It also describes your data protection rights, including a right to object to some of the processing which we carry out.
More information about your rights, and how to exercise them, is set out in the section “What rights do I have?”.
2. What information do we collect?
We collect and process personal data about you when you:
3. How do we use this information, and what is the legal basis for this use?
We process personal data for the following purposes:
3.1 To conduct our business and pursue legitimate interests — in particular, to:
(a) Provide our services to you, including: responding to any questions you may have of us; providing you with recommendations on products in our stores or on our Site; maintaining your shopping cart on our Site; assessing your applications with us for any of our services or loyalty programmes; providing our Privilege Card to you; fulfilling any orders you may make with us (including verification and security checks of your details, performing appropriate anti-fraud checks such as credit / identity checks, processing of your payments, shipping to you the products that you have ordered from us, and processing your returns or exchanges of our products); providing free Wi-Fi services to you at our physical stores; providing mobile application services to you; personalising our services to you and enhancing your experience in using our services;
(b) Monitor the use of our Site and our services (both online and offline), and use your information to help us monitor, improve and protect our products, content, services (both online and offline) and our Site;
(c) Analyse trends, usage, browsing and shopping behaviour with us (whether on an individualised or anonymised and aggregated basis), which helps us better understand how you and our collective customer base access and use our Site, stores and services, for the purposes of:
3.2 When you give us consent (if required):
(a) To allow you to register for and participate in our events and promotions, including verifying your identity at those events and promotions; and
(b) To provide you with direct marketing communications in relation to products, services, events, offers or promotions under the categories stated below, provided by: (i) us or our related companies (including our affiliate and subsidiary companies), (ii) business partners, and/or (iii) other third-party providers.
These marketing communications may:
3.3 For purposes that are required by law, such as in response to lawful requests by government or law enforcement authorities conducting an investigation.
4. Withdrawing consent or otherwise objecting to direct marketing
Whenever we are required to obtain your consent to the processing of your personal data under applicable law, you will always be able to withdraw any consent you provide to us. We will then stop using your personal data for the purpose in respect of which you have withdrawn your consent, but we may still use, process, store and transfer your personal data for other purposes if applicable law allows us to do so.
You can withdraw your consent by:
(a) amending your preferences in the logged-in area of our Site; and/or
(b) contacting our Data Privacy Officer at firstname.lastname@example.org sending your withdrawal request by post to our Data Privacy Officer at JOYCE Group, 30F, One Island South, 2 Heung Yip Road Wong Chuk Hang, Hong Kong; and/or
(c) in the case of direct marketing emails, by clicking the unsubscribe link at the bottom of such emails.
5. Who will we share this data with, where and when?
We may share your personal data with the related companies of Joyce Boutique Group Limited, LCJG Limited and their respective subsidiaries located within or outside Hong Kong for the purposes set out in the section “How do we use this information, and what is the legal basis for this use?” above.
Personal data may be shared with government authorities and/or law enforcement officials if required for the purposes set out in the section “How do we use this information and what is the legal basis for this use?” above, when mandated by law and in compliance with Hong Kong’s Personal Data (Privacy) Ordinance (the “Ordinance”) or other applicable laws.
(a) Courier and other goods delivery services;
(b) Email, SMS and other digital notification services;
(c) Telecom companies (e.g. for providing in-store Wi-Fi services);
(e) Google, Facebook and other advertising networks (for the matching of your personal data with their database in order to send you our direct marketing materials through, e.g., your Google and/or Facebook account(s));
(g) credit reference and fraud-prevention agencies (e.g. for performing appropriate anti-fraud checks, such as credit / identity checks); and
(h) Data analytics and hackathon service providers and agencies (for the purposes stated in the section “How do we use this information, and what is the legal basis for this use?” above), to whom we will only send anonymised data and then only for the purposes in the section “How do we use this information, and what is the legal basis for this use” above.
We may also sell your personal data to third parties for their own purposes where permitted by applicable laws.
If our business or any part of it is put up for sale, sold or integrated with another business, personal data may be disclosed to our advisers and any prospective purchaser and their advisers and will be passed to the ultimate new owners of the business.
