Privacy Policy for Greggs Digital and Customer Services

United Kingdom

Last updated June 2021

This Privacy Policy explains what happens to the personal information we collect from you during visits to our shops, via the Greggs App, online via our website, by telephone, post, email, our digital marketing and advertising, social media or any other ways you might engage with us.

We may update this Privacy Policy from time to time and we will endeavour to update you of any significant changes if we hold a valid email address for you provided via the Greggs App or online. We recommend you also review this page occasionally to ensure that you’re happy with any changes. If we do change it, we will post the revised version here and change the “last updated date” (the date it applies from) at the top of the statement.

Please take time to read this Privacy Policy carefully so you understand how we treat and use your personal information and get in touch with us if you have any concerns.

Who are we?

We are Greggs plc, one of the UK’s leading food-on-the-go retailers ("we" or "us"). Greggs plc is registered at Companies House under company number 00502851 and our registered office is at Greggs House, Quorum Business Park, Newcastle upon Tyne, NE12 8BU.

We are also registered with the Information Commissioner’s Office under registration number Z7225689.

If you have a question regarding how we use your personal information, please address your communication to the "Data Protection Analyst" using one of the methods set out in the “How can you find out about and update your information?” section of this Privacy Policy.

We take data protection very seriously and respect the privacy of our customers. We are committed to protecting and respecting your privacy, in accordance with the UK General Data Protection Regulation ("UK GDPR").

What information do we collect from you?

We may collect the following personal information from you:

  • Your name and contact details (emails address, telephone number, postal and billing address, social media handle);

  • Your mobile telephone ID (i.e. your unique address that identifies your mobile device);

  • Your date of birth;

  • Your gender (if you choose to provide this);

  • Your marketing preferences;

  • Any information you include in correspondence or feedback you send to us, in forms, competitions, promotions or surveys you submit to us, when using our website, Greggs App (including in-app chat) or via our social media pages;

  • Any information you provide in customer research or customer satisfaction surveys we may conduct to evaluate and improve our products and services.

  • Your image on CCTV in our shops;

  • Your payment card and, in relation to certain goodwill payments, your bank account number and sort code, items purchased, the date and time of your transaction, amount purchased, whether you used a particular coupon or deal, and payment information, such as your credit/debit card or gift card or loyalty program details, when you make an in-store or online purchase;

  • Your mobile device information (or information about the device you use to access our website or services, including your Internet Protocol (IP) address (i.e. your unique address that identifies your device on the internet), your Internet service provider, device type, model and manufacturer, device operating system and platform, date and time stamps, IDs that allows us to uniquely identify your browser, mobile device and information in relation to your account and advertising you might have interacted with.

  • Your browsing history on our Greggs App, Website or information from when you visit and engage with content or targeted advertising on third party platforms or social media networks.

We may also collect information about how you use any of our digital services including:

  • Which products you purchase from us;

  • How frequently you purchase them;

  • When you visit our shops;

  • How much you spend with us;

  • Which of our shops you frequently use; and

  • How you’ve arrived at registering or using our digital services

Location Data

Where you have enabled location tracking services on your mobile device, we may also collect location information from you so that you can use your Greggs App to find your nearest Greggs shop and more about your shopping habits with us in order for us to send you more personalised offers on our products and services.

Aggregated Data

We collect, use and share aggregated data such as statistical or demographic data. We could derive this aggregated data from your personal information where you’ve given us permission to do so. For example, to understand differences in usage of users accessing a specific Greggs product or service in different parts of the U.K.

Nevertheless, if we combine or connect aggregated data with your personal information so that it can directly or indirectly identify you, we treat the combined data as personal information which we will use in accordance with this Privacy Policy.]

How is your information held?

Once collected, your personal information will either be held on the secure systems of our third party suppliers involved in the operation of a Greggs account or held on our customer database on our own secure systems within the United Kingdom (for further details, please see the “Who has access to your information” section below).

When you speak to us by phone you will be notified that your call will be recorded. This recording is held on our Avaya System, also held on our own secure system within the United Kingdom.

How will we use your information?

