Privacy & Data Collection Policy

This policy sets out how Smokemart & GiftBox uses and protects any information that you give us while using this website. Smokemart & GiftBox is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using this website, then you can be assured that it will only be used in accordance with this privacy statement.

What we collect

We may collect the following information:

  • name
  • contact information including email address
  • demographic information such as postcode, preferences and interests
  • other information relevant to customer surveys and/or offers

For the exhaustive list of cookies we collect see the List of cookies we collect section.

What we do with the information we gather

We require this information to understand your needs and provide you with a better service, and in particular for the following reasons:

  • Internal record keeping.
  • We may use the information to improve our products and services.
  • We may periodically send promotional emails about new products, special offers or other information which we think you may find interesting using the email address which you have provided.
  • From time to time, we may also use your information to contact you for market research purposes. We may contact you by email, phone, fax or mail. We may use the information to customise the website according to your interests.

Security

We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.

How we use cookies

A cookie is a small file which asks permission to be placed on your computer's hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.

We use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.

Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us. You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.

Links to other websites

Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.

Controlling your personal information

You may choose to restrict the collection or use of your personal information in the following ways:

  • whenever you are asked to fill in a form on the website, look for the box that you can click to indicate that you do not want the information to be used by anybody for direct marketing purposes
  • if you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind at any time by letting us know using our Contact Us information

We will not sell, distribute or lease your personal information to third parties unless we have your permission or are required by law to do so. We may use your personal information to send you promotional information about third parties which we think you may find interesting if you tell us that you wish this to happen.

You may request details of personal information which we hold about you under the Data Protection Act 1998. A small fee will be payable. If you would like a copy of the information held on you please email us this request using our Contact Us information.

If you believe that any information we are holding on you is incorrect or incomplete, please write to or email us as soon as possible, at the above address. We will promptly correct any information found to be incorrect.

List of cookies we collect

The table below lists the cookies we collect and what information they store.

Cookie Name Cookie Description
FORM_KEY Stores randomly generated key used to prevent forged requests.
PHPSESSID Your session ID on the server.
GUEST-VIEW Allows guests to view and edit their orders.
PERSISTENT_SHOPPING_CART A link to information about your cart and viewing history, if you have asked for this.
STF Information on products you have emailed to friends.
STORE The store view or language you have selected.
USER_ALLOWED_SAVE_COOKIE Indicates whether a customer allowed to use cookies.
MAGE-CACHE-SESSID Facilitates caching of content on the browser to make pages load faster.
MAGE-CACHE-STORAGE Facilitates caching of content on the browser to make pages load faster.
MAGE-CACHE-STORAGE-SECTION-INVALIDATION Facilitates caching of content on the browser to make pages load faster.
MAGE-CACHE-TIMEOUT Facilitates caching of content on the browser to make pages load faster.
SECTION-DATA-IDS Facilitates caching of content on the browser to make pages load faster.
PRIVATE_CONTENT_VERSION Facilitates caching of content on the browser to make pages load faster.
X-MAGENTO-VARY Facilitates caching of content on the server to make pages load faster.
MAGE-TRANSLATION-FILE-VERSION Facilitates translation of content to other languages.
MAGE-TRANSLATION-STORAGE Facilitates translation of content to other languages.

Privacy Policy

Privacy Policy – Viva Energy Retail SMGB Pty Ltd
Last updated: 1 July 2024

Purpose of policy
1.1 Viva Energy Retail SMGB Pty Ltd (ABN 44 670 895 904) and its related entities (SMGB, we, us, our) values your privacy. This Policy sets out how your personal information is collected, used, and disclosed.

1.2 The Websites and Apps covered by this Policy include:
(a) smokemart.com.au;
(b) giftbox.com.au.

1.3 From time to time, the current version will always be available at otr.com.au. If we change this Policy in any material way, we will post a notice on our Websites and Apps (as relevant) along with the updated Policy. We may also contact you via your contact information we hold on file, for example by email or some other equivalent measure. You may also obtain a copy of the current version of our Policy by contacting us at any time.

1.4 We encourage you to read this Policy each time you deal with us so that you are aware of any changes made to it.

1.5 In this Policy, we use the term:
(a) ‘physical customers’ to refer to individuals who visit us at our consumer retail stores, whether or not they receive goods and services from our consumer retail stores;
(b) ‘online customers’ to refer to individuals who use our Websites and Apps to view our goods and services, and who receive goods and services from us via our retail Website and Apps;
(c) ‘commercial customers’ to refer to individuals who purchase commercial and wholesale goods and services from us or who borrow commercial plant and equipment from us, and individuals at businesses who purchase commercial and wholesale goods or services from us;
(d) ‘suppliers’ to refer to individuals who provide us with goods or services, and individuals at businesses who provide us with goods or services;
(e) ‘participants’ to refer to individuals who participate in competitions we hold or attend events we hold;
(f) ‘members’ to refer to individuals who join any of our membership programs or clubs;
(g) ‘users’ to refer to individuals who subscribe to our newsletters, engage with us on social media platforms, or who enquire about our goods and services via electronic means; and
(h) ‘applicants’ to refer to individuals who apply for employment or other engagement with us.

