Privacy Policy

This privacy notice applies to all personal information we collect or process about you. Personal information is information, or a combination of pieces of information that could reasonably allow you to be identified.

By using this site, you agree with the terms of this Privacy Policy. Whenever you submit information via this site, you consent to the collection, use, and disclosure of that information in accordance with this Privacy Policy. In the event that we transfer the business (in whole or in part) to another entity, you also agree that your data may be transferred to such new entity.

This privacy notice is effective from and including 25 May 2018. It may vary from time to time so please check it regularly.

Personal information we use

We will collect personal information about you from a variety of sources, including information we collect from you directly (e.g. when you contact us) and information we collect about you from other sources, described below.

You will be informed at each information collection point what information is required and what information is optional.

Note that we may be required by law to collect certain personal information about you, or as a consequence of any contractual relationship we have with you. Failure to provide this information may prevent or delay the fulfilment of our obligations.  We will inform you at the time your information is collected whether certain data is compulsory and the consequences of the failure to provide such data.

Information we collect directly from you

• When you visit our websites the web server collects some basic information such as your browser type, MAC or IP address, internet service provider’s domain name, which pages you accessed on the site, and when.
• As you navigate through a Web site, certain information can be passively collected (that is, gathered without your actively providing the information) using various technologies and means, such as Internet Protocol addresses, cookies, Internet tags, and navigational data collection.

This site may use Internet Protocol (IP) addresses. An IP Address is a number assigned to your computer by your Internet service provider so you can access the Internet and is generally considered to be non-personally identifiable information, because in most cases an IP address is dynamic (changing each time you connect to the Internet), rather than static (unique to a particular user’s computer). We use your IP address to diagnose problems with our server, report aggregate information, determine the fastest route for your computer to use in connecting to our site, and administer and improve the site.

A “cookie” is a bit of information that a Web site sends to your Web browser that helps the site remember information about you and your preferences. This site does not use cookies.

“Session” cookies are temporary bits of information that are erased once you exit your Web browser window or otherwise turn your computer off. Session cookies are used to improve navigation on Web sites and to collect aggregate statistical information. This site does not use session cookies.

“Persistent” cookies are more permanent bits of information that are placed on the hard drive of your computer and stay there unless you delete the cookie. Persistent cookies store information on your computer for a number of purposes, such as retrieving certain information you have previously provided (e.g., passwords), helping to determine what areas of the Web site visitors find most valuable, and customizing the Web site based on your preferences. This site does not use persistent cookies.

“Internet tags” (also known as single-pixel GIFs, clear GIFs, invisible GIFs, and 1-by-1 GIFs) are smaller than cookies and tell the Web site server information such as the IP address and browser type related to the visitor’s computer. This site does not use Internet tags.

“Navigational data” (“log files,” “server logs,” and “clickstream” data) are used for system management, to improve the content of the site, market research purposes, and to communicate information to visitors. The information collected for these purposes is the IP address that requested the web page. This site uses navigational data.

