illy is a leading brand in the premium gourmet coffee sector and is sold in multiple distribution channels including cafes, hotels, retailers, restaurants, airlines, cruise ships, offices, and online including illycaffè shops in key cities throughout North America. illy’s corporate culture is built on a shared passion for quality, teamwork, empowerment, and innovation with excellence and ethics as foundational values. illy takes your privacy seriously and offers the following details to describe how we collect, use, and protect the personal data you agree to share with us either when you use our App or visit our US eCommerce Site (may be used interchangeably through this policy). illycaffè North America (also referred to as “we,” “our,” “us”) serves as illy’s US headquarters, and is located in Rye Brook, New York.
General Privacy Notice
1. What Information Do We Collect?
We collect your personal data whenever you interact with us and when you use the App or visit our Site. Generally, we will collect and process the following information:
- Account registration information: When you create an account with us, you provide us with your full name, email and your telephone number. You may also voluntarily provide us with additional personal data that will enhance your user experience. This may include a profile picture (if you have not signed-in via Facebook), your month of birth, and precise geolocation.
- Transaction information: We collect information relating to the orders that you make including valid payment method details. Payments are made through a payment processor, and we do not store your credit card information in our own systems. We will also collect information about your purchase history made available through the App. We may also review data relating to your completed transactions on successfully completed orders.
- Customer feedback and support: We will process the information that you give us whenever you contact us. We may make a copy of any correspondence with you for our training and quality purposes.
- Marketing opt ins and opt outs: We will process information about you when you have agreed to receive marketing and promotional material from us.
- Device information: We collect your device ID; IP address; device type; operating system and version; general geographic location (from your IP address); browser type; screen resolution; device manufacturer and model; language; interaction with QR codes; and use of loyalty cards. You may control some of this information through your device settings.
We also automatically collect certain information when you access, use, or interact with our App or visit the Site. We generally collect the following information when you use the App or visit the Site:
- Device information: We collect your device ID; IP address; device type; operating system and version; general geographic location (from your IP address); browser type; screen resolution; device manufacturer and model; language; and redemption of loyalty rewards. You may control some of this information through your device settings.
- Usage information: We collect information about your interaction with the App including the number, type and frequency of products that you order, the sections you have visited within the App, the time and date you have visited the App, the redemption of loyalty rewards made available through the App, the content you view and features you access, the basket value per order, and the time spent browsing the App.
2. What Do We Do With the Information We Collect?
We will ask you for personal data in certain fields on this App or on the Site that we need for you to use the services. The personal data we collect is used only for the purpose we state at the time of collection or for purposes listed below. For example, our uses may include, but are not limited to, the following:
- To process transactions
- To process payments
- To manage internal business practices
- To provide support or other services
- To provide information based on your needs and respond to your requests
- To administer products and services
- To select content, improve quality, and facilitate the use of our Site
- To deliver personalized advertising to you
- To assist in our market research
- To assess usage of products and services
- To communicate with you about events
- To update you on relevant products, services, offers, and opportunities
- To engage with third parties
- To protect our content and services from illegal or harmful activities
- To get feedback and input from you
- To protect our information assets as well as your personal data
- To assist in business sales or mergers
- To comply with Laws
To the extent that we collect certain demographic information about you, we may use this information in our market research, but we will do so only after we “anonymize” or “pseudonymize” the data, i.e., remove information that would confirm your identity. We will not use your personal data, however, to send commercial or marketing messages to you unless we have your continued consent for which you will have the ability to opt out by sending an email to email@example.com.
3. Who Can Use the Information We Collect and How?
We may provide your personal data to third parties, or third parties may collect personal data from you on our behalf if we have contracted with that third party to provide some part of the information or service that you have requested. Other than those who act on our behalf, and except as explained in this Policy, personal data you provide at this Site or in the App will not be transferred to unrelated third parties, unless we have a legal basis to do so. However, please note that the personal data you transmit to this Site may be subject to disclosure pursuant to judicial or other government subpoenas, warrants, or orders.
