Doing All We Can To Ensure Your Privacy & Security
Last Updated: 25 May 2018
We are a corporation registered in the Republic of Singapore with company number 201812772R and a registered office at 6 Raffles Boulevard, Marina Square, #03-308, Singapore 039594. For the purpose of the General Data Protection Regulation (“GDPR”), we are the data controller. Our data privacy & protection officer can be contacted at [email protected]
What information do we collect about you?
We receive, collect and store any information you enter on our website or provide us in any other way. In addition, we collect the Internet protocol (IP) address used to connect your computer to the Internet; login; e-mail address; password; computer and connection information and purchase history. We may use software tools to measure and collect session information, including page response times, length of visits to certain pages, page interaction information, and methods used to browse away from the page. We also collect personally identifiable information (including name, email, password, communications); payment details (including credit card information), comments, feedback, product reviews, recommendations, and personal profile.
How will we use the information about you?
We use your information to fulfill your purchase request and/or our contract of service with you, to administer your membership with our frequent cyber program, CyberPass and/or our corporate travel program for small and medium enterprises, SparkPass. We also use your information to maintain our website and mobile application, and to tailor our products and services to your preferences to provide the best service possible. In addition we use your information to market our products and services to you, and those of our group companies, partners and agents (with your consent where required by applicable law).
Who do we share your information with?
We share your data with our third party service providers to the extent necessary for them to provide their services such as payment processors and field-operating personnel. We use these third parties' services solely to process or store your information for the purposes described in this policy. We also share your information with our strategic alliance partners, other organizations who help us provide our services, related group companies and our overseas stations and with government bodies as required by law.
Where do we process your information?
Our company is hosted on the Wix.com platform. Wix.com provides us with the online platform that allows us to sell our products and services to you. Your data may be stored through Wix.com’s data storage, databases and the general Wix.com applications. They store your data on secure servers behind a firewall.
All direct payment gateways offered by Wix.com and used by our company adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, MasterCard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of credit card information by our store and its service providers.
How long do we keep hold of your information?
We retain your information for as long as it is necessary to fulfill the purpose for which it was collected, the legal or business purposes of Variantz, or as required by relevant laws. We will usually keep your Customer Data for up to 7 years to ensure that any contractual disputes can be addressed. For EU residents, we will endeavor to delete data within 30 days of a request for erasure or contact you if it will take longer.
How will we notify you of changes?
1. The types of Customer Data we collect
The types of Customer Data that Variantz collects depends on the circumstances of collection and on the nature of the service requested or transaction undertaken.
There are two broad categories of Customer Data that Variantz collects:
• Personal Data. The data we collect includes but is not limited to:
(i) personal information that can be used to identify an individual, such as name, gender, date of birth, personal identification numbers;
(ii) contact information, such as mailing address, phone number, email address;
(iii) payment information, such as credit or debit card information, including the name of cardholder, card number, billing address and expiry date;
(iv) product/service information, such as serial numbers, time, location of use, type and method of use;
(v) information on your other purchases made through Variantz, such as tracking your purchases through our website;
(vi) your customer preferences, purchases, products that you would like or other service preferences;
(vii) information about your product or service usage;
(viii) information about your interactions with our staff;
(ix) information about your interactions with our field staff, such as the details of any complaint cases, call details, and other information relevant to assist our field staff to service you;
(x) health information, such as doctors’ notes, medical certificates and letters and requests related to medical conditions;
(xi) information we receive from the queries you enter into our chatbot and Website (as defined below);
(xii) information we receive from product and/or service bookings made via our online corporate booking platform;
(xiii) information we receive from other sources e.g. our page on social media websites; and
(xiv) business contact information, such as the contact details of the employees of our vendors and corporate customers, as well as the contact details collected by our divisions.
For purposes of this policy statement, Customer Data means Personal Data and Technical Data.
We also use Customer Data to derive Statistical Data, such as the number of subscribers. This is processed and stored purely for analytical purposes, and is entirely anonymous. This information will not be stored to your customer record, and will only be aggregated for statistical analysis so that we can better understand Variantz's customer profile and improve Variantz's service offering.
Special categories of information or “sensitive personal data”
Certain categories of Customer Data, such as information about your race, ethnicity, religion or health, are considered special categories of information, or “sensitive personal data” under the GDPR.
Generally, we try to limit the circumstances where we collect your sensitive personal data. However, this can occasionally occur because you have made certain requests in connection with your service arrangements that reveal or suggest something about you that could be considered “sensitive personal data”, or if you otherwise choose to provide such information to us.
• if you request a particular type of feature, e.g. Muslim prayer time, this may imply or suggest that you are a member of a particular religion; or
• if you request specific medical assistance from us and/or an operator, e.g. the provision of a wheelchair, this may reveal that you have a particular medical condition.
How we collect data from you
Variantz collects Customer Data, either directly from you or from your authorized representatives (i.e. persons whom you have authorized and/or persons who have been validly identified as being your authorized representative (e.g. your organisation’s corporate service manager) pursuant to our then-current security procedures).
Variantz also collects Customer Data from third parties which are located in various countries. This includes, but is not limited to, our Variantz partners, our service providers, including our subsidiaries, or through our Website, mobile services, any posts on our Variantz-specific pages on social media websites and other channels including our service counters and retail operations.
2. Is the provision of Customer Data required?
The collection of the following types of Customer Data is mandatory to enable Variantz to fulfill our contract of service with you. These types of Customer Data are marked as mandatory on our booking form. If you do not provide this information, we will not be able to provide you with our services and/or products required.
• User details, e.g. title, first/given name, last/family name, date of birth, whether you are an EU resident.
• Contact details, e.g. email address, mobile phone number, home number or business number.
• Payment details, e.g. the name on the credit or debit card, the credit or debit card number, expiry date and card verification value on the credit or debit card, and billing address which will be transmitted to our payments processors.
Additional information may be mandatory if you are using the product/service in a specific country, or if you are using the product/service on behalf of a business registered in a specific country, e.g. your gender, nationality, passport number, the country of issue of your passport, the name, GST registration number and address of the business you are using on behalf of, and your business email address and phone number.
The collection of the following types of Customer Data is mandatory to enable Variantz to administer your membership with CyberPass: (i) title; (ii) last/family name; (iii) first/given name if you do not have a last/family name; (iv) date of birth; (v) email address; (vi) mobile phone number; (vii) mailing address; (viii) gender; (ix) nationality; and (x) whether you are an EU resident.
The collection of the following types of Customer Data is mandatory to enable Variantz to administer your membership with SparkPass: (i) title; (ii) last/family name; (iii) first/given name if you do not have a last/family name; (iv) date of birth; (v) email address; (vi) mobile phone number; (vii) mailing address; (viii) gender; and (ix) nationality.
These types of Customer Data are marked as mandatory on our sign up form. If you do not provide this information, you will not be able to benefit from points accruals and membership tier benefits and we will not be able to provide you with our services and/or products required.
The failure to supply the following types of Customer Data will result in (i) Variantz being unable to update you on our latest products and/or launches; and/or (ii) your inability to enter or participate in contests, promotions or redemption activities organised by Variantz:
• Contact Information e.g. email address, telephone number; and
• Country of residence.
3. How we use your Customer Data
If you are an EU resident, we are required to disclose the legal basis for processing your data under the GDPR. We will use the Customer Data in the following ways:
In accordance with our contract of service with you, we will use the Customer Data to:
• process and assist you with any transactions related to your service, fulfilling such booking and investigating potential fraudulent transactions;
• notify you about changes to our service, including through service alert messages via Variantz’s mobile services facility;
• provide services (e.g. to provide you with a personalized application experience);
• in accordance with our contract with you as a CyberPass member, we will use the Customer Data to:
i. maintain your CyberPass account;
ii. facilitate membership-related transactions and services;
iii. enable the member to log in using the CyberPass account on any of the platforms hosted by Variantz or any member of the Variantz group (where possible); and
iv. send you membership status updates and other account related information.
As it is in our legitimate interests to be responsive to you, to provide customised services and marketing and to ensure the proper functioning of our products, services and organisation, we will use your Customer Data to:
• improve the Website and to ensure content from the Website is presented in the most effective manner for you and your device;
• administer the Website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
• monitor and record calls for quality, training, legal compliance, analysis and other related purposes in order to pursue our legitimate interest to improve service delivery;
• send you surveys by email (including surveys related to our CyberPass or SparkPass programs, if you are a member, as detailed below). You can opt-out of receiving these surveys at any time by contacting us;
• send you service emails, such as reminders when you have not checked out your purchases on our Website. You can opt-out of receiving service emails at any time by contacting us;
• respond to your enquiries, requests or feedback;
• enforce our terms, conditions and policies;
• allow you to participate in interactive features of the Website, when you choose to do so;
• customise our products and services to you, including by responding to and catering for your customer preferences;
• personalize the content you see on our Website and on our infotainment systems, by enabling you to save your preferences on our infotainment systems;
• keep the Website safe and secure;
• aggregate Customer Data into anonymized statistical data (such as number of users using a particular feature), which we will use for statistical analysis so that we can better understand Variantz's customer profile and improve Variantz's service offering;
• customize our marketing, e.g. send you targeted marketing on places you would like to visit, based on your responses to optional questions on our Website and your prior purchases. If you are an EU resident, you can object to this profiling and opt-out of receiving such targeted marketing;
• In relation to our CyberPass program:
i. market and communicate to CyberPass members information on Variantz, and CyberPass promotions, contests, events and lucky draws, including those conducted by Variantz or CyberPass program partners (with your consent where required by applicable laws);
ii. contact CyberPass members regarding product and customer related surveys and market research;
iii. respond to email and call inquiries from CyberPass members;
iv. provide services to celebrate special occasions; and
v. send CyberPass members CyberPass-related news and CyberPass e-statements and associated promotions and offers (with your consent where required by applicable laws).
• If you are a participating company under the SparkPass program (“Participating Company”) and if you are a Corporate Service Manager (“CSM”) or Assistant Corporate Service Manager (“ACSM”), we will use the Customer Data to:
i. maintain the Participating Company’s SparkPass account;
ii. facilitate Participating Company-related transactions and services;
iii. market and communicate to the CSMs and ACSMs information on Variantz, and SparkPass promotions, contests, events and lucky draws, including those conducted by Variantz or SparkPass program partners (with your consent where required by applicable laws);
iv. contact the CSMs and ACSMs regarding product and customer related surveys and market research;
v. respond to email and call enquiries from the CSM and ACSMs; and
vi. send the CSMs and ACSMs programme information updates and other account related information.
• If you are a Participating Company under the SparkPass program and if you are a Corporate User (“CU”), we will use the Customer Data to:
i. maintain your travel records in the Participating Company’s SparkPass account;
ii. facilitate Participating Company-related transactions and services;
iii. contact the CUs regarding product and customer related surveys and market research; and
iv. respond to email and call enquiries from the CUs.
• if you are an employee of an entity with a contractual relationship with us:
i. to contact you to perform our services, and in particular, to monitor and record calls for quality, training, legal compliance, analysis and other related purposes in order to pursue our legitimate interest to improve service delivery;
ii. enforce our terms and conditions against your employer; and
iii. communicate with you about products, services, promotions, events and other news and information we think will be of interest to you.
If you are an EU resident, you can object to this profiling and opt-out of receiving such targeted marketing. For more information on this right, click here
With your consent where required by applicable laws, we will use your Customer Data to:
• send you marketing and promotional materials in relation to products and services offered by Variantz, Variantz’s subsidiaries and affiliate and service partners, as well as Variantz's appointed agents including in relation to the CyberPass and SparkPass programs; and
• register you for CyberPass.
You have the right to withdraw your consent at any time by contacting us at [email protected]
4. Disclosure of your Customer Data
Variantz will share your Customer Data with selected third parties in the situations set out below:
• our service providers (including field personnel, security personnel and providers of infotainment and internet connection);
• advertisers and advertising networks that require the data to select and serve relevant adverts to you and others;
• analytics and search engine providers that assist us in the improvement and optimisation of the Website.
Variantz will share your Customer Data with any member of our group, which means our overseas stations and our subsidiaries in order to better customise your preferences:
• For the purposes of our contract with you, i.e. to:
i. Fulfill purchases of product/service and facilitate provisioning of product/service;
ii. Manage customers who are from our subsidiaries or partners and are CyberPass or SparkPass members;
iii. Manage customers during service disruptions and provide necessary assistance and services;
• As it is in our legitimate interests to be responsive to you, to provide customised services and marketing, to:
i. Respond to complaints or compliments received by Variantz from customers who are sharing their service experience operated by our subsidiaries;
ii. Providing an enhanced customer experience and personalizing offers to customers;
iii. Anticipating the servicing needs of customers;
iv. Understanding customers better through analytics and research (including marketing research) to support personalisation;
v. Contacting customers about CyberPass and SparkPass program related updates, surveys and offers; and
• For the purposes of undertaking targeted direct marketing and other forms of marketing or advertisement, provided we have the consent of the recipient and/or have provided the opportunity to opt-out, in each case where required by applicable law.
Variantz will also use and disclose your Customer Data to persons who have been validly identified as being you or your authorized representative(s) pursuant to our then-current security procedures, for the purpose of the relevant transaction or inquiry. In particular, each of the customers who are grouped under the same Customer Name Record (“CNR”) number shall be deemed to be authorized representatives of each of the other passengers under the same PNR number.
Variantz will disclose your Customer Data to law enforcement agencies, public or regulatory authorities, securities commissions or other organisations for security, customs and law enforcement purposes, if legally required to do so, or if we have a good faith belief that such use is reasonably necessary to:
• comply with a legal obligation, process or request;
• enforce our terms and conditions and other agreements, including investigation of any potential violation thereof;
• detect, prevent or otherwise address security, fraud or technical issues; or
• protect the rights, property, health or safety of us, our users, a third party or the public as required or permitted by law (including exchanging Customer Data with other companies and organisations for the purposes of fraud protection and credit risk reduction).
We will also disclose your Customer Data to third parties:
• in the event that we sell or buy any business or assets, in which case we may disclose your data to the prospective seller or buyer of such business or assets;
• if we or substantially all of our assets are acquired by a third party, in which case Customer Data held by us about our customers will be one of the transferred assets; or
• to comply with legal obligations, processes or requests (such as disclosing Customer Data to executors in response to court orders).
In addition, Variantz may disclose Customer Data to our legal advisors for establishing, exercising or defending our legal rights, to our other professional advisors, or as otherwise authorised or required by law. Variantz also reserves the right to share Customer Data as is necessary to prevent a threat to the life, health or security of an individual or corporate entities such as Variantz. Further, Variantz will disclose Customer Data, as is necessary, to investigate suspected unlawful activities including but not limited to fraud, intellectual property infringement or privacy.
5. Transfer of information overseas
The Variantz Head Office is based in Singapore. Our company is hosted on the Wix.com platform. Wix.com provides us with the online platform that allows us to sell our products and services to you. Your data may be stored through Wix.com’s data storage, databases and the general Wix.com applications. They store your data on secure servers behind a firewall. Customer Data will be transferred to Variantz's offices and appointed agents, including field agents, sales agents and contact center agents, in Singapore and around the world in connection with Variantz’s performance of the contract with you.
This means that Customer Data will be transferred to, and stored at, a destination outside of your country and outside the European Economic Area ("EEA"). We will transfer Customer Data to destinations that you are using the service in and where we operate. The Customer Data is transferred outside the EEA on the basis that it is necessary for the performance of the contract of service between you and Variantz.
We will also transfer Customer Data to our partners in strategic alliances in Europe, West Asia and Africa, North Asia, Southeast Asia, Southwest Pacific and the Americas for the purposes of performing any contract of service.
If you are an EU resident, where we transfer Customer Data outside the EEA, this is done either on the basis that it is necessary for the performance of the contract of service between you and Variantz, or that the transfer is subject to the European Commission’s model contracts for the transfer of personal data to third countries (i.e., the standard contractual clauses), pursuant to Decision 2004/915/EC and Decision 2010/87/EU as appropriate.
The Customer Data will also be processed by staff operating outside the EEA who work for us, for our suppliers or our business partners. Such staff are engaged in, among other things, the fulfilment of your order, the processing of your payment details and the provision of support services.
6. Non-EU Data Subject Rights
If you are not a resident in the EU, you may have certain rights in relation to the Customer Data we hold about you, which we detail below.
You have the right to know whether we process Customer Data about you, and if we do, to access Customer Data we hold about you and certain information about how we use it and who we share it with.
Where permitted by law, Variantz reserves the right to charge a reasonable administrative fee for this service. In exceptional circumstances, Variantz reserves the right to deny you access to your Customer Data and may provide an explanation as required by applicable laws.
Exceptional circumstances include (to the extent allowable under applicable law) where:
• an investigating authority or government institution objects to Variantz complying with a customer’s request;
• the information may, in the exercise of Variantz’s reasonable discretion and/or assessment, affect the life or security of an individual; and
• data is collected in connection with an investigation of a breach of contract, suspicion of fraudulent activities or contravention of law.
You have the right to correct any Customer Data held about you that is inaccurate.
Feedback and complaints
If you have any concerns, feedback or complaints about the use and/or sharing of your Customer Data, we are open to receiving your feedback or complaints.
Exercise of Rights.
To exercise any of your rights, please go to "Contact Us" for instructions.
7. EU Data Subject Rights
If you are a resident in the EU, you may have certain rights in relation to the Customer Data we hold about you, which we detail below. Some of these only apply in certain circumstances as set out in more detail below. We also set out how to exercise those rights.
These rights include:
• The right of access.
• The right of data portability.
• The right of rectification.
• The right of erasure.
• The right to restrict processing.
• The right to object.
Please note that we will require you to provide us with proof of identity before responding to any requests to exercise your rights. We must respond to a request by you to exercise those rights without undue delay and at least within one month (although this may be extended by a further two months in certain circumstances). To exercise any of your rights, please go to "Contact Us" for instructions.
In the event that you wish to make a complaint about how we process your Customer Data, please contact us and we will endeavour to deal with your request as soon as possible. This is without prejudice to your right to launch a claim with your data protection authority.
You have the right to know whether we process Customer Data about you, and if we do, to access Customer Data we hold about you and certain information about how we use it and who we share it with.
If you require more than one copy of the Customer Data we hold about you, we may charge an administration fee.
We may not provide you with certain Customer Data if providing it would interfere with another’s rights (e.g. where providing the Customer Data we hold about you would reveal information about another person) or where another exemption applies.
You have the right to receive a subset of the Customer Data we collect from you in a structured, commonly used and machine-readable format and a right to request that we transfer such Customer Data to another party.
If you wish for us to transfer the Customer Data to another party, please ensure you detail that party and note that we can only do so where it is technically feasible. We are not responsible for the security of the Customer Data or its processing once received by the third party. We also may not provide you with certain Customer Data if providing it would interfere with another’s rights (e.g. where providing the Customer Data we hold about you would reveal information about another person).
You have the right to correct any Customer Data held about you that is inaccurate. Please note that whilst we assess whether the Customer Data we hold about you is inaccurate or incomplete, you may exercise your right to restrict our processing of the applicable data as described below.
You may request that we erase the Customer Data we hold about you in the following circumstances:
• you believe that it is no longer necessary for us to hold the Customer Data we hold about you;
• we are processing the Customer Data we hold about you on the basis of your consent (please see here for the types of Customer Data we process on the basis of your consent), and you wish to withdraw your consent and there is no other ground under which we can process the Customer Data;
• we are processing the Customer Data we hold about you on the basis of our legitimate interest and you object to such processing. Please provide us with detail as to your reasoning so that we can assess whether there is an overriding interest for us to retain such Customer Data;
• you no longer wish us to use the Customer Data we hold about you in order to send you promotions, special offers, marketing and lucky draws; or
• you believe the Customer Data we hold about you is being unlawfully processed by us.
Also note that you may exercise your right to restrict our processing of the Customer Data whilst we consider your request as described below.
Please provide as much detail as possible on your reasons for the request to assist us in determining whether you have a valid basis for erasure. However, we may retain the Customer Data if there are valid grounds under law for us to do so (e.g., for the defence of legal claims or freedom of expression) but we will let you know if that is the case. Please note that after deleting the Customer Data, we may not be able to provide the same level of servicing to you as we will not be aware of your preferences.
Where you have requested that we erase Customer Data that we have made public and there are grounds for erasure, we will take reasonable steps to try to tell others that are displaying the Customer Data or providing links to the Customer Data to erase the Customer Data too.
Restriction of Processing to Storage Only.
You have a right to require us to stop processing the Customer Data we hold about you other than for storage purposes in certain circumstances. Please note, however, that if we stop processing the Customer Data, we may use it again if there are valid grounds under data protection law for us to do so (e.g. for the defence of legal claims or for another’s protection).
You may request we stop processing and just store the Customer Data we hold about you where:
• you believe the Customer Data is not accurate, for the period it takes for us to verify whether the Customer Data is accurate;
• we wish to erase the Customer Data as the processing we are doing is unlawful but you want us to just store it instead;
• we wish to erase the Customer Data as it is no longer necessary for our purposes but you require it to be stored for the establishment, exercise or defence of legal claims; or
• you have objected to us processing Customer Data we hold about you on the basis of our legitimate interest and you wish us to stop processing the Customer Data whilst we determine whether there is an overriding interest in us retaining such Customer Data.
At any time you have the right to object to our processing of Customer Data about you in order to send you promotions, special offers, marketing messages, including where we build profiles for such purposes and we will stop processing the Customer Data for that purpose.
You also have the right to object to our processing of Customer Data about you and we will consider your request. You may object where we are processing the Customer Data we hold about you (including where the processing is profiling) on the basis of our legitimate interest and you object to such processing.
Please provide us with detail as to your reasoning so that we can assess whether there is a compelling overriding interest in us continuing to process such data or we need to process it in relation to legal claims. Also note that you may exercise your right to request that we stop processing the Customer Data whilst we make the assessment on an overriding interest.
Variantz will retain Customer Data for as long as it is necessary to fulfil the purpose for which it was collected, the legal or business purposes of Variantz, or as required by relevant laws. We will usually keep your Customer Data for up to 7 years to ensure that any contractual disputes can be addressed. This includes standing requests which contain sensitive personal data about yourself. You can amend your standing request at any time to change your preferences in the future.
If you opt-out or withdraw your consent to marketing, we will remove you from our marketing database.
Variantz needs your assistance to ensure that your Customer Data is current, complete and accurate. As such, please inform Variantz of changes to your Customer Data by contacting Variantz and submitting your updated particulars to Variantz in writing (see Section 14). If you are a CyberPass member or SparkPass Participating Company, you may update your Customer Data at any time by logging on to your Website account with Variantz.
10. Security safeguards
Variantz takes the protection of your Customer Data seriously but, unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your Customer Data, we cannot guarantee the security of your Customer Data transmitted through the Website; any transmission is at your own risk.
11. Links to other websites
Variantz's Website is not directed at children under the age of 16 and Variantz cannot distinguish the age of persons who access and use our Website. If a minor (according to applicable laws) has provided Variantz with Customer Data without parental or guardian consent, the parent or guardian should contact Variantz (see Section 14) to remove the relevant Customer Data and unsubscribe the minor. If we become aware that Customer Data has been collected from a person under the age of 16 without parental or guardian consent, we will delete this Customer Data and, where that minor has an account, terminate the minor’s account.
14. Contact us
Variantz Data Privacy & Protection
6 Raffles Boulevard
Marina Square #03-308