Data Protection Policy
We want to make sure you feel reassured about what happens when you browse our website or give us any of your information.
For the purpose of the Data Protection Act (the “Act”), the Data Controller of our Services for UK customers is UBR Limited. Data Controller is just a legal term that means we have responsibilities in respect of your Personal Information under the Act. Our registered company number is 09012942.
All information will be held and used in accordance with the Act. If you want to read more about the Act, you can do so here: ico.org.uk/your-data-matters/
1. What information will you collect about me?
When you visit our Service (in a restaurant, on a mobile device, tablet or desktop) or download and use our App, you may provide us with information personal to you including for example your name, your address, your postcode, your email address, your mobile phone number and your date of birth, whether you are a student, and the other information outlined below (your "Personal Information"). You may provide additional Personal Information if you wish.
You may provide us with Personal Information in a number of ways:
1) by subscribing to receive email, SMS or Push communications from us
2) by making an order using an online ordering service or an App. We may collect information such as what items you’ve browsed, your favourite orders, if you’ve applied any dietary filters and if you have selected one of our restaurants as a favourite.
3) by inputting your payment details – but only in order to complete a transaction.
4) by allowing us to collect your physical geolocation through an App (if you have enabled Location Services and agreed to allow us to send you Push messages).
5) by signing up for promotions or competitions.
6) by corresponding with our Customer Experience team by email, live chat, in writing, on social media or telephone, in which case we may retain the content of your emails, letters or conversations together with your title, name, email address, the social media username that you’re using, telephone number and our responses.
We also collect information about your device, including (where available) your IP address, operating system and browser type, the geographical location of your device, how you use our Service, and the date and length of your visit. This information is collected automatically. This information is aggregated and it does not identify you as an individual. We do this to help improve your experience on our Service.
2. How will you use my Personal Information:
We use your personal information for the purposes of:
1) allowing us to respond to any correspondence;
2) contacting you with information about products, services, news and special offers, if you’ve given your consent when you registered with us;
3) making sure you get the best experience from our Service - depending on what computer or device that you’re using;
4) if you’re using an App (and you have given us permission to do so by enabling this on your device), sending you ‘Push’ notifications containing information about our products and services and to provide you with information in the App;
5) notifying you about changes or updates to any of our Services;
6) carrying out market research and product development;
7) meeting legal, regulatory and compliance requirements;
8) investigating any complaints about the Service; or
9) investigating any safety or security incidents or breaches.
3. Do you share my Personal Information with anyone else?
We only share information with companies that we use to help us better understand and serve you. We never sell or give your Personal Information away to anybody.
We may share your Personal Information with:
Our Group entities:
We’ll share your “Personal Information” with people or departments within our Group but only if they have a need to access it.
We engage third party payment processors to process payments. These third party processors may store your payment card details, if you want them to, to speed up your transaction time. If you do not want to take advantage of this, please do not select this function.
We may also share Personal Information with third parties for marketing, advertising and strategic development purposes to help us understand customer trends and patterns and to make sure that we are talking to you about the most relevant things. We have Agreements in place that define what third parties can and cannot do with your Personal Information. We also conduct periodic reviews of third parties to ensure compliance. However we will only send marketing to you where you have previously consented to receiving marketing materials from us.
We may also share such details with auditors or legal professionals to obtain professional advice. If we do this, your statutory data protection rights will be preserved.
You should be aware that if we’re requested by the police, a regulatory or government authority in the investigation of suspected illegal activities to provide your Personal Information, then we are entitled do so.
Occasionally, we’ll ask to share your Personal Information with third parties for marketing purposes. We’ll only do this when we have your explicit consent to do so (for example, when you enter a competition we’ll ask for your consent). If you don’t give your consent, it won’t prejudice your chances in any competitions.
4. What security measures are in place to protect my “Personal Information”?
The transmission of information via the internet is not completely secure. Although we take steps to protect your information, we can’t guarantee the security of your data transmitted to the Service; any transmission is at your own risk. We have implemented reasonable technical and organisational measures designed to secure your personal information from accidental loss and from unauthorised access, use, alteration or disclosure. We’ll continue to maintain and improve these security measures in line with legal and technological developments.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
5. How and where will you store my Personal Information?
Where you’ve chosen a password which allows you to access certain parts of our Service, you’re responsible for keeping this password confidential. We recommend that you don’t share your password with anyone else. We recommend that your password is unique to your account. We will not be liable for any unauthorised access or transactions entered into using your name and password where it has been shared with your permission or if you haven’t taken adequate steps to prevent it on either a desktop computer or another device. If you access our Service using a public computer, we advise you not to store your password and to log out of any parts of our Service. If you’re using a mobile phone or tablet to use our Service, we advise that you have an appropriate passcode.
6. Links, advertisers, third party sponsors & ad-servers
7. How can I find out what Personal Information you hold about me or update my details?
The Act gives you the right to access your Personal Information that we hold. To protect your privacy and security, we’ll take reasonable steps to verify your identity before we carry out your request. We will not ordinarily charge a fee for access to your Personal Information but we are entitled to charge a reasonable fee for providing a copy of your Personal Information to you if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances. We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
You also have the right to ask us to update or amend any information that is wrong, ask us to stop sending you marketing information or even to ask us to delete your account and the associated Personal Information.
If you have any questions about what we do with your Personal Information, ask us to make any changes to your account or to make a complaint please contact us using one of the methods below:
We hope we can answer any questions or resolve any problems but if you are still unhappy then you can contact the:
United Kingdom: Information Commissioner’s Office via their webservice www.ico.org.uk
8. How long will you keep my information for?
We won’t keep your Personal Information for longer than is necessary for our legitimate business purposes or than is required by law.
