This policy sets out:
• what is considered personal information;
• what personal information we collect and hold;
• how we collect, hold, use or disclose personal information;
• the purposes for which we collect personal information;
• what happens if we are not able to collect personal information;
• how to seek access to and correct your personal information;
• whether we disclose personal information outside Australia; and
• how to contact us.
Mr Yum respects the rights and privacy of all individuals and is committed to complying with the Privacy Act 1988 (Cth) (the Act) and the Australian Privacy Principles and protecting the personal information we hold.
We may, from time to time, review and update this policy, including taking account of new or amended laws, new technology and/or changes to our operations. All personal information held by us will be governed by the most recently updated policy and we will give you notice of our revised policy by posting to our Website.
When used in this policy, the term “personal information” has the meaning given to it in the Act. In general terms, it is any information that can be used to personally identify you. This may include (but is not limited to) your name, age, gender, postcode and contact details (including phone numbers and email addresses) and possibly financial information, including your credit card or direct debit account information. If the information we collect personally identifies you, or you are reasonably identifiable from it, the information will be considered personal information.
If you do not wish to provide us with your personal information, then you are not required to do so. However, by deciding not to provide us with your personal information we may not be able to provide you with access to the Website, either to the same standard as if you had provided the required personal information, or at all.
We collect the type of personal information required to assist with providing you with access to the Website and its associated functionality.
This may include personal information such as:
• Personal or Company name;
• mailing or street address;
• email address;
• telephone number;
• age or birth date;
• details of what you have looked at or purchased from a venue;
• credit/debit card details stored as a secured customer token via our Payment Processor(s) (not as card number, security number and expiry date);
• social media account details (including social media profiles and URL details);
• information on your dietary requirements and preferences; and
• any additional information relating to you that you provide to us directly through our website, by phone, email, surveys, or in person, or information you have provided indirectly through use of our Website or online presence through our representatives or otherwise;
We collect your personal information directly from you unless it is unreasonable or impractical to do so.
We do this in ways including:
• when you validate your phone number, you are registering as a user of the Website;
• via your access and use of our Website;
• via someone else who has provided us with your information; and
• during conversations between you and us via phone or email (if any).
In some situations, we may also collect your personal information from a third party such as an integration partner of Mr Yum. By providing your personal information to a third party, you will be deemed to have authorised that third party to provide your personal information to us.
We strictly do not share your personal information with other Mr Yum customers in our network unless the Venue is part of a larger related party group (Group), in which case we may share your personal information may with that Group only.
Mr Yum does not share your credit/debit card information with the Venue. This information is stored as a secure customer token on the Mr Yum database and this token can only be charged by the Mr Yum website. The only allowance the Venue has to instigate a transaction with your payment method is for the purpose of proving you with a refund for your transaction with the Venue.
We may also provide your information to other third parties engaged by Mr Yum to perform functions on its behalf, such as processing credit card information, as well as third parties authorised by you to receive information held by Mr Yum.
We may collect and disclose personal information to the Venue and other third parties for the purposes described in this policy.
These purposes include but are not limited to:
• efficient communications between you, Mr Yum and the Venue.
• secure storage and management of your files to allow Mr Yum to provide you proper access to the Website.
• where you have consented to the use or disclosure;
• where we reasonably believe that use or disclosure is necessary to lessen or prevent a serious, immediate threat to someone's health or safety or the public's health or safety;
• where we reasonably suspect that unlawful activity has been, is being or may be engaged in and the use or disclosure is a necessary part of our investigation or in reporting the matter to the relevant authorities;
• where such use or disclosure is required under or authorised by law (for example,COVID19 regulations or to comply with a warrant or court order;
• where we reasonably believe that use or disclosure is necessary for the prevention, investigation, prosecution and punishment of crimes or wrongdoings or the preparation for, or conduct of, proceedings before any court or tribunal (or the implementation of orders of a court or tribunal or on behalf of an enforcement body);
• to develop and improve our (and our related entities’) business, products and services;
• to facilitate your participation in loyalty programs;
• for research and analysis in relation to our (and our related entities’) business, products and services;
• for our internal accounting and administration; and
• to facilitate any authorised payments through the payment gateway Stripe.
