We collect and process the Personal Information of various categories of people who interact with us, who are mostly people who come to our restaurants, use and fill forms on our website, or order food via an online platform or app.
Our Services are not intended for children and we do not knowingly collect Personal Information relating to children. For more information, please refer to the “Children” section below.
Types of personal information we collect
identity information, such as your name, initials, gender, age, and the month, day, and occasionally year of your birth;
contact details, such as your email address, delivery address, billing address, mailing address, and phone number(s);
account user name and other account identifiers;
communication preferences and registration information;
transaction history, for example, the details of individual or aggregate orders, orders per location, last four digits of your credit card number, whether food was picked up or delivered, etc.;
browsing technical information, for example, IP address, login data, browser type and version, operating system, and other technology on the devices you use to access our website. For more information, please see the “Cookies and Automatic Data Collection: Do Not Track” section below;
device technical information, for example, the MAC address, geographic location information, and assigned IP of devices used to access in-store wireless internet; and,
any other Personal Information we may obtain through you interacting with us through the Services.
Except as described above, we do not collect, store, process, or receive credit card numbers from our Partners (as defined in the “How we Collect Personal Information” section below) or otherwise. This type of information may be collected by our Partners and subject to their privacy policies.
How we collect personal information
We obtain Personal Information in a variety of ways, sometimes through a platform that is owned, operated, or “powered by” third-party partners or service providers (collectively, our “Partners”). In connection with your interactions with us through the Services, we may collect Personal Information from you or from other sources. This information may be Personal Information that you directly provide to us, such as information that you provide when you visit the Services, or information that is passively or automatically collected from you, such as information collected from your browser or device. This information may either be Personal Information or Anonymous Information, depending on the collection source.
In some instances, Chestnut Bakery may also collect information from third party sources, upon whom we rely to provide the Services. We use both business partners and service providers, such as payment processors and analytics providers, to perform services on our behalf. Some of these Partners may have access to information about you that we may or may not otherwise have (for example, where you sign up directly with that provider) and may share some or all of that information with us. In response to public health guidance or mandates from government authorities, we may collect health information from our customers as we are required or deem appropriate to provide a safe space for you and our employees.
We use the following third-party services in order to provide the best user experience to you:
when you order online via the Site your identity and registration information will be processed by us, and your contact details will also be collected so we can communicate with you about your order if required.
when you order via one of our delivery Partners (for example, Deliveroo), a subset of your identity and contact information will be processed by us so we can fulfil your order. These services will maintain their own privacy policies.
when you use the Mobile App your identity, contact information, and registration information will be processed by us.
when you use our in-store wireless internet service, we will ask to collect identity and contact information, as well as marketing preferences. Further to this, technical information about the device you use will also be captured to facilitate the service. In-store wireless internet service is provided by third-party partners and will be subject to Privacy Policies that are presented as part of the connection process.
when you post information on or through our website or send us emails or other communications. In addition, when you visit or use this website, we may automatically gather and store certain technical information about your usage. For more information, please see the “Cookies and Automatic Data Collection: Do Not Track (DNT)” section below.
we collect the online usernames of those who leave reviews of our food or stores on online platforms.
when you otherwise provide us with your Personal Information.
In addition to the categories of information described above, Chestnut Bakery may also collect aggregated information or other Anonymous Information that does not directly identify you.
We encourage you to review the privacy policies for each third-party service provider or Partner so that you are informed about the information they may collect and use about you.
Cookies and Automatic Data Collection; Do Not Track (DNT)
We use both session cookies (which expire once you close your browser window) and persistent cookies (which stay on your computer until they expire or until you delete them) to provide you with more personal and interactive experiences on the Site. Persistent cookies can be removed by following the help directions for your internet browser. If you choose to disable all or most cookies, some areas of the Site may not function properly.
For the Chrome web browser, please visit this page from Google:
For the Internet Explorer web browser, please visit this page from Microsoft: https://support.microsoft.com/kb/278835
For the Firefox web browser, please visit this page from Mozilla: https://support.mozilla.org/en-US/kb/clear-cookies-and-site-data-firefox
For the Safari web browser, please visit this page from Apple: https://support.apple.com/en-gb/HT201265
For any other web browser, please visit your web browser’s official web pages.
You can learn more about cookies here:
Network Advertising Initiative: https://www.networkadvertising.org/
In addition to cookies, Chestnut Bakery uses “pixels” to enable certain cookies or advertisements on the Site and to track the number of times a link or advertisement is served on a webpage. A pixel is a tiny, 1×1 image that is loaded when you visit our Site, but instead of calling up an image, it causes a cookie or application to be downloaded. Pixels can be used to track user activities, track the number of times a user has viewed a particular link or advertisement, track and optimize website traffic, display advertisements, keep track of advertising commissions, and otherwise collect data for online marketing and website analysis. As with cookies, our Site utilizes both session pixels and persistent pixels.
