1.    How we collect your personal data

Required personal data

We will require the personal data identified below to provide you with the products and services that you request. If you do not provide us with the required personal data, we may be unable to provide our products and services to you in full.

Required personal data includes:

• Basic personal data: name, date of birth, gender, phone number, email address, shipping address and billing address.
• Payment, purchase and transaction records: bank account and payment information (credit card or third-party payment platform details), purchase history, invoice data and VAT or other tax codes.
• Marketing and communications data: your preferences (including your wish list and marketing and cookie preferences) and history of your communications with us, our service providers and/or other third parties relating to the products and services that we provide to you.
• Membership administration data: member ID, password, membership tier, membership tier achievement date, membership points, membership vouchers assigned to you and membership rewards history.

We may collect, use and/or disclose your personal data based on one or more of the following legal bases that may apply to you in your jurisdiction:

• with your consent
• where necessary to perform our contract with you
• where necessary to perform our legal duties and obligations
• where it is in our legitimate interests to
• other circumstances as allowed in your jurisdiction (and which may differ between jurisdictions).

As well as the data you directly provide to us, your data may be passed to us through third-party platforms when you purchase our products on these platforms.

If you access or use our products and/or services through a third-party account (such as a social media account belonging to you), and that third-party account provider shares your personal data with us (e.g., to confirm your identity when you access the Platform or one of our services through that third party account), we will be permitted to use that personal data in accordance with the terms of this Privacy Policy.

To enable you to access and use the Platform, we will need to use all the required personal data identified above. If you do not want us to process any of these categories of personal data, we may be unable to provide some or all of our products and services to you.

Voluntary personal data

You may also choose to provide us with additional data for the improvement and development of our new products and services.

Voluntary personal data includes:

• Device data: IP addresses, date and time of visit, browser type, device type, operating system cookies, website beacons and pixel tags, etc.
• Location data: location of your device using technologies such as GPS, Wi-Fi, etc.
• Behavioural and profile data: your browsing behaviour and preferences.
• Usage data: your searches conducted on our Platform, browsing history, advertisements and content that you interact with on the Platform, including products and services that you have viewed, purchased or used on the Platform and photographs, audio or video recordings that you have viewed on the Platform, whether or not provided by the ANTA group.

2.    How we need to use your personal data

We will use your personal data for the following purposes:

•  For providing our products and/or services, including:
• To fulfil orders, process purchase orders, handle payments, manage returns and refunds, manage events and provide in-store Wi-Fi, etc.
• To generate and provide you with invoices and receipts, inform you of changes to our terms, services or policies, or to send other communications that are not for the purpose of marketing the services or products of us, our affiliates, subsidiaries or commercial partners.
• To manage your account with us, including registering your account (whether conducted online or in physical stores), creating and updating your account, verifying your contact information (including email address and telephone numbers and other contact information that you provide to us) and managing your loyalty programme status, etc.
• To register and maintain your membership programmes with us, including managing your membership status, ensuring that your membership details are kept up-to-date, providing you with benefits and rewards in accordance with your membership status and maintaining a record of your purchase history and purchase order details.

• To communicate data about our products, services, events and other promotional purposes (see section 3 below), including:
• To market various services, products and events to you, including the services, products or events of our affiliates, subsidiaries and commercial partners.
• To personalise and improve marketing communications (including advertisements and other forms of direct marketing) that we send through electronic messages (e.g. SMS or on instant messaging platforms) and/or emails.

• To operate, improve and maintain our business and services, including:
• To provide customer support, including to investigate and address your concerns and to monitor and improve our customer support responses and processes.
• To perform necessary operations to maintain our services, including to troubleshoot software bugs and operational problems, to conduct data analysis, testing and research, and to monitor and analyse usage and activity trends.
• To test, research and analyse mobile application product development to improve mobile application usage experience.
• In connection with any potential or actual corporate transactions, including a merger, sale of company assets, consolidation or restructuring, financing or acquisition of all or a portion of our business or of any entity by or into another company, including discussions with a third party preparatory to any of those events.

• To protect the rights, property and safety of individuals (including yourself) and of the ANTA group and our affiliates, subsidiaries and commercial partners, including:
• To identify, prevent, detect and combat fraud and other improper conduct.
• To investigate or address claims or disputes relating to the use of our services or products or the Platform, to satisfy requirements under the law in your jurisdiction, regulations, or operating licences or agreements with any third party, in connection with any actual or potential legal process or governmental request, including from law enforcement authorities, or where the disclosure is otherwise appropriate due to safety or similar concerns, when required or requested to do so, or where required or permitted to do so by law, regulation or court order (or any other form of legal compulsion).

