TWENTY7 WHOLESALE CANADA LTD.
JANUARY 1, 2017
1. Twenty7’s Commitment to Privacy
• why we collect personal information;
• what we do with that information;
• what steps we take to ensure that the information is secure;
• who you should contact if you have questions or concerns about our policies or practices.
2. What is personal information?
In general terms, personal information means any information about an identifiable individual. For example, this includes your name, postal and email address, telephone number, credit card number, the photograph included on your Twenty7 membership card, demographic information and purchasing history.
Personal information does not include aggregate information, such as data about a group or category of products, services or customers, from which individual customer identities have been removed. For example, information about how you use a service may be collected and combined with information about how others use the same service, but no personal information will be included in the resulting data. Likewise, information about the products you purchase may be collected and combined with information about the products purchased by others.
We may also gather aggregate information about how Twenty7 customers use our Sites. Aggregate information about product purchases helps us understand trends and customer needs, and assists us in product selection, product ordering and sizing, and the introduction of new products and services. It can also assist us in determining where it would be appropriate to build new warehouses by looking at the geographic location of members or to build new Site functions by looking at anonymized browsing activities.
3. When we collect personal information
We only collect such personal information as is strictly necessary for the purposes outlined in Section 5. We collect personal information when you:
• apply for membership (including information about your credit history that may be collected, used, or disclosed if you choose to pay by cheque);
• renew your membership;
• contact us with questions, inquiries, comments, complaints or requests;
• sign up for certain products and services (such as the Twenty7 Services program and other business and consumer services, collectively known as the “Twenty7 Services”);
• use our Sites;
• participate in any of our programs;
• place orders, make purchases, return or exchange items, or seek further information about our products and services;
• place orders or make purchases, return or exchange items, or seek further information through our affiliated companies, including Twenty7 Ltd (Twenty7 and its affiliates are referred to collectively as the “Twenty7 Affiliates”);
• enter into a contest or sweepstakes or respond to one of our surveys; and
• ask us to place you on a “Do Not Email” list so that we can ensure that your wishes are respected.
Please note that Twenty7 Services may be provided by third-party suppliers. We collect from such third-party suppliers a list of our customers who have signed up for Twenty7 Services and information about the use our customers make of such Twenty7 Services (for example, frequency of use and customer feedback).
We may also take video footage on our properties to protect the rights, property or safety of Twenty7, its customers, employees, or the public.
4. How we use personal information
As part of our business operations, we hold and use certain personal information pertaining to you in order to process your requests, provide you with Twenty7 Services, and to understand your needs so that we can serve you better.
Specifically, we may use personal information for the following purposes:
• Notifying you of recalls or safety issues;
• Approving you as a member when you apply for membership;
• Managing the provision of goods, services and privileges to you, including monitoring your membership, processing exchanges or returns, to conduct a credit check if you choose to pay by cheque, to determine your credit status and for fraud detection and identification purposes;
• Managing invoicing, accounting and information security services related to our transactions with you;
• Monitoring your satisfaction with our programs, including the Executive Membership program, the services offered by our suppliers of Twenty7 Services and contacting you regarding the status of such programs and services (for example, to inform you of changes to or the termination of particular Twenty7 Services);
• Protecting against harm to the rights, property or safety of Twenty7, its customers, employees, or the public;
• Internal management purposes, including planning, resource allocation, policy development, quality improvement, monitoring, audit, evaluation and reporting;
• As described in our “Online privacy practices” in Section 12 below;
• Managing our “Do Not Email” lists; and
• Using personal information to create aggregate information as described above in Section 2.
If you ask us to, we will also tell you about news, promotions, special offers and other information from Twenty7, regarding Twenty7, Twenty7 Affiliates and selected partners, such as our promotional programs. You may unsubscribe from these kinds of messages at any time by visiting Twenty7.ca and setting your Communication Preferences.