• Where you sign up for a newsletter, fill out a feedback form, complete a “contact us” form, enter a competition or complete an application form we collect personal information such as your email address, name, contact number, postcode and date of birth. Not all fields are mandatory, and provision of the information is optional but if you provide less information this may limit your use of our online and offline services. Where you enter a competition or promotion we may share your details with the retailers from time to time at the property to which the competition relates.  This will be made clear to you at the time you sign up to the competition or promotion in individual terms and conditions.
• Where you register online or place an order for a gift card we, or a third party service provider on our behalf, collect your name email address, billing and delivery address, phone number and credit or debit card details. These details may be shared between data controllers, for example when you agree to sign up to the Liverpool ONE newsletter; name, email, date of birth and postcode is transferred into the database management system.
• When we send emails to you we review whether these have been opened and whether you have clicked on any links within these. We will also use cookies to track your behaviour on our website to ensure we continue providing relevant content.
• When you download and use our mobile app or use our website we collect information on your location at the time of use. This occurs whether or not you have used the Wi-Fi at the centre.  To opt out of the collection of your MAC or IP address and location turn off your device’s Wi-Fi and Bluetooth capabilities. When you login to our centre Wi-Fi we collect your location, personal information entered which may include social media profiles – used to sign up. This information is used to understand customer movement around the centre, if you agree to signup to the Liverpool ONE newsletter information including: first and last name, email address, postcode and date of birth is transferred via an API feed into our central database.
• You may be asked to complete a survey or questionnaire either directly at our centres or via email, SMS or post and in doing so we may ask for details such as your age, gender and postcode. The information captured is for research purposes and so we can understand the type of visitors coming to our centre to help improve our offer.
• We occasionally stream videos on social media, such as Facebook and Instagram live, and take and display photography on our website and social media of members of the public using and enjoying our centre. Photography and video will be used by third parties to promote Liverpool ONE and the experience available within the centre. We inform members of the public of the possibility or photography, and video through the signs placed around the centre or building.
• We operate CCTV at our centre, and at times our team may operate body worn recording equipment for the purposes of public safety, crime prevention and prosecution, insurance, property management. In some circumstances we may share this footage with third parties for the purposes of public safety, crime prevention and prosecution.
• Where we own a building, we capture personal data within the system which controls access to our buildings. This comprises personal data of people who work in a building and those who visit or occupy it. This may include name, occupation, employer and contact details.  In relation to access control and visitor data where the data relates to us, we consider ourselves to be the data controller.  Where the personal data relates to our tenants’ staff, contractors or visitors, our tenants may also be data controllers depending on the circumstances.
• Where we do not own a building but we provide property management services for the building owner and/or we provide access control system services for the building owner we capture personal data within the access control system. This comprises personal data of people who work in a building and those who visit or occupy it and includes name, occupation, employer and contact details.  The data controller in these situations will be the building owner or the tenants of the building owner and we are a data processor.
• Where we own a building or we provide property management services for a building owner we collect data on accidents in order to comply with health and safety legislation.
• Where you are a tenant living at one of our buildings you provide us with personal data such as references and financial information, identity documentation, your contact details and the contact details of your next of kin, bank account details and information relevant to health and safety matters at the building (such as any difficulty you may have in using the stairs in the event of a fire). This is so that we can assess your suitability to be a tenant, allow you to pay the sums due under your lease and manage our buildings.
• Where you are a commercial tenant you provide us with personal data such as financial and business information, contact details and bank account details. This is so that we can assess your suitability to be a tenant, allow you to pay the sums due under your lease and manage our buildings.
• Where you work for a tenant within the centre we may be provided with your contact details by your employer or yourself. This information will be used to liaise regarding estate management matters including key holders for emergencies. Your personal information (upon your agreement) will be used to communicate marketing and commercialisation opportunities and to liaise about estate management matters. Tenant employee information will be stored on locked databases within the Liverpool ONE management suite and via ONE View, our retailer communications app.
• Where we provide property management services for a third party landlord (who is not us) we can be provided with personal data on tenants and their employees where this is necessary for us to carry out these services. We are not the data controller in these circumstances and are a data processor for the third party landlord.

Information we collect from other sources:

• If you use the Wi-Fi networks in our centre, the Wi-Fi provider will collect personal information about you, such as your name, email address and postcode, which is required in order for you to log onto the Wi-Fi network. This is then shared with us and moved into our database upon newsletter opt-in.  Although database subscription is based on an opt-in procedure, we will always give you an option to unsubscribe from all marketing communications from us in each email that we send to you.
• If you access one of the Wi-Fi networks in our using your social media, such as Twitter or Facebook, Instagram, or other online accounts, we are also provided with the data that is shared by your social media/online provider. Information on what personal data is being shared should be available to you from your own social media/online provider.
• Through your use of the Wi-Fi networks in our centre data is also collected and shared with us which shows how often, how long and from where you are accessing the Wi-Fi and your movements within a centre/ building and your browsing history.
• Third party car park operators which are not part Liverpool ONE. CCTV and ANPR (Automatic Number Plate Recognition) cameras at may be in operation within car parks at our properties. These carparks will display signs at the locations where this is used showing that it is in operation. Our car park operators can obtain the name and address of an individual from the Driver and Vehicle Licensing Agency (DVLA) for parking enforcement purposes. In most cases our car park operators are controllers of your number plate data when they use it to manage the terms and conditions of use of car parks at our sites including using it to apply parking charges for cars which outstay their allotted time.  When car park operators are controllers for these purposes we are not responsible for the way in which our car park operators use your ANPR data. Please see their privacy notices for further information on how they handle your personal information. Liverpool ONE does not use this personal information as part of our marketing or profiling.
• Our footfall counter operators use detectors to count the volumes of customers using our centre and entries into stores always. We do not operate facial recognition or collect personal information. The third-party operator of this software is the data owner and processer. Non-personal information is provided to Liverpool ONE in an aggregated format.
• We use social media such as Facebook, Twitter and Instagram either ourselves or through third party advertising agencies, to carry out digital advertising on the profiles of users who we think may be interested in our advertising campaigns based on events of ours that they have attended, what marketing communications they have subscribed to and which parts of our website they have visited or users who are in a similar demographic to our marketing persons. Advertisers will also use your publicly accessible information such as pages you like, other events attended. Information on how advertising is shown to you should be available from your own social media provider.

How we use your personal information and the basis on which we use it

We use your personal information to:

• provide and personalise our services;
• deal with your enquiries and requests;
• comply with legal obligations to which we are subject and cooperate with regulators and law enforcement bodies;
• contact you with marketing and offers relating to products and services offered by us and our tenants (unless you have opted out of marketing, or we are otherwise prevented by law from doing so);
• personalise the marketing messages and offers we send you to make them more relevant and interesting;
• to contact you for research purposes, where you have consented to us doing so, in order to understand what you think of our sites and how we can improve them;
• maintain the quality of our websites and to analyse the use of our websites in order to help guide improvements;
• to better design and optimise the centre to improve the experience of our consumers;
• drive our insights, research and data analytics programme. This is used for research, analysis, testing, monitoring, risk management and administrative purposes and to develop our business, inform business decision making and support the purposes identified elsewhere in this section by collecting statistics, traffic patterns, information on the movement around our centre, demographics, customer satisfaction, geographic catchment, shopper analysis, retail mix, centre performance including footfall and identifying shopping trends.
• we contract with third parties which in certain circumstances will be controllers of your personal data and responsible for managing it properly and in others will be processors who deal with your personal data in accordance with our instructions. Whether a third party supplier (who is not us) is a processor or controller of your personal data depends on the facts and where we appoint a third party processor of your personal data we will put a framework around what we expect them to do with it and how they manage it.  We have identified in paragraphs 1.1(c) (payments), 1.1(i) and (j) (access control) certain cases where third parties are controllers of your personal data.

We must have a legal basis to process your personal information. In most cases the legal basis will be one of the following:

• to fulfil our contractual obligations to you, for example to fulfil the terms of a competition or promotion that you have entered or to provide you with information you have requested;
• to comply with our legal obligations to you, for example health and safety obligations while you are on our premises, or to a third party (e.g. the police)
• to meet our legitimate interests, for example to understand how you use our services and our centre and to enable us to derive knowledge from that which in turn enables us to develop new services and further tailor our centre to appeal to a wide variety of persons. When we process personal information to meet our legitimate interests, we put in place robust safeguards to ensure that your privacy is protected and to ensure that our legitimate interests are not overridden by your interests or fundamental rights and freedoms.

