Your privacy is very important to Subway Franchisee Advertising Fund Trust, B.V., (“SFAFT BV“, “we” or “us”). This Privacy Statement discloses how SFAFT BV collects, protects, uses and shares Personal Information gathered about you, whether in writing, verbally, electronically, or while you interact with either the website located at www.subway.co.nz, (together with any and all future websites operated by or on behalf of SFAFT BV, the “Websites”) or the Subway mobile application (the, “SUBWAY® App”). (Together, the Websites and the SUBWAY® App are referred to herein as the “Sites”). SFAFT BV’s privacy practices are consistent with New Zealand's Privacy Act (1993) and the 12 Information Privacy Principles.
Although the Sites may be available for viewing or downloading worldwide, they are only intended for users in New Zealand. SFAFT BV or its affiliated entities (collectively, the SUBWAY® Group) maintain websites and mobile applications that are intended for users in other countries around the world, and those websites and applications are governed by other privacy statements. To view the privacy statement applicable to your country, please go to: http://www.subway.com/subwayroot/exploreourworld.aspx. At the top of the page, please click on CHANGE, which brings you the EXPLORE OUR WORLD page. To choose your country click on the country name, then go to the very bottom of the country’s home page and click the PRIVACY STATEMENT link.
SUBWAY® restaurants are independently owned and operated by SUBWAY® franchisees. This Privacy Statement also does not govern the privacy practices and procedures of those franchisees, including any email or other marketing campaigns those franchisees may conduct, nor of any SUBWAY® Development Agent (“DA”). Nor does this Privacy Statement apply to information collected by the SUBWAY® Group through channels other than the Sites.
- 1.1 EU-US Privacy Shield Framework
FWH on behalf of other Subway® Group US affiliated entities has certified its commitment to comply with the EU-U.S. Privacy Shield Framework (“Privacy Shield”), as set forth by the U.S. Department of Commerce (“DoC”) and the Federal Trade Commission (“FTC”) for the collection, use and retention of Personal Information from European Union (“EU”) Member States and European Economic Area (“EEA”) member countries, including the Privacy Shield Principles. In the event of any conflict between the provisions of this Statement and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about Privacy Shield, and to view FWH’s certification page, please visit: http://www.privacyshield.gov.
- 1.2 S.-Swiss Safe Harbor Framework
FWH continues its commitment to comply with the U.S.-Swiss Safe Harbor Framework (“Swiss Safe Harbor”) as set forth by the DoC regarding the collection, use and retention of Personal Information from Switzerland. FWH has certified that it adheres to the seven (7) Swiss Safe Harbor privacy principles, namely: Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement and Liability. If there is any conflict between the provisions in this Privacy Statement and the Swiss Safe Harbor privacy principles, the Swiss Safe Harbor privacy principles shall govern. To learn more about the Swiss Safe Harbor, please visit http://www.export.gov/safeharbor; and to view FWH’s certification page, please visit https://safeharbor.export.gov/list.aspx.
- Key Definitions
For purposes of this Privacy Statement, the following definitions apply:
- Data Subject is an identified or identifiable natural person.
- Personal Information is any information or set of information about an identified or identifiable natural person, including, but not limited to: (a) first name or initial and last name; (b) home or other physical address; (c) telephone number; (d) email address or online identifier associated with the person; (e) Social Security number or other similar identifier; (f) employment, financial or health information; or (g) any other information relating to a person that is combined with any of the above. The term “Personal Information” does not include anonymized information or information that is reported in the aggregate (provided that such aggregated information is not identifiable to a natural person).
- Privacy Shield Principles collectively means the seven (7) privacy principles as described in the Privacy Shield: (1) notice, (2) choice, (3) accountability for onward transfer, (4) security, (5) data integrity and purpose limitation, (6) access, and (7) recourse, enforcement and liability, as well as the supplemental privacy principles and the associated guidance set forth in those certain “Frequently Asked Questions” as agreed by DoC and the European Commission.