6. What rights do I have?
Where permitted by law, you have the right to ask us for a copy of your personal data; to correct, delete or stop any active processing of your personal data, to obtain from us, in a structured, machine-readable format, the personal data you’ve previously provided to us, and to ask us to share this data with another data controller.
In some circumstances, your rights to object to our processing of your personal data may be limited — for example, where fulfilling your objection request would reveal personal data about another person, where it would infringe our rights or the rights of a third party or if you ask us to delete information which we either are required by law to keep or have compelling legitimate interests in keeping. Relevant exemptions in these respects are provided under applicable laws. We will inform you of any exemptions we rely upon when responding to any objection request you make.
To exercise any of these rights, or to obtain other information (such as a copy of a legitimate interests assessment), you can get in touch with us – or our Data Privacy Officer – using the contact details set out in the section “How do I get in touch with you” below.
7. Who is the data controller?
The data controllers are Joyce Boutique Group Limited, LCJG Limited and their respective subsidiaries; contact details for them can be found in the section “How do I get in touch with you” below.
8. How long will my data be kept?
(a) Personal data collected during your registration on our Site: we process this personal data for as long as (i) you are an active user of our Site and (ii) it is required for our business and/or legitimate interests or by law or regulation.
(b) Personal data processed for marketing purposes or with your consent:, we process the personal data for this purpose until you ask us to stop and for a short period after this to allow us to implement your request. We also keep a record of the fact that you have asked us not to send you direct marketing or not to process your data, so that we can respect your request in the future.
(c) Personal data collected by analytics cameras: we will not keep any images captured by our analytics cameras for longer than is necessary to achieve the purposes for which they are collected, and such images will be anonymised and aggregated before any use of them for the purposes stated in the section “How do we use this information, and what is the legal basis for this use?” above.
9. Our In-Store Photography policy
We may place conspicuous notices in our stores to advise that we do not allow customers to take unauthorised photographs or make unauthorised sound and/or video recordings in our stores, whether for commercial use, private gain, use in press or media or promotional purposes. We reserve the right to remove offenders in this regard from our premises.
We permit photography, sound and/or video recording where the images/recordings are solely for personal use and are not published or reproduced in any form for commercial use, private gain, use in press or media or promotional purposes.
However, permitted photography, sound and/or video recording are all subject to the following conditions:
(1) no photographs or video and/or sound footage are taken of staff members or other customers without the express permission of the staff member or customer;
(2) flash lighting and tripods are not used unless we have given our prior written permission;
(3) customers do not take photographs or record sound and/or video footage where:
Customers who breach any of these conditions must promptly and peacefully leave our premises. We reserve the right to remove them. If any in-store customer has questions about this photography policy, the customer may contact the relevant Store Manager.
10. Our CCTV policy
The purpose of our CCTV policy is to give notice and guidance to customers and other visitors to our premises, including to our stores, of our use of CCTV in those premises. Our use of CCTV in those premises complies with the requirements of the Ordinance and other applicable laws.
We use in-premises CCTV primarily to procure reasonable security in and safety of the monitored area.
In accordance with the Ordinance, the relevant guidelines issued by the Office of the Privacy Commissioner for Personal Data in Hong Kong (the “PCPD”) and other applicable laws:
Our CCTV notices reflect the use of CCTV in our stores. They remind you to contact us if you have any further enquiries about our processing of your personal data via CCTV:
Our CCTV procedures
A. Proper Storage and Handling of CCTV Footage
Our CCTV system and any personal data collected by it (“Footage”) is subject to security measures to protect it and to prevent unauthorised access to or handling of it, including the following measures:
(a) Storage: All Footage is encrypted and stored in secured physical and digital locations. Access to the physical storage locations is secured and restricted to authorised users only. Digital storage of the Footage can be accessed only by authorised users and then only by way of a traceable log-in and password. Records are kept of the authorised users who access the Footage.
