
Privacy Policy

Updated: October 2023


We at WHAM! WORLD (“we”, “us” or “our”) respect your privacy.

For the purpose of this policy, to the extent any of the following entities process your personal information, each will be considered a “data controller” of your personal information:

WHAM! WORLD is a company located in the United Kingdom. This privacy policy applies to the processing of personal data by WHAM! WORLD.


This Policy explains our approach to any personal information that we might collect from you using this website (the “Site”) and in other situations or interactions with us, and the purposes for which we process your personal information. This Policy also sets out your rights in respect of our processing of your personal information.

This Policy will inform you of the nature of the personal information about you that is processed by us and how you can request that we delete, update, transfer and/or provide you with access to it or otherwise cease processing it for a specific purpose. This Policy is intended to assist you in making informed decisions when using the Site.

This Policy complies with the standards set by Regulation (EU) 2016/79 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

This privacy notice is not intended to apply to the processing of personal information of Mystery Box employees which is dealt with under our separate workplace privacy policy.


Personal information is information that identifies you as an individual. Categories of personal information we collect can be found on our Contact page, where you are free to provide your basic contact information to enable us to respond to your enquiry.


We may collect and receive your personal information using different methods:

Personal information you provide to us. You may give us your personal information directly. This will be the case when, for example, you contact us with enquiries, complete forms on our Site or in hard copy or participate in a survey, subscribe to receive our marketing communications or provide feedback to us otherwise through your interactions with us.

Personal information we collect from you automatically. When you access and use our Sites, we will automatically collect certain technical information about your equipment, browsing actions and patterns. We collect this personal information by using cookies and other similar technologies (see Cookie Policy section below).

Publicly available Personal information. From time to time we may collect personal information about you from publicly available sources or media reports or personal information about you that you or a third party may make publicly available to us (for example through speaking at events or publishing articles or other news stories).


Our primary goal in collecting personal information from you is to:

  • Verify your identity
  • Provide our services to clients
  • Help us improve our products and services and develop and market new products and services
  • Carry out requests made by you to us
  • Investigate or settle inquiries or disputes
  • Comply with any applicable law, court order, other judicial process, or the requirements of a regulator
  • Enforce our agreements with you
  • Protect the rights, property or safety of us or third parties, including our other clients and users of the Site
  • Provide support for the provision of our Services, and
  • Use as otherwise required or permitted by law



The following describes how we use personal information that we collect through this Site:

  • Client information

Information we collect with respect to our clients and potential clients is used to enable us to respond to client requests, to administer client accounts with us, to conduct credit checks, and to verify and carry out financial transactions for payments made to us.

  • Media and informational inquiries

We may collect information for interview requests, for media questions, or requests for information about our company. We may also provide you with the opportunity to sign up for newsletters or to receive copies of blogs and other information that we make available. Contact information may be requested in each case, together with details of other personal information that is relevant to these inquiries. This information is used in order to enable us to respond to your requests or media requests.

  • Cookies

We use cookies and other similar technologies to collect information from the computer hardware and software you use to access the Site, or from your mobile. Please see our COOKIE POLICY for additional information.

The information you provide to us may be archived or stored periodically by us according to our standard backup processes and our document retention policy.


We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  • Where we need to perform the contract we are about to enter into or have entered into with you,
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests,
  • Where you have consented to a certain use of your personal information, or
  • Where we need to comply with a legal or regulatory obligation


To the extent permitted under applicable laws, we will also process, transfer, disclose, and preserve personal information when we have a good faith belief that doing so is necessary.

In circumstances where we rely on consent we will ask for your consent at the point of collection. Where we intend to further process your personal information, we may contact you to seek your consent for new purposes.

Our COOKIE POLICY describes additional uses of personal information. We have a legitimate interest in ensuring that content from the Site is presented in the most effective manner for you and for your computer.

Where your personal information is completely anonymised, we do not require a legal basis to use it as the personal information will no longer constitute personal information that is regulated under data protection laws. However, our collection and use of such anonymised personal information may be subject to other laws where your consent is required.

Please see the next section for information relating to our legal basis for using personal information for marketing purposes.