- Process or Processing of Personal Information means any operation or set of operations which is performed upon Personal Information, whether or not by automated means, such as such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.
- Sensitive Data or Sensitive Personal Information is a subset of Personal Information that may include, but is not limited to, an individual’s racial or ethnic origins; political opinions; religious or philosophical beliefs; trade union membership; physical or mental health or disabilities; sex life, sexual orientation; biometric data where Processed to uniquely identify a person; or criminal (or alleged criminal) activities, proceedings or convictions.
- NOTICE – WHAT PERSONAL INFORMATION DO WE COLLECT AND WHERE DO WE KEEP IT?
The types of Personal Information we may collect (directly from you or from third party-sources) and our privacy practices depend on the nature of the relationship you have with FHW and the requirements of applicable law. We endeavor to collect information only to the extent relevant for the purposes of Processing. Below are the legal bases and some of the ways we collect information and how we use it.
- 3.1 Prospective Employees
If you submit an application for employment with our affiliates within the SUBWAY® Group, the Personal Information collected may include, but is not limited to: name, address, telephone number, facsimile number, email address, date of birth, citizenship, professional and educational background experience, such as information that may be recorded on a resume or application form, criminal background, bank account information for Electronic Funds Transfer, financial statement, and taxpayer identification number. The SUBWAY® Group may need to obtain Personal Information about you from third parties in order to supplement, update or verify your information, and/or to process your application for consideration as a SUBWAY® Group employee. Applicable law may require that you authorize a third party to share your Personal Information with the SUBWAY® Group before we can acquire it. Failure to provide any requested information may negatively impact consideration of your employment application. By applying to become an employee of the SUBWAY® Group, you consent to our collection, use, and disclosure of your Personal Information in this manner.
All information, including Personal Information submitted by you as part of the application process, will become part of your employee file should you become an employee. Employees’ Personal Information is governed by separate policies and not by this Privacy Statement.
Prospective employees’ Personal Information is collected for use in connection with your expression of interest in employment with the SUBWAY® Group or its affiliates, either for a specific position or, unless you advise us otherwise in writing, for reference in connection with potentially available future positions.
Please note that this Privacy Statement does not apply to SUBWAY® restaurant employment applications submitted through the SUBWAY® website, which are transmitted directly to independently-owned and operated franchisees who are seeking employees in the relevant market area.
- 3.2 Consumers
SFAFT BV collects consumer information in a number of ways.
- 126.96.36.199 Information You Voluntarily Provide Us
You may choose to communicate with us in some of the following ways:
- Consumer-facing programs, including but not limited to subscription services, email information, newsletters, and news and offers;
- SUBWAY® account user registration;
- Placing an order from a SUBWAY® restaurant through one of the Sites;
- Various contests, promotions, competitions or sweepstakes (collectively, “Promotions”);
- Surveys; and
- When you contact us by telephone, email, or postal mail with a question or concern.
In addition, holders of SUBWAY® Loyalty Cards and SUBWAY® Gift Cards (collectively the “SUBWAY® Card”) provide us with certain information when they register their cards through the Sites. YOU MUST BE thirteen (13) YEARS OLD OR OLDER TO REGISTER A SUBWAY® CARD.
In each case, we collect Personal Information that you voluntarily provide us, including first and last name, email address, mobile telephone number, user name and password (if you have registered a SUBWAY® account), payment information and transaction details (if you place an order with a SUBWAY® franchisee through the Sites).
- 188.8.131.52 Information Collected Automatically
As detailed in Section 3.4, the Sites also collect Personal Information automatically, including IP address, device ID and, in the case of the SUBWAY® App, your location information and information concerning the type of mobile or other access device you are using to access the SUBWAY® App. Some of that information collection can be modified by adjusting your browser or device settings.
SFAFT BV also maintains a robust social media presence and activities. Those activities include:
- 184.108.40.206 Forward-To-A-Friend and Refer-A-Friend
The Sites contain referral features that allow you to inform a friend about a SFAFT BV web page or promotion. SFAFT BV may use any email address provided when using this referral feature to send both an initial email and a subsequent email to recipients about the particular promotion, product or service in which you indicated your "friend" may have an interest. We will not send emails to recipients who have opted out of receipt of promotional emails from us.