(b) Use: Authorised users are only permitted to access and view the Footage when an incident is reported to us that reasonably requires the Footage to be viewed (“Incident”), such as an offence being committed on the premises or for the purposes of a police investigation. If such an Incident occurs, the Footage is stored as set out above until the Incident is investigated and closed.
If the Footage is to be moved in digital format through email or any other electronic transmission method, it will only be moved in encrypted form to an authorised user, and then only as necessary in accordance with this policy. We have safeguards in place to protect our electronic transmission systems from interception. All movement of the Footage is documented.
(c) Deletion: If no Incident is reported to us within a reasonable period of time from the date on which the Footage was first recorded, or when an Incident is closed, the relevant Footage will be securely and permanently destroyed. If the Footage is in hard copy form, it will be destroyed by shredding and then secure disposal; if it is in electronic form, the Footage will be permanently erased from our systems.
(d) Compliance: We carry out compliance checks and audits annually to review the effectiveness of the safeguards and procedures of the CCTV system.
B. Transfer of CCTV records to third parties
(a) We will only disclose Footage to a third party in accordance with the section “Who will we share this data with, where and when”.
(b) If we are requested to provide Footage to a law enforcement agency, e.g. to the Police for criminal investigation purposes, we will only do so in compliance with a written request provided by the relevant law enforcement agency and if we reasonably believe that an exemption under the Ordinance or other applicable laws applies.
C. Customer enquiries about our use of CCTV
You may report any suspected misuse of our CCTV system using the contact details set out in the in the section “How do I get in touch with you” below.
Please note that we are unable to accept requests from customers to view Footage, because the Footage may contain personal data of other third parties that we may not be allowed to share under applicable laws.
11. Our Data Analytics policy
The purpose of this data analytics policy is to explain the use of data analytics cameras in our stores. Data analytics cameras are used in our stores for statistical research purposes, such as demographics analysis and traffic flow analysis within our stores.
(b) Security and destruction of data: We have security measures in place to prevent unauthorised access to our data analytics system. The facial biometric templates collected using the analytics camera are securely and permanently deleted within 24 hours of being collected, and only the aggregated and anonymised data is retained.
(c) Notice: We notify customers and other visitors to our stores when data analytics cameras are in use by the conspicuous posting of notices stating “analytics cameras in operation” at both the entrance to any monitored area of the store and inside the area itself. Notices are also posted to alert customers if the analytics cameras themselves are very discreetly located. No analytics cameras are installed in places where people have a reasonable expectation of privacy, such as in changing rooms.
The facial biometric templates collected using the analytics camera are disclosed only to our third-party service providers who operate the analytics cameras for the research purposes stated above.
13. How do I get in touch with you?
GDPR: Notice for Residents in the European Economic Area
Last updated: 2023
Relying on our legitimate interests
Withdrawing consent or otherwise objecting to direct marketing
Applicable laws permit us to send you direct marketing without your consent where we rely on our business or legitimate interests. However, regardless of the type of legal basis on which we rely to send you direct marketing, you have an absolute right to opt out at any time from direct marketing by us or from any profiling we carry out for that direct marketing.
Who will we share this data with, where and when?
If we transfer your personal data outside the EEA to a business partner or third-party service provider in a country that is not subject to an adequacy decision by the EU Commission, the personal data will be adequately protected by EU Commission-approved standard contractual clauses, an appropriate Privacy Shield certification or the third party or business partner’s Processor Binding Corporate Rules. A copy of the relevant mechanism can be provided for your review on request to the contact mentioned in the section “How do I get in touch with you” above.
Your personal data may be transferred to the Hong Kong Special Administrative Region, the Macao Special Administrative Region, Mainland China, the Taiwan Region, Indonesia, Singapore, Australia, United States and/or Japan.
What rights do I have in relation to the processing of my personal data?
You can object to our processing of your personal data where we do not need to process the data for business interests, other legitimate interests, purposes for which consent has been given (including direct marketing) or other legal requirements.
You have the right to complain about any unresolved data privacy concerns to an EU data protection authority where you live, work or where you believe a breach may have occurred.
How long will my data be kept?