We will only use your personal information when the law allows us to do so, which may be:

  • To fulfil a contract we have with you; or

  • When it is our legal duty; or

  • When it is in our legitimate interests (or those of a third party); or

  • When you consent to it.

A legitimate interest is when we have a business or commercial reason to use your information. But even then, it must not unfairly go against what is right and best for you. If we rely on our legitimate interests, we will tell you what that is.

We may use your personal information for the reasons and in accordance with the legal basis below:

Purpose of Processing Your Personal Information

Legal Basis

Account administration - Account administration purposes for any registered account(s) you hold with us.

This is both:

  • Necessary for the performance of a contract with you for the operation of any account; and

  • Necessary for our legitimate interests to ensure that our customers receive an appropriate level of service.

Free rewards

To provide you with free rewards based on:

  • Your birthday;

  • Your purchasing habits;

  • Your location and / or the shops that you visit;

  • Products that we think you might be interested in.

This is both:

  • Necessary for the performance of the contract with you for the operation of your Greggs account; and

  • Necessary for our legitimate interests to ensure that our customers receive rewards that are tailored to them and are in line with their expectations.

Notifications and account information - To send notifications or account information to you by email, SMS text or app push notifications. We may select products that we believe you may be interested in based upon the information that we collect about how you use your Greggs account.

This is both:

  • Necessary for the performance of the contract between you and us for the operation of your Greggs account; and

  • Necessary for our legitimate interests to ensure that our customers receive an appropriate level of service.

Personalised Marketing

  • to better tailor offers and services to your needs, including:

  • To send you marketing about Greggs’ products, to provide personalised content and information.

  • This will include targeted content and advertising where we identify you across our platforms, identifying where if and where you use multiple devices

On the basis of consent, specifically where you have opted to receive direct marketing via the preference settings in any Greggs account, where you have opted to receive our email communications or indicated you consent to being tracked using the first and third party cookies as detailed in our Cookie Policy.

Profiling

  • to help us build up a picture of the things you’ll find most useful from us to make advertising tailored to you whenever possible.

  • We will build and develop a customer profile for you based on the products and services you use and/or buy to target and develop content, advertisements or marketing materials which are most likely to be of interest to you.

  • These could also appear as advertising on third party websites or social media platforms that you visit.

On the basis of consent, specifically where you have opted to receive direct marketing via the preference settings in any Greggs account, where you have opted to receive our email communications or indicated you consent to being tracked using the first and third party cookies as detailed in our Cookie Policy.

Data analytics

  • To conduct data analytics and analysis studies to review and better understand trends and improve our business, use of our website, Greggs App and social media which relates to us as well as to help us measure traffic and usage trends for the services we provide and to understand more about the demographics and behaviours of our users.

This is necessary for our legitimate interests to improve our service to our customers. We may also have legal obligations or be exercising a legal right to do this.

Location data

  • Location services so that you can use your Greggs App and account to find your nearest Greggs’ shop.

On the basis of consent, specifically where you have enabled location tracking services on your mobile device.

Customer record

  • To create and maintain a record to identify where you have been in touch with us in the past, including the reason for that previous contact and how it was resolved.

This is necessary for our legitimate interests in order to ensure that we have a good record of customer contacts so that we can:

  • monitor complaints regarding our business and any on-going or recurring issues that you may have. This will help us to make sure you receive proper assistance when you contact us and where relevant, that we understand the background to any issues you may have;

  • identify any potentially fraudulent complaints or series of complaints; and

  • review and assess the quality of our responses to complaints for training and development purposes.

Responding to you

  • To respond to your question or comment and to evaluate and improve our products and services.

This is necessary for our legitimate interests to improve our service to our customers.

Monitoring use

  • To monitor any use you make of our website, Greggs App and information and communication systems and social media accounts, to remember information so that you will not have to re-enter it during your visit or the next time you visit the our website.

This is necessary for our legitimate interests so we can:

  • ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution and also to protect your personal information; and

  • improve our service to our customers.

Vouchers

  • To send gift vouchers or voucher codes to you.

