Privacy and Cookie Notice

What Services are Covered by this Privacy Notice?

This Privacy Notice describes how we handle your personal information when you use this website and or when you avail of our services (“Services”) in any of our stores. Among others, these Services may include the following:

• Customer service;
• In-store transactions;
• Foreign Exchange (ForEx) and Remittance services;
• Gift registry;
• Gift wrapping;
• Personal shopper services; and
• Order delivery services

This also outlines the purposes for which we use your personal information and the measures we implement to protect the privacy and security of your information.

References in this Privacy Notice to “we”, “us” or “our” are references to SM Store.

What are not covered by this Privacy Notice?

This Privacy Notice DOES NOT cover the processing for:

• Recruitment and employment purposes. Such is covered by the corresponding Privacy Notice in the applicable Careers Website and in the respective employment contracts with our employees.
• Sourcing and accreditation of vendors. Such is covered by the relevant data privacy provisions in their respective contracts with us and by a separate Privacy Notice made accessible to them.
• The SM Business Center Operations (BCO) which include bills payment and the processing of civil registry documents. Such is covered separately by the SM BCO Privacy Notice displayed at the respective counters.
• ShopSM, SM Markets, SM Appliance and SMAC. Each of these brands are covered by their respective Privacy Notices.

What Personal Information Do We Collect and How Do We Collect Them?

When you avail of our Services, we may collect or receive all or some of the following categories of personal information:

• Identifiers. Personal identifiers and profile data, such as full name, email address, home or delivery address, signature and SM Advantage Card No. or
  SM Prestige Card No.
• Contact Data. Contact data such as your mobile or telephone number

When you enter our premises, we may collect the following categories of personal information:

• CCTV Footage. Videos and snapshots of your likeness may be captured inside our premises.

When you use this website, we may collect the following categories of personal information:

• Technical Data. Technical data such as cookies, web beacons and other similar technologies for storing information.

When you avail of our ForEx and Remittance services, we will collect additional Know-Your-Customer information in order to comply with regulations set by the Bangko Sentral ng Pilipinas (BSP) and the Anti-Money Laundering Council (AMLC):

• Know-Your-Customer (KYC) Information. This includes your date and place of birth, gender, nationality, digital copy of valid government-issued ID, relationship with a politician or politically exposed person, source of income and other information as may be required by said regulations.

When you pay via credit card, debit card, or e-wallet, you will be redirected to a separate website controlled by a Payment Gateway Provider. Such provider will collect your personal and financial data to process your payment according to its own terms and conditions and privacy policy. Once payment is processed, the Payment Gateway Provider will share to us the following information below to confirm your payment:

• Name of issuing bank
• Name of cardholder
• Last four digits of the credit or debit card used or masked card information
• E-wallet Account Number
• Amount involved

We may use such information to process payment-related concerns such as requests for refunds or similar complaints.

How Do We Use Your Personal Information?

We will use your information only for the following legitimate purposes (“Purposes”):

Customer Interaction and Service:

• Providing you with products, services, promos, or activities that you have availed;
• Processing your orders, payments and completing your transactions with us;
• Contacting you in relation to your inquiries, requests or complaints;
• Maintaining your accounts when you register in or use our digital platforms, including our mobile applications;

Analytics, Marketing and Promotion:

• Performing data analytics, data enrichment and profiling for statistical, marketing, analytical, and research purposes;
• Conducting business analyses to improve our services;
• Sending out market surveys, campaigns, promotions, and other marketing activities;
• Communicating relevant products and services and advisories to you;

Legal and Regulatory Purposes:

• Complying with the requirements of the law and legal proceedings;
• Preventing, detecting, and investigating a crime;
• Pursuing or defending our legal claim;

Security and General Business Operations:

• Ensuring the security of our premises and the safety of our personnel and visitors; and
• Carrying out other legitimate business purposes.

Do We Share Your Personal Information to Other Entities?

SM Store ensures that your personal information shall be shared only in a manner that respects your privacy and in compliance with the requirements of the DPA. We may share your personal information to the following in certain circumstances:

Our Affiliates and Subsidiaries

We may share your personal information to our affiliates and subsidiaries in relation to the Purposes declared in this Privacy Notice.