We may use your personal information to form a view on what we think you may want or need, or what may be of interest to you. We may provide you with marketing information about our products and services we feel may interest you:

  • If you have given your consent to receiving marketing material from us at the point we collected your information, where required by law, or
  • Otherwise in our legitimate interests provided these interests do not override your right to object to such communications. In those cases, we believe that we have a legitimate interest in sending you marketing communications to provide you with the very best service we can and to optimise the benefits you receive from our business transactions with you


We strive to provide you with opt out choices regarding your personal information uses, particularly around marketing and advertising. To see how you can opt out of marketing communications, please see the section entitled CHOICES AND MEANS.

We will get your express opt-in consent before we share your personal information with any company outside of Mystery Box and its related businesses for its marketing purposes.


We also collect personal information about you from various third parties and public sources. We reserve the right to supplement your personal information with information we gather from other sources which may include information we gather from online and offline sources.


We do not intend to or knowingly collect personal information from children.


We are committed to keeping the personal information you provide to us secure and we will take reasonable precautions to protect your personal information from loss, misuse or alteration.

To safeguard against unauthorised access to personal information by third parties outside our organisation, all electronic personal information held by us is maintained on systems that are protected by up-to-date secure network architectures that contain firewalls and intrusion detection devices. The data saved in servers is “backed up” (i.e. the data are recorded on separate media) to avoid the consequences of any inadvertent erasure, destruction or loss otherwise. The servers are stored in facilities with high security, access protected from unauthorised personnel, fire detection and response systems. The location of these servers is known to a limited number of our employees.

We have implemented information security policies, rules and technical measures to protect the personal information that we have under our control from:

  • Unauthorised access;
  • Improper use or disclosure;
  • Unauthorised modification; and
  • Unlawful destruction or accidental loss


All of our employees and data processors (i.e. those who process your personal information on our behalf, for the purposes listed above), who have access to, and are associated with the processing of personal information, are obliged to respect the confidentiality of the personal information of all users of our services.

Information regarding job applications is encrypted and transmitted in a secure way. You can verify this by looking for a closed lock icon at the bottom of your web browser, or looking for “https” at the beginning of the URL. Only employees or third parties who need the information to process a specific request are granted access to personally identifiable information.


You have the right under certain circumstances:

  • To see the personal information we hold about you,
  • To request that your data be corrected or erased where appropriate,
  • To restrict the processing of your personal information while we investigate your concern,
  • Where processing is based on your consent, to receive your personal information in a commonly used electronic format, or ask that we move your personal information in that format to another provider, where your request relates to the data that you gave us directly and where technically possible,
  • To object to your personal information being processed where we are relying on our or a third party’s legitimate interest to do so or for the purpose of direct marketing, and
  • To withdraw your consent at any time when processing relies upon consent.


Data subjects have the right to be provided with information as to the nature of the personal information we store or process about them, and to request deletion or amendments. These requests can be made verbally or in writing at our contact information provided in the section below entitled ENFORCEMENT RIGHTS AND MECHANISMS. We will respond within one month to such requests.

If access is denied, data subjects have the right to be informed about the reasons for denial. Data subjects may use the dispute resolution described in the section entitled ENFORCEMENT RIGHTS AND MECHANISMS, as well as dispute resolution available through a competent regulatory body or authority. We will handle, in a transparent and timely manner, any internal dispute resolution procedure relating to the collection and processing of personal information.

If any information is inaccurate or incomplete, a data subject may request that data be amended. It is every person’s responsibility to provide us with accurate personal information and to inform us of any changes (e.g. new home address or change of name).

If a data subject demonstrates that the purpose for which the data is being processed is no longer legal or appropriate, the data will be deleted, unless applicable law requires otherwise.

To exercise these rights, please contact us using the information provided in the following section of this Policy.


We generally offer you the opportunity to choose whether your personal information may be (a) disclosed to third-party controllers, or (b) used for a purpose that is materially different from the purposes for which the information was originally collected or subsequently authorised by you. We obtain opt-in consent for certain uses and disclosures of sensitive data. Unless we offer you an appropriate choice, we use personal information only for purposes that are materially the same as those indicated in this Policy. To exercise your choices you may contact us as indicated in this Policy.

