Privacy Policy - WaySpa

Last Updated: May 31, 2019

Introduction and Scope of Practices

Blackhawk Network (Canada) Ltd. and its Canadian affiliates (“Blackhawk,” “we,” “us,” or “our”) care about your personal information. This Privacy Policy (“Policy”) describes how we use and disclose the personal information (which includes “personal data” as defined under applicable EU and other data protection laws) we collect about you, and the rights you have regarding such information. This Policy applies to the personal information Blackhawk collects about users of our websites, including mobile applications and the services and features therein (together the “Sites”), as well as the information we collect in providing our services (the “Services”) and when individuals communicate with us about our Sites and Services, whether in person, by telephone, by mail, or other means. When we act as a data processor or service provider on behalf of another controller or entity, we collect, use, and disclose certain personal information only under the controller’s instruction, and our processing of your personal information is subject to their instructions and privacy policy.

This policy explains:

  • How we collect, use, and share information from or about you;
  • How our online advertisements (such as banner ads) on third party sites treat data;
  • Your choices about our use of your personal data;
  • How you can access and update your information; and
  • How you can exercise your rights.

Sometimes, we appear on a site owned by a third-party (like a Blackhawk page or handle on a social media site) or link to a third-party site. When we do, that third party’s privacy policies and terms of use, not ours, will apply unless you are told otherwise. Also, some of Blackhawk’s Services are offered through banks or other financial institutions. In those cases, the third-parties’ policies will govern their use of your personal information.

Personal Information We Collect

We collect personal information directly from you, through third parties, or automatically through our Sites and related to our Services, subject to applicable laws as set out below. We may collect personal information directly from you, when you provide it to us. This can occur when you fill out applications, create accounts, complete a purchase, add money to your account, send in forms, take surveys, or fill in various online fields on our Sites. We also collect personal information when you contact us with inquiries, customer support requests, or employment applications. You do not have to provide us with your personal information. However, if you choose not to disclose certain information, we may not be able to provide you with certain services, such as retaining shopping cart choices.

We may also collect the personal information of third parties when you provide it to us. For example, if you choose to use our service to send a gift to a friend or register a family member for an account, we will ask you for their name and address or email address. In addition, we may collect third party personal information through our “Refer a Friend” program. Blackhawk stores this information for the sole purpose of completing the transaction. If you provide us with the personal information of a third person, you must have their consent to do so, if required under the applicable law. If you provide personal information of a friend or family member and they want us to delete this information, they should contact us at We may not always be able to remove their personal information and we will let them know if we cannot do so and why.

Personal Information We Collect Directly from You:

Account Registration and Customer Service

We may collect the following types of Personal Data from you through our Sites and related to our Services, subject to applicable laws:

  • Contact information, such as name, email address, mailing address, fax or phone number;
  • Payment and financial information, such as credit or other payment card information, bank account, or billing address;
  • Shipping address and related details;
  • Your resume, employment and education history, name and contact details, background details, and references when you apply to job postings or contact us about employment opportunities;
  • Company and employment information;
  • Government-issued identification and tax numbers, including Social Insurance Number (for clients and potential clients);
  • Device geolocation (geographical location);
  • Device identifiers such as IP address;
  • Unique identifiers such as user name, account number, or password;
  • Preference information such as product wish lists, order history, or marketing preferences;
  • Information about your business such as company name, company size, or business type; and
  • Demographic information, such as age, gender, interests and postal code.

Where the Personal Data we collect is needed to comply with law, or to enter into or perform an agreement with you, we will inform you accordingly at the time of such data collection. If we cannot collect this data, we may be unable to on-board you as a client or provide products or services to you.

Comments, Posts and Submissions

When you submit online forms, participate in surveys, contests, promotions, or sweepstakes, join online chat discussions or post on a blog, request customer support, or submit testimonials, we collect your personal information, such as contact information, and other information you choose to share. We display personal testimonials of satisfied customers on some of our Sites and in print advertisements, with consent. Some of our Sites offer publicly accessible blogs. Any information you provide in these areas may be read, collected, and used by others who access them. You may remove your comments or posts from the blog or community forum. If you are unable to do so, contact us at If we are unable to remove your personal information, we will let you know why.