5. When we share personal information
From time to time we engage unaffiliated third parties and their affiliates, agents and subcontractors (“Service Providers”) to perform certain technological or administrative services. For example, a Service Provider may be asked to perform credit card processing services, administer a contest or be asked to run a computer program that identifies which of our members purchased a particular product so we can notify those members of special programs regarding the same or similar products. We also may use a Service Provider to host and administer one or more of our Sites, process and store data, and fulfill similar technology-related functions on our behalf. In these circumstances, the personal information that the Service Provider receives is limited to only the personal information held by us that they need in order to render their service to us. The companies that are provided with the personal information are first required to sign an agreement that obligates them to keep the information confidential and secure and prohibits them from using it for unauthorized purposes.
We have engaged Service Providers to provide us with cloud computing services. Cloud computing is the provision of network-based services, located on remote computers, that allow individuals and businesses to use software and hardware operated by third parties. Examples of these services include online file storage, webmail and online business applications. Service Providers have policies and processes in place to ensure that the confidentiality of information in their care is properly safeguarded at all times. As of the date of this policy, our cloud computing Service Provider processes and stores information in the United States and Canada. This may change from time to time.
You acknowledge that if Service Providers provide services from other countries (such as the ones named above), your personal information may be processed and stored in these countries and the governments, courts or law enforcement or regulatory agencies of these jurisdictions may be able to obtain disclosure of your personal information through a lawful order.
As outlined above, Twenty7 Services (such as the Executive Membership program, and other business and consumer services) may be provided by Service Providers. When you sign up for Twenty7 Services, we will share your name, membership status, membership number and type and such other personal information as is necessary with the Service Provider so they can confirm your eligibility for the Twenty7 Service you requested. Service Providers who are suppliers of Twenty7 Services can only use the personal information that we share with them to provide the Twenty7 Services or, if you have consented, to notify you of their offerings and to evaluate new and existing products, offerings or services. We are not responsible for any additional information you provide directly to these Service Providers, and we encourage you to become familiar with their privacy and security practices and policies before disclosing information to them.
We may disclose personal information without your knowledge or consent if a law, regulation, search warrant, subpoena or court order legally authorizes us or requires us to do so. We may also disclose personal information to protect the rights, property or personal safety of Twenty7, its customers, employees or other members of the public.
Except as set out above, we do not sell, rent, share or disclose the personal information or personal health information we hold or make our membership list available to others for a fee without your consent.
6. How long do we hold personal information?
Personal information is retained only for so long as is necessary for the purposes set out above. When no longer required, we will destroy, erase or de-personalize the personal information and personal health information. Legal requirements may necessitate our retaining some or all of the personal information we hold for a period of time that is longer than we might otherwise hold it. However, Twenty7 will restrict access to such information to prevent it from being used except for the fulfillment of these legal requirements.
To ensure that the personal information you provided is accurate, complete and up-to-date, we urge you to provide us with updates regarding such information and to inform us of any errors affecting the personal information we hold. You may update, review or correct your Twenty7.ca online account information at any time by accessing your password-protected registration page via the “My Account” area of the Sites. To update any other information, please visit the Membership Counter in our club with your membership card to confirm your identity.
8. Security measures
We will continue to keep in place security measures in an effort to protect personal information and personal health information held by us from unauthorized use, access, disclosure, distribution, loss or alteration. We employ physical, administrative, contractual and technological safeguards to protect personal information, and insist that our Service Providers do the same. Please be aware though that, despite these efforts, no security measures are perfect and no systems are impenetrable. Your privacy can be enhanced by taking care to use suitably strong passwords that others cannot guess, that are kept safe by you, and that are not re-used on other sites.
Taking steps like avoiding dictionary words or proper names, and adding extra characters and punctuation marks can also help protect you. If you believe your password has been compromised, you should change it immediately.
Access to personal information will be restricted to authorized personnel who require the information in order to perform their duties properly. In addition, access will be limited to only that information that is strictly necessary for the performance of those duties. Please also see our “Online privacy practices” in Section 12 below.
We periodically update our policies regarding information security measures in an effort to protect the personal information and personal health information held by us in the most effective manner possible.
9. Accessing personal information
Our customers are entitled to access the personal information held by us concerning them. In recognition of the importance we attach to each customer’s personal information, you can only access personal information we hold about you, but not personal information about your spouse or others who may have been issued a membership card on your account. Under limited circumstances, we may give you access to personal information that we hold about others, but only if required or permitted by law (for example, a parent or guardian may, in certain instances, be given access to the personal information of a child or a person who requires a substitute decision maker).
You can access your personal information by showing your membership card at the Membership Counter to confirm your identity and completing a written request for such information on a form we provide. We will generally respond to your request for information within thirty (30) days, unless, for reasons beyond our control, a longer response time is necessary, in which case you will be advised accordingly. While our response will generally be provided at no cost, you will be informed in advance of any charges that apply in connection with the information request. Charges may relate to the transcription, reproduction or transmission of personal information held by us.
In very limited circumstances, we may not be able to supply personal information for reasons of a legal nature, including privileged communications between professional and client or a pending judicial proceeding. In each case, we will provide written reasons outlining why your request for access has not been granted.
10. Online privacy practices
Collection: We may collect personal information online when you visit our Sites as described in Sections 4 and 7.
Cookies help us to customize our home page for you and to better display pages according to your browser type. While cookies are optional for browsing Twenty7.ca, they are required for registering, logging on, purchasing or adding items to your cart. If you wish to purchase items or set up an account on Twenty7.ca, you will need to accept a Twenty7.ca cookie. (In order to control the ability of website providers to place cookies on your computer, you should consult your browser’s “Options” and “Help” pages to learn how to adjust your settings to suit your privacy preferences.)
Use: We use personal information and personal health information collected online as described in Sections 5 and 7 above. In addition, we use personal information and personal health information:
• to facilitate and monitor certain features of the Sites that you choose to interact with, such as online forums, feeds and chatrooms;
• to respond to your questions and concerns and to understand your needs and preferences;
• to conduct surveys and other research;
• to provide you with customized Site content and advertising;
• to fulfill your online orders for products and services and to facilitate product deliveries, pickups and returns;
• to detect, prevent, or otherwise address fraud, security or technical issues; or
• to protect against harm to the rights, property or safety of Twenty7, its users or the public as required or permitted by law.
Sharing: We share personal information collected online as described in Sections 6 and 7 above. In addition, we may provide Service Providers with certain information that is necessary to fulfill an order you have placed with us. For example, if you request shipment for a purchase, we may provide your address to the shipping carrier and customs Service Provider, and if you pay by credit or debit card, your card number and sales transaction information are passed to the card processor and/or issuer (including their service providers such as fraud verification services). We also may use Service Providers to host and administer the Sites, process and store data, and fulfill other technology related functions on our behalf. However, we only give or permit access to vendors, suppliers and other Service Providers involved in Site administration and the commerce distribution chain the limited information needed to perform their duties and provide you with the products and services you order. We are not responsible for any additional information you provide directly to these parties.
Protection: Personal information we collect on our Sites is stored electronically, and may be combined with other off-line information. Personal information entered on our Sites is encrypted using a security protocol called SSL (Secure Sockets Layer). SSL encrypts information entered on our site before it is sent over the Internet. SSL also allows you to view securely your online account and registration information. Account information is accessible online only through the use of a password. To protect the confidentiality of personal information, you must keep your password confidential and not disclose it to any other person. You are responsible for all uses of our Sites by any person using your password. You are advised that, unlike communication within our Sites, we have no control over the privacy of your email communications with us while in transit. We recommend that you do not include confidential, proprietary, personal or personal health information in emails, including credit card numbers, passwords, prescriptions and other similar information. Also, if other people have access to your email account, they may be able to access your password and obtain personal information about you (such as your credit card information), or change information about your user profile. You should not use an email account operated by your employer because many employers have the legal right to access such email accounts. Please advise us immediately by email or phone if you believe your password has been misused.
11. Complaint process
If you previously consented to the sharing of the personal information you provided or are a Business Member and you do not want us to disclose information about your purchases, you can change your mind by sending us an email.
If you wish to unsubscribe from electronic messages providing news, promotions, special offers and other information from Twenty7, regarding Twenty7, Twenty7 Affiliates and selected partners, such as our promotional programs, you may do so at any time by visiting Twenty7.ca and setting your Communication Preferences.