1.6 In some circumstances, you may belong to more than one of these groups, and multiple sections of this Policy will then apply to you.

What is Personal Information, and what do we collect?
2.1 Personal Information is any information or opinion about you that identifies you or is capable of identifying you, even if the information is not true, and whether or not it is in physical form.

2.2 Sensitive Information is a subset of Personal Information and includes information or opinion about such things as an individual's racial or ethnic origin, political opinions, membership of a political association, religious or philosophical beliefs, membership of a trade union or other professional body, criminal record or health information, and biometric information (that is, data derived from your physical characteristics, such as a fingerprint) and biometric templates (that is, a stored digital template of biometric information, such as a fingerprint or retina scan).

2.3 The kinds of Personal Information we collect about you depends on our relationship with you, and we limit the information we collect to what is reasonably necessary for one or more of our functions or activities. Generally, we will collect your name, commentary or opinion about you, and other information relevant to providing you with the information, goods and services you or someone on your behalf are seeking.

2.4 If you are a physical customer: we may also collect CCTV images and audio of you, your vehicle and your vehicle’s registration number. We will only collect your name and contact details if you provide them to us in relation to a query or complaint. Identifiable transaction details are collected by third party payment gateways and are not stored by us. We may collect Sensitive Information from you in the form of a biometric template of your face, collected via CCTV images and used in conjunction with facial recognition technology.

2.5 If you are an online customer: we may also collect your contact details, email address, payment details, delivery address and instructions, details related to your online shopping experience, and information about your use of our Website and Apps and the device you are using (including numbers that identify your device, IP address, geographic location of your IP address, and of your device where that is relevant to the goods, services and information we are providing, cookie information, and user preferences). You may choose to enable or disable information you share with us via the Website or App in your browser or device settings. Disabling the sharing of some information may affect your ability to use certain features of the Website or App, and your user experience generally.

2.6 If you are a commercial customer: we may also collect your contact details, ABN (if applicable), business name, information about your role, and your date of birth and drivers licence (for sole trader and partnership borrowers of our equipment, for the purpose of registering our security interest on the PPSR).

2.7 If you are a supplier: we will also collect your contact details, ABN, business name, bank account details (for payment of your invoices), and information about your role.

2.8 If you are a participant: we will generally only collect your name and contact details, however some competitions, surveys, market research and events we run require us to collect additional information about you, for example, participating in events with catering may require you to provide us with your dietary requirements. We will notify you at the time if we need to collect more information, and the reasons for collecting it.

2.9 If you are a member: we will also collect your contact details, information contained in your membership application, and information related to your member interactions with us.

2.10 If you are a user: we may also collect your email address, social media account name and contact details, any images or videos shared with us via social media, details of your enquiries and feedback, and information about your interaction with us through social media.

2.11 If you are an applicant: depending on your potential or actual position with us, we will also generally collect your Personal Information contained within an application and CV/resume, employment history, personal information derived from a reference, personal information derived from an interview, personal information derived through testing (including psychometric or aptitude testing), licences and other certificates and qualifications, and information included in a passport, birth certificate, visa or other documentation demonstrating your right to work in Australia.

2.12 We support your ability to make decisions about the Personal Information you provide to us, however if you choose not to provide us with the information requested, or it is incomplete or inaccurate, we may not be able to provide you with the information, goods and services you are seeking. If you are an applicant, refusal to provide personal information may mean we are unable to process your application.

How we collect Personal Information
3.1 We will generally collect Personal Information directly from you when you interact with us, such as in person, by email, by phone, by enquiry or feedback form, or via our Website and Apps, social media channels, interviews (via any method), any of our standard forms (including application forms, membership forms, etc), contract negotiation, our employment and engagement application process, our surveys (where applicable), registration and attendance at our events, facilities and accommodation, or any other means when you provide us with your Personal Information.