The cookies that we use for functionality and security purposes are considered necessary cookies, without which the Site would not function properly. These cookies allow some of the basic functions of our Site to work properly, such as remembering your preferences as you navigate the Site. In addition, these cookies help us secure the Site by preventing cross-site request forgery attacks and by throttling excessive request rates.
We also use Google Analytics on our Site to collect usage data, to analyze how users use the Site, and to provide advertisements to you on other websites. This information is anonymous and does not include personal information. Please visit the following website for information about how you can opt out of having Google Analytics collect data from you when you are using the Site: https://tools.google.com/dlpage/gaoptout/
Any automatically collected information is statistical, aggregated, or Anonymous Information and does not include personal information.
Please note that our Site is not configured to accept and respond to web browser Do Not Track (DNT) signals. As such, if you would like to exercise your privacy rights, we encourage you to do so by submitting a request using the methods described below.
Use of your personal information
We will only use your Personal Information for the purposes for which it has been provided to us. Generally, we will process your Personal Information in order to:
fulfill your order;
identify sales trends and monitor store performance;
administer our rewards program, which is made available through the Mobile App and only available in the United Kingdom;
present the Site to you;
provide you with Chestnut Bakery related information, promotions, offers, products, or services that you request from us or that you have consented to receive;
promote Chestnut Bakery via email direct marketing if you have shared your email when interacting with the Services and have agreed to receive marketing messages, which you may opt out of at any time;
fulfil any purpose for which you provide Personal Information;
provide customer support;
respond to law enforcement requests and as required by applicable laws, rules, court order, or governmental regulations;
fulfill any other purposes with your explicit consent.
We may also use your Personal Information for any other purpose as disclosed at the time of collection, or when we have otherwise obtained consent.
We will not perform any automated decision-making processes involving the information that we collect.
Direct Marketing and Other Communications
We may periodically engage in direct marketing if you have opted-in to receive it. You will be able to opt out at any time by following the instructions included in every email sent to you via the “Unsubscribe” link contained in the email footer.
Changing the purpose for which we use your personal information
We will not collect additional categories of Personal Information or use the Personal Information that we have collected for materially different, unrelated, or incompatible purposes without providing you notice.
We will only use your Personal Information for the purposes for which it has been provided to us, unless we reasonably consider that we need to use it for another reason that is compatible with the original purpose and GDPR-compliant.
How we share and disclose personal information
We may need to share your Personal Information with other organizations from time to time, but to the extent required by applicable law, rule, or governmental regulation, we will maintain responsibility for what they do with your Personal Information and how it is processed. We require all third parties to respect the security of your Personal Information and to treat it in accordance with the law. We do not allow our third-party service providers to use your Personal Information for their own purposes and we only permit them to process your Personal Information for specified purposes and in accordance with our instructions. For example, we may share your information:
with service providers who process Personal Information for us, including those providing IT and system administration services and hosting;
if we believe disclosure is necessary or appropriate to protect the rights, property, or safety of Chestnut Bakery, our employees, our customers, or others;
to provide information to our representatives and advisors, including our attorneys and accountants, to help us comply with legal, accounting, and security requirements; and,
to organizations with which, or people with whom, we may be involved in the provision of any services to you in support of our business, for example email marketing platforms, customer relationship management systems, or store management platforms.
We may also share your Personal Information for any other purpose as disclosed at the time of collection, or when we have otherwise obtained consent.
How we protect your personal information
We have put in place appropriate technological and organizational security measures to help prevent your Personal Information from being accidentally lost, used, altered, accessed, or disclosed in an unauthorized way. In addition, we limit access to your Personal Information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your Personal Information on our instructions and subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected Personal Information breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
The safety and security of your information also depends on you. If you choose, or are provided with, a user name, password, or any other piece of information as part of our security procedures, you must treat such information as confidential, and you must not disclose it to any other person or entity. You also acknowledge that your account is personal to you and agree not to provide any other person with access to the Services, or any portion thereof, using your user name, password, or other security information. You agree to notify us immediately of any unauthorized access to or use of your user name or password or any other breach of security. You also agree to ensure that you exit from your account at the end of each session. You should use particular caution when accessing your account from a public or shared computer or device so that others are not able to view or record your password or other personal information. You are entirely responsible for maintaining the confidentiality of the information you hold for your user name, password, or other information related to your account. You may be held liable for losses incurred by us as a result of your failing to keep your login information secure and confidential.