4. What Are Your Rights Regarding Your Personal Data?
We respect your right to access and control your personal data, and you have choices about the data we collect from you. If we request personal data from you that is not necessary for the purposes of providing you with our products and services, then you may decline to provide that personal data. However, if you choose not to provide personal data that is necessary to provide a particular service, you may not have access to certain features of that service.
Regardless of where you live, you can always opt-out of marketing communications, correct or update your information, and implement technical measures to opt-out of targeted or behavioral advertising as outlined below:
Opt-Out of Email Marketing Preferences.
The e-mail communications we send you will generally provide an unsubscribe link, allowing you to opt-out of receiving future email or to change your contact preferences. E-mail communications may also include a link to directly update and manage your marketing preferences, if you have an online account with us. You can also change your contact preferences through your account on the Site or through the App. You can also request an opt-out by emailing firstname.lastname@example.org. Please remember that even if you opt out of receiving marketing emails, we may still send you important information related to your account and any orders that you have placed.
Opt-Out of Targeted Advertising.
You may opt-out of third party targeted advertising or data analytics in two ways: (i) by directly notifying a Network Advertising service provider via its opt-out tools (see above), or (ii) by using your browser’s Do Not Track (DNT) settings to indicate that you do not wish to receive targeted advertising based on your overall internet usage. For more information about DNT and how it works, please visit the Future of Privacy Forum’s website: http://www.allaboutdnt.com/.
We will make every reasonable effort to honor your DNT browser settings for opting out of receiving targeted third-party advertising based on your overall Internet usage. Please note that various browsers frequently update their technology and / or change their settings and business practices without advance notice, thus we may not have the latest information on how to honor your preferences. If you exercise either opt-out option—the cookie opt-out or the browser opt-out—you will continue to receive advertising, but such advertising may not relate to your specific interests, previous purchases, or search history.
Keep in mind, however, that you cannot opt-out of our contextual data analytics and advertising, which is based on your usage of only our Services. We will continue to serve you contextual advertising. We will also continue to monitor your usage and search or transaction history to provide us with analytics on how well our Services, features, and activities are functioning and used. We will also share this information within our company in an aggregated or anonymized form (meaning that no one individual person can be identified).
How Do You Correct and Update Your Personal Data?
Our goal is to keep all personal data that we hold accurate, complete, and up-to-date. Please let us know if you change your contact details. If you believe that any of your information is incorrect, incomplete, or out-of-date, you can update your personal details through your account on the Site, in the App, or by contacting email@example.com.
5. How Do We Protect the Personal Data We Collect?
We are committed to protecting the security of your personal data. Depending on the circumstances, we may hold your information in hard copy and / or electronic form. In either situation, we use technologies and procedures to protect your personal data. We review our strategies and methods and update them as necessary to meet our business needs, changes in technology, and regulatory requirements. We take our security obligations seriously and so should you. While we are responsible for maintaining the security of this App, you must also access and use this App in a manner that is responsible and secure. In addition, we have implemented a series of policies, procedures, and training to address data protection, confidentiality, and security, and we update and review the appropriateness of these measures on a regular basis.
6. How Long Do We Retain the Data?
We retain personal data for as long as necessary to provide our Services and fulfill the transactions you have requested, or for other business purposes such as complying with our legal obligations, resolving disputes, and enforcing our agreements. We are required by law to keep some types of information for certain periods of time (e.g., statute of limitations). If your personal data is no longer necessary for the legal or business purposes for which it is processed, then we will generally destroy or anonymize that information.
7. What is Our Policy if You Are an Underage Child?
We understand the importance of protecting the privacy of all individuals, especially the very young. Our services are intended for United States audiences over the age of 18. Our Site and its Services are not directed to children, and you may not use our Services if you are under the age of 13. You must also be old enough to consent to the processing of your personal data in the country or state where you live (in some countries, parents or guardians may consent on your behalf). Subscribing to our Services is restricted to adults who are either 18 years of age or older or as otherwise legally defined by the country or state where you live.
