Privacy Policy

Privacy Notice

PRIVACY NOTICE

Last updated: August 2021

Comvita UK Limited ("Comvita, “we”, “our”, “us”) takes the privacy and security of personal data very seriously.

We ask that you read this Privacy Notice carefully as it contains important information on who we are, how and why we collect, store, use and share personal information, your rights in relation to your personal information and on how to contact us and supervisory authorities in the event you have a complaint.

This Privacy Notice applies (unless a different notice is displayed) to the processing of personal information collected by us in the usual course of business, including when you visit our website at Comvita.co.uk ("Website") or interact with us on social media platforms including, but not limited to Facebook and Twitter (collectively “Social Media”).

1.WHO WE ARE

Comvita UK Limited is a wholly owned subsidiary of Comvita Limited, a company domiciled in New Zealand, and listed on the New Zealand Stock Exchange (“NZX”). We provide a full range of health, wellness and beauty products including Manuka Honey, Propolis and Olive Leaf Extract.

Comvita is the controller of the personal information that we process for the purposes described in the Privacy Notice.

2.INFORMATION WE MAY COLLECT AND HOW WE USE IT

Information you provide to us

2.1. There are various ways we may interact with you over the Website or our Social Media pages. Comvita collects the following information about you when you use the Website (including Comvita’s Social Media pages):

2.1.1. We collect personal information when you enter these into our Website to buy a product or register for our newsletter. This includes your name, postal address, contact number, items purchased and payment details.

2.1.2. When you set up an account on our Website on sign up to receive a newsletter or marketing from us we may collect certain personal information to provide you with access to your account including your name, email address, password, mobile number and any referral codes.

2.1.3. Within your account we may also store any profile information you chose to share, other addresses used for orders, any card details you store on your account, details of your communication preferences and any correspondence with customer service.

2.1.4. Limited financial information that you provide when placing orders through the Website.

2.1.5. Copies of any messages with Comvita's customer service team via live chat or directly.

2.1.6. Surveys and competitions: From time-to-time we may request information via surveys or competitions. Participation in these surveys or competitions is completely voluntary. Information requests may include contact information (such as your name and email address), and demographic information (such as your postcode and

age). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the use and satisfaction of this Website.

2.1.7. Comments, reviews and posts on Social Media. Comvita may collect personal information (for example, your name, email address, social media identifier and the contents of your comment, review or post) when you leave a comment, post a review or send a post via Social Media or otherwise provide information on Social

Media.

2.2. We may use this information in the following ways:

2.2.1. to provide our service(s) to you as a user of the Website and/or Social Media, including enhancing your user experience;

2.2.2. to process and fulfil your orders for our products;

2.2.3. to provide you with access to your account on our Website;

2.2.4. to provide you with newsletters and other information about special offers or features of the Website

and/or Social Media which we think may be of interest to you and for related marketing purposes, if you have submitted your contact details to us for these purposes or otherwise provided your consent for us to do so;

2.2.5. for marketing third party products and services to you, if you have provided your consent for this;

2.2.6. to ensure that content from the Website and/or Social Media is presented in the most effective manner for you and your computer;

2.2.7. to notify you about changes to our products and/or the Website and/or Social Media;

2.2.8. to notify you about product recalls;

2.2.9. to deal with any support requests or questions you raise; and

2.2.10. when managing and maintaining the Website and/or Social Media including the security of our Website.

2.3. We do not collect any ‘Special Categories of Personal Data’ about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

Information we collect automatically

2.4. When you visit our Website or interact with us on Social Media, we use cookies and similar technologies to automatically collect certain information from your browser or device. This may be considered "personal data" under data protection laws.

2.5. We may collect information about your computer including your IP address, operating system and browser type for system administration and to report aggregated information as well as site tracking information.

2.6. For more information about cookies please see below and read our Cookie Notice.

Cookies and similar technologies

'Cookies' are small pieces of information that are stored by your browser on your computer's hard drive. Most web browsers automatically accept cookies, but you can usually change your browser to prevent that. For further information about our use of cookies or other similar technologies, your choices regarding the use of cookies, and how you can block certain cookies in connection with our Marketing Activities, please read our Cookie Notice.

3.INFORMATION DISCLOSURE TO THIRD PARTIES

3.1. We may disclose your personal information as follows:

3.1.1. for marketing purposes, provided your consent has been given and has not been withdrawn, with the third parties mentioned when we seek consent;

3.1.2. to Social Media partners for identifying other people like you, who may also be interested in our products, provided your consent has been given (for further details, please see the section “SOCIAL MEDIA AND THIRD PARTIES” below).