This is either (depending on the circumstances):

  • Necessary for the performance of a contract to which you are a party, for example if your contact relates to the operation of your Greggs account. Processing is necessary so that we resolve the issue and ensure that we have properly provided our services to you; or

  • Necessary for our legitimate interests to ensure that our customers receive an appropriate level of service and to investigate and resolve the reasons why that may not be the case; or

  • On the basis of consent, specifically where we ask your consent to be able to use your data to send gift vouchers or voucher codes to you.

Complaints

  • To contact you to discuss any complaint that you have made and to update you on how it is being resolved.

This is either (depending on the circumstances):

  • Necessary for the performance of a contract to which you are a party, for example if your contact relates to the operation of your Greggs account. Processing is necessary so that we can investigate the issue and ensure that we have properly provided our services to you; or

  • Necessary for our legitimate interests to ensure that our customers receive an appropriate level of service and to investigate and resolve the reasons why that may not be the case.

Order fulfilment

  • To fulfil your order, complete your transaction and update aspects of your Greggs account such as your rewards information.

This is both:

  • Necessary for the performance of a contract with you to fulfil your order; and

  • Necessary for our legitimate interests to ensure that our customers receive an appropriate level of service.

Custom Audiences

  • to help Social Media networks target you with tailored adverts. In some cases we will send encrypted customer emails to social media networks so that they can build custom audiences of our customers, which we can then target with tailored adverts. Social media networks will only be able to use customer emails to identify a user profile where this email data already exists on their network.

This is necessary for our legitimate interests to ensure that we can better understand the type of customer holding an account.

We also need to compile reports detailing the number and nature of customer contacts received within certain periods of time, which we will use within the business for management purposes. We use reasonable efforts to remove all personal information from these reports, but sometimes (for example, where personal information is contained in the message box of the “Write to us” section on our website), it may not be practical for this personal information to be removed or anonymised.

We always aim to use your personal information in an ethical and non-intrusive way. We will not use your personal data to target, segment, or profile individuals based on their health, negative financial status or condition, political affiliation or beliefs, racial or ethnic origin, religious or philosophical affiliation or beliefs, sex life or sexual orientation, data relating to an alleged or actual commission of a crime, for any unlawful or discriminatory purpose or in any other manner that would be inconsistent with your reasonable expectation of privacy.

How long will we hold your information for?

We will only hold your personal information for as long as is reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements.

In general, this means we will hold your personal information for as long as you are an active customer of Greggs. This data will typically cover up to a 10-year period of your activity with us.

If you make a complaint we may need to hold it longer. From time to time we do purge our database to ensure we are not holding onto your personal information if you no-longer are an active user of Greggs Digital Services and products.

We consider you an ‘active’ customer of Greggs, and therefore retained on the database, if within the previous 24 month period you have:

a) Made a digital transaction with us – such as placing a click and collect order via the Greggs App, making a purchase on greggs.co.uk, or scanning/using the Greggs App at a Greggs shop; or

b) Received 1 or more stamps, or rewards, in any of the six product categories in the last 24 months; or

c) Logged on to your Greggs account via the Greggs App or via the website; or

d) Had a financial account/wallet balance of any size that has topped up within this period (auto or manual); or

e) Not otherwise already contacted our Customer Care Team to request that your personal information is removed from our Greggs account system.

We will use reasonable endeavours to notify you one month in advance of our intention to close your Greggs account and delete your personal information. If we do not hear from you that you wish for your account to be retained within one month of the date of our notification, we will proceed with the closure of your account.

Data Retained by our Customer Care Team

In all other cases and where you contact our Customer Care Team we hold your information for 3 years from the date of your contact or if you contact us again within that period of time, for a period of 3 years from the date of your last contact with us. Information held relating to an injury complaint involving a minor will be retained for 3 years following the minor turning 18.

We will hold your personal information for this length of time because:

  • In the case of a Greggs Account it will ensure that your account is kept available for your use for a reasonable period of time before closure;

  • It will help us to handle any Greggs Account queries you may have within this period of time;

  • It will identify any trends in the nature of your contact with us; and

  • It will allow us to investigate a complaint.

After expiry of retention periods your data may be anonymised for market insight purposes and to measure the performance of our business.

We may keep your data for longer if we cannot delete it for legal, regulatory or technical reasons.