- 220.127.116.11 Other Social Media Activities
From time to time, SFAFT BV may maintain social media accounts or engage in other social media activities. In all cases, SFAFT BV will comply with the terms of this Privacy Statement and the privacy policies applicable to those social media platforms or networks.
SUBWAY® franchisees may sponsor their own social media pages or websites. Those franchisees and their activities are not subject to this Privacy Statement.
- 3.3 Franchisees, Prospective Franchisees and Development Agents
If you choose to submit an electronic application seeking consideration as a prospective SUBWAY® franchisee through the Website, you agree that SFAFT BV may disclose your Personal Information to our affiliates within the SUBWAY® Group as well as to third-party service providers as part of the SUBWAY® Group’s consideration of your franchise inquiry. Personal Information collected from prospective franchisees may include, but is not limited to: name, address, telephone number, facsimile number, email address, date of birth, citizenship, educational background, criminal and other background checks, bank account information for Electronic Funds Transfer, financial statement, resume, litigation history, and taxpayer identification number.
All information, including Personal Information submitted by you as part of the application process, will become part of your franchise file should you choose to proceed and submit a franchise application.
By applying to become a SUBWAY® Development Agent (“”DA”) via the Website, you will provide Personal Information in connection with that application.
- 3.4 All Internet Users - Cookies, Web Beacons, Internet Protocol (IP) Address, Aggregate Information
- 18.104.22.168 Cookies
Like many other websites, we use data collection devices such as "cookies" on certain web pages to help analyze our web page flow and measure promotional effectiveness. A cookie is a text-only string of information that a website transfers to the cookie file of the browser on your computer's hard disk so that the website can remember who you are. A cookie will typically contain the name of the domain from which the cookie has come, the 'lifetime' of the cookie, and a value, usually a randomly generated unique number. This helps us to provide you with a good experience when you browse our website and also allows us to improve our website and services.
A few important things you should know about cookies:
- Most cookies are "session cookies," meaning that they are automatically deleted from your hard drive at the end of a session.
- You may encounter cookies from third parties on certain pages of the websites that SFAFT BV does not control. (For example, if you view a web page created by another user, there may be a cookie placed by that web page.)
- Cookies are also used on mobile devices to run the SUBWAY® App.
You have the ability to accept or decline cookies by modifying the settings in your browser. However, you may not be able to use all the interactive features of the Sites if cookies are disabled.
If you use Sites that employ Flash Player, a small Flash Cookie may be used. The purpose of using these cookies is to store your flash player preferences and to enhance your browsing experience. Flash cookies are stored on your computer in a similar way that standard cookies are stored on your computer, except they are stored in a different location. For that reason, it is not possible to block or manage Flash Cookies directly from your browser.
For additional information, and in order to manage or delete Flash Cookies, please visit Adobe's website by clicking here: https://helpx.adobe.com/flash-player/kb/disable-local-shared-objects-flash.html.
- 22.214.171.124 Web Beacons
SFAFT BV uses web beacons, also called “web bugs,” “pixel tags” or “clear GIFs, to help manage SFAFT BV’s online advertising and promotions.
Used in combination with cookies, a web beacon is an often-transparent graphic image, usually no larger than 1 pixel x 1 pixel, which is placed on a website or in an email, that is used to monitor the behavior of the user visiting the website or sending the email. When the HTML code for the web beacon points to a website to retrieve the image, at the same time it can pass along information such as the IP address of the computer that retrieved the image, the time the web beacon was viewed and for how long, the type of browser that retrieved the image and previously set cookie values.
Web beacons are typically used by a third-party to monitor the activity of a website. A web beacon can be detected by viewing the source code of a web page and looking for any IMG tags that load from a different server than the rest of the website. Turning off the browser's cookies will prevent web beacons from tracking the user's activity. The web beacon will still account for an anonymous visit, but the user's unique information will not be recorded.