8. What Happens When You Link to a Third-Party Web Site?
10. What If You Have Questions?
Your California Privacy Rights
This California Privacy Notice (“Notice”) applies to “Consumers” as defined by the California Consumer Privacy Act (“CCPA”) as a supplement to other privacy policies or notices that we may issue. In the event of a conflict between any of our other policies, statements, or notices and this Notice, this Notice will prevail with regard to California Consumers and their rights under the CCPA.
Consistent with the CCPA, job applicants, current and former employees and contractors, and subjects of certain business-to-business communications acting solely in their capacity as representatives of another business, are not considered Consumers for purposes of this Notice or the rights described herein.
1. Information We Collect and How We Use It
We collect personal data that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device (“personal data”).
The following is a description of our data collection practices, including the personal data we collect, the source of that information, the purposes for which we collect information, and whether we disclose that information to external parties. We may use any and all of the information for any purposes described in this Privacy Notice.
- We collect your name and email address when you create an account or contact us via our App or Site. We use this information to provide our Services, respond to your requests, identify and confirm sweepstakes entrants and notify sweepstakes winners, and send information and advertisements to you.
- We collect your social media handle and basic account information when you interact with our Services through social media such as Facebook, Instagram, or Twitter. We use this information to improve our Services, respond to your requests or complaints, and send information and advertisements to you.
- We collect a unique numerical identifier, assigned to you by a first-party cookie, automatically when you use our Services in order to identify you, provide our services, prevent fraud, and provide you with targeted information and offers.
- We collect your IP address automatically when you use our Services. We use this information to identify you, gauge online activity on our mobile application, measure the effectiveness of online services, applications, and tools, and serve targeted advertisements based on your online activities.
- We collect your Device ID automatically when you use our Services. We use this information to monitor your use and the effectiveness of our Services, to identify you, and to provide you with targeted information and offers.
PERSONAL DATA PROTECTED AGAINST SECURITY BREACHES (Cal. Civ. Code § 1798.80(e))
- We collect your name and phone number when you create an account or contact us via our App or Site. We use this information to provide our Services, respond to your requests, identify and confirm sweepstakes entrants and notify sweepstakes winners, and send information and advertisements to you.
- A service provider working on our behalf collects your payment information when you provide it to us, or to a service provider working on our behalf, when you complete a transaction. This information includes your credit card number or bank account number. This information is processed and stored securely. We use this information to facilitate payments and transactions.
PROTECTED CLASSIFIED INFORMATION
- We collect information about your age and birth month when you create an account with us. We use this information to confirm your eligibility for our Services and to provide you rewards on your birthday.
- When you engage in transactions with us, we create records of goods or Services purchased or considered, as well as purchasing or consuming histories or tendencies. We use this information to measure the effectiveness of our Services and to provide you with targeted information, advertisements, and offers.
- We collect information regarding your coffee machine, including model, serial number, place of purchase and proof of purchase when you register your machine on our Site. We use this information to confirm warranty status, provide product service, and notify you of safety recalls. We also use this information to provide you with targeted information, advertisements, and offers.
- We collect information about your purchases and tastes through interactive surveys on our Site and through consumer surveys. We use this information as part of our own metrics and to provide you with targeted information, advertisements, and offers.
- We collect information relating to marketing and ad campaign interaction with you when you click on an ad or open a marketing email. We use this information for marketing research purposes and to design, develop, market, sell, and/or improve products, services, and initiatives, including loyalty programs.
INTERNET OR OTHER SIMILAR NETWORK ACTIVITY
- We collect information about your browsing history, search history, and information regarding your interaction with our Sites, applications, or advertisements automatically when you utilize our Services or log into caffè Wi-Fi. We use this information to design, develop, market, sell, and/or improve products, Services, and initiatives, including loyalty programs, and to better understand customers and prospective customers and enhance the relationship by associating you with different devices and browsers that you may use.
- As described above, we collect your IP address automatically when you use your App or Site. We can determine your general location based on the IP address. We do collect your precise geolocation where you allow us to do so.