3.2 We may also need to collect Personal Information about you from third parties from time to time where it is necessary for us to do so and it is unreasonable or impractical to collect directly from you, where you have consented to us doing so, or where we are otherwise required to or authorised to by law. Those third parties include:
(a) if you are a supplier or commercial customer: publicly available records such as the Australian Securities Investment Commission, Australian Business Register, Australian Financial Security Authority (PPSR), and land titles offices;
(b) if you are a physical customer or online customer: third party payment gateways, law enforcement agencies, and licence plate recognition providers;
(c) if you are an online customer or user: technology service providers and social media platforms;
(d) if you are an applicant: referees when they provide references, academic institutions or training and certification providers, providers of licence and background-checking services, recruiters and other service providers who assist in the engagement process, and other publicly available sources such as social media platforms.

3.3 Except as otherwise permitted by law, we only collect Sensitive Information about you if you consent to the collection of the information and if it is reasonably necessary for the performance of our functions and activities. Consent may be implied by the circumstances existing at the time of collection – for example, if you enter one of our physical stores where signs prior to your entry indicate that CCTV is in use, and that facial recognition technology is in use. There may also be circumstances under which we may collect Sensitive Information without your consent, as required or authorised by law.

3.4 When we collect information from you, we will take reasonable steps to inform you about the purposes for collection, the main consequences if you don’t provide the requested information, the other entities to which we usually disclose the information, and whether we are likely to disclose your information to overseas recipients.

3.5 If you provide us with Personal Information about someone else, you must ensure that you are authorised to disclose that information to us and that, without us taking any further steps required by applicable privacy laws, we may collect, store, use and disclose such information for the purposes described in this Policy. Where we request you to do so, you must assist us with any requests by the individual to access or update the Personal Information you have collected from them and provided to us.

How we store and protect Personal Information
4.1 We store your Personal Information in different ways, including in paper and electronic form. We take all reasonable measures to ensure your Personal Information is stored on secure servers (which may be based in Australia or overseas) in a manner that reasonably protects it from interference, misuse and loss and from unauthorised access, modification or disclosure, including electronic and physical security measures, including:
(a) limiting access to the Personal Information we collect about you;
(b) only providing access to personal information once proper identification has been given;
(c) imposing confidentiality requirements on our employees; and
(d) requiring third party providers to have acceptable security measures to keep Personal Information secure.

4.2 When we no longer need your Personal Information for the purpose for which we collected it, we will take reasonable steps to destroy or permanently de-identify your Personal Information. However, most of the Personal Information is or will be stored and kept by us for a minimum of seven years (unless legislation requires us to destroy or permanently de-identify it sooner).

4.3 Despite the reasonable steps we take to secure your Personal Information, if you provide any Personal Information to us via our Website, Apps and online services (including email) or if we provide Personal Information to you by such means, the privacy, security and integrity of your Personal Information cannot be guaranteed during its transmission unless we have indicated beforehand that a particular transaction or transmission of information will be protected (for example, by encryption).

Why we collect, hold, use and disclose Personal Information
5.1 The Personal Information we collect and hold about you depends on your interaction with us and our relationship with you. Generally, we will collect, use, and hold your Personal Information if it is reasonably necessary for or directly related to the performance of our functions and activities, and:
(a) to facilitate our internal business operations, including:
(i) establishing our relationship with you;
(ii) maintaining, managing and developing our relationship with you and communicating with you in the ordinary course of that relationship (including responding to enquiries, information requests, feedback or complaints);
(iii) updating your Personal Information, including destroying or de-identifying it when it is no longer required;
(iv) fulfilling our legal requirements;
(v) analysing our goods and services and customer and supplier needs with a view to developing new or improved goods, services, and business operations;
(vi) conducting market research, monitoring use of our goods and services, and creating aggregated de-identified data about use of our goods and services, Website and Apps;
(vii) contacting you to ask about your experiences with, or impressions of, our products or services, or to provide a testimonial for us (where applicable);
(viii) if you are an online customer or user: streamlining and personalising your experience within our Website and Apps, tailoring our information, goods and services for you, and remarketing (targeting online advertising and direct marketing to you based on your use of our Website and Apps);
(ix) if you are an applicant: considering your application;
(b) to provide you with information about other goods and services that we or our related entities and other affiliated organisations offer that may be of interest to you. You may unsubscribe from our mailing/marketing lists at any time by using the unsubscribe feature on any emails we send, or otherwise by contacting us in writing. We do not use your Sensitive Information for direct marketing purposes; and
(c) for any other purpose identified at the time of collection.

5.2 We may use Personal Information for secondary purposes where it would be reasonable to expect us to do so, and that secondary purpose is related (or directly related in the case of Sensitive Information) to the primary purpose set out above.

