Privacy Policy

I Heart Studios Group Limited understands that your privacy is important to you and that you care about how your personal data is used. We are committed to ensuring that your privacy is protected.

This privacy notice sets out how we look after your personal data and tells you about your privacy rights and how the law protects you. Personal data is any information about you from which you can be identified. It does not include data where your identity has been removed. This privacy notice applies when you have provided your personal data to us yourself or someone else has provided your personal data to us.

Please read this privacy notice in full, so that you understand how your personal data is used by us.

We may also provide you with other privacy notices on specific occasions when we are collecting or processing personal data about you, to make sure that you are fully aware of how and why we are using your personal data. This privacy notice is in addition to those other notices and is not intended to override them.

1. Information about us

I Heart Studios Group Limited

Registered Number 7657037
Registered Address 6th Floor Charlotte Building, 17 Gresse Street, London, W1T1QL, UK
Trading Address J409 The Biscuit Factory, 100 Clements Road, London, SE16 4DG, UK
VAT/BTW Number GB126963590

I Heart Studios Netherlands BV

Registered Number 66899094
Registered Address Joop Geesinkweg 222, 1114AB Amsterdam, The Netherlands
Trading Address Joop Geesinkweg 222, 1114AB Amsterdam, The Netherlands
VAT/BTW Number NL856737112B01

I Heart Studios Hong Kong Limited

Business Registration Number 2667001
Registered Address Unit 305-7, 3/F Laford Centre, 838 Lai Chi Kok Road, Cheung Sha Wan, Kowloon, Hong Kong
Trading Address Unit 06, 2/F, 1 Hung To Road, Kwun Tong, Hong Kong

2. What personal data we collect?

We may collect some or all of the following personal data about you which we have grouped together as follows (this may vary according to your relationship with us):

• Identity Data may include first name, last name;
• Contact Data may include business name, postal address, email address and telephone numbers;
• Correspondence Data: this refers to any personal information contained in or related to any communication you send to us or we send to you;
• Financial Data may include bank account and invoice details;
• Transaction Data may include details about payments to and from you and other details of products and services you have provided to us or we have provided to you;
• Usage Data: This refers to data about your use of our website. This data may include IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your service use;
• Marketing and Communications Data may include your preferences in receiving marketing from us and our third parties and your communication preferences.

3. How do we collect your data?

We use different methods to collect personal data from and about you, as follows:

Direct interactions. You may give us your Identity, Contact, Correspondence, Marketing and Communications Data, Financial and Transaction Data by filling in forms or by corresponding with us by post, phone, email, in person, via social media, via our website or otherwise. This includes personal data you provide when you:

• enquire about our services;
• purchase our services;
• provide us with a service or product;
• request marketing or other information to be sent to you;
• vist us
• communicate with us (including by telephone); or
• give us some feedback.

Automated technologies or interactions. As you interact with our website or use our services, we may automatically collect Usage Data about your equipment, browsing actions and patterns. We collect this data by using cookies and other similar technologies. Please see Cookies in Part 4 below for more details.

Third parties or publicly available sources. We may receive personal data about you from various third parties (which may include public sources) as set out below:

• Usage Data from providers such as Google Analytics and Mailchimp;
• Identity and Contact Data from data brokers or aggregators;
• Identity and Contact Data from publicly available sources such as Companies House or company websites;
• Identity and Contact data from your employer, where your employer is supplying products or services to us, or we are providing services to your employer.

4. How do we use your personal data?

In accordance with data protection laws, we will only process your personal data where we have a lawful basis for doing so. Most commonly, we will use your personal data in the following circumstances:

• Where we need to perform the contract we are about to enter into or have entered into with you.
• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
• Where we need to comply with a legal or regulatory obligation.

Sometimes we may ask you to consent to our collection and use of certain of your personal data. You have the right to withdraw your consent at any time.

Your personal data may be used for the following purposes. Note that we may process your personal data on more than one lawful basis depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal basis we are relying on to process your personal data:

• Supplying our services to you or your employer. Our lawful basis for processing is performance of a contract with you, or our legitimate interests (performance of our contracts, enforcing our legal and contractual rights (including recovering money due to us), the proper administration of our business).
• Personalising and tailoring our services for you or your employer. Our lawful basis is our legitimate interests (developing and improving our business and services).
• To manage our relationship with you or your employer (including responding to queries and requests). Our lawful basis for processing is performance of a contract with you or our legitimate interests (the proper administration of our business, keeping our records updated and developing and enhancing our business and services).
• Conducting business with you or your employer, including receiving services or products from you or your employer. Our lawful basis for processing is performance of a contract with you, or our legitimate interests (performance of our contracts, enforcing our legal and contractual rights, the proper administration of our business).
• Supplying you with information about our business and services. Our lawful basis for processing is consent or our legitimate interests (direct marketing, providing information you have requested, developing and promoting our business and services).
• Improving our website and services, including using data analytics to improve our website, products/services, marketing, customer relationships and experiences. Our lawful basis for processing is our legitimate interests (analysing the use of our website and services, monitoring and improving our website and services, informing our marketing strategy and the way we provide our services).
• Administering and protecting our business and our website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data). Our lawful basis for processing is our legitimate interests (proper administration of our business, protection and security of our business and IT systems against risks, provision of administration and IT services in our business).
• Determining, or making suggestions and recommendations to you about services or offers which may be of interest to you. Our lawful basis is consent or our legitimate interests (developing our services and growing our business).