- If you contact us via phone, we may record the call. We will notify you if a call is being recorded at the beginning of the call. We do not collect your image or any thermal, olfactory, or similar information.
- If you visit our caffès, we utilize CCTV to keep you, other customers, our staff, and business systems safe and secure.
- We may use photographs shared with us on social media for relationship building purposes.
PROFESSIONAL OR EMPLOYMENT RELATED INFORMATION
- We collect business information, including your name, company, and job title, and business contact details from you when you send us a request through our Site. We use this information to reach out to you.
- We do not collect any information about the institutions you have attended. We may ask you for information regarding the level of education you have attained as part of marketing surveys.
- We do not collect information about your physiological, biological, or behavioral characteristics.
INFERENCES DRAWN FROM OTHER PERSONAL DATA
- We analyze your actual or likely preferences through a series of computer processes that use data that you have provided or that we have collected from our business partners, and we add our observations to your internal profile. We use this information to gauge and develop our marketing activities, measure the appeal and effectiveness of our services, applications, and tools, and to provide you with targeted information, advertisements, and offers.
When we disclose personal data for a business purpose, we enter into an agreement that describes the purpose of the agreement and requires the recipient of the personal data both to keep it confidential and to not use it for any purpose except to perform the contract. The CCPA prohibits third parties who purchase the personal data we hold for you from reselling it unless you have received explicit notice and an opportunity to opt-out of further sales.
Either we or our Service Providers also may use your information for the following Business Purposes (as defined in the CCPA) on a day-to-day basis:
- Auditing related to a current interaction with the consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
- Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
- Debugging to identify and repair errors that impair existing intended functionality.
- Short-term, transient use, provided that the personal data is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction.
- Performing services on behalf of the business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider.
- Undertaking internal research for technological development and demonstration.
- Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.
2. Do We “Sell” Your Personal Data?
We do not sell your name, address, phone number, or email address. However, on certain occasions, we also sell information to third parties. An external party may be considered a third party either because the purpose of sharing the personal data is not an enumerated business purpose under California law, or because our contract does not restrict them from using personal data for other purposes. To “sell” personal data means to disclose it to an external party for monetary or some other type of benefit; money does not always have to be exchanged for a disclosure to be considered a “sale.” We may “sell” the following information:
- Personal Identifiers: We provide your IP address and device ID to our online advertising partners.
- Internet or Other Electronic Network Activity Information: We provide information about your Internet or other electronic network activity information to our online advertising partners.
- Inferences about You: Inferences drawn to create a profile about you and your consumer preferences or characteristics. We provide these observations to our advertising partners.
3. How to Exercise Your Rights Under the CCPA
Under the CCPA you have the right to find out about the personal data that we have collected and how that information has been used or disclosed. You also have the right to request that we delete your personal data. If you wish to exercise any of the rights listed below, or if you would like additional information, please contact us at firstname.lastname@example.org.
The Right to Access and Know About Personal Data Collected, Disclosed, or Sold
You have the right to request that we disclose to you certain information about our collection and use of your personal data over the past 12 months. Once we receive and confirm your verifiable consumer request, we will disclose to you:
- The categories of personal data we collected about you.
- The categories of sources for the personal data we collected about you.
- Our business or commercial purpose for collecting or selling that personal data.
- The categories of third parties with whom we share that personal data.
- The specific pieces of personal data we collected about you (also called a data portability request).
- If we disclosed your personal data for a business purpose, identifying the personal data categories that each category of recipient obtained.
For data portability requests, we will select a format to provide your personal data that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
The Right to Request Deletion of Your Personal Data
Subject to certain exceptions, you have the right to request that we delete any or all of the personal data that we collected from you and retained over the past 12 months. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal data from our records, unless an exception applies. You may request that only a portion of your personal data be deleted.
