INDEPENDENT PURCHASING COOPERATIVE
Independent Purchasing Cooperative, Inc.
9200 South Dadeland Boulevard, Suite 800
Miami, Florida 33156
Technical Support: firstname.lastname@example.org
Independent Purchasing Cooperative, Inc. (“IPC”) is the host of and manages www.ipcoop.com and www.mysubwaycareer.com (together, the “Websites”). IPC is an independent non-profit purchasing cooperative which is owned by and provides services to Subway® Franchisees around the world (the “Subway® Franchisees”).
IPC’s privacy practices are consistent with U.S. law, Canada’s Personal Information Protection and Electronic Documents Act, and other applicable law, including the European Union’s General Data Protection Regulation (“GDPR”), which governs the collection, storage, use, and transfer of personal information for European Union residents. IPC’s privacy practices are also consistent with U.S. Department of Commerce Privacy Shield requirements regarding the collection, storage, use, and transfer of personal information from the European Economic Area, and it is Self-Certified under the Privacy Shield Framework.
IPC acts as both a controller and processor of your Personal Information within the meaning of the GDPR. The legal bases for IPC’s processing of your Personal Information is your general and express consent as detailed herein and IPC’s pursuit of legitimate business interests.
General and Express Consent Regarding Information
B. Consent to Share and Disclose Information. By submitting Personal Information to IPC, and or/by accessing and using the Websites, you expressly consent to IPC sharing your Personal Information as follows:
IPC shares Personal Information with the following Subway®-related entities and third-party agents or service providers who perform functions on our behalf:
(1) IPC’s wholly-owned subsidiaries Value Pay Services LLC and PLXIS LLC;
(2) Subway® international purchasing cooperatives that are owned by Subway® Franchisees and which provide services to the Subway® Franchisees (the “Co-op Group”);
(3) the franchisor of the Subway® line of restaurants Doctor’s Associates Inc. (“DAI”), and Franchise World Headquarters LLC (“FWH”), which provides core business-related services to DAI (the “Subway® Group”); and
(4) Subway® Group advertising entities that are members of the Subway Franchisee Advertising Fund Trust (the “FAF Group”).
All of these entities are “Third Parties”.
In addition, IPC may also share Personal Information with companies that provide support services to it, such as credit card processors, mailing houses, web hosts, technical support providers, fulfilment centers, or other service providers, as well as companies involved in enforcing or investigating transactions or business operations, because these companies may need information about you in order to perform their functions. IPC limits the use of information shared with these companies to the purpose for which IPC hired them, but IPC does not control these companies. These companies are “Service Providers”. In this policy, both Third Parties and Service Providers are “Recipients”.
C. Consent to International Data Transfers. IPC and the Recipients are multi-national entities with operations throughout the world. In order for those entities to be able to provide you with suitable goods, services, and promotions, you expressly consent to your Personal Information being transferred and disclosed internationally, including within and outside the U.S., Canada, and the European Union. Some of these jurisdictions may have laws that provide less protection to your Personal Information than you receive under the laws in our own jurisdiction. The U.S., for instance, has not received a decision from the European Commission determining that it provides adequate protection to Personal Information. Canada, by contrast, has received such a decision. IPC will take reasonable steps to ensure that any transfer or disclosure of Personal Information to or within any jurisdiction is in compliance with applicable law and receives the level of protection required by the Privacy Shield Framework referenced above and the GDPR. Such steps will include reliance upon the Privacy Shield certification process, other similar processes where applicable, and/or GDPR-compliant data transfer agreements incorporating approved standard contractual clauses for the protection of Personal Information. You can obtain additional details regarding those safeguards by contacting IPC’s Privacy Officer, as set forth below.
D. Consent to Electronic Notice If There is a Security Breach. If IPC or a Recipient is required to or wishes to provide notice of unauthorized access of their data security systems or unauthorized or unlawful access to or processing of your Personal Information, you agree that IPC and/or the Recipient may do so by posting notice on the Websites or sending notice to any email address which IPC or the Recipient has for you.
E. Right to Withdraw Consent. You have the right to withdraw your consent to IPC’s collection, storage, use, and transfer of your Personal Information at any time. You also have the right to request that IPC provide you with access to, correct, delete, or restrict the processing of your Personal Information. If you wish to exercise any of those rights, please contact the IPC Privacy Officer as set forth below.
Collection and Use of Personal Information
A. Personal Information Collected in Connection With Online Purchases and Registration of Subway® Cards. Personal Information collected in connection with online purchases and registration of Subway® Cards includes name, email address, zip code, birthdate, gender, mobile phone number, Subway® Card and PIN numbers, and credit card information. Some of this information is shared with IPC in connection with its role as administrator of the Subway® Card program.
B. Personal Information Collected on the Websites. Personal Information collected on the Websites includes email address and survey feedback related to your experiences in Subway® restaurants. IPC shares this information with the Co-op Group, the Subway® Group, and the FAF Group for marketing purposes if you elect to receive communications.