We will from time to time review our retention periods but we will only ever hold your personal information for as long as we believe is necessary for reasons set out above.

Only processing the personal information that we need to

Your personal information will only be processed to the extent that it is necessary for the specific purposes we tell you about.

Who has access to your information?

We reserve the right to pass any or all of your personal information to the police, or any other law enforcement agency for the purposes of:

  • Compliance with any of our legal obligations;

  • Crime detection or prevention;

  • Your misuse, or suspected misuse, of our website or any Greggs account.

Where your contact relates to any legal proceedings or prospective legal proceedings against us, we may need to pass your personal information onto our insurers and legal advisers for the purposes of assessing any such proceedings. We may also be required to share your personal information if we are under a duty to do so in order to comply with any legal obligation or to protect our rights, property or the safety of our business, customers, suppliers or employees. This includes exchanging information with other companies and organisations for the purposes of fraud protection.

We will also share your personal information with the following categories of third parties:

  • Service providers acting as processors who provide insight services, delivery of marketing and communications services and IT and system administration services.

  • Where you need to send something to us (for example, a sample of a product you have purchased from us) or where we need to send something to you (for example a gift), your personal information may need to be passed onto our third party suppliers to help us to achieve this.

  • Where your contact involves one of our third party partners (for example Just Eat, Iceland and franchise partners) if necessary we will pass on your information (unless you ask us not to) in order to resolve your complaint or query.

  • Where you have used our click and collect service via the Greggs App payment service your payment has been processed by our payment provider, Square. In doing this you have not created a Square account, but more information on how your information has been processed can be found at https://squareup.com/gb/en/legal/general/privacy-no-account

  • When you contact us via networks such as Twitter, Instagram and Facebook we will occasionally use this data for internal analysis purposes. Please refer to https://twitter.com/en/privacy, https://help.instagram.com/519522125107875 and https://en-gb.facebook.com/policy.php for their individual privacy policies and how your personal data is used.

  • When you use our shop Wi-Fi service, which is provided by Sky Wi-Fi, we do receive summaries of your behaviour and usage statistics which we’ll use for internal analysis purposes. Please refer to https://service.thecloud.net/service-platform/privacy-policy/ for more information how your personal data is used.

Apart from the circumstances set out above, we will not disclose your personal information to any third parties without your consent, unless we are satisfied that they are legally entitled to the information. Where we disclose your personal information to a third party, we will have regard to the data protection principles.

We will not:

  • Sell your personal information to third parties; or

  • Share your personal information with third parties for marketing purposes (unless you have given your consent for us to do so).

  • Permit any decisions to be taken about you using automated decision-making means.

Automated processing for personalised communications

We use automated processing so that we can show you personalised advertisements whilst browsing our website or those of other companies, and to build a customer profile for you. Any advertisements you see may relate to your browsing activity on our website from your computer or other devices. These advertisements are provided by us via external specialist providers using techniques such as pixels, web beacons, ad tags, mobile identifiers and ‘cookies’ placed on your computer or other devices. For further information on the use of cookies, or for details of how you can remove or disable cookies at any time - see our Cookie Policy . We may analyse your activity online and your responses to marketing communications. The results of this analysis, together with other demographic data, allows us to decide what advertisements are suitable for you and to ensure that we draw to your attention products, services, events and offers that are tailored and relevant to you. To do so, we use software and other technology for automated processing. This allows us to provide a more personalised services and experience. We may review personal information held about you by external social media platform providers, such as the personal information available on social media platforms including Twitter, Instagram, YouTube, Twitter and Facebook. We aim to update you about products and services which are of interest and relevance to you as an individual. To help us do this, we process personal data by profiling and segmenting, identifying what our customers like and ensuring advertisements we show you are more relevant based on demographics, interests, purchase behaviour, online web browsing activity and engagement with previous communications.

Links to other web sites and services

Greggs App and website may contain links to and from third party websites of our business partners, advertisers, and social media sites and our users may post links to third party websites. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability resulting from you following a link to these websites. Additionally, other privacy policies may apply when you engage with us through a co-branded or co-sponsored promotional or marketing activity. We strongly recommend that you read the privacy policies and terms and conditions of use of any third party website or service to understand how your information will be collected, used and shared. We are not responsible for the privacy practices or the content on the websites of third-party sites.