We may deny all or part of your deletion request if retaining your personal data is necessary for us or our Service Providers to:
- Complete the transaction for which we collected the personal data, provide a service that you requested, take actions reasonably anticipated based on our ongoing business relationship with you, or otherwise perform our agreement with you;
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities;
- Debug products to identify and repair errors that impair existing intended functionality;
- Exercise free speech or ensure the right of another consumer to exercise their right of free speech or other right provided for by law;
- Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us;
- Comply with law or a legal obligation; or
- Otherwise use your personal data internally, in a lawful manner that is compatible with the context in which you provide the information.
The Right to Opt-Out of the Sale of Your Personal Data
The CCPA provides you with the right to opt out and stop businesses from selling your personal data. This right applies to all California consumers ages 16 or older and may be exercised at any time.
If you are 16 years of age or older, you have the right to direct us to not sell your personal data at any time (the "right to opt-out"). Our Sites and products are not intended for minors. We do not sell the personal data of consumers we actually know are less than 16 years of age, unless we receive affirmative authorization (the "right to opt-in") from either the consumer who is at least 13 but not yet 16 years of age, or the parent or guardian of a consumer less than 13 years of age. Consumers who opt-in to the sale of their personal data may opt-out of future sales at any time.
How to exercise this right:
- By contacting us at the toll-free number: 1-877-469-4559; or
- By sending an email to email@example.com, providing details of your request; or
The Right to Non-Discrimination
We will not discriminate against you for exercising any of your CCPA rights, and will not engage in the following behaviors:
- Denying you goods or services
- Charging you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties
- Providing you a different level or quality of goods or services
- Suggesting that you may receive a different price or rate for goods or services or a different level or quality of goods or services
Exercising Your Rights
When you exercise these rights and submit a request to us, we will verify your identity by asking for information about your relationship with us, such as your name, email address on file, billing or shipping address, phone number, or order number.
We try to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time, we will inform you of the reason and extension period in writing.
Any disclosures we provide will only cover the 12-month period preceding your verifiable request's receipt. The response we provide will also explain the reasons we cannot comply with your request, if applicable.
4. Authorized Agents
You may authorize a natural person, or a business entity registered with the California Secretary of State, to act on your behalf to make a request to know about personal data collected or to delete your personal data.
To facilitate such an authorization, you must (i) verify your identity to us and provide that authorized agent written permission to make such a request or (ii) provide the authorized agent with power of attorney on your behalf pursuant to the California Probate Code sections 4000 to 4465.
The authorized agent must include those authorizations in your verifiable consumer request.
5. Notice of Financial Incentive
We will not discriminate against you in any manner prohibited by the CCPA because you exercise your CCPA rights. However, we may charge a different price or rate, or offer a different level or quality of goods or services, to the extent that doing so is reasonably related to the value of the applicable data. In addition, we may offer you financial incentives for the collection, sale, retention, and use of your personal data as permitted by the CCPA; such offers may result in reasonably different prices, rates, or quality levels. The material aspects of any financial incentive will be explained and described in our program terms. For details of our current financial incentive program and its terms, including how to opt-in or withdraw from your opt-in, and program benefits, refer to the program terms and conditions.
Please note that participating in incentive programs is entirely optional; participants affirmatively opt into the program, and can opt out of the program (i.e., terminate participation and forgo the ongoing incentives) by following the instructions in the program’s description and terms. We may add or change incentive programs and / or their terms by posting a notice on the program descriptions and terms linked to above, so check them regularly.
6. Children Under the Age of 16
We do not knowingly collect, solicit, or share personal data from children under the age of 16. If we have knowledge that a child under 16 has submitted personal data in violation of this Policy, we will delete that information as soon as possible. If you believe we may have obtained information in violation of this Policy, please email us at firstname.lastname@example.org or call us at 1-877-469-4559.
7. Questions about the CCPA
If you have questions or concerns regarding this statement, you should first contact us via email at email@example.com.
We reserve the right to amend this Privacy Notice at our discretion and at any time. When we make changes to this Notice, we will post the updated Notice on the Site and update the Notice’s effective date. Your continued use of our Site following the posting of changes constitutes your acceptance of such changes. If we are required by applicable data protection laws to obtain your consent to any material changes before they come into effect, then we will do so in accordance with law.
