Gapbuster Worldwide Pty. Ltd.
Level 2, 80 Dorcas St,
South Melbourne, VIC 3205, Australia
PO Box 7205, Melbourne 8004, Australia
(ABN) 25 071 857 424
(P) +61 3 9867 3477
(F) +61 3 9867 2677
(W) www.gbw.solutions
MYSTERY SHOPPER PRIVACY POLICY
This privacy policy (hereinafter: Policy) is provided to you by GAPbuster Worldwide Pty. Ltd.
("GBW", "we", "us"), located in Australia, and is applicable to the processing of personal data of
EU-based individuals. Personal data, or personal information, means any information about an
identified or identifiable individual. Data that cannot be traced back to a person (anonymous
data) is not included.
GBW qualifies as the 'controller' in terms of the EU General Data Protection Regulation (GDPR)
and we collect your personal data when you visit the GBW website
[https://kodohub.gbw.solutions/#/login OR http://xec.gbw.solutions/], when you perform
assignments and when you apply for or access your account as a mystery shopper, as well as
when you engage with us in the context of the provision of our services to you or your company.
Please read this Policy carefully to understand how we handle your personal information.
WHAT PERSONAL DATA DO WE COLLECT?
GBW collects the following information about you:
- your name, age/date of birth and gender;
- your contact details: postal address including billing and delivery addresses, telephone
  numbers (including mobile numbers) and e-mail address;
- your user name and password(s) for your account on the GBW website;
- your bank account number (IBAN) or PayPal details;
- personal data included in your correspondence and communications with GBW;
- information obtained through our use of cookies (IP addresses and device information);
- your received payments history;
- the results and outcomes of your mystery shopper activities (including evaluation, scoring and
  error history);
- demographic information to provide you with opportunities in your area; and
- any information that you voluntarily provide to us.
Most of the above personal data is collected directly from you, for example when you set up an
on-line account on our websites, or send an email to our contractor services team. Some limited
personal data is collected indirectly, for example your IP address and information about your
device, which is collected through our use of cookies.
If you fail to provide certain requested information which is necessary for us to be able to
consider your application or enter into a contract with you, we will not be able to process your
application successfully, or enter into a contract with you.
AUTOMATED DECISION MAKING & PROFILING
Your personal information will not be subject to automated decision making and profiling within
the meaning of the GDPR. We do ask you to answer certain onboarding questions during your
registration process, in order to establish eligibility for respective projects within GBW and to
mitigate any potential conflict of interest. This process is done automatically, but always with
human involvement.
HOW WE USE YOUR DATA
GBW uses your personal data:
- to onboard you as a mystery shopper;
- to manage your registered account(s) that you hold with us;
- to verify your identity (only through the use of cookies);
- for security purposes, including crime and fraud prevention, and the investigation, detection and
  prosecution thereof;
- with your agreement, to contact you via phone and electronically regarding potential jobs
  and scheduled jobs in your area;
- to enable GBW to manage contractor service interactions with you, to ensure timely payment for
  your work and to communicate with you in relation to the mystery shopper activities you perform for
  us;
- to conduct statistical analysis for our legitimate interest; and
- to ascertain eligibility for jobs.
More specific information about the types of personal data that we process for the purposes
listed above can be found in Appendix 1, as attached to this Policy.
HOW WE PROTECT YOUR DATA
Our controls
GBW is committed to keeping your personal data safe and secure.
Our security measures include:
- encryption of data;
- regular scenario planning and crisis management exercises to ensure we are ready to
  respond to cyber security attacks and data security incidents;
- penetration testing of systems;
- security controls which protect the entire GBW IT infrastructure from external attack and
  unauthorised access;
- internal policies setting out our data security approach and training for employees; and
- we will wherever possible anonymise the data to ensure it can’t be used to identify an individual.
WHAT YOU CAN DO TO HELP PROTECT YOUR DATA
GBW will never ask you to confirm any bank account details via email. If you receive an email
claiming to be from GBW asking you to do so, please ignore it and do not respond. When in
doubt, please always reach out to us first for confirmation that we are indeed the sender of
the email.
If you are using a computing device in a public location, we recommend that you always log out
and close the website browser when you complete an online session.
In addition, we recommend that you take the following security measures to enhance your online
safety both in relation to GBW and more generally:
- keep your account passwords private. Remember, anybody who knows your password
  may access your account;
- when creating a password, use at least 8 characters. A combination of letters and
  numbers is best. Do not use dictionary words, your name, email address, or other personal
  data that can be easily obtained. We also recommend that you frequently change your
  password. You can do this by accessing your account, clicking ‘your account’, clicking ‘your
  data’ and selecting ‘change password’;
- avoid using the same password for multiple online accounts.
YOUR RIGHTS
Under the GDPR, you have the following rights in relation to the personal data we process about you:
- the right to ask what personal data we hold about you (also called the 'right of access' to your
  personal data) at any time, free of charge.
  However, we may charge a ‘reasonable fee’ when a request is manifestly unfounded, or
  excessive;
- the right to ask us to rectify, update and correct any out-of-date or incorrect personal data
  that we hold about you free of charge;
- the right to ask us to erase your personal data (your 'right to be forgotten');
- the right to ask us to restrict the processing of your personal data;
- (as set out above) the right to opt out of any marketing communications that we send
  you;
- under certain circumstances, the right to request that your personal data be provided
  to you or a third party in a “structured, commonly-used and machine-readable
  format” ('right to data portability');
- the right to object to the processing of your personal data by us; and
- the right not to be subject to automated decision making and profiling.
If you wish to exercise any of the above rights, please contact us using the contact details set out
below.
LEGAL BASIS FOR GBW PROCESSING CONTRACTOR PERSONAL DATA
GENERAL
GBW collects and uses your personal data because it is necessary for:
- the pursuit of our legitimate interests (as set out below);
- the purposes of complying with our duties and exercising our rights under a contract with
  you; or
- complying with our legal obligations.
In general, we only rely on consent as a legal basis for processing in relation to sending direct
marketing communications to contractors via email or text message and in relation to certain
types of cookies on our website.
More specific information about the types of personal data that we process based on these
legal grounds can be found in Appendix 1, as attached to this Policy.
You have the right to withdraw consent at any time, either in the same way you consented,
by contacting us via the 'Contact Information' provided below or via our Shopper Enquiry Line
System (as further explained in the next paragraph). Where consent is the only legal basis for
processing, we will cease to process data after consent is withdrawn. The withdrawal of your
consent does not affect the lawfulness of the processing operations that we carried out
before the withdrawal.
WHERE DO I REQUEST MY PERSONAL DATA AND/OR WITHDRAW MY CONSENT?
Simply log into our Shopper Enquiry Line System and select the category ‘Personal Data’ under ‘New
Enquiry’, then select the relevant sub-category.
http://xec.gbw.solutions/XEEnquiry/NewEnquiry.aspx
https://kodohub.gbw.solutions/#/newenquiry
We aim to provide you with the requested information without delay and at the latest within one month
of receipt.
GBW is able to extend this one month period by a further two months where requests are
complex or numerous. If this is the case, we must inform you within one month of the receipt of
the request and explain why the extension is necessary.
OUR LEGITIMATE INTERESTS
Where we process your personal data on the legal ground 'legitimate interest', this shall
include one or more of the following interests:
- conducting our general business activities and for the effective management of our
  business;
- protecting our rights, property and business;
- protecting our contractors, employees and other individuals and maintaining their
  safety, health and welfare;
- understanding our contractors’ preferences and needs;
- improving existing services and developing new products and services;
- complying with our legal and regulatory obligations in Australia;
- preventing, investigating and detecting crime, fraud, illegal or anti-social behaviour
  and prosecuting offenders, including working with law enforcement agencies;
- handling contractor contacts, queries, complaints or disputes and to be able to ensure an efficient
  application process;
- initiating and/or responding to claims and complaints;
- carrying out marketing and sales related activities;
- effectively handling any legal claims or regulatory enforcement actions taken against GBW;
- investigating and/or engaging in a (proposed) sale, merger, acquisition or consolidation or
  a disposal of assets or business activities; and
- fulfilling our duties to our contractors, colleagues, shareholders and other stakeholders.
COOKIES
Like most websites, GBW websites use cookies to collect information. Cookies are small data files
which are placed on your computer or other devices (such as smart ‘phones or ‘tablets’) as you
browse this website. They are used to ‘remember’ when your computer or device accesses our
websites. Cookies are essential for the effective operation of our websites and to help you
schedule your jobs with us online. More information about the cookies can be found via
[https://gbw.solutions/en/privacy#anchorCookies].
HOW ARE COOKIES MANAGED?
The cookies stored on your computer or other devices when you access our websites are designed
by:
- GBW, or on behalf of GBW, and are necessary to enable you to select jobs on our website;
- third parties who participate with us in marketing programmes; and
WHAT ARE COOKIES USED FOR?
The main purposes for which cookies are used are:
For technical purposes essential to effective fraud prevention
- Track the users, so GBW can apply rotation rules and follow client expectations.
  - Mainly used for local storage of surveys (Reference to cookies)
- Track cookies for Shopper Quality purposes to avoid fraudulent activities
- Google Analytics tracks cookies for our users.
CONTACT INFORMATION
If you have any questions about how GBW uses your personal data that are not answered here,
or if you want to exercise your rights regarding your personal data, please contact us by any of
the following means:
- email: Contactus@gbw.solutions;
- phone us on: +61 3 9867 3477;
- write to us at: GBW, Lvl 4, 99 Queenbridge Street, South Melbourne, Victoria 3006, Australia
You have the right to lodge a complaint about the way we process your personal data with
your local supervisory authority, such as the Information Commissioner’s Office in the UK,
or the Dutch Data Protection Authority in the Netherlands. Further information, including
contact details, is available at http://gbw.solutions/
SHARING DATA WITH THIRD PARTIES
GBW will not disclose your personal data to any third party, except as set out below. We
will never sell or rent personal data to other organisations for marketing purposes.
We share your data with:
- governmental bodies, regulators, supervisory authorities, law enforcement agencies,
  courts/tribunals and insurers where we are required to do so (e.g. upon their legally
  binding request);
- third party service providers, banks, payment service providers and hosting providers;
- other parties (including legal advisors, attorneys, consultants and auditors) when necessary: (i)
  to comply with our legal obligations, (ii) to exercise our legal rights (for example in court cases),
  (iii) for the prevention, detection, investigation of crime or prosecution of offenders; and/or (iv)
  for the protection of our employees and contractors.
INTERNATIONAL TRANSFERS
To deliver products and services to you, it is sometimes necessary for GBW to share your data
with parties located outside of the European Economic Area (EEA). This will typically occur
when service providers are located outside the EEA. These transfers are subject to special rules
under applicable data protection laws.
If this happens, we will ensure that your personal data are adequately protected and that the
transfer will be compliant with applicable data protection laws. Our standard practice is to
perform transfer impact assessments and to enter into ‘standard data protection clauses’ with
the recipients of your data, which clauses have been approved by the European Commission for
such transfers. Those clauses can be accessed here.
In addition, we are committed to ensuring that (where required) our transfers comply with any
additional requirements or guidelines from the European Court of Justice, applicable data
protection laws and/or guidance of supervisory authorities in relation to the transfer of
personal data.
HOW LONG DO WE KEEP YOUR DATA?
We will not retain your data for longer than necessary for the purposes set out in this Policy.
Different retention periods apply for different types of data; however, the longest we will
normally hold any personal data is 7 years. For more specific information about the retention
terms that we apply, please refer to Appendix 1, as attached to this Policy.
CHANGES TO THIS POLICY
We may change this Policy from time to time. If the changes are substantial, we will always
actively inform you about them and provide you with a new version of the Policy. The date on
which the last revisions were made is included at the bottom of this Policy.
Last updated: December 2022.
APPENDIX 1 PROCESSING ACTIVITIES
The situations in which we will process your personal data are listed more specifically below.
Purpose / Personal data / Legal basis / Retention period
If you visit and use the website and/or have an account with us
Purpose: To measure and improve interest in our website, to customise your user experience according to your behaviour and interests.
Personal data:
- Data about your device and browser type
- IP address
- Data about your use of the website, web pages viewed, hyperlinks you clicked on and websites you visited before coming to our website
Legal basis: Necessary for our legitimate interests (to keep the website up-to-date and relevant) and/or based on your consent to the placement of cookies.
Retention period: For the duration of the cookie with a maximum period of 6 months or, if the processing is based on your consent, until the moment you withdraw your consent (whichever is earlier).
Purpose: To manage our website, identify problems, to protect our business, to solve problems and to prevent potentially prohibited or illegal activities (for example by checking the number of devices on which you log in or register with us).
Personal data:
- Data about your device and browser type
- IP address
- Data about your use of the Website, web pages viewed, hyperlinks you clicked on and websites you visited before coming to our Website
- Account information, such as username and password
Legal basis: Necessary for our legitimate interests (for running our business, providing IT services, ensuring network security and to prevent fraud and other prohibited activities).
Retention period: For the duration of the cookie with a maximum period of 6 months or, if the processing is based on your consent, until the moment you withdraw your consent (whichever is earlier). When you have an account with us, we will retain the data for the duration of your account; until the moment you delete your account or for a period of [2 years] since your latest login to the Platform. Longer retention is only possible if necessary in connection with legal proceedings or legal obligations.
When performing assignments and/or interacting with us (e.g. through your account) as a mystery shopper
Purpose: To connect you with our client(s) and provide you with new mystery shopping assignments.
Personal data:
- your name, age/date of birth and gender
- your contact details
- your password(s)
- your account or PayPal details
- your correspondence and communications with GBW
- source tracking for legitimate verification purposes
- your payment history
- evaluation, scoring and error history
- demographic information
- any information that you voluntarily provide to us
Legal basis: Necessary for the performance of our contract with you or necessary for our legitimate interest (business improvement and continuity purposes).
Retention period: For the duration of the contract with you and/or the period you have an account with us, and [2 years] after termination of the contract and/or account.
Purpose: For administrative purposes in relation to our mystery shopping services, to pay fees we owe to you, to administer your account with us and to provide you with access to the website and the mystery shopping portal and to check your identity for this purpose.
Personal data:
- your name, age/date of birth and gender
- your contact details
- your password(s)
- your account or PayPal details
- your correspondence and communications with GBW
- source tracking for legitimate verification purposes
- your payment history
- evaluation, scoring and error history
- demographic information
- any information that you voluntarily provide to us
Legal basis: Necessary for the performance of our contract with you or necessary to comply with our legal obligations (administrative obligations).
Retention period: For the duration of the contract with you and/or the period you have an account with us, and [2 years] after termination of the contract and/or account. If we are legally obliged to retain the data to comply with our legal obligations, for a maximum period of [7 years] after the end of the contract with you.
Purpose: To manage our relationship with you and to communicate with you regarding the services, your questions or comments and to notify you about our changes to our Policy or applicable terms.
Personal data:
- your name, age/date of birth and gender
- your contact details
- your correspondence and communications with GBW
- evaluation, scoring and error history
- any information that you voluntarily provide to us
Legal basis: Necessary for our legitimate interests to protect our business and rights or necessary to comply with our legal obligations (e.g. to cooperate with law enforcement and regulators).
Retention period: For the duration of the contract with you and/or the period you have an account with us, and [2 years] after termination of the contract and/or account, unless a longer retention period is required to comply with regulatory requirement or defend or prosecute legal claims.
Purpose: To notify you about promotions and special offers, as well as the services we offer that may be of interest to you.
Personal data:
- your name, age/date of birth and gender
- your contact details
- your correspondence and communications with GBW
- any information that you voluntarily provide to us
Legal basis: Necessary for our legitimate interests (i.e. to be able to carry out marketing-related activities) or your consent for receiving marketing messages.
Retention period: For the duration of the contract with you and/or the period you have an account with us, and [2 years] after termination of the contract and/or account. Where the processing is based on your consent, until the moment you withdraw consent (whichever is earlier).
If you interact with us as an employee on behalf of one of our clients (requesting mystery shopping services)
Purpose: To manage our relationship with you and/or your employer and to communicate with you regarding the services, your questions or comments and to notify you about our changes to our Policy or applicable terms.
Personal data:
- your name, age/date of birth and gender
- your contact details
- your correspondence and communications with GBW
- evaluation, scoring and error history
- any information that you voluntarily provide to us
Legal basis: Necessary for our legitimate interests to protect our business and rights or necessary to comply with our legal obligations (e.g. to cooperate with law enforcement and regulators).
Retention period: For the duration of [2 years] after the end of our contract with you / your employer, unless a longer retention period is required to comply with regulatory requirement or defend or prosecute legal claims.
Purpose: For administrative purposes in relation to our services, to administer your account with us and to provide you with access to your account.
Personal data:
- your name, age/date of birth and gender
- your contact details
- your password(s)
- your account or PayPal details
- your correspondence and communications with GBW
- any information that you voluntarily provide to us
Legal basis: Necessary for the performance of our contract with you / your employer, or necessary to comply with our legal obligations (administrative obligations).
Retention period: For the duration of the contract with you and/or the period you have an account with us, and [2 years] after termination of the contract and/or account. If we are legally obliged to retain the data to comply with our legal obligations, for a maximum period of [7 years] after the end of the contract with you.
Purpose: To notify you about promotions and special offers, as well as the services we offer that may be of interest to you.
Personal data:
- your name, age/date of birth and gender
- your contact details
- your correspondence and communications with GBW
- evaluation, scoring and error history
Legal basis: Necessary for our legitimate interests (i.e. to be able to carry out marketing-related activities) or your consent for receiving marketing messages.
Retention period: For the duration of the contract with you and/or the period you have an account with us, and [2 years] after termination of the contract and/or account. Where the processing is based on your consent, until the moment you withdraw consent (whichever is earlier).