SFAFT BV uses its web beacons to track which advertisements and promotions bring users to SFAFT BV’s website. This information does not include your name, address, telephone number or email address.
- 126.96.36.199 Internet Protocol (“IP”) Addresses and Log Files
An IP address is associated with your computer or mobile device's connection to the internet. SFAFT BV may use your IP address to help diagnose problems with SFAFT BV’s server, to administer the Sites and to maintain contact with you as you navigate through the Sites. Your computer's IP address also may be used to provide you with information based upon your navigation through the Sites. SFAFT BV does not link IP addresses to any Personal Information.
Similarly, log file information is automatically reported by your mobile or other access device each time you access the SUBWAY® App. When you register a SUBWAY® account, the SUBWAY® App may automatically record certain information whenever you use the SUBWAY® App. The log files may include information such as your user request, IP address, browser type, the number of times you access the SUBWAY® App and other such information.
- 188.8.131.52 Anonymous and Aggregated Information
Anonymized and aggregated information is used for a variety of functions, including the measurement of visitors’ interest in and use of various portions or features of the Sites. Anonymized or aggregated information is not Personal Information, and SFAFT BV may use such information in a number of ways, including internal analysis, data analytics and research. We also may share anonymized or aggregated information with third parties for our or their purposes, but none of this information will allow anyone to identify you or to determine anything else personal about you.
- NOTICE – WHAT DO WE DO WITH THE PERSONAL INFORMATION WE COLLECT?
First, of course, we use the Personal Information you provide us or that we collect to provide you with the products, services or information you have requested or to improve the functionality or your experience using our Sites.
We also may use your Personal Information to provide you with information concerning SUBWAY® products or services in which we think you may have interest.
On some pages of our Website we may allow third-party advertising partners to set web tracking tools (e.g., cookies and web beacons) to collect anonymous, non-Personal Information regarding your activities on those pages (e.g., your IP address, page(s) visited, time of day). We may also share such information we have collected with third-party advertising partners. These advertising partners may use this information (and similar information collected from other websites) for purposes of delivering future targeted advertisements to you when you visit other (non-SUBWAY®) websites within their networks. This practice is commonly referred to as "interest-based advertising" or "online behavioral advertising."
Pages of our Website that collect information that may be used by such advertising partners for interest-based advertising purposes may be identified by a link to AdChoices on the page.
You have the right to opt out of certain uses and disclosures of your Personal Information, as set out in this Privacy Statement. Prior to disclosing Sensitive Data to a third party or Processing Sensitive Data for a purpose other than its original purpose or the purpose authorized subsequently by you, SFAFT BV will endeavor to obtain your explicit consent (opt-in). Where consent for the Processing of Personal Information is otherwise required by law or contract, SFAFT BV will comply with the law or contract.
NOTE: If you participate in any Promotion, the Personal Information that you provide SFAFT BV will be handled in accordance with the privacy rules applicable to that Promotion to the extent they differ from this Privacy Statement.
- 5.1 Compliance with the Digital Advertising Alliance & Do Not Track
The SUBWAY® Group uses the Evidon assurance platform to comply with the cross-industry Self-Regulatory Program for Online Behavioral Advertising as managed by the Digital Advertising Alliance (“DAA”) (http:///aboutads.info). As part of this service, the SUBWAY® Group’s online advertisements and websites are sometimes delivered with icons that help consumers understand how their data are being used and provide choice options to consumers that want more control. The list of our advertising partners may be updated from time to time. To opt-out of internet-based advertising by all DAA-participating companies, please visit http://www.aboutads.info/choices/. Even if you opt-out through this service, we may still collect non-Personal Information regarding your activities on our Sites and use it for non-interest-based advertising purposes as described in this Privacy Statement.
Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers. DNT is a way for users to inform websites and services that they do not want certain information about their webpage visits collected over time and across websites or online services. SFAFT BV is committed to providing you with meaningful choices about the information collected on the Sites for third-party purposes, and that is why SFAFT BV provides the DAA opt-out link above. However, we do not recognize or respond to browser-initiated DNT signals.