3.1.3. to service providers who manage aspects of our operations and make them more efficient (for example third parties who provide support services to the Website and/or Social Media, payment providers and delivery agents). This includes The Hut Group who provide services for the running of our Website;

3.1.4. to our insurers, brokers and external auditors;

3.1.5. if Comvita or substantially all its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this Privacy Notice;

3.1.6. if we are under a duty to disclose or share your personal data to comply with any legal obligation, or in order to enforce or apply our Website Terms and Conditions and other agreements, including the terms and

conditions of use of any social media platform;

3.1.7. to protect the rights, property, or safety of Comvita or Website and/or Social Media users (this includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction); or

3.1.8. where we have your consent to share information with any other person.

3.2. We only allow third parties to handle your personal data if we are satisfied that they take appropriate measures to protect your personal data. One way we achieve this is by placing contractual obligations on third parties governing the use of personal data that we provide them with.

3.3. We will share personal information with law enforcement or other authorities if required by applicable law.

4.LEGAL BASIS FOR PROCESSING

4.1. Our legal basis or collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it.

4.2. However, we will normally collect personal information from you only (i) where we need the personal information to perform a contract with you, (ii) where the processing is in our legitimate interests and not overridden by your rights, or (iii) where we have your consent to do so. In some cases, we may also have a legal obligation to collect personal information from you.

4.3. If we ask you to provide personal information to comply with a legal requirement or to perform a contract with you, we will make this clear at the relevant time and advise you whether the provision of your personal information is mandatory or not (as well as of the possible consequences if you do not provide your personal information).

4.4. If we collect and use your personal information in reliance on our legitimate interests, this interest will normally be to operate our Website and communicating with you as necessary to provide our services to you and for our legitimate commercial interest, for instance, when responding to your queries, or improving our Website. We may have other legitimate interests and if appropriate we will make clear to you at the relevant time what those legitimate interests are.

4.5. If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided under the “CONTACT” section below.

5.YOUR RIGHTS – MARKETING

5.1. You will only receive marketing communications from us and/or third parties if you have consented to this when you provided your contact details to us (or if you have otherwise submitted your consent to us for these purposes).

5.2. You have the right to ask us not to use your personal data for marketing purposes. You can request that you stop receiving information from us at any time by contacting us at the details set out below (please see section 14 “CONTACT”).

6.DATA STORAGE AND SECURITY – WHERE YOUR PERSONAL DATA IS HELD

6.1. All information you provide to us is stored on our secure servers and those of our group of companies, service providers and agents.

6.2. We use appropriate technical and organisational measures to protect the personal information that we collect and process about you. The measures we use are designed to provide a level of security appropriate to the risk of processing your personal information. We use strict procedures and security features to prevent unauthorised access.

6.3. Agents or contractors who, while providing services to Comvita, have access to information which you give to us are required to keep that information secure and confidential and are not permitted to use it for any purpose other than to carry out the services which they are performing for Comvita.

7.TRANSFERRING YOUR PERSONAL INFORMATION

7.1. As set out in section 6 above, information may be sent electronically to servers outside of the country where you originally entered the information. In addition, that information may be used, stored and processed outside the country where you entered that information. While there is a risk that countries to which information is transferred will not be subject to an information protection regime as rigorous as that of the UK or the European Economic Area (EEA), we will always take steps to ensure that your information is treated securely and adequately protected in accordance with this Privacy Notice.

7.2. Where information is transferred outside the UK and/or the EEA, e.g.:

7.2.1. with our offices outside the UK and/or EEA (including but not limited to our parent company in New Zealand);

7.2.2. with our service providers located outside the UK and/or EEA; and

7.2.3. if you are based outside the UK and/or EEA, the transfers are subject to special rules under European and UK data protection law and whenever we transfer your personal data out of the UK and/or EEA, we ensure a similar degree of protection is afforded to it by ensuring any such transfer out of the UK and/or EEA complies with data protection law and all personal information will be secure. Our group company is based in New Zealand which is deemed adequate by the EU and the UK. We have implemented similar appropriate safeguards with our third party service providers and partners and further details can be provided on request.

8.FOR HOW LONG WILL WE KEEP YOUR PERSONAL DATA?