Other Communications and Support

We collect Personal Data when you communicate with us relating to the Services, including during phone calls (and call recordings), chats, or over email. Personal Data gathered may include contact information, employment details, user preferences, and any other information you choose to share. Please only provide us Personal Data that we need in order to respond to your request.


With your consent, we may collect your location-based information for purposes such as to help you locate a store offering our products and services in your area. On some Sites we collect location-based information for fraud prevention purposes. You may opt out of location-based services at any time by changing the settings on your device. If you do, you might not be able to use certain features, especially when we use location-based information to prevent fraud.

Personal Information We Collect from Third Parties:

Sometimes, we may collect personal information from third party sources. For example, subject to applicable law, we may confirm your address with the postal service or we may receive personal information about you from our clients who use our Services. Similarly, if our users choose to send a gift to their friend through our Sites, we will ask for the friend’s name and contact details.

We may also conduct a referral service where users may refer other people they know to our Services, subject to restrictions under applicable local laws. If you choose to use our referral service to tell your friends about our Services, we will provide you with a referral code and signup instructions that you can share with your friends. Where permitted by local law, we conduct such referrals on an opt-out basis. If personal information about you has been provided to us and you want us to delete it, you may email us at

Personal Information We Collect Automatically

We and our service providers automatically gather information about your use of the Sites and Services through cookies, web beacons, JavaScript, log files, pixels, and other technologies, which include: your domain name, browser type, browser language preference, device type and operating system, page views and links you click within the Sites, IP address, device ID or other identifier, location information, date and time stamp, and time spent using the Services, referring URL, your activity within the Sites, and device geolocation information (where permitted by your device settings).

We also collect information from analytic services, including Google Analytics, to compile and analyze information derived from the use of our Services, such as aggregate usage patterns, user preferences, peak demand times, preferred content and other information.

See the “Cookies and Online Tracking” section below for details.

Use of Your Personal Information and Legal Bases (where applicable)

We may use the personal data we collect for the following purposes:

  • Provide Our Services: To provide our Services, operate our Sites, respond to your inquiries and fulfill your requests and orders, process your payments, for bug and error reporting and resolution, to perform upgrades and maintenance;
  • Customer Service and Support: To send you important information, such as changes to terms, conditions, and policies and/or other administrative information;
  • Personalization: To personalize your experience on a Site or using the Services, such as by tailoring the content we send or display to you in order to personalize help and instructions, and to otherwise personalize your experience using the Services (“profiling” under EU data privacy law);
  • Marketing and Promotions: To send you marketing communications you have signed up for;
  • Advertising and Referrals: To assist in advertising the Services on third party websites and to track referrals from partner websites.
  • Analytics and Improvement: To better understand how users access and use the Services, and for other research and analytical purposes, such as to evaluate and improve the Services.
  • Verify Identity and Detect Fraud: To verify your identity and/or location in order to allow access to your accounts, conduct online transactions, and secure your Personal Data, and for risk control, fraud detection and prevention, and compliance with laws and regulations;
  • Protect Our Legal Rights and Prevent Misuse: To protect the Services, prevent unauthorized access and other misuse, and where we believe necessary to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person or violations of our Terms of Use or this Privacy Policy.
  • Comply with Legal Obligations: To comply with the law or legal proceedings such as when required to disclose information in response to lawful requests by public authorities, including responding to national security or law enforcement disclosure requirements.
  • General Business Operations: Where necessary to the administration of our general business, accounting, recordkeeping and legal functions.

Aggregate and Anonymized Information

We may also generate aggregated, pseudonymized and/or anonymized information about users for marketing, advertising, research or similar purposes.

Purposes of Use (see above) and Legal Bases of Processing (where applicable)

Provide Our Services

Customer Service and Support

  • Necessary to enter into or perform a contract with you (upon your request, or as necessary to make the services available)
  • Our legitimate business interests*



Advertising and Referrals

  • Our legitimate business interests*
  • With your consent

Analytics and improvement

  • Our legitimate business interests*

Protect Our Rights and Prevent Misuse

Verify Identity and Detect Fraud

Comply with Legal Obligation

  • Compliance with law
  • Establish, defend or protect legal interests
  • Our legitimate business interests*

General Business Operations

  • Our legitimate business interests*
  • Establish, defend or protect legal interests
  • Compliance with law

* For personal information from the EU, the processing is in our legitimate interests, which are not overridden by your interests and fundamental rights. Our legitimate interests include our interests in verifying identity, detecting and preventing fraud, protecting and improving our products and services, in support of our general business operations, and to comply with our legal obligations. We only send marketing communications to EU consumers who provide opt-in consent or who are covered by “soft opt-in” exemptions.