- 5.2 Mobile Collection
Our SUBWAY® App collects your location information and certain other information (such as device ID) automatically. You may opt out of such collection to the extent permitted by your device settings.
- 5.3 CONSENT TO MOBILE AND EMAIL COMMUNICATIONS.
- 5.4 Where We Store Your Personal Information
All Personal Information sent or collected via the Sites is stored in the USA, either on our servers, the servers of our affiliates in the SUBWAY® Group or the servers of our service providers. By using the Sites, you consent to the storage of your Personal Information in these locations.
Where allowed by law, you may use any of the methods set out in Section 10 of this Privacy Statement to obtain confirmation that SFAFT BV is Processing Personal Information about you, and request access, corrections or deletions to Personal Information held about you by SFAFT BV, including where Personal Information is Processed in violation of the Privacy Shield Principles. Such requests will be Processed in line with local laws, where it is legally permissible to do so. Although FHW makes good faith efforts to provide access, there may be circumstances where SFAFT BV is unable to do so, including but not limited to: where the information contains legal privilege, would present a security risk, would compromise others’ privacy, or where it is commercially proprietary. If SFAFT BV determines that access should be restricted in any particular instance, we will endeavor to provide you with an explanation of why that determination has been made and a contact point for any further inquiries.
If necessary, SFAFT BV’s Privacy Officer will contact another individual to assist in completing your requested task. To protect your privacy, SFAFT BV will take commercially reasonable steps to verify your identity before granting access to or making any changes to your Personal Information.
- DATA INTEGRITY – INFORMATION PURPOSE LIMITATION
SFAFT BV retains the Personal Information we receive as described in this Privacy Statement for as long as you use our Sites or as necessary to fulfill the purpose(s) for which it was collected, provide our services, resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce our agreements and comply with all applicable laws. Your consent to such purpose(s) remains valid after termination of SFAFT BV’s relationship with you.
- ONWARD SHARING
SFAFT BV does not sell Personal Information to third parties. SFAFT BV may share Personal Information with our service providers, consultants and affiliates for our and our affiliates’ internal business purposes or to provide you with a product or service that you have requested. Except as described in this Privacy Statement, SFAFT BV will not share Personal Information with a third party unless a customer or prospective employee requests or consents to such disclosure, or disclosure is required or authorized by law.
Payment information will be used and shared only to effectuate your order and may be stored by our service provider for purposes of future orders.
SFAFT BV requires our service providers to agree in writing to maintain the confidentiality and security of Personal Information they maintain on behalf of SFAFT BV, including to provide at least the same level of protection as required by the Privacy Shield Principles, not to use it for any purpose other than the purpose for which SFAFT BV retained them and to notify SFAFT BV if they make a determination they can no longer comply with that obligation. With respect to onward transfers to third-party agents under Privacy Shield, Privacy Shield requires that SFAFT BV remain liable should such agents Process Personal Information in a manner inconsistent with the Privacy Shield Principles.
Your Personal Information is considered a company asset and may be disclosed or transferred to a third party in the event of a proposed or actual purchase, any reorganization, sale, lease, merger, joint venture, assignment, amalgamation or any other type of acquisition, disposal or financing of all or any portion of our business or of any of the business assets or shares (including in connection with any bankruptcy or similar proceeding) of SFAFT BV or a division thereof, in order for you to continue to receive the same products and services from, or to continue the same or similar relationship with, the third party.