We may process any of your personal data identified in this policy where necessary for the purposes of obtaining and maintaining insurance coverage, managing risks, obtaining professional advice, and for the establishment, exercise or defence of legal claims. Our lawful basis is our legitimate interests (proper protection of our business against risks, protection and assertion of legal rights).

Marketing

What we can do?

We may send marketing communications to you:

• by post, if you have not opted-out of receiving that marketing; and
• by email if you have given your specific consent.

Third-party marketing

We will not share your personal data with any company outside our group of companies for marketing purposes without your express opt-in consent.

Opting out

You have the right to ask us to stop sending you marketing communications at any time.
You can do this by:

• following the opt-out links on any marketing communication sent to you; or
• contacting us.

If you opt out of receiving some or all of our marketing, we will retain your Marketing and Communications Data for our records in order to ensure that we know that you have opted out.

If you change your mind after opting out, you can update your choices at any time by contacting us.

Cookies

We use Google Analytics to analyse the use of our website. Google Analytics gathers information about website use using cookies that may be stored on your device when you visit our website. This information is used to create reports about the use of our website. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of anyone visiting our website.

For more information on Google Analytics please visit: https://support.google.com/analytics/answer/6004245

To opt out of being tracked by Google Analytics across all websites, please visit: https://tools.google.com/dlpage/gaoptout

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

5. How long will do we keep your personal data?

We will not keep your personal data for any longer than is necessary in light of the reason(s) for which it was first collected, including for the purposes of satisfying any legal, accounting, or reporting requirements and obligations. Details of retention periods for different aspects of your personal data are available in our retention policy which you can request from us.

In some cases it is not possible for us to specify in advance the periods for which your personal data will be retained. In such cases, we will determine the period of retention based on the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

6. Where do we store or transfer your personal data?

We may share your data within the group of companies of which we are a part. This may involve transferring your data outside the European Economic Area (EEA) depending on the subsidiary.

Some of our external third parties are based outside the European Economic Area (EEA) so their processing and storage of your personal data will involve a transfer of data outside the EEA

Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

• We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. Further details are available from the European Commission
• Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. Further details are available from the European Commission
• Where we use providers based in the US, we may transfer data to them if they are part of the EU-US Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US. Further details are available from the European Commission

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.

7. Do we share your personal data?

We may have to share your personal data with the parties set out below for the purposes set out in Part 4 above.

Internal Third Parties

Other companies in the I Heart Studios Group Limited. Currently we operate in the UK, the Netherlands and Hong Kong.

External Third Parties

• Service providers acting as processors who provide:
  • IT and system support and administration;
  • cloud computing (currently Google/GSuite);
  • o data analytics (currently Google Analytics);
  • o marketing companies who help manage our marketing communications (currently Mailchimp);
  • o data storage (currently Salesforce, for storing contact and communication details).
• professional advisers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services;
• HM Revenue & Customs, Belastingdienst, regulators and other authorities based in the United Kingdom and The Netherlands;
• Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.

Requirements for our third party service providers

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

Other disclosures we may make

We may also disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person. We may also disclose your personal data where such disclosure is necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.

Other Websites

Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements or notices. When you leave our website, we encourage you to read the privacy notice of every website you visit.

8. How do we keep your personal data secure?

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

9. What are your rights?

You have the right to request:

1. access to the personal data we hold about you (commonly known as a data subject access request). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
2. correction of your personal data if any of your personal data held by us is inaccurate, out of date or incomplete. Please contact us should your personal information change at any point during our relationship
3. deletion or removal of any of your personal data that we have, in certain circumstances.
4. that we restrict the processing of your personal data, in certain circumstances.
5. that we stop using your personal data for a particular purpose or purposes, in certain circumstances.
6. the transfer of your personal data to you or to a third party, in certain circumstances.

You have the right to withdraw consent at any time where we are relying on consent to process your personal data. This will not affect the lawfulness of any processing carried out before you withdraw consent. Please note that if you withdraw consent, we may not be able to provide certain products or services to you. We must comply with this request by law.

You also have the right to stop the use of your personal data for direct marketing through all or any channels, at any time. We must always comply with your request by law.

Further information about your rights can also be obtained from the Information Commissioner’s Office (https://ico.org.uk) or Dutch Data Protection Authority (https:/autoriteitpersoonsgegevens.nl).

If you have any cause for complaint about our use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (https://ico.org.uk) or Dutch Data Protection Authority (https:/autoriteitpersoonsgegevens.nl). We would, however, appreciate the chance to deal with your concerns before you approach the ICO or DDPA so please contact us in the first instance.

10. How do you exercice your rights?

If you want to exercise your legal rights in relation to your personal data, please contact us using the contact details in Part 11.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

Please note that we are not always required to comply with your request. For example, there may be specific legal reasons which will be notified to you, if applicable, at the time of your request and, in some cases, we may have compelling legitimate grounds to process your information which override your rights and freedoms.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We will respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

11. How do you contact us?

If you have any questions about this privacy notice including any requests to exercise your legal rights, please contact our Data Privacy Manager as follows:

• Email address: gdpr@iheartstudios.com
• Dutch Postal Address: Joop Geesinkweg 222, 1114AB Amsterdam, The Netherlands
• Hong Kong Postal Address: Unit 06, 2/F, 1 Hung To Road, Kwun Tong, Hong Kong

12. Changes to this privacy policy

We may change this Privacy Notice from time to time by publishing a new version on our website. This may be necessary, for example, if the law changes, or if we change our business in a way that affects personal data protection. We recommend that you check this page occasionally for any policy changes or updates.