8.1 If you choose to create an account, we will keep your personal information for as long as your account is open. If you don’t have an account, or choose to close your account, we will keep some of your information until 7 years have passed since we last provided product for you. We consider 7 years to be an appropriate retention period because it is as long as is necessary for us to:

8.1.1. respond to any questions, complaints or claims made by you or on your behalf;

8.1.2. show that we treated you fairly;

8.1.3. keep records required by law; and

8.1.4. satisfy any accounting or reporting requirements.

8.2. We will not retain your personal information for longer than necessary for the purposes set out in this Privacy Notice.

8.3. When it is no longer necessary to retain your personal information, we will delete or anonymise it.

8.4. In some circumstances you can ask us to delete your data: see section 11 “YOUR RIGHTS”.

9.ADVERTISERS

We do not disclose personal information about individuals to our advertisers or sponsors, but we may provide them with aggregate information about our users. We may also use such aggregate information to help

advertisers reach the kind of audience they want to target (for example, women in London). We may make use of the personal data we have collected from you to enable us to comply with our advertisers' and sponsors’ wishes by displaying their advertisement to that target audience.

10.SOCIAL MEDIA AND THIRD PARTIES

10.1. We work with trusted third parties, including social network sites like Facebook, Twitter, YouTube,

Google+, and with application developers who specialise in social media so we can connect to your social networks. All these companies operate third party sites. We provide access to our Social Media to third parties and business partners so we can generate interest in our products and services among members of your social networks and to allow you to share product and service interests with friends in your network. The Website may also contain links to and from other websites.

10.2. We cannot control how your data is collected, stored, used or shared by these third party sites or to whom it is disclosed. If you follow a link to any of these websites please note that we are not responsible for the privacy practices or the content of such websites save as expressly set out herein in relation to Comvita and the information practices of those websites are not covered by this Privacy Notice. Please be sure to review the privacy policies and privacy settings of these third parties to make sure you understand the information they are sharing. If you do not want a third-party site to share information about you, you must contact that site and determine whether it gives you the opportunity to opt-out of sharing such information.

11.YOUR RIGHTS

11.1. You may have the following rights with regard to the personal information we process about you, which you can exercise free of charge:

Access

The right to be provided a copy of your personal information and check that we are lawfully processing it.

Rectification

The right to require us to correct any mistakes in your personal information, though we may need to verify the accuracy of the new data you provide to us.

To be forgotten

The right to require us to delete your personal information – where there is no good reason for us continuing to process it or where you have successfully exercised your right to object to processing (see below). Note however that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

Restriction of processing

The right to require us to restrict processing of your personal information in the following scenarios:

  • if you want us to establish the data’s accuracy;
  • where our use of the data is unlawful but you do not want us to erase it;
  • where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
  • you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it

Data portability

The right to receive the personal information you provided to us in a structured, commonly used and machine-readable format and / or to transmit that data to a third party, in certain situations. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

To object

The right to object

  • At any time to your personal information being processed for direct marketing (including profiling):
  • In certain other situations to our continued processing of your personal information, e.g. processing carried out for the purpose of our legitimate interests.

Not to be subject to automated individual decision- making

The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly affects you.

To withdraw consent at any time

This only arises where we are relying on your consent to process your personal data. However, this will not affect the lawfulness of any processing before you withdraw consent.

If you would like to access any of these rights, please email or write to us at the details provided below (see

section 13 “CONTACT”) explaining what right you want to exercise and the information to which your request relates. Please be sure to provide enough information to identify you (e.g. your full name, address, email address and/or any order reference number). Please also provide us with proof of your identity and address (for example, a copy of your passport or recent utility bill).

12.HOW TO COMPLAIN

We hope that we can resolve any query or concern you may raise about our use of your information; however, in the event that we are unable to do so, you have the right to complain to the data protection authority. The supervisory authority in the UK is the Information Commissioner, who may be contacted online at www.ico.org.uk/concerns or alternatively by telephone on 0303 123 1113.

13.CHANGES TO THIS PRIVACY NOTICE

We may occasionally modify our Privacy Notice. When you use our Website or interact with us, you should check the date of this Privacy Notice (which appears at the top) and review any changes since the last version.

If we make any material changes to this Privacy Notice, we will notify you either via email or prominently posted a notice on the Website of such changes.

14. CONTACT

If have any questions, comment or requests regarding our Privacy Notice or our data protection activities, please email privacy@comvita.com or write to us at Comvita UK Limited, Box 220, 5 High Street Maidenhead, SL6 1JT.