Although SFAFT BV makes every effort to preserve user privacy, SFAFT BV reserves the right to disclose Personal Information to a third party in certain limited circumstances, including: (i) to comply with a law, regulation, search warrant, subpoena, judicial proceeding, a court or administrative order, or as otherwise may be required by law; (ii) in response to lawful requests by public authorities, including to meet national security or law enforcement requirements; (iii) to enforce SFAFT BV policies or contracts; (iv) to collect amounts owed to SFAFT BV; (v) to protect users of the Sites from fraudulent or abusive use; (vi) during emergencies when safety is at risk, as determined by SFAFT BV; (vii) where necessary for the establishment, exercise or defense of legal claims; (viii) in the good faith belief that disclosure is otherwise necessary or advisable. In addition, from time to time, server logs may be reviewed for security purposes – for example, to detect unauthorized activity on the Site. In such cases, server log data, containing IP addresses, would be shared with law enforcement bodies in order that they may identify users in connection with their investigation of the unauthorized activities.
Although "guaranteed security" does not exist, SFAFT BV and our affiliates and service providers use commercially reasonable measures (including all steps required by applicable law) that are designed to safeguard your Personal Information against loss, unauthorized access, use, modification, disclosure or other misuse.
Our payment processing service provider handles all payment information in connection with the Sites and is required to be PCI-compliant.
- REDRESS / COMPLIANCE AND ACCOUNTABILITY
If after reviewing this Privacy Statement, you would like to submit a request or you have any questions or privacy concerns, please contact:
SFAFT BV Privacy Officer,
C/o Subway Franchisee Advertising Fund of Australia Pty Ltd,
Level 1, 42 Amelia Street,
Fortitude Valley, QLD 4006,
Telephone Number: (07)3216 0665
Facsimile: (07)3852 4081
Email Address: firstname.lastname@example.org
Or, if you prefer, you can download the Privacy Information Request Form located at: http://subapps1.subway.com/go/legal/InfoRequestForm.pdf.
SFAFT BV will address your concerns and attempt to resolve any privacy issues in a timely manner. If necessary, the Privacy Officer will contact another individual to assist in completing your requested task.
If you are an EU or Swiss citizen and feel that we are not abiding by the terms of this Privacy Statement, or is not in compliance with the Privacy Shield Principles or Swiss Safe Harbor, please contact SFAFT BV at the contact information provided above. In addition to its internal procedures for resolving potential complaints, SFAFT BV will cooperate with EU data protection authorities (“DPAs”), and you may submit Privacy Shield-related complaints to the attention of your DPA: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm, which will establish a panel to investigate and resolve complaints brought under the Privacy Shield. SFAFT BV will fully comply with the advice given by the DPAs and take necessary steps to remediate any non-compliance with the Privacy Shield Principles. Such independent dispute resolution mechanisms are available to EU citizens free of charge. Additionally, you may have a right to invoke binding arbitration under Privacy Shield. The FTC has jurisdiction over the Subway® Group’s US affiliated entities compliance with the Privacy Shield.
- OTHER RIGHTS AND INFORMATION
- 11.1 Information Regarding Children
The Sites are not targeted towards children under the age of thirteen (13). SFAFT BV does understand that children under the age of thirteen (13) may still try to contact SFAFT BV and in so doing may voluntarily provide Personal Information to us. If you are a child under the age of thirteen (13), PLEASE DO NOT submit any Personal Information on the Sites. If you are a parent or legal guardian of a child whom you believe has submitted Personal Information to us, please contact our Privacy Officer using one of the methods set out in Section 10 of this Privacy Statement, and we will take prompt action to delete such information in accordance with applicable law.
- 11.2 Links to Third-Party Websites
- 11.3 Changes to the Privacy Statement
SFAFT BV may update this Privacy Statement from time to time. When SFAFT BV posts changes to this Privacy Statement, we will also revise the "LAST REVISED" date posted at the top of the Privacy Statement. If there are any material changes to this Privacy Statement, SFAFT BV will notify you by email, by means of a notice on our home page or as otherwise required by applicable law. SFAFT BV encourages you to review this Privacy Statement periodically to be informed of how SFAFT BV is protecting your information and to be aware of any changes to SFAFT BV’s Privacy Statement. Your continued use of the Sites after the posting or notice of any amended Privacy Statement shall constitute your agreement to be bound by any such changes.
Any changes to this Privacy Statement take effect immediately after being posted by SFAFT BV.
- 11.4 Other Relevant Policies