We may obtain your consent to collect and use certain types of personal information when we are required to do so by law (for example, in relation to our direct marketing activities, Cookies or when we process sensitive personal information). If we ask for your consent to process your personal information, you may withdraw your consent at any time by contacting us using the details at the end of this privacy notice.

Your rights over your personal information

You have certain rights regarding your personal information, subject to local law. These include the following rights to:

• access your personal information
• rectify the information we hold about you
• erase your personal information
• restrict our use of your personal information
• object to our use of your personal information
• receive your personal information in a usable electronic format and transmit it to a third party (right to data portability)
• lodge a complaint with your local data protection authority.

If you would like to discuss or exercise such rights, please contact us at the details below.

We encourage you to contact us to update or correct your information if it changes or if the personal information we hold about you is inaccurate.

We will contact you if we need additional information from you in order to honour your requests.

Automated decisions about you

We make automated decisions about you based on your personal information in the following circumstances:

• to select personalized offers, discounts or recommendations to send you based on your browsing history; and
• to personalise the marketing messages we send you to make them more relevant and interesting.

These types of decisions will not have legal or similar effects for you, but you can still contact us for further information.

Information Sharing

We may share your personal information with third parties under the following circumstances:

• Service providers and business partners. We may share your personal information with our service providers and business partners that perform marketing services and other business operations for us. For example, your personal data will be transferred to our third-party database management system Act-On.
• Law enforcement agency, court, regulator, government authority, insurer or other third party. We may share your personal information with these parties where we believe this is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights or the rights of any third party or to put in place insurance for our centres and other buildings.
• We may share non-personally identifiable information with third parties such as data profiling agencies, partner companies, customers, tenants and suppliers, for example to show trends of our centre and online profiles including website, app and social media channels.

Information Security and Storage

We implement technical and organisational measures to ensure a level of security appropriate to the risk to the personal information we process. These measures are aimed at ensuring the on-going integrity and confidentiality of personal information. We evaluate these measures on a regular basis to ensure the security of the processing.

We will keep your personal information for as long as we have a relationship with you. Once our relationship with you has come to an end, we will make the necessary steps to ensure your details are removed from our systems or suppressed on request. An unsubscribe from marketing communications will result in your personal data being transferred to a suppression list for twelve months then deleted unless you choose to opt-in again via any of the methods detailed above..  A right to be forgotten request will mean the deletion of all personal information held about you from our marketing database or relevant.

If there is any information that we are unable, for technical reasons, to delete entirely from our systems, we will put in place appropriate measures to prevent any further processing or use of the data.

International Data Transfer

Your personal information may be transferred to, stored, and processed in a country that is not regarded as ensuring an adequate level of protection for personal information under European Union law / by the European Commission.  Where this is the case we have put in place appropriate safeguards (such as contractual commitments) in accordance with applicable legal requirements to ensure that your data is adequately protected. For more information on the appropriate safeguards in place, please contact us at the details below.

Links to Other Web Sites

This site may contain links or references to other Web sites. If you use such links or references you will leave this site. Please be aware that we do not control other Web sites and that, in any case, this Privacy Policy does not apply to those Web sites. We encourage you to read the privacy policy of every Web site you visit.

Contact Us

If you have questions or concerns regarding the way in which your personal information has been used, please contact data@liverpool-one.com.

Our Data Protection Officer can also be contacted at data@liverpool-one.com

We are committed to working with you to obtain a fair resolution of any complaint or concern about privacy. If, however, you believe that we have not been able to assist with your complaint or concern, you have the right to make a complaint to the data protection authority of the United Kingdom using their website https://ico.org.uk/.

Company Registration Details

Liverpool ONE Management Company Limited registered in England

06444922 Registered Office: York House, 45 Seymour Street, London, W1H 7LX

Changes to the Policy

You may request a copy of this privacy notice from us using the contact details set out above. We may modify or update this privacy notice from time to time.

24 May 2018