Service Providers

Our service providers may access and/or use your personal information (identifiers, contact data and technical data). These may include our marketing partners, third-party logistics providers, consultants, system providers, service providers and hosting providers (“Business Partners”) and those that help us with our business activities. Through the execution of data privacy agreements or similar contracts, we require our service providers to keep your personal information secure and we prohibit them from using or sharing your personal information for any purpose other than the Purposes declared in this Privacy Notice.

Government Agencies

We may also share your personal data (identifiers, contact data, CCTV footage, KYC information) in compliance with applicable laws or when required by a competent court, relevant government office or agency pursuant to DPA legislation and other applicable rules and regulations pertaining to data privacy.

What are our Legal Bases for the Processing of Your Personal Information?

We may process your personal information based on one or more of the following legal grounds:

• Consent: We may process your personal information or sensitive personal information based on your explicit consent. This means that you have provided clear and voluntary permission for us to use your data for specific purposes, which you can withdraw at any time.
• Contractual Obligation: If you have entered into an agreement with us, we may process your personal information to fulfill our obligations under that contract. This includes providing the services or products you’ve requested and managing the associated transactions.
• Legal or Regulatory Obligation: In certain situations, we may need to process your personal information or sensitive personal information to comply with legal or regulatory requirements, such as tax or anti-money laundering regulations, or responding to lawful requests from government authorities.
• Legitimate Interests: We may process your personal information when it’s necessary for our legitimate interests, provided those interests are not overridden by your rights and interests. This could include improving our services, conducting marketing activities, or ensuring the security of our systems.

How Long Do We Retain Your Personal Information?

We will keep the personal information we collect about you for as long as necessary to carry out the Purposes set forth in this Privacy Notice. We have adopted general data retention policies taking into consideration the purpose of collection and as well as the mandates of relevant laws and regulations.

Our general retention periods are outlined below, reckoned from the date of your last interaction with us:

We reserve the right to retain your personal data longer than the above stipulated periods if continued processing is (a) necessary for the protection of lawful rights and interests of natural or legal persons in administrative, quasi-judicial or legal proceedings, or; (b) necessary for the exercise or defense of legal claims, or; (c) when the data was provided to government or public authority.

How Do We Dispose Your Personal Information?

Electronic files shall be erased, while physical records shall be shredded for disposal. When appropriate, anonymization techniques may be performed to permanently remove identifiable information from our records.  In all cases, we will make sure that the personal information is destroyed in a way that prevents unauthorized people from accessing, processing, or retrieving it.

What are the Risks Involved?

Risk is the chance that a harmful incident may happen. In the context of personal data, risk refers to the chance that someone might collect, use, disclose, or access your personal data in an unauthorized manner or in a way that may cause you harm. In order to ensure that the risks to your personal information are minimized, we employ various measures to safeguard your personal information. However, this does not guarantee protection against all threats such as when systems are exposed to targeted cyberattacks, malware, ransomware, and computer viruses or when manual records are accessed without authority. In case a security incident occurs, we’re prepared to respond and manage such incidents in line with our policies and in accordance with regulations.

Where Do We Store Your Personal Information?

Your personal data are stored in a secure facility in the Philippines or in other countries where we or our Business Partners have facilities. When we transfer your personal information to other countries, we comply with the requirements of DPA Legislation or relevant regulation for such transfer and take steps to ensure that your personal information is protected and processed in accordance with this Privacy Notice.

How Do We Protect Your Personal Information?

We implement industry-standard organizational, technical and physical security measures to protect the confidentiality, integrity, and availability of the personal data that we process.

Only authorized personnel are granted access to the personal data that we collect from you. We have instituted policies and procedures to ensure that your personal data are safeguarded against unauthorized access, alteration, and disclosure. Access rights are reviewed regularly to ensure that the controls are in place. Our systems are protected by a variety of network security measures, including firewalls and similar network devices. Our systems and websites are scanned on a regular basis. In addition, all sensitive information you supply is sent through a secured channel and encryption methods are implemented whenever suitable.