The primary purpose for which we collect information about you is to enable us to perform our business activities and functions and to provide the best customer experience.
We generally collect personal information as part of providing you with access to the Website, for the Venue to contact you about your meal, informing you about them, complying with our contractual and other legal obligations.
We use your information to involve you in running promotions and other marketing activities and providing you with information about Mr Yum’s activities that may be of interest to you only where you have consented to us doing so. You can opt out of receiving any targeted electronic marketing or promotional communications by following the unsubscribe prompt provided in the communication.
We may disclose your personal information to:
• our employees, contractors, licensees or external service providers for the operation of our website or our business, fulfilling requests by you, including without limitation IT systems administrators or payment processors;
• specific third parties authorised by you to receive information held by us (e.g. a venue that you have opted in to receive marketing information from);
• the police, any relevant authority or enforcement body, or your Internet Service Provider or network administrator, for example, if we have reason to suspect that you have committed a breach of any of our terms and conditions, or have otherwise been engaged in any unlawful activity, and we reasonably believe that disclosure is necessary;
• as required or permitted by any law (including the Privacy Act).
Where practical, such as when just viewing the menu without making a purchase, you may choose not to identify yourself.
In some instances, if you do not provide us with required personal information described in this policy, we may not be able to provide you with access to the Website, either to the same standard as if you had provided the required personal information, or at all.
If you use our Website to make purchases or other financial transactions (such as payment of invoices through the Website for products or services you purchase from a third party user or Venue), we may collect information about the purchase or transaction. This includes payment information, such as your credit card or debit card number (stored as a secure token), billing details and other account and contact information (Financial Information).
We will only collect Financial Information from you with your prior knowledge. You can access and browse our Website without disclosing Financial Information.
We use your Financial Information solely to process payments for products or services you request or purchase through the use of our Website. We only use and retain your Financial Information to complete payments you initiate, any Financial Information that is collected is solely for the purpose of transaction approval and the transfer of funds.
We provide data encryption throughout the payment process and only share your Financial Information with your credit card provider, third party payment processor or financial institution to process payments. The Financial Information we collect from you is strictly confidential and held on secured servers in controlled facilities.
We store your Financial Information against your verified phone number after the transaction is complete for your convenience, so you don’t have to type in your credit card each time you use Mr Yum. You can contact us if you wish to remove your user account and/or card details from your database and we will do this immediately.
We may use third party agents to manage online payment processing. These agents are not permitted to store, retain, or use your Financial Information or other personally identifiable information, except for the sole purpose of payment processing on our behalf. Any third party agent used by us is not authorized to use your Financial Information in anyway other than to process payments and is required to keep any Financial Information it uses or collects confidential.
We may send you direct marketing communications and information about services that we consider may be of interest to you. These communications may be sent in various forms, including mail, SMS or email, in accordance with applicable marketing laws, such as the Spam Act 2004 (Cth). If you indicate a preference for a method of communication, we will endeavour to use that method whenever practical to do so.
In addition, at any time, you may opt-out of receiving marketing communications from us by contacting us (details below) or by using the opt-out facilities provided (e.g. an unsubscribe link). We will then ensure that your name is removed from our mailing list.
We do not share your personal information to other organisations (other than the Venue) for the purposes of direct marketing unless expressly authorised by you.
Even if you do opt out of receiving marketing communications from us, you agree that we may still send you information relevant to the supply of any services arranged by us or goods or services purchased by you through our Website.
If you receive communications from us that you believe have been sent to you other than in accordance with this policy, or in breach of any law, please contact us using the details provided below.
Our Website is hosted by third party service providers.
In order for Mr Yum to allow you access to the Website, we at times may allow access to personal information to third party providers.