To opt-out of any further use of your personal data or from any future promotional or marketing communications or any other communications from us, you should send a request to us at the contact information in the section immediately below containing our contact details. We will process your request within a reasonable time after receipt. Please note that if you opt out in this manner, certain aspects of this Site may no longer be available to you.

We may share personal information with our affiliates as described above under PARTIES WE SHARE YOUR INFORMATION WITH. We may disclose personal information without offering an opportunity to opt out, and may be required to disclose such information (a) to third-party processors we have retained to perform services on our behalf and pursuant to our instructions, (b) if we are required to do so by law or legal process, or (c) in response to lawful requests from public authorities, including to meet national security, public interest or law enforcement requirements. We also reserve the right to transfer personal information in the event of an audit or if we are sold or we transfer all or a portion of our business or assets (including in the event of a merger, acquisition, joint venture, reorganisation, dissolution or liquidation).


This Site contains links to third party websites and services. Please remember that when you use a link to go from our Site to another website or you request a service from a third party, this Policy no longer applies.

Your browsing and interaction on any other websites, or your dealings with any other third-party service provider, is subject to that website’s or third-party service provider’s own rules and policies. We do not monitor, control, or endorse the privacy practices of any third parties.

This Site may integrate with social networking services. You understand that we do not control such services and are not liable for the manner in which they operate. While we may provide you with the ability to use such services in connection with our Site, we are doing so merely as an accommodation and, like you, are relying upon those third-party services to operate properly and fairly.

This Policy does not apply to these third-party websites and third-party service providers.


We use cookies and similar technologies to collect personal information from the computer or other device you use to access the Site. “Cookies” are pieces of information that may be placed on your device for the purpose of collecting data to facilitate and enhance your communication and interaction with our Site. We may also allow certain third parties to place cookies as described below.

We use cookies and other technologies on all our sites to ensure the best possible experience on our Site. These uses include:

  • We use analytical cookies to recognise and count users of our Site, measure the effectiveness of our content, and understand how visitors use our Site. We currently use Google Analytics for this purpose
  • We may place, or allow a third party to place, functional cookies to make a website easier to use, such as cookies that maintain a user’s session


You can review your Internet browser settings to exercise choices you have for certain cookies. If you disable or delete certain cookies in your Internet browser settings, you might not be able to access or use important functions or features of this Site, and you may be required to re-enter your log-in details.

To learn more about the use of cookies for Google Analytics, please visit the Google Analytics Opt-Out Browser Add-on at https://tools.google.com/dlpage/gaoptout/


For purposes of EU data protection law, the data controller of the personal information that we control is the Mystery Box entity described in this Policy which processes the personal information.

We will respond diligently and appropriately to requests from DPAs about this Policy or compliance with applicable data protection privacy laws and regulations. Our employees who receive such requests should contact their human resources manager or business legal counsel. We will, upon request, provide DPAs with names and contact details of relevant persons. With regard to transfers of personal information between our entities, the importing and exporting entities will (1) cooperate with inquiries from the DPA responsible for the entity exporting the data and (2) respect its decisions, consistent with applicable law and due process rights. With regard to transfers of data to third parties, we will comply with DPAs’ decisions relating to it and cooperate with all DPAs in accordance with applicable legislation.


We retain personal information only for as long as is necessary for the purposes described in this Policy, after which it is deleted from our systems.

Regarding personal information we have processed in connection with the supply of our services to clients, we may retain personal information relevant to our services for up to five years from the date of supply and in compliance with our obligations under the EU General Data Protection Regulation (or similar legislation around the world). We may then destroy such files without further notice or liability.

Regarding any other personal information we have processed, we may retain relevant personal information for up to three years from the date of our last interaction with the relevant individual and in compliance with our obligations under the EU General Data Protection Regulation (or similar legislation around the world). We may then destroy such files without further notice or liability.

If any personal information is only useful for a short period (e.g. for a specific event or marketing campaign or in relation to recruitment), we may delete it at the end of that period.

If you have opted out of receiving marketing communications from us, we will need to retain certain personal information on a suppression list indefinitely so that we know not to send you further marketing communications in the future.