Who we disclose Personal Information to
6.1 We generally disclose your Personal Information for the purposes for which it was collected (set out above). We may disclose Personal Information about you to:
(a) our related entities within the OTR Group;
(b) our employees, contractors, consultants, and volunteers who require the information to assist us with the purposes for which it was collected;
(c) government departments and agencies where required by law;
(d) third party service providers who assist us in operating our business and providing information, resources, goods and services to you or someone else on your behalf (including marketing campaign providers, market research providers, mail processing providers, printers, IT and technology service providers, recruitment providers, and professional advisers such as lawyers, accountants, and auditors);
(e) third parties to whom you have agreed we may disclose your information and where the information was collected from you (or from a third party on your behalf) for the purposes of passing it on to the third party; and
(f) any other entity as otherwise required or authorised by law, including regulatory bodies.

6.2 We may also disclose Personal Information for secondary purposes where it would be reasonable to expect us to do so, and that secondary purpose is related (or directly related in the case of Sensitive Information) to the primary purpose.

6.3 Where we disclose Personal Information to a third party service provider, we take reasonable steps to ensure these service providers have appropriate security for your Personal Information and use it only for the purposes for which it was collected.

6.4 We may expand or reduce our business, and this may involve the sale and/or transfer of control of all or part of our business. Personal Information, where it is relevant to any part of the business for sale and/or transfer, may be disclosed to a proposed new owner or newly controlling entity for their due diligence purposes, and upon completion of a sale or transfer, will be transferred to the new owner or newly controlling party to be used for the purposes for which it was provided.

Overseas disclosure
7.1 We are assisted by a variety of external service providers to operate our business and to provide you or someone else on your behalf with the information, resources, goods and services sought. Some of these service providers may be located overseas, and while there are too many to expressly name, they include Microsoft located in the United States.

7.2 We take reasonable steps to ensure these service providers have appropriate security for your Personal Information and use it only for the purposes for which it was collected.

Third party websites and advertising
8.1 Our Websites, Apps, and online services (including email messages we send to you) may contain links to other websites maintained by a third party (other services). Other services may link to our websites and online services. If you click on a link to another site maintained by a third party they are no longer subject to this Policy. We are not responsible for the privacy practices of the organisations that operate those other services, and by providing such links we do not endorse or approve the other services. We have no responsibility for linked websites owned or operated by a third party and provide them solely for your information and convenience. We specifically disclaim responsibility for their content, privacy practices and terms of use, and we make no endorsements, representations or warranties about their accuracy, content, or thoroughness. Your disclosure of personal information to third party websites is at your own risk.

8.2 We may allow third parties to use cookies or other tracking technologies to collect non-personal information about your use of our Websites and Apps, including your IP address, pages viewed and conversion information. This information may be used, among other purposes, to deliver advertising targeted to your interests and to better understand the usage and visitation of our Websites, Apps, and other websites tracked by these third parties. This Policy does not apply to, and we are not responsible for, third party “cookies” or other tracking technologies. We encourage you to check the privacy policies of advertisers and/or ad services to learn more about their privacy practices.

How you can access and correct Personal Information
9.1 You may access the Personal Information we hold about you, subject to certain exceptions. If you wish to access your Personal Information, please contact us via the below:
Mail: Privacy Officer, Level 16 720 Bourke Street, Docklands VIC 3008
Email: privacy@otr.com.au
Phone: +61 8 8333 5777

9.2 We endeavour to respond within 30 days, but will otherwise respond within a reasonable period. We may decline a request for access to personal information in circumstances prescribed by the Privacy Act, and if we do, we will give you a written notice that sets out the reasons for the refusal (unless it would be unreasonable to provide those reasons), including details of the mechanisms available to you to make a complaint.

9.3 We will not charge any fee for your access request but may charge an administrative fee for providing a copy of your Personal Information. We will notify you in advance of any applicable fees.

9.4 In order to protect your Personal Information, we will require identification from you before releasing the requested information.

9.5 If you believe the information we hold about you is incomplete, not up to date, or is inaccurate, please advise us as soon as practicable. We will take reasonable steps to correct the information if we agree that it is incomplete, out of date, or inaccurate. We endeavour to process any request within 30 days.

9.6 If we refuse to correct your Personal Information, we will give you a written notice that sets out our reason for our refusal (unless it would be unreasonable to provide those reasons), including details of the mechanisms available to you to make a complaint.

Complaints
10.1 If you have any queries or concerns about our Privacy Policy, or the way we handle your Personal Information, or you wish to make a complaint about a breach of the Privacy Act or this Policy, please contact us using the details above and we will take reasonable steps to investigate the complaint and respond to you.

10.2 If after this process you are not satisfied with our response, you can submit a complaint to the Office of the Information Commissioner, Australia. To lodge a complaint, visit the ‘Complaints’ section of the Information Commissioner’s website, located at http://www.oaic.gov.au/privacy/privacy-complaints, to obtain the relevant complaint forms, or contact the Information Commissioner’s office.