We make no representations or warranties in relation to the privacy practices of any third party service providers and we are not responsible for the privacy policies or the content of any third party service provider.
We will not disclose your personal information to any person or entity outside of the region you are in. For example, Australian and New Zealand data is stored in Australia. If this needs to change, we will inform you prior to any overseas disclosure and will provide the relevant details.
If we are required to disclose personal information to other overseas persons or entities, we will take reasonable steps to ensure that the overseas recipients of your personal information do not breach the privacy obligations relating to your personal information.
You may request access to any personal information we hold about you at any time by contacting us at email@example.com.
Where we hold information that you are entitled to access, we will try to provide you with suitable means of accessing it (for example, by mailing or emailing it to you). We will not charge for simply making a request and will not charge for making any corrections to your personal information. If you make an access request, we will ask you to verify your identity. There may be instances where we cannot grant you access to the personal information we hold. For example, we may need to refuse access if granting access would interfere with the privacy of others, or if it would result in a breach of confidentiality. If that happens, we will give you written reasons for any refusal.
If you believe that personal information we hold about you is incorrect, incomplete or inaccurate, then you may request us to amend it. We will consider if the information requires amendment. If we do not agree that there are grounds for amendment, then we will add a note to the personal information stating that you disagree with it.
We request that you keep your information as current as possible so that we may continue to improve our service to you.
We will take all reasonable steps to protect the personal information that we hold from misuse, loss, or unauthorised access, including by means of firewalls, password access, secure servers and encryption of credit card transactions.
If you suspect any misuse or loss of, or unauthorised access to, your personal information, please let us know immediately.
If we suspect any misuse or loss of, or unauthorised access to, your personal information we may inform you of that suspicion and take immediate steps to limit any further access to, or distribution of, your personal information. If we determine that the breach is likely to result in serious harm to you and we are unable to prevent the likely risk of serious harm with remedial action, we will take action in accordance with the Privacy Act 1988 (Cth).
When you use our Website, Mr Yum or our service providers may obtain information using technologies such as cookies, tags, web beacons, and navigational data collection (log files, server logs, and clickstream data) to better understand your user experience. For example, Mr Yum or our service providers may collect information like the date, time and duration of visits and which webpages are accessed.
When you access our Website, we may send a “cookie” (which is a small summary file containing a unique ID number) to your computer or mobile device. This enables us to recognise your computer or device and greet you each time you visit our Website, without bothering you with a request to register or log-in. It also helps us keep track of products or services you view, so that we can send you news about those products or services.
We may also log IP addresses (the electronic addresses of computers connected to the internet) to analyse trends, administer the website, track user movements, and gather broad demographic information.
This information is generally not linked to your identity, except where it is accessed via links in Mr Yum emails or where you have identified yourself. We may also collect anonymous data (which is not personal information) relating to your activity on our website (including IP addresses) via cookies. We generally use this information to report statistics, analyse trends, administer our services, diagnose problems and target and improve the quality of our services. To the extent this information does not constitute personal information because it does not identify you or anyone else, the Australian Privacy Principles do not apply and we may use this information for any purpose and by any means whatsoever.
Mr Yum stores guest register data for contact tracing purposes for 56 days which is the maximum requirements in Australia and New Zealand. This is stores in a separate database table to transactional user data. After 56 days, the data is deleted from the database.
Mr Yum shares this guest register data securely with the Venue via the Mr Yum admin panel so the Venue can check that each table has registered.
Mr Yum may also provide this information to the State Government via manual file transferor by API integration to support broader contact tracing initiatives.
If you are not satisfied with the outcome of our investigation, then you may request that an independent person (usually the Commonwealth Privacy Officer) investigate your complaint.
To contact Mr Yum about your personal information, concerns or complaints, email at firstname.lastname@example.org or alternatively, write to Mr Yum, PO Box 1653, Sun Valley, 7985, Cape Town, South Africa