Last updated July 2023
Who are we?
We are Greggs plc, one of the UK’s leading food-on-the-go retailers ("we" or "us"). Greggs plc is registered at Companies House under company number 00502851 and our registered office is at Greggs House, Quorum Business Park, Newcastle upon Tyne, NE12 8BU.
We are also registered with the Information Commissioner’s Office under registration number Z7225689.
We take data protection very seriously and respect the privacy of our customers. We are committed to protecting and respecting your privacy, in accordance with the UK General Data Protection Regulation ("UK GDPR").
What information do we collect from you?
We may collect the following personal information from you:
Your name and contact details (emails address, mobile telephone number, postal and billing address, social media handle);
Your mobile telephone ID (i.e. your unique address that identifies your mobile device);
Your date of birth;
Your gender (if you choose to provide this);
Your marketing preferences;
Any information you include in correspondence or feedback you send to us, in forms, competitions, promotions or surveys you submit to us, when using our website, Greggs App (including in-app chat), email or via our social media pages;
Any information you provide in customer research or customer satisfaction surveys we may conduct to evaluate and improve our products and services.
Your image on CCTV in our shops;
Your payment card and, in relation to certain goodwill payments, your bank account number and sort code, items purchased, the date and time of your transaction, amount purchased, whether you used a particular coupon or deal, and payment information, such as your credit/debit card or gift card or loyalty program details, when you make an in-store or online purchase;
Your mobile device information (or information about the device you use to access our website or services, including your Internet Protocol (IP) address (i.e. your unique address that identifies your device on the internet), your Internet service provider, device type, model and manufacturer, device operating system and platform, date and time stamps, IDs that allows us to uniquely identify your browser, mobile device and information in relation to your account and advertising you might have interacted with.
Your browsing history on our Greggs App, Website or information from when you visit and engage with content or targeted advertising on third party platforms or social media networks.
We may also collect information about how you use any of our digital services including:
Which products you purchase from us;
How frequently you purchase them;
When you visit our shops;
How much you spend with us;
Which of our shops you frequently use; and
How you’ve arrived at registering or using our digital services
Where you have enabled location tracking services on your mobile device, we may also collect location information from you so that you can use your Greggs App to find your nearest Greggs shop and more about your shopping habits with us in order for us to send you more personalised offers on our products and services.
We collect, use and share aggregated data such as statistical or demographic data. We could derive this aggregated data from your personal information where you’ve given us permission to do so. For example, to understand differences in usage of users accessing a specific Greggs product or service in different parts of the U.K.
How is your information held?
Once collected, your personal information will either be held on the secure systems of our third party suppliers involved in the operation of a Greggs Account or held on our customer database on our own secure systems within the United Kingdom (for further details, please see the “Who has access to your information” section below).
When you speak to us by phone you will be notified that your call will be recorded. This recording is held on our Avaya System, also held on our own secure system within the United Kingdom.
How will we use your information?
We will only use your personal information when the law allows us to do so, which may be:
To fulfil a contract we have with you; or
When it is our legal duty; or
When it is in our legitimate interests (or those of a third party); or
When you consent to it.
A legitimate interest is when we have a business or commercial reason to use your information. But even then, it must not unfairly go against what is right and best for you. If we rely on our legitimate interests, we will tell you what that is.
We may use your personal information for the reasons and in accordance with the legal basis below:
Purpose of Processing Your Personal Information
Account administration - Account administration purposes for any registered account(s) you hold with us.
This is both:
To provide you with free rewards based on:
This is both:
Notifications and account information - To send notifications or account information to you by email, SMS text or app push notifications. We may select products that we believe you may be interested in based upon the information that we collect about how you use your Greggs account.
This is both:
Necessary for our legitimate interests to ensure that our customers receive an appropriate level of service.
This is necessary for our legitimate interests to improve our service to our customers. We may also have legal obligations or be exercising a legal right to do this.
Location services so that you can use your Greggs App and account to find your nearest Greggs’ shop.
On the basis of consent, specifically where you have enabled location tracking services on your mobile device.
To create and maintain a record to identify where you have been in touch with us in the past, including the reason for that previous contact and how it was resolved.
This is necessary for our legitimate interests in order to ensure that we have a good record of customer contacts so that we can:
Responding to you
This is necessary for our legitimate interests to improve our service to our customers.
This is necessary for our legitimate interests so we can:
This is either (depending on the circumstances):
This is either (depending on the circumstances):
This is both:
This is necessary for our legitimate interests to ensure that we can better understand the type of customer holding an account.
Group Wide and Partner Marketing
We also need to compile reports detailing the number and nature of customer contacts received within certain periods of time, which we will use within the business for management purposes. We use reasonable efforts to remove all personal information from these reports, but sometimes (for example, where personal information is contained in the message box of the “Write to us” section on our website), it may not be practical for this personal information to be removed or anonymised.
We always aim to use your personal information in an ethical and non-intrusive way. We will not use your personal data to target, segment, or profile individuals based on their health, negative financial status or condition, political affiliation or beliefs, racial or ethnic origin, religious or philosophical affiliation or beliefs, sex life or sexual orientation, data relating to an alleged or actual commission of a crime, for any unlawful or discriminatory purpose or in any other manner that would be inconsistent with your reasonable expectation of privacy.
How long will we hold your information for?
We will only hold your personal information for as long as is reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements.
In general, this means we will hold your personal information for as long as you are an active customer of Greggs. While this will vary for each customer, this data will typically cover up to a 10-year period of your activity with us, but may be longer depending on how long you have used our Digital Services.
How we consider you to be an active customer of Greggs
We consider you an ‘active’ customer of Greggs, and therefore retained on the database, if within the previous 24 month period you have:
a) Made a digital transaction with us – such as placing a click and collect order via the Greggs App, making a purchase on greggs.co.uk, or scanning/using the Greggs App at a Greggs shop; or
b) Received 1 or more stamps, or rewards, in any of the six product categories in the last 24 months; or
c) Had a financial account/wallet balance of any size that has topped up within this period (auto or manual); or
d) Not otherwise already contacted our Customer Care Team to request that your personal information or Greggs Account is removed from our system.
If you cease to be an active customer of Greggs by not engaging in any of the above interactions with us, we will delete your Greggs account and your personal information.
Circumstances where we may retain your personal data
If you make a complaint we also may need to hold your personal details for a longer period. We may also retain your transaction history for analysis purposes.
In some circumstances you may continue to receive marketing communications from Greggs after your Greggs Account is deleted if you do not opt out.
Notice of deletion
If your contact details are still valid, in most cases we will aim to notify you in advance of our intention to close your Greggs account after 24 months of inactivity, we may, at our discretion, proceed to close your Greggs account sooner if we deem you to no longer be an active customer of Greggs.
Data Retained by our Customer Care Team
In all other cases and where you contact our Customer Care Team we hold your information for 3 years from the date of your contact or if you contact us again within that period of time, for a period of 3 years from the date of your last contact with us. Information held relating to an injury complaint involving a minor will be retained for 3 years following the minor turning 18.
We will hold your personal information for this length of time because:
In the case of a Greggs Account it will ensure that your account is kept available for your use for a reasonable period of time before closure;
It will help us to handle any Greggs Account queries you may have within this period of time;
It will identify any trends in the nature of your contact with us; and
It will allow us to investigate a complaint.
After expiry of retention periods your data may be anonymised for market insight purposes and to measure the performance of our business.
We may keep your data for longer if we cannot delete it for legal, regulatory or technical reasons.