3.    Our

If you do not wish to receive marketing messages from us, you may:

• follow the instructions in the relevant marketing communications that you receive from us to unsubscribe from these communications
• change the settings of your member account
• configure the privacy settings on your social media account or browser
• submit a request to our customer service team by email (see contact details at the bottom of this privacy policy)
• delete your account and/or membership/ loyalty program entirely.

Some of our (mobile) applications may also send messages to you, including push messages. You may disable such messages by changing your mobile phone or application settings or by choosing to delete the application to stop receiving messages.

4.    How we use cookies and similar technologies

Cookies

To ensure the proper functioning of our websites, we store small data files called cookies on your computer or mobile device (e.g. to store your site preferences or products in your shopping basket). Cookies usually contain unique identifiers and site names.

We will not use cookies for any purposes other than those stated in this Privacy Policy. You may clear all cookies saved on your computer, and most web browsers have a feature to block cookies. If you do so, you will need to change your user settings manually each time you visit our website.

Website Beacons and Pixel Tags

In addition to cookies, we use other similar technologies on our websites, such as website beacons and pixel tags. For example, an email we send you may contain a click-through URL that links to content on our website. If you click the link, we track that click to help us understand your product and service preferences and improve our customer service.

Website beacons are usually transparent images that are embedded in a website or email.

With the help of pixel tags in an email, we can know whether the email has been opened. If you do not want your activities tracked in this way, you can unsubscribe from our mailing list at any time.

Do Not Track request

If your browser has a “Do Not Track” function enabled, our websites will respect your preferences.

5.    To whom we will need to share/ transfer your personal data

The personal data that we collect from you will be stored in Singapore on our secured cloud server hosted in Singapore.

We may share your personal data within the ANTA group if this sharing is necessary for us to perform our obligations in the course of or in connection with our provision of our products and services to you. We may also share your personal data with third-party service providers, agents and other organisations that we have engaged to assist us in relation to any of the activities stated in item 2 above.

At present, we share your personal data in the following circumstances:

• We may share/ transfer your personal data to any other third-party if you have provided your consent for us to do so, or if we are required or allowed to do so under the law in your jurisdiction.
• In connection with any potential or actual corporate transactions, including a merger, sale of company assets, consolidation or restructuring, financing or acquisition of all or a portion of our business or of us (in whole or in part) by or into another company, including discussions with a third party preparatory to any of those events. We may engage external vendors to provide certain services (e.g. customer support). We enter into strict confidentiality agreements with companies, organisations and individuals who we entrust to handle personal data.

We may transfer your personal data to jurisdictions outside of the countries or regions from which you access the Platform for any of the purposes set out in item 2 of this Privacy Policy (with your consent or on any other legal basis recognised by the law in your jurisdiction). Other jurisdictions may have different or more limited data protection laws. In such circumstances, we will seek to ensure that your personal data is accorded equivalent and adequate protection as if it were still within the territory of your jurisdiction. For example, we will enter into data transfer agreements with an overseas data recipient, or ensure that that data recipient has the necessary privacy certifications required under the law in your jurisdiction. Alternatively, we will request your consent for the cross-border transfer of your personal data.

We require any party receiving personal data from us to process personal data in accordance with our instructions, this Privacy Policy, any or all applicable confidentiality and security measures undertaken by the receiving party.

6.    To whom we may need to disclose your personal data

We will only publicly disclose your personal data in the following circumstances:

• Upon obtaining your consent for us to do so, or if we are required or allowed to do so under the law in your jurisdiction.
• In connection with any actual or potential legal process or governmental request, including from law enforcement authorities, or where the disclosure is otherwise appropriate due to safety or similar concerns, when required or requested to do so, or where required or permitted to do so by law, regulation or court order (or any other form of legal compulsion). 

7.    How your personal data is protected

We have put in place industry-standard security safeguards to protect your personal data against unauthorised access, public disclosure, use, modification, damage or loss of data. These safeguards include:

• SSL encryption for credit card data
• secure browsing on our website
• data encryption technology
• trusted protection mechanisms to prevent malicious attacks on data
• access control mechanisms limiting access to personal data to authorised personnel only.

We also provide security and privacy training to raise our employees’ awareness of the importance of protecting personal data.

We have enhanced the security of our entire system by means of system design, process management, personnel management and technical support.

If any personal data security incident occurs, we will promptly inform you of the following in accordance with the requirements of relevant laws and regulations:

• basic data and possible impacts of the security incident
• measures we have taken or will take in response to the incident
• suggestions for you to prevent and reduce any risks and remedial measures available to you.