C. Other Details Relating to Websites Use.
User Name and Password. IPC requires that you create a username and password in order to access the Member or non-public pages on the Websites. IPC does not divulge usernames or passwords to anyone. Should you need to change or remove your username or password, contact the IPC Privacy Officer as set out below.
Email & Mobile Updates. You may have the opportunity to elect to receive email and mobile communications from IPC and the FAF Group. IPC and the FAF Group will only email you or send you mobile messages or alerts if you elect to receive such communications. If you elect to receive such communications, IPC and the FAF Group will send you occasional updates about new additions to the Websites as well as special offers and promotions of which you can take advantage. If at any time you decide you would rather not receive these types of communications from IPC or the FAF Group, you can revoke your election by clicking the unsubscribe link at the bottom of any IPC or FAF Group email, or by updating the contact preferences for your account (if you have one), or you may opt-out of mobile messages or alerts by following the instructions provided in the messages you receive. You may also opt out by contacting and providing your details to the Privacy Officer as set out below.
Contests and Surveys. From time to time, IPC may run voluntary contests or surveys through the Websites. Those contests or surveys may request Personal Information with your response, such as your name, address, home or mobile telephone number, and/or email address. IPC and the FAF Group will use the information provided solely in connection with the contest or survey conducted.
The table below explains the cookies we use and why.
|These cookies collect information in an anonymous form including the number of visitors to the site, how visitors reached the site and the pages visitors have visited.|
|Load Balancing||BIGipServer and TS01||These cookies enable us to balance the workload by, for example, recording which server a user’s browsing session has been allocated to ensure they only deal with a single server for the duration of their session.|
|Session ID||ASP.NET Session ID||These cookies help us recognize a visitor’s language preference.|
If you do not wish to receive a Cookie, or if you wish to set your browser to warn you each time a Cookie is being sent, or if you wish to disable all Cookies, you can adjust your internet browser settings to accomplish that. Please note that by disabling Cookies, you may not have access to some features available on the Websites.
Internet Protocol (IP) Address. Every computer and other electronic device which has a connection to the internet has an Internet Protocol (IP) address associated with it. IPC may use your IP address to help diagnose problems with IPC’s server, to administer the Websites, and to maintain contact with you as you navigate through the Websites. Your device’s IP address also may be used to provide you with information based upon your navigation through the Websites. IPC does not link IP addresses to any Personal Information, but does employ anti-fraud device fingerprinting technology which uses IP addresses to determine a device’s geolocation.
D. Prospective and Actual Subway® Franchisees. IPC collects and uses Personal Information from prospective and actual Subway® Franchisees in order to provide services to them. IPC may collect this information from the Subway® Franchisees directly or IPC may receive it from the Co-op Group, the Subway® Group, the FAF Group, or other sources. IPC may use a prospective or actual Subway® Franchisee’s Personal Information to respond to incoming service and support requests from such Franchisee, to communicate with such Franchisee regarding such Franchisee’s account(s), to calculate, determine, and distribute such Franchisee’s patronage dividend check, to collect Franchisee feedback, to conduct Franchisee satisfaction surveys, to offer promotions to such Franchisee, and to send other service informational mailings. IPC may also provide a Subway® Franchisee’s Personal Information to a courier or freight forwarder in order to fulfil any order placed by such Franchisee.
E. Prospective Subway® Restaurant Employees. IPC collects and uses Personal Information from prospective Subway® Restaurant employees for the purpose of enabling them to be considered for employment at Subway® Restaurants of their choosing. This information includes name, address, home or mobile telephone number, email address, SSN/I.N., employment history, other employment-related information, and personal references. IPC shares this information with Subway® Franchisees selected by the user for the purpose of enabling the user to be considered for employment at Subway® Restaurants. IPC may also share this information with third party service providers, such as credit agencies, in order to perform background checks on the user in connection with his/her application for employment at Subway® Restaurants.
F. Customers of Subway® Restaurants. IPC collects and uses Personal Information from Subway® Restaurant customers in order to provide services to such customers. Personal Information collected from Subway® Restaurant customers includes Subway® Card and PIN numbers, and credit card information (for purchases of goods and services), products and services offered and purchased, enquiries and feedback.
G. Sensitive Personal Information. IPC does not intend to collect Sensitive Personal Information and will not otherwise share your Sensitive Personal Information with anyone unless you give your explicit consent. The term “Sensitive Personal Information,” includes, but is not limited to, information revealing racial or ethnic origin, political opinions, religious or philosophical belief, trade union membership, sexual orientation, disabilities, health and veteran status.
Storage, Disclosure, and Retention of Personal Information
A. Storage, Security, and Integrity of Personal Information. IPC may store or process your Personal Information in the U.S. and/or other countries. IPC uses commercially reasonable efforts to ensure that your Personal Information is safeguarded against loss, misuse, unauthorized access, disclosure, alteration, and destruction. IPC will endeavour to protect your Personal Information by using technical and organizational security measures appropriate to the sensitivity of the information in its control. These measures include safeguards to protect Personal Information against loss or theft, as well as unauthorized access, disclosure, copying, use, modification, and destruction.