How can you find out about and update your information?

You have the right to ask for a copy of the personal information that we hold about you.

If you wish to do so, please contact us:

  • By email at data.protection@greggs.co.uk

  • By post for the attention of the Data Protection Analyst, Greggs plc, Greggs House, Quorum Business Park, Newcastle upon Tyne, NE12 8BU.

In order to fulfil your request, we may need to first verify your identity.

Any questions regarding this Privacy Policy can be sent to us using the same contact details above.

The accuracy of your information is also important to us. If you change contact details or if you believe that any of the other personal information we hold is inaccurate, incomplete or out of date, please contact us:

  • Via the Greggs App;

  • Via the “Write to us” section at www.greggs.co.uk/contact;

  • By post for the attention of the Customer Care Team, Greggs plc, Greggs House, Quorum Business Park, Newcastle upon Tyne, NE12 8BU;

  • By telephone on 0808 1473447.

You may also request an accessible format of this Privacy Policy using these contact details.

In addition to your rights set out elsewhere in this Privacy Policy, you also have the right to:

 Request details from us of the recipients of your personal information or the categories of recipients of your personal information, if it is supplied by us to any third parties;

 In certain circumstances have the processing of your personal information restricted;

 In certain circumstances be provided with the personal information that you have supplied to us, in a portable format that can be transmitted to another company;

 In certain circumstances not to be subject to a decision that is based solely on automated processing which would have a legal or significant impact on you;

 In certain circumstances object to any processing we are carrying out about you when the basis for our processing is legitimate interests.

If you wish to exercise any of the rights set out above, you must make the request in writing addressed to the "Data Protection Analyst" using one of the methods set out above.

Withdrawal of consent

If you have provided your consent for us to process your personal information, you have the right to withdraw your consent at any time. This will not affect the legality of our consent based use before you withdrew your consent.

If you wish to exercise your right to withdraw your consent, you must make the request in writing addressed to the "Data Protection Analyst " using one of the methods set out in the “How can you find out about and update your information?” section of this Privacy Policy.

The right to object and deletion

You have the right to object to our use of your personal information, or to ask us to delete, remove, or stop using your personal information if there is no need for us to keep it. This is known as the “right to be forgotten”.

There may be legal or other reasons why we need to keep or use your information, but please tell us if you think that we should not be using it.

We may sometimes be able to restrict the use of your personal information (although in doing so this may affect your ability to continue using your Greggs account). This means that it can only be used for certain things, such as legal claims or to exercise legal rights. In this situation, we would not use or share your information in other ways while it is restricted.

If you object to our processing of any of your personal information, you must make the request in writing addressed to the “Data Protection Analyst” using one of the methods set out in the “How can you find out about and update your information?” section of this Privacy Policy.

How we keep your data secure

We and our third party suppliers use reasonable, appropriate and up to date security methods to keep your data secure and to prevent unauthorised or unlawful access to your information. We limit access to your personal information to those employees, subcontractors, consultants and other third parties who have a business need to use it. They will only process your personal information on our instructions. They are subject to obligations of confidentiality.

We have put in place procedures so that we can deal with any actual or suspected personal information breach and we will let you and the Information Commissioner's Office know of a breach where we are legally required to do so.

Transferring your personal information outside the UK

We will not transfer your personal information outside the UK unless such transfer is compliant with the UK GDPR. This means that we cannot transfer any of your personal information outside the UK unless:

  • The UK Government has decided that another country or international organisation ensures an adequate level of protection for your personal information; or

  • The transfer of your personal information is subject to appropriate safeguards, which may include: Binding corporate rules; or

    Standard data protection clauses adopted by the UK Government; or

  • One of the derogations in the UK GDPR applies (including if you explicitly consent to the proposed transfer).

Right to make a complaint

If you have any issues with our processing of your personal information and would like to make a complaint, you may contact the Information Commissioner's Office on 0303 123 1113 or at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. More information can also be found at https://ico.org.uk/make-a-complaint/