Unfortunately, the transmission of information via the internet is not completely secure. Although we do our best to protect your Personal Information when it is received by us, we cannot guarantee the security of your Personal Information transmitted to our Services. Any transmission of Personal Information is at your own risk. We are not responsible for any circumvention of any privacy settings or security measures related to the Services.
How long personal information is kept
We will only keep your Personal Information for as long as necessary to fulfil the purposes for which we collected it or to enable us to comply with our legal obligations or enforce our legal rights.
Generally, the length of time we keep your Personal Information will depend on the type of Personal Information and the purpose for which we are processing it. To determine the appropriate retention period, we consider the amount, nature, and sensitivity of the Personal Information, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process the Personal Information and whether we can achieve those purposes through other means, and the applicable legal requirements.
At the end of the retention period, we will either delete your Personal Information from our systems completely, or anonymize it so it can be used without identifying you and without the ability to be re-associated with you in the future, such as by aggregating the information.
You can contact us if you would like further information about our retention policy or to request we delete your personal information by using the information in the “Contact Us” section below.
Links to third party websites and social media
The Services may offer social sharing features and other integrated tools, such as the Facebook, Twitter and Pinterest buttons (e.g., “Like,” “Tweet” and “Pin It”), which let you share actions you take on the Services with other media. Your use of these features may enable the sharing of information outside of Chestnut Bakery and, potentially, with the public. If you click on a link to a third-party website or use a third-party service (including, without limitation, those listed above), you will leave the Services and go to the website or service you selected.
Children
The Services are not intended for and we do not knowingly request or gather personal information from users who are under the age of 13. If personal information is gathered from a child under the age of 13 and we learn that the personal information is the information of a child under the age of 13, we will make the effort to delete the information. If you, as a parent or guardian of the child, believe that we might have personal information from a child under the age of 13 or the applicable minimum age in your jurisdiction, please contact us at firstname.lastname@example.org, and we will delete the personal information from our records within a reasonable period of time. Please note that you may have to reach out to our Partners separately to delete the personal information from their records.
British and EU/EEA Privacy Rights
We will only use your Personal Information in compliance with the law. Most commonly, where:
consent has been obtained. For example, we rely on consent when sending special offers on your birthday. You have the right to withdraw your consent at any time and can find out more about your right to withdraw your consent in our “Your Rights and Choices” section.
it is necessary for our legitimate interests (or those of a third party), and those interests do not override your interests or fundamental rights. You can find out about your right to object to our processing of your Personal Information when we rely on our legitimate interests in our “Your Rights and Choices” section.
we need to perform a contract we are about to enter into or have entered into with you. For example, if you place an order with us or a delivery partner, we need to process your Personal Information in order to fulfil that contract.
we need to comply with a legal or regulatory obligation. For example, we may be required to share your Personal Information with any legal or regulatory authority to which we are subject.
If we need to use your Personal Information for an unrelated purpose, we will notify you and we will explain the legal basis that allows us to do so.
The Personal Information we hold about you needs to be accurate and up-to-date in order to comply with applicable privacy and data protection laws. Please contact us at email@example.com to let us know of any changes to your Personal Information so that we can correct our records.
Personal Information Rights
In addition to the rights outlined in the “Your Rights and Choices” section, EU, EEA, and British citizens have the below additional rights:
Object to processing of your Personal Information where we are relying on our legitimate interests (or those of a third party) and there is something about your particular situation which makes you want to object to our processing on this ground as you feel it impacts on your fundamental rights and freedoms. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms. You also have the right to object where we are processing your Personal Information for direct marketing purposes.
Request restriction of processing of your Personal Information. This enables you to ask us to suspend the processing of your Personal Information in any of the following scenarios: (a) if you want us to establish the accuracy of the Personal Information retained about you; (b) where our use of your Personal Information is unlawful but you do not want us to erase it; (c) where you need us to hold the Personal Information even if we no longer require it as you need it to establish, exercise, or defend legal claims; or, (d) you have objected to our use of your Personal Information but we need to verify whether we have overriding legitimate grounds to use it.
Request the transfer of your Personal Information to you or to a third party. We will provide to you, or a third party you have chosen, your Personal Information in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
If you wish to exercise any of the rights set out above, please contact us at firstname.lastname@example.org.
Please contact us in the first instance if you have a concern about how we are dealing with your Personal Information, though EU and British citizens in the UK are entitled to complain at any time to the Information Commissioner’s Office (ICO) at www.ico.org.uk.