9. California Shine the Light Law
If you are a California resident and have an established business relationship with us and want to receive information about how to exercise your third party disclosure choices, you must send a request to the following address with a preference on how our response to your request should be sent (email or postal mail). You may contact us in two ways:
You may send an email to firstname.lastname@example.org, or
You may contact us at:
ILLY CAFFÈ NORTH AMERICA
800 Westchester Avenue, Suite 440
Rye Brook, NY 10573
Attn: Your California Privacy Rights
c/o Privacy Administrator
For requests sent via email, you must put the statement “Your California Privacy Rights” in the subject field of your email. All requests sent via postal mail must be labeled “Your California Privacy Rights” on the envelope or post card and clearly stated on the actual request. For all requests, please include your name, street address, city, state, and zip code. (Your street address is optional if you wish to receive a response to your request via email. Please include your zip code for our own recordkeeping.) We will not accept requests via the telephone or by facsimile. We are not responsible for responding to notices that are not labeled or not sent properly, or do not have complete information.
Your Rights Under the EU General Data Protection Regulation (GDPR) (Regulation EU 2016/679) or in the UK under Data Protection Act 2018 (DPA 2018)
Please note that the App and Site are not directed to the European market and to people within the European territory.
The personal data described above may be stored on servers located in Europe. As a result, this data is protected and processed in accordance with the GDPR. The data processor for the storage of this personal data is illycaffè S.p.A., with its headquarters at: via Flavia 110, Trieste, Italy. illycaffè S.p.A. makes use of its own staff (IT technicians also external to illycaffè S.p.A, marketing staff, collaborators of data sub-processors and IT consultants) for server management and support for data analysis.
The following have been identified as data sub-processors to manage the servers hosting the personal data:
- Salesforce.com Inc., in one of its data centers in Great Britain;
- Engineering D.Hub S.p.A., located at Via Carlo Viola 76 - 11026 Pont Saint Martin (AO) Italy; and
- Adobe Inc. using cloud Amazon Web Services in Frankfurt, Germany.
The list of other possible data sub-processors can be requested by writing to email@example.com.
Personal data is currently stored on these servers and processed only for the purpose of preservation and security, and therefore, pursuant to our legitimate interests including the protection of personal data and the hosting activities. Your personal data is not accessed in Europe unless it is necessary to perform technical activities. In addition, your personal data is not transmitted to other countries outside of Europe.
We retain personal data for as long as necessary to provide our Services and fulfill the transactions you have requested, or for other business purposes such as complying with our legal obligations, resolving disputes, and enforcing our agreements.
By providing your personal data for the purposes described above, you consent to processing your personal data in Europe.
If we request personal data from you that is not necessary for the purposes of providing you with our products and services, then you may decline to provide that personal data. However, if you choose not to provide personal data that is necessary to provide a particular service, you may not have access to certain features of that service.
You may be able to exercise the following rights under the GDPR regarding your personal data stored in Europe:
- The right to be informed
- The right of access
- The right of rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
You may also have the opportunity to object to the processing of personal data and to exercise the other rights contained in Chapter 3 of Section 1 of the GDPR including the right to revoke your consent, where required. (The revocation of your consent does not affect the legality of our processing based on the consent given before the revocation.)
These rights can be asserted by contacting illycaffè S.p.A. at its headquarters in via Flavia 110 in Trieste, Italy, phone +39.040.3890.111, fax +39.040.3890.490, e-mail firstname.lastname@example.org. illycaffè S.p.A. also has a Data Protection Officer available at email@example.com and at the above address in Trieste.
Finally, under the GDPR, you can always file a complaint with a supervisory authority. Because illycaffè S.p.A. (the data processor on behalf of illycaffè North America) is headquartered in Italy, the Italian Data Protection Authority is identified as the supervisory authority. Please see the information on the website www.garanteprivacy.it.