We will promptly inform you of the incident by mail, letter, telephone, push notification or through other means. Where it is difficult to inform you individually, a substitute announcement will be published in a reasonable and effective way.

8.    What your rights are in relation to your personal data

Accessing or correcting your personal data

Subject to the exceptions specified by law, you have the right to access or correct your personal data by logging on to your account on the Platform and by viewing or amending your personal account information directly, or by contacting us by email (see contact details at the bottom of this privacy policy).

Deleting your personal data

You may delete your membership account with us at any time. When you delete your account, we will cease to use and either delete or anonymise your personal data.

In general, we will cease to retain your personal data as soon as it is reasonable to assume that the purpose for which that personal data was collected is no longer served by retaining that personal data, and that retention is no longer necessary for legal or business purposes. Once we have made this determination, we will delete or anonymise your personal data as soon as practicable.

You may also send a request to us to delete your personal data stored by us before the end of the usual retention period. If we respond to your request, we will also notify the entities who have obtained your personal data from us and require them to promptly delete the data they have obtained, unless otherwise provided by law or regulation or unless such entities have obtained separate consent from you.

Your request for us to delete your personal data should reference one of the following grounds:

• if our processing of the personal data violates any law or regulation
• if our processing of the personal data violates any agreement with you
• if you no longer access the Platform and you have logged out of your account
• if we no longer provide products and services to you.

If we delete your data from our services, we may not immediately delete the corresponding data from our backup system, but we will delete such data at the time that the backup system is updated.

Limit automated decision-making

In certain situations, we may make decisions solely based on automated decision-making mechanisms, involving the use of data systems, algorithms, etc. If these decisions significantly affect your legitimate rights or interests, you have the right to seek an explanation from us.

We will be happy to provide this explanation to you, unless we are prevented from doing so by law.

Verification of identity

For security reasons, when we respond to your request, we may require you to verify your identity prior to our processing of your request. You may be required to provide us with a written request or other means of identification.

We will aim to respond within 15 business days, and if we are unable to do so, we will inform you within the same time period and provide you with an estimated reply date. If you are not satisfied with our response, you may lodge a complaint through our customer service portals. In general, we will not charge any fees for any reasonable data access requests. However, we may charge a certain fee for repeated requests or requests that exceed reasonable limits, depending on the circumstances.

We may refuse requests that are gratuitously repetitive, technically demanding (for example, requiring the development of a new system or a fundamental change in our existing practices), pose risks to the legitimate rights and interests of others, are malicious or an abuse of rights or are highly impractical (for example, requests relating to data stored on backup platforms), or which we are not permitted to comply with according to law.

9.    How we deal with children’s personal data

Our intention is not to collect any personal data related to children.

If you are under the legal age limit of the jurisdiction where we believe you are currently located, or where you have requested that an order be delivered to, you may access the Platform only with the involvement of your parent or guardian.[1]

10. How we update this Privacy Policy

This Privacy Policy applies in conjunction with any other notices, contractual clauses and consent clauses that apply in relation to the collection, use and disclosure of your personal data by us.

We may introduce new or optimised features from time to time that require the collection and use of new personal data or which change or add to the original purposes of use of your personal data. If that happens, we will update this Privacy Policy via a pop-up window, page prompt or similar notification, and allow you to separately consent to such collection and use. With your separate consent, we will be able to collect and use such data for the new purposes explained to you in that notification.

We will post any changes we make to this Privacy Policy on this page.

We may also publish more prominent notices of material changes to this Privacy Policy (for example, for some services, we will notify you via email of specific changes to our personal data protection Privacy Policy).

Material changes referred to in this Privacy Policy include:

• material changes to our service model, for example, the purposes of handling personal data, the type of personal data handled and the use of personal data
• material changes to our ownership structure and organisational structure, for example, changes in ownership resulting from business adjustments, bankruptcy, mergers and acquisitions, etc.
• changes to the purposes of personal data disclosure
• significant changes to your rights to participate in the processing of personal data and the method of exercising such rights
• changes in our department responsible for personal data security, our contact data or channels for lodging complaints
• high risk changes as indicated in the personal data security impact assessment report.

11. Jurisdiction-specific matters

Singapore

• Sending direct marketing messages to you requires your express consent.
• The Singapore Personal Data Protection Act has established a National Do Not Call (DNC Registry), which allows individuals to register their Singapore telephone numbers to opt out of receiving marketing phone calls, mobile text messages such as SMS or MMS, and faxes from organisations.
• If you have registered your telephone number with the DNC Registry, we will not send you any promotional or marketing messages via phone calls, text messages and faxes. However, if you have previously given us consent to contact you for promotional or marketing purposes, we will continue to do so until you withdraw your consent.