How We Disclose Personal Information We Collect

We do not sell your Personal Data to third parties.


Blackhawk Network (Canada) Ltd. and its Canadian affiliates are part of a global group of companies. We disclose personal information among our affiliated and subsidiary companies in furtherance of the purposes set out in this Policy; their processing of your personal information is subject to this Policy. Blackhawk affiliates have executed written agreements with each other that impose appropriate safeguards for the protection of your personal information in compliance with applicable privacy laws.

Service Providers

We disclose your personal information to certain companies that provide services to us and on our behalf and subject to our written instructions, such as shipping, payment, hosting, and other support services; these companies may be located in the EU, the USA and other jurisdictions.

Clients and Partners

Where we process personal information on behalf of our clients or partners, we process and share your personal information with that entity subject to its instructions. In such cases the client or partner is the controller of your personal information. This Policy does not apply to Blackhawk’s processing of your personal information in its capacity as the client or partner’s data processor and our use of your personal information is subject to their instructions. Rather, where our client or partners process and use your personal information as controllers, their own privacy policy applies.

Referral Partners

We offer referral-based commission systems through third-party partners so that publisher websites may refer users to our pages to make purchases. These partners will be identified when you sign up, and we will obtain your consent in jurisdictions where this is required (and no other legal basis applies). Your personal information collected in such cases will be owned and controlled by both Blackhawk and the partner as independent data controllers. This Policy governs only Blackhawk’s use of such data. The partner’s own privacy policy governs its use of the data.

Product Short Notices

Some products offered in conjunction with banks have unique data sharing agreements. Where relevant, Blackhawk will make available to you short privacy notices of each product’s sharing policies on its website.

Additional Disclosures

We may also disclose your personal data in the event of the situations below.

  • As permitted or required by law, such as to comply with a subpoena, or similar legal process;
  • When we believe in good faith that disclosure is necessary to respond to claims asserted against us, protect our rights, protect your safety or the safety of others, investigate fraud, comply with legal process (e.g., subpoenas or warrants), or respond to a government request;
  • If Blackhawk is involved in a merger, acquisition, or sale of all or a portion of its assets, or in the event of a bankruptcy or dissolution of our business, your personal information may be transferred to an acquiring business or third party, including in contemplation of or related to due diligence for such business transactions, subject to any applicable restrictions under applicable laws; and
  • To any other third party with your prior consent.

Aggregate and Anonymized Information

We may share aggregate or anonymized information about you with third parties for marketing, advertising, research or similar purposes.

Cookies and Online Tracking

We and our third-party service providers may collect information automatically when you use the Site or Services, or read our emails, including through cookies, beacons, pixels, tags, scripts, and HTML5, as well as log files. We, or our service providers, may combine this information with other information, including personal information we collect about you, to record your preferences, gather information about the use of our Services, identify when our emails are viewed, personalize content and ads and track information about the performance of our advertisements.

Log files

Most browsers collect certain information, such as your IP address, device type, screen resolution, operating system version, and internet browser type and version. This information is gathered automatically and stored in log files. We may link this data to personal information we have collected about you.


These are small files with a unique identifier that are transferred to your browser through our websites. These technologies allow us to collect information such as browser type, time spent on our Sites, pages visited, language preferences, and your relationship with us. We can use this information to analyze trends, administer the website, track users’ movements around the website, measure the effectiveness of our communications, tailor our advertising to you, and gather demographic information about our user base as a whole. These technologies may provide us with information about devices and networks you utilize to access our Services, and other information regarding your interactions with our Services. For detailed information about the cookies used in the Services and how you can manage your cookie preferences or reject cookies altogether, please read and review our Cookie Policy. You can refuse to accept cookies. You will need to manage your cookie settings for each device and browser you use. However, if you elect not to accept cookies, your use of the features on our Sites may be limited or impaired, and you may not be able to access certain features of our Sites at all. For more detailed information about these mechanisms and how we collect activity information, see our Cookie Policy.