Do We Use Cookies?

Our website collects computer cookies to enable you to browse our website and to enable us to address your concerns and inquiry better. We utilize two major kinds of cookies as described below.

Necessary Cookies – These cookies are essential to enable you to browse our website and use its features. These cookies are stored on your browser as they are essential for the working of the basic functionalities of the websites.

Third-Party Cookies – We utilize these cookies to help you browse our website in a more personalized manner for your better convenience and experience. These cookies will be stored in your browser only after we have obtained your consent.

Consent on Cookies – You may withdraw your consent by choosing the opt-out function in our cookie setting. However, by opting out of these third-party cookies, your browsing experience may be affected. You may also later opt-out from said third-party cookies after giving your consent by clearing your cookies and other site data in your browser settings.

What if You are a Minor?

SM Store shall not knowingly collect the personal data of a person below 18 years old without any legal basis or consent of the minor’s parent/s or legal guardian. Should it come to our attention that the personal data of minors was provided without a legal basis or consent of the minor’s parent/s or legal guardian, such personal data shall be destroyed or deleted in a secure manner.

Minors are advised not to provide any personal data, such as their name, age, gender, email address, contact information, among others, and should consult their parent(s) or guardian(s).

What are Your Rights and Obligations?

You are responsible for ensuring that the personal data you provide is accurate and up-to-date and that you are of legal age when you submit any data to us. We may update or correct our records in case of clerical errors / discrepancies between the entries and the proof of identity or other supporting documents which you submit to us.

We encourage you to use the latest version of web browsers for your own safety and security. Updated web browsers are normally equipped with security features that provide anti-phishing protection, improved parental controls, and tools to prevent malware and other privacy threats. We will not be liable for any damage, loss, injury, or claim that may result when you fail to comply with these obligations.

As provided under the DPA, you have the following data privacy rights:

• Right to be informed. You have the right to be informed of the collection and processing of your personal data, the purpose for which they will be processed, among others. Thus, you are required to read this privacy notice before giving your consent to the collection and processing of your personal data.
• Right to object. You have the right to object to the processing of your personal data. You will be given an option or opportunity to withhold your consent to the processing of your personal data whenever the SM Store communicates with you
• Right to access your information. It is your right to obtain confirmation on whether or not data relating to you are being processed as well as other relevant information about the processing involved.
• Right to updating or rectification. You have the right to rectify or correct any inaccuracy or error in your personal data by submitting your request for rectification or correction
• Right to erasure or blocking. You have the right to the erasure or blocking of your personal data in accordance with the requirements of the DPA, subject to restrictions imposed by other regulations.
• Right to damages. You have the right to be indemnified if you incur damages due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of your personal data.
• Right to data portability. You have the right to obtain a copy of your data in an electronic or structured format if the same is processed by electronic means and in a structured and commonly used format by submitting a proper request.
• Right to file a complaint. If you have reason to believe that your personal information has been misused, maliciously disclosed, or improperly disposed of or that your data privacy rights have been violated, you have the right to file a complaint.

If you intend to exercise any of your abovementioned data privacy rights you may contact our Data Protection Officer (DPO).

How Can You Contact the DPO?

For inquiries regarding the processing of personal data, as well as any concerns or complaints regarding data privacy, or should you want to exercise your rights as a Data Subject, you may contact the DPO using the information below:

The Data Protection Officer
SM Store
SM Retail Headquarters
J.W. Diokno Boulevard corner Bayshore Ave.
MOA Complex, Pasay City 1300
Tel: (+632) 8811-0000
CLICK HERE FOR THE DPO EMAIL PER SM STORE ENTITY

We encourage you to submit your inquiry and/or concerns in writing for proper documentation and tracking. Our response will be within 15 days upon receipt.

How Will You Know if this Privacy Notice Changes?

SM Store may change this Privacy Notice from time to time without prior notice. Revised versions of this Privacy Notice will be posted on this page, together with an updated effective date.

Last updated on September 19, 2024.