The IPC-hosted Websites utilize a variety of different security measures designed to protect Personal Information by users both inside and outside of IPC, including the use of encryption mechanisms, such as Secure Socket Layers or SSLs, password protection, and other security measures to help prevent unauthorized access to your Personal Information.
IPC also takes commercially reasonable steps to ensure that Personal Information is relevant for the purposes for which it is to be used and is accurate for its intended use.
C. Retention of Personal Information. IPC and the Recipients will retain your Personal Information only for as long as necessary to fulfil the purpose(s) for which it was collected and to comply with applicable laws and regulations. Your consent to IPC’s and the Recipients’ use of your Personal Information for such purposes(s) remains valid after termination of IPC’s relationship with you.
IPC Websites and Third-Party Websites
Online Predictive Advertising
Advertising on Other Websites. IPC and the FAF Group also contract with third-party advertising companies to advertise products and services on Websites which are not operated by or on behalf of IPC. Some of these advertisements may contain Cookies placed by such advertising companies which permit the monitoring of your response to such advertisements. IPC and the FAF Group authorize the advertising companies to collect Personal Information via Cookies for the sole purpose of providing advertising services to IPC and the FAF Group. IPC and the FAF Group limit the advertising companies’ use of such information to such purpose, but IPC and the FAF Group do not control such advertising companies.
Electing Out of Online Predictive Advertising. If you do not want to have your Personal Information used as described in this section, change your Cookie settings as described above. Please note that even if you disable Cookies, you may still receive online predictive advertising. Disabling Cookies means that the advertisements you do receive will not be based on your likes or preferences.
Children and Data Collection
IPC will not knowingly allow anyone under thirteen (13) years of age to provide IPC with any Personal Information. Children under thirteen (13) years of age are required to obtain the express permission of a parent or guardian before submitting any Personal Information about themselves to the Websites. If a child under thirteen (13) years of age has provided IPC with Personal Information without the consent of a parent or guardian, the parent or guardian of that child should contact IPC’s Privacy Officer as set forth below. IPC will use commercially reasonable efforts to promptly delete such child’s Personal Information from its servers.
California Privacy Rights
Under California law, California residents can now ask companies with whom they have an established business relationship to provide certain information about such companies’ sharing of personal information with third parties for direct marketing purposes during the past year.
IPC’s policy is to share your Personal Information for direct marketing purposes only with your informed consent. With your consent, from time to time, IPC may share your Personal Information with the Recipients for the purpose of marketing and/or promoting goods, services, and programs to you. If you previously provided IPC with such consent but no longer want your Personal Information to be shared, please contact the IPC Privacy Officer at as set out below and request a change in your preference and/or opt-out of communications without charge.
Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”)
Canada has enacted federal privacy legislation, the Personal Information Protection and Electronic Documents Act (“PIPEDA”), which incorporates ten (10) “Fair Information Principles” regarding your Personal Information. IPC adheres to these Fair Information Principles for Personal Information collected and/or transferred from Canada, which are as follows:
Principle 1 - Accountability. An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the fair information principles.
Principle 2 - Identifying Purposes. The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
Principle 3 - Consent. The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.
Principle 4 - Limiting Collection. The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
Principle 5 - Limiting Use, Disclosure and Retention. Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
Principle 6 - Accuracy. Personal information shall be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.
Principle 7 - Security Safeguards. Personal information shall be protected by security safeguards appropriate to the sensitivity of the Personal Information.
Principle 8 - Openness Concerning Policies and Practices. An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
Principle 9 - Individual Access to Personal Information. Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Principle 10 - Challenging Compliance. An individual shall be able to address a challenge concerning compliance with the fair information principles to the designated individual or individuals accountable for the organization’s compliance.
IPC also adheres to the U.S. Department of Commerce Privacy Shield requirements regarding the collection, storage, use, and transfer of personal information from the European Economic Area. Those requirements embody the principles of: Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement, and Liability. IPC is Self-Certified under the Privacy Shield Framework. For more information concerning the Privacy Shield requirements, visit https://www.privacyshield.gov. IPC’s Privacy Shield Statement and registration details can be viewed at https://www.privacyshield.gov/list.
Questions / Complaints
If you have any questions about IPC’s privacy practices, or you wish to access, correct, or delete your Personal Information, please contact the IPC Privacy Officer as set forth below.
Likewise, any complaints about IPC’s privacy practices should also be directed to the IPC Privacy Officer. The IPC Privacy Officer will endeavour to investigate and attempt to resolve any complaints within 45 days.
European Union residents also have the right under the GDPR to lodge a complaint with your local supervisory authority for data protection.
Under certain conditions, and when all other dispute resolution procedures have been exhausted, you may be entitled to invoke binding arbitration as more fully described on the Privacy Shield Websites at https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint.
The IPC Privacy Officer can be reached by mail, telephone, facsimile, or email, as follows:
IPC Privacy Officer
Value Pay Services LLC
9200 South Dadeland Boulevard, Suite 800
Miami, FL 33156
Telephone: (888) 445-9239
Facsimile: (305) 670-4465
Revised May 5, 2018