Pixels, Web Beacons, Clear GIFs

These are tiny graphics with a unique identifier, similar in function to cookies that we use to track the online movements of users of our web pages and our Ad Services, and to personalize content, and to identify when our emails are viewed or forwarded.

Our third party partners use Local Shared Objects, such as Flash cookies, to embed features on our sites. To manage Flash cookies, please click here.

“Do Not Track” Preferences

Our Site does not recognize do-not-track signals; however, we do not track your online activities across different Sites, and we only track your activity within a Site to the extent you log into your account. Therefore, our practices remain the same whether or not you enable the “Do Not Track” feature. For more information about do-not-track signals, please click here or see our Cookie Policy.

Third-Party Analytics

We partner with third-party ad networks, Facebook, Google and other third-party ad companies to manage our advertising on other sites. Our third-party partners use technologies such as cookies to gather information about your activities on this website and other sites in order to provide you personalized advertising based upon your browsing activities and interests. Please see the “Cookies and Online Tracking” section above or our Cookie Policy for more information.

Marketing and Newsletters

If you subscribe to our newsletters, we will use your name and email address to send them to you. You may choose to stop receiving our newsletter or marketing emails at any time by following the unsubscribe instructions included in these emails or accessing the email preferences in your account.

Custom Audiences

Subject to local law restrictions, we may disclose certain information (such as your email address) with third parties – such as Facebook (more info on Facebook Custom Audience here) so that we can better target ads and content to our users, and others with similar interests on these third parties’ platforms or networks (“Custom Audiences”). We may also work with third-party ad networks and marketing platforms that enable us and other participants to target ads to Custom Audiences submitted by us and others. If you would like to opt-out of being included in our Custom Audiences going forward, email us at and we will opt you out of our future Custom Audiences.

Opting Out of Ad Networks

If you wish to not have this cross-site information used for the purpose of serving you targeted ads, you may opt-out of many ad networks by clicking here (or if located in the European Union, click here). You will continue to receive ads on the sites you visit, but the ad networks from which you have opted out will no longer target ads to you based upon your activities on other sites. Please note, however, that these opt-out mechanisms are cookie based; so, if you delete cookies, block cookies or use another device, your opt-out will no longer be effective. For more information, go to

For more information about and to opt out of interest based ads from many ad networks, see our Cookie Policy. Note, if you delete cookies or change devices, your opt-out may no longer be effective.

Social Media Widgets

Our Sites include social media features, such as the Facebook “Like” button, either hosted by a third-party or hosted directly on our website (“Widgets”). Please refer to the privacy policies of the relevant third party websites or services to find out more about the collection, use, and disclosure of your information through such features. We will comply with any legal obligations placed on the use of these technologies by certain jurisdictions, which may affect how these Widgets function.


The security of your personal information is important to us. We have implemented safeguards designed to protect the personal information submitted to us. Please note that no data transmission over the Internet can be guaranteed to be 100% secure. As a result, we cannot guarantee or warrant the security of any personal information that we process.

If you have any questions about the security of your Personal Data, you can contact us at


We retain your information for as long as your account is active or as needed to provide you services. To the extent permitted by applicable law, we may retain and use your personal information only as necessary to comply with our legal obligations, resolve disputes, maintain appropriate business records, and enforce our agreements.

Image Submissions and Public Directories

Some of our websites offer you the ability to upload your own image to be used to create a personalized product. You may have the option to make these images available in publicly-accessible directories. You should be aware that any information you provide in these areas may be read, collected and used by others who access them. You may request removal of your Personal Information at any time. To request removal of your personal information from these public forums, please email us at or contact us by postal mail at the address below. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why.

Data Subject Rights

Certain countries and regions, including the European Union, have enacted laws that provide for privacy rights for individuals located in the EU. Regardless of your location and jurisdiction, Blackhawk may at its sole discretion choose to extend these rights to all individuals, and to comply with requests as detailed below. We do not charge for these services but in certain cases we may require further proof of your identity, or ask you to clarify the scope and nature of your request if it is unclear. Where you are entitled to a right, we will respond to your request within the timeframe set out by law, or where we provide answers on a voluntary basis within a reasonable timeframe.

Please note that we only respond directly to you in cases where we are the controller of your personal information. Where we are acting as a data processor on behalf of a client or partner, we will forward your request to the client or partner who is the data controller of your personal information.

Access, Rectification, Portability and Deletion

You may have the right to access, rectify (correct), or delete your personal information held by us or may ask for a restriction of processing. You may also have the right to ask for an overview or copy of your personal information or to request that certain of your personal information be exported to you or to another provider where technically feasible (data portability). On some of our Sites, you may access, rectify, or delete your personal information by making the change directly on your account page. Please note that there are some exceptions to these rights. For example, we will not be able to delete your personal information if we are required by law to keep it or if we hold it in connection with a contract with you. Similarly, access to your personal information may be refused if making the information available would reveal personal information about another person or if we are legally prevented from disclosing such information.

You may also make these requests by sending an email to or by sending your request by postal mail to the address below.

Please note that there are some limitations to these rights. For example, we will not be able to delete your personal information if we are required by law to keep it or if we hold it in connection with a contract with you. Similarly, access to your personal information may be refused if making the information available would reveal personal information about another person or if we are legally prevented from disclosing such information. If we cannot fulfill your request we will inform you about why we cannot comply with your request.

Withdrawal of Consent

Where we process your personal information on the basis of your consent, you have the right to withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

Object to Processing

You have the right to object to processing (including profiling) based on legitimate interest grounds, where we are relying upon legitimate interests to process personal information. If you object, we must stop that processing unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or we need to process the personal information for the establishment, exercise or defense of legal claims. Where we rely upon legitimate interest as a basis for processing we believe that we can demonstrate such compelling legitimate grounds, but we will consider each case on an individual basis.

Object to Marketing

You have the right to object to our use of your personal information (including profiling) for direct marketing purposes, such as when we use your personal information to invite you to our promotional events.

Right to Lodge a Complaint

You have the right to lodge a complaint with your supervisory authority, if you consider that the processing of your personal information infringes applicable law.

To exercise your rights email (or contact us as indicated in the ‘Contact Us’ section below). Please keep in mind that certain services will not be available if you withdraw your consent, or otherwise delete or object to our processing of certain personal information. We will respond to your request in accordance with applicable law, and we will inform you if we do not intend to comply with your request.

Protecting Children’s Privacy Online

Our Sites are not directed to children and we do not knowingly collect personal information from children under the age of sixteen (16), and we request that such individuals do not provide personal information through our Sites.

International Transfer

The personal information that we collect from you may be transferred to, accessed in, and stored at a location outside the country in which you reside, which may not provide equivalent levels of data protection as your home jurisdiction. It may also be processed outside the country in which you reside by one of our service providers. As a result, this information may be subject to access requests from governments, courts, or law enforcement in those jurisdictions according to laws of those jurisdictions.

When Blackhawk stores personal information outside the jurisdiction from which it was collected, we will take steps to ensure that it receives an adequate level of protection in the jurisdictions in which we process and store it. This includes through appropriate written data processing terms and/or data transfer agreements, by putting in place standard contractual clauses as approved by the European Commission (the form for the standard contractual clauses can be found here: EU Commission Standard Contractual Clauses), or where there is an adequacy decision for a particular country by the EU Commission.

By submitting your personal information, you agree to this transfer, storing, or processing. We will ensure that your personal information is treated securely and in accordance with this Policy.

Updates to This Policy

This Policy may be subject to change. Please review it from time to time. If we make material changes to this Policy about how we process your personal information, we will post those changes on this page and revise the “Last Updated” date at the top and we will notify you by email or prominent notice on this Site prior to the change becoming effective. Where required by law, we will obtain your consent or give you the opportunity to opt out of such changes. Any changes will become effective when we post the revised Policy.

Contact Information

If you have any questions or concerns regarding the way in which your personal information is being processed, please reach out to us using the contact information below:

Chief Privacy Officer

Blackhawk Network, Inc.

6220 Stoneridge Mall Road

Pleasanton, CA 94588

EU Inquiries

You may contact Blackhawk Network, Inc. at the address or email above or the appropriate Blackhawk EU Data Protection Officer listed below, and we will work to properly respond to your inquiry or request.

Blackhawk Network DPO (European Union except Germany, Austria and Switzerland):

Blackhawk Network DPO (Germany, Austria, and Switzerland):

If you have any further queries or complaints that we are not able to answer, you should contact the Data Privacy Supervisory Authority for the country in which you reside. A list of National Data Protection Authorities in the European Economic Area can be found here.