Where we process personal data for our Site’s security purposes, we retain it for seven years after any business and legitimate interests no longer exist. Where we process personal data in connection with performing a contract or for a competition, event or promotion, we keep the data for seven years from your last interaction with us.
CALIFORNIA CONSUMER PRIVACY ACT: Notice for California Residents
Last updated: 2023
Information we collect
We are required to disclose to you the categories and sources of personal data we have collected from you within the last 12 months. Please refer to the sections “What information do we Collect?” and “How do we use this information, and what is the legal basis for this use?,” above, for details on the personal data we collect.
Sharing personal data/Do not sell my personal data
We may disclose your personal data to third parties for certain business purposes. Please refer to the “Who will we share this data with, where and when?” section above for details.
We do not sell your personal data to third parties for their own marketing, advertising or other business purposes, unless permitted by the CCPA.
Your Other California Privacy Rights
Right to Know
You have the right to request us to disclose to you certain information about our collection of your personal data over the past 12 months (“Personal Information”). Upon receipt and confirmation of your verifiable request, we will disclose to you the following information in respect of that period:
Right to Request Deletion
You have the right to request us to delete Personal Information we have collected from you. Upon receipt and confirmation of your verifiable request, we will delete such Personal Information from our records, unless it is necessary to be retained in order for us or our service providers to:
Right to access Personal Data
You may submit requests to exercise your rights in relation to your Personal Information to the email address set out in the “How do I get in touch with you?” section above . We will seek to disclose and deliver to you the required information in accordance with the CCPA.
Right not to be discriminated against
We will not discriminate against you because you exercise your California privacy rights, and we will not deny you goods or services, charge you a different price or rates for goods or services or provide a lower quality of goods or services to you due to your exercise of any of those rights.
PERSONAL INFORMATION PROTECTION LAW: Notice for Residents of Mainland China
Last updated: 2023
Your Data Controller
The data controller for the purposes of this Notice is Joyce Boutique (China) Ltd, whose registered address is at Room 319, 3rd Floor, No. 1266 Nanjing Xi Lu, Jing’an District, Shanghai, and its affiliates in the PRC. For questions or concerns related to your personal data, please contact us at email@example.com.
We will obtain your consent (and, where applicable, your separate consent) to process your personal data if and to the extent required by applicable laws.
Sensitive Personal Data
“Sensitive personal data” means personal data that, if leaked or illegally used, could easily harm the dignity of a person or the safety of that personal or their property. It includes: (i) biometric data; (ii) religious belief; (iii) specific social status; (iv) medical health information; (v) financial accounts; (vi) tracking/location information; and (vii) personal data of minors aged under 14.
Disclosure of Personal Data to Third Party Data Controllers
Overseas Transfer of Personal Data
With your separate consent, we may transfer, access or store your personal data outside Mainland China, provided that either we are satisfied that adequate levels of protection are in place to protect the integrity and security of your personal data or we have adopted adequate security measures in compliance with applicable laws, such as appropriate contractual arrangements.
Where required by applicable laws, we will put in place appropriate measures to ensure that all processing of your personal data outside of Mainland China is safeguarded by the equivalent level of data protection as in Mainland China. You may contact us via firstname.lastname@example.org if you would like to further details about these overseas transfers.
We have implemented reasonable and appropriate technical and organisational security measures designed to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, access and other unlawful or unauthorised forms of processing, in accordance with applicable laws.
Children’s Personal Data
We will not knowingly collect or process the personal data of any child under the age of 14 (“Child”), unless with the consent of the Child’s parent or guardian. If we become aware that we hold personal data of a Child, we will take steps to delete the personal data of the Child as soon as possible. Parents or guardians can also contact us to request such deletion.
Changes to the Mainland China Notice
We may change this Mainland China Notice in order to comply with the evolving regulatory environment or, provided that this Mainland China Notice continue to comply with applicable law, the needs of our business. Subject to any applicable legal requirements to provide additional notice, any changes to this Mainland China Notice will be communicated through our Site and our mobile applications. We will obtain your consent to such changes where required to do so by applicable laws.
If you have any concerns about how we process your data, please contact us at email@example.com.