGITIMATE INTEREST

We may use and process your personal information where it is necessary for us to pursue our legitimate interests as a business, or that of a third party, for the following purposes:

Processing necessary for us to promote our business and measure the reach and effectiveness of our campaigns

  • to contact you with marketing information by post (if you are not registered with the Telephone Preference Service);

  • for analysis and insight conducted to inform our marketing and business strategies, and to enhance your user experience;

  • to supply your details to social media and other online platforms operated by other companies, or to use information about you that they already hold, for them to contact you with our targeted advertising online, unless you object.  You may receive advertising based on information about you that we have provided to the platform or because, at our request, the platform has identified you as having similar attributes to the individuals whose details it has received from us. To find out more, please refer to the information provided in the help pages of the platforms on which you receive advertising from us;

Processing necessary for us to respond to changing market conditions and the needs of our users

  • to analyse, evaluate and improve our Services so that your use of them are more useful and enjoyable (we will generally use data amalgamated from many people so that it does not identify you personally);

  • to undertake market analysis and research (including contacting you with surveys) so that we can better understand your use of our Services or your opinion of us or our business;

Processing necessary for us to operate the administrative and technical aspects of our business efficiently and effectively

  • to administer our Services and for internal operations, including troubleshooting, testing, statistical purposes; 

  • to verify your identity and location and take other measures for the prevention of fraud and other criminal activities (and to share your personal information with our identity verification services provider for these reasons); 

  • for network and information security in order for us to take steps to protect your information against loss or damage, theft or unauthorised access;

  • for the purposes of corporate restructure or reorganisation or sale of our business or assets;

  • for efficiency, accuracy or other improvements of our databases and systems, for example, by combining systems or consolidating records we hold about you;

  • to enforce or protect our contractual or other legal rights or to bring or defend legal proceedings; and

  •  for other general administration including managing any reports you make, your queries, complaints, or claims, and to send service messages to you.

 

4.              DISCLOSURE OF YOUR PERSONAL INFORMATION BY US

We may disclose your information to our third party service providers, agents and subcontractors (Suppliers) for the purposes set out above. Our Suppliers can be categorised as follows:

Recipient / relationship to us

Industry sector (& sub-sector)

Advertising, PR, digital and creative agencies 

Media (Advertising & PR)

Banks, payment providers and other financial services providers

Financial (Banking & Payment)

Cloud software system providers, including database, email distribution and document management providers

IT (Cloud Services)

Customer service/help desk platform providers

IT (Customer Services)

Facilities and technology service providers including scanning and data destruction providers, receipt verification and document processing service providers and other back office administration service providers

IT (Data Services)

Identity verification service providers

IT (Identity Verification)

Insurers and insurance brokers

Insurance (Underwriting & Broking)

Legal, security and other professional advisers and consultants

Professional Services (Legal & Accounting)

Market and customer research providers

Media (Market Research)

Social media platforms

Media (Social Media)

Website and data analytics platform providers

IT (Data Analytics)

Website and app developers

IT (Software Development)

Website hosting services providers                                                                                                  Website hosting services providers

IT (Hosting)

When sending your information to Suppliers, we only disclose to them any personal information that is necessary for them to provide their service and we have a contract in place that requires them to keep your information secure.

When we share your personal information with any Suppliers or other third parties that are controllers of that information, they may disclose or transfer it to other organisations in accordance with their data protection policies. This does not affect any of your data subject rights, as detailed below.

We may disclose your personal information to other third parties as follows:

  • any third party who is restructuring, selling or acquiring some or all of our business or assets or otherwise in the event of a merger, re-organisation or similar event; and

  • if we are under a duty to disclose or share your information in order to comply with any legal or regulatory obligation or request, including by the police, tribunals, regulators, the government or related agencies.

 

5.              WHERE WE STORE YOUR PERSONAL INFORMATION

 All information you provide to us may be transferred to countries outside the United Kingdom (UK) and European Economic Area (EEA). By way of example, this may happen where any of our servers or those of our third party service providers are from time to time located in a country outside of the UK and EEA. These countries may not have similar data protection laws to the UK and so may not protect the use of your personal information to the same standard.

If we transfer your information outside of the UK and EEA, we will take steps to ensure that appropriate security measures are taken with the aim of ensuring that your privacy rights continue to be protected appropriately. These steps include:

  • ensuring the non-UK/EEA countries to which transfers are made have been deemed adequately protective of your personal information for the purposes of data protection law by the relevant bodies;

  • imposing contractual obligations on the recipient of your personal information using provisions formally issued by relevant bodies for this purpose. We use these provisions to ensure that your information is protected when transferred to our Suppliers outside the UK and EEA; or

  • ensuring that the recipients are subscribed to ‘international frameworks’, where applicable, that aim to ensure adequate protection.

Please contact us using the details at the end of this Privacy Policy for more information about the protections that we put in place and to obtain a copy of the relevant documents.

If you use our Services whilst you are outside the UK and EEA, your information may be transferred outside those territories in order to receive those services.

6.              THE PERIOD FOR WHICH WE KEEP YOUR PERSONAL INFORMATION

If we collect your personal information, the length of time for which we retain it is determined by several factors including the purpose(s) for which we use that information and our obligations under other laws. We do not retain personal information in an identifiable format for longer than is necessary.

We may need your personal information to establish, bring or defend legal claims.  For this purpose, we will always retain your personal information for 7 years after the date it is no longer needed by us for any of the purposes listed under paragraph 3. In respect of your VAT refund forms and receipts, we retain these for 7 years from the date we make payment to you for your VAT refund (How and why we use your personal information) above. The only exceptions to this are where:

  • we reject the receipts you submit or do not make payment to you for any other reason, in which case will retain your receipts (and, if applicable, VAT refund form) in an identifiable form for up to 10 years for fraud prevention purposes;

  • the law requires us to hold your personal information for a longer period, or delete it sooner;

  • you exercise your right to have the information erased (where it applies) and we do not need to hold it in connection with any of the reasons permitted or required under the law (see paragraph 9 (Your Rights) below); and

  • you exercise your right to require us to retain your personal information for a period longer than our stated retention period (see paragraph 9 (Your Rights) below).

7.              SECURITY AND LINKS TO OTHER SITES

We employ security measures to protect the personal information you provide to us, to prevent access by unauthorised persons and unlawful processing, accidental loss, destruction and damage. When we have provided (or you have chosen) a password allowing you access the App, you are responsible for safeguarding it and keeping it confidential and you promise not to allow it to be used by third parties.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do everything possible to protect your personal information, we cannot guarantee the security of any personal information during its transmission to us online. You accept the inherent security implications of using the internet and will not hold us responsible for any breach of security unless we are at fault.

We recommend that you take the following security measures to enhance your online safety: We recommend you frequently change your password. Keep your passwords private. Remember, anyone who knows your password may access your account. Avoid using the same password for multiple online accounts. We will never ask you to confirm any account or credit card details via email. If you receive an email claiming to be from us asking you to do so, please ignore it and do not respond. 

Our Services may contain links to other websites run by other organisations which we do not control. This Privacy Policy does not apply to those other websites‚ so we encourage you to read their privacy policies. We are not responsible for the privacy policies and practices of other websites (even if you access them using links that we provide) and we provide links to those websites solely for your information and convenience.  We specifically disclaim responsibility for their content, privacy practices and terms of use, and we make no endorsements, representations or promises about their accuracy, content or thoroughness. Your disclosure of personal information to third party websites is at your own risk.

In addition, if you visited our website from a third party website, we cannot be responsible for the privacy policies and practices of the owners and operators of that third party website and recommend that you check the policy of that third party website.

8.              AUTOMATED DECISION MAKING

We do not envisage that any decisions that have a legal or significant effect on you will be taken about you using purely automated means by us, however we will update this Privacy Policy and inform you if this position changes.

Our identity verification services provider uses a mixture of machine learning and human powered methods to perform identity checks.  Please see the privacy information from our current provider, Onfido Limited, for further information about these processes.

 

9.              YOUR RIGHTS

You may have a number of rights in relation to your personal information under data protection law.  In relation to certain rights, we may ask you for information to confirm your identity and, where applicable, to help us to search for your personal information. Except in rare cases, we will respond to you within 1 calendar month from either:

  • the date that we have confirmed your identity; or

  • where we do not need to do this because we already have this information, from the date we received your request.

You have the following rights, some of which may only apply in certain circumstances:

Your Rights

Further Information

To have your information corrected if it is inaccurate and to have incomplete personal information completed

If you change your name or contact information, or you discover that any of the other information we hold is inaccurate or out of date, please let us know by contacting us in any of the details described at the end of this Privacy Policy.

To object to processing of your personal information

Where we rely on our legitimate interests as the lawful basis for processing your personal information for particular purposes, you may object to us using your personal information for these purposes by emailing or writing to us at the address at the end of this Privacy Policy.  Except for the purposes for which we are sure we can continue to process your personal information, we will temporarily stop processing your personal information in line with your objection until we have investigated the matter. If we agree that your objection is justified in accordance with your rights under data protection laws, we will permanently stop using your data for those purposes. Otherwise we will provide you with our justification as to why we need to continue using your personal information.

To withdraw your consent to processing your personal information

Where we rely on your consent as the lawful basis for processing your personal information, you may withdraw your consent at any time by contacting us using the details at the end of this Privacy Policy. If you would like to withdraw your consent to receiving any direct marketing or cookies to which you previously opted-in, you can also do so using our unsubscribe tool. If you withdraw your consent, our use of your personal information before you withdraw is still lawful.

To restrict processing of your personal information

You may ask us to restrict the processing of your personal information in the following situations:

  • where you believe it is unlawful for us to do so;

  • you have objected to its use and our investigation is pending; or

  • you require us to keep it in connection with legal proceedings.

In these situations, we may only process your personal information whilst its processing is restricted if we have your consent or are legally permitted to do so, for example for storage purposes, to protect the rights of another individual or company or in connection with legal proceedings.

To have your personal information erased

In certain circumstances, you may ask for your personal information to be removed from our systems by emailing or writing to us at the address at the end of this Privacy Policy. Unless there is a reason that the law allows us to use your personal information for longer, we will make reasonable efforts to comply with your request.

To request access to your personal information and how we process it

You have the right to ask for a copy of the information that we hold about you by emailing or writing to us at the address at the end of this Privacy Policy. We may not provide you with a copy of your personal information if this concerns other individuals or we have another lawful reason to withhold that information.

To electronically move, copy or destroy your personal information in a standard, machine-readable form

Where we rely on your consent as the lawful basis for processing your personal information or need to process it in connection with a contract in place with you, you may ask us to provide you with a copy of that information in a structured data file. We will provide this to you electronically in a structured, commonly used and machine readable form, such as a CSV file.

You can ask us to send your personal information directly to another service provider, and we will do so if this is technically possible. We may not provide you with a copy of your personal information if this concerns other individuals or we have another lawful reason to withhold that information.

Rights relating to automated decision making, including profiling

You may also contest a decision made about you based purely on automated processing by contacting us using the information at the end of this Privacy Policy.

To complain to a data protection regulator

You have the right to complain to a data protection regulation (which in the UK is the Information Commissioner’s Office (ICO)) if you are concerned about the way we have processed your personal information. Please visit the ICO website for further details.

 

10.           CHANGES TO THIS PRIVACY POLICY

We may review this Privacy Policy from time to time and any changes will be notified to you by posting an updated version on our website and/or by contacting you by email. Any changes will take effect 7 days after the date of our email or the date on which we post the modified terms on our website, whichever is the earlier. We recommend you regularly check for changes and review this Privacy Policy whenever you visit or use our Services. If you do not agree with any aspect of the updated Privacy Policy you should immediately notify us and cease using our Services.

11.           CONTACT US

Please direct any queries about this Privacy Policy or about the way we process your personal information to our Privacy Manager using our contact details below.

If you wish to write to us, please write to Vatcat Limited, White Collar Factory, 1 Old Street Yard, London, England, EC1Y 8AF.

Our email address for data protection queries is help@wevat.com. Alternatively, you can contact us via the App chat function or website.

Please see our Term and Conditions for legal information relating to Vatcat Limited.

Latest update: July 2020