9. The use of our service by under 14s
Our Services are not intended for children and are therefore only to be used by anyone aged 14 or over and those under the age of 16 should have their parents or guardians’ permission. We encourage the supervision of children's online activities. For example, parental control tools which are available online to help provide a child-friendly online environment. These tools can also prevent children from disclosing their name, address, and other Personal Information online without parental permission. Your child's privacy is important to us and we are committed to safeguarding children's Personal Information collected online. Users of our Service may participate in many activities without providing any Personal Information. However, if you’d like to participate in certain interactive features on our Service, we’ll ask you to provide us with certain information, such as your email address and age. We will not send any marketing communications to anyone who has disclosed that they are aged under 16.
11. How can I contact you?
Employee Privacy Notice
The Company is aware of its obligations under the General Data Protection Regulation (GDPR) and is committed to processing your data securely and transparently. This privacy notice sets out, in line with GDPR, the types of data that we hold on you as an employee of the Company. It also sets out how we use that information, how long we keep it for and other relevant information about your data.
This notice applies to current and former employees, workers and contractors.
Data controller details
The Company itself is a data controller, meaning that it determines the processes to be used when using your personal data.
Data protection principles
In relation to your personal data, we will:
Types of data we process
We hold many types of data about you, which may include:
How we collect your data
We collect data about you in a variety of ways and this will usually start when we undertake a recruitment exercise where we will collect the data from you directly. This includes the information you would normally include in a CV or a recruitment cover letter, or notes made by our recruiting officers during a recruitment interview. Further information will be collected directly from you when you complete forms at the start of your employment, for example, your bank and next of kin details. Other details may be collected directly from you in the form of official documentation such as your driving licence, passport or other right to work evidence.
In some cases, we will collect data about you from third parties, such as employment agencies, former employers when gathering references or credit reference agencies.
Personal data is kept in personnel files or within the Company’s HR and IT systems.
Why we process your data
The law on data protection allows us to process your data for certain reasons only:
All of the processing carried out by us falls into one of the permitted reasons. Generally, we will rely on the first three reasons set out above to process your data. For example, we need to collect your personal data in order to:
We also need to collect your data to ensure we are complying with legal requirements such as:
We also collect data so that we can carry out activities which are in the legitimate interests of the Company. We have set these out below:
Special categories of data
Special categories of data are data relating to your:
We must process special categories of data in accordance with more stringent guidelines. Most commonly, we will process special categories of data when the following applies:
We will use your special category data:
We do not need your consent if we use special categories of personal data in order to carry out our legal obligations or exercise specific rights under employment law. However, we may ask for your consent to allow us to process certain particularly sensitive data. If this occurs, you will be made fully aware of the reasons for the processing. As with all cases of seeking consent from you, you will have full control over your decision to give or withhold consent and there will be no consequences where consent is withheld. Consent, once given, may be withdrawn at any time. There will be no consequences where consent is withdrawn.
Criminal conviction data
We will only collect criminal conviction data where it is appropriate given the nature of your role and where the law permits us. This data will usually be collected at the recruitment stage, however, may also be collected during your employment.
If you do not provide your data to us
One of the reasons for processing your data is to allow us to carry out our duties in line with your contract of employment. If you do not provide us with the data needed to do this, we will unable to perform those duties eg ensuring you are paid correctly. We may also be prevented from confirming, or continuing with, your employment with us in relation to our legal obligations if you do not provide us with this information eg confirming your right to work in the UK or, where appropriate, confirming your legal status for carrying out your work via a criminal records check.
Sharing your data
Your data will be shared with colleagues within the Company where it is necessary for them to undertake their duties. This includes, for example, your line manager for their management of you, for maintaining personnel records and the payroll department for administering payment under your contract of employment. Further, we may share your data with our accountants for payroll processing purposes, who are The Hughes Partnership, Vienna House, International Square, Birmingham International Park, Solihull B37 7GN.
We may share your data with third parties in order to obtain references as part of the recruitment process
We may also share your data with third parties as part of a Company sale or restructure, or for other reasons to comply with a legal obligation upon us.
We do not share your data with bodies outside of the European Economic Area.
Protecting your data
We are aware of the requirement to ensure your data is protected against accidental loss or disclosure, destruction and abuse. We have implemented processes to guard against such.
Where we share your data with third parties, we provide written instructions to them to ensure that your data are held securely and in line with GDPR requirements. Third parties must implement appropriate technical and organisational measures to ensure the security of your data.
How long we keep your data for
In line with data protection principles, we only keep your data for as long as we need it for, which will be at least for the duration of your employment with us though in some cases we will keep your data for a period after your employment has ended.
Automated decision making
No decision will be made about you solely on the basis of automated decision making (where a decision is taken about you using an electronic system without human involvement) which has a significant impact on you.
Your rights in relation to your data
The law on data protection gives you certain rights in relation to the data we hold on you. These are:
Where you have provided consent to our use of your data, you also have the unrestricted right to withdraw that consent at any time. Withdrawing your consent means that we will stop processing the data that you had previously given us consent to use. There will be no consequences for withdrawing your consent. However, in some cases, we may continue to use the data where so permitted by having a legitimate reason for doing so.
If you wish to exercise any of the rights explained above, please contact us.
Making a complaint
The supervisory authority in the UK for data protection matters is the Information Commissioner (ICO). If you think your data protection rights have been breached in any way by us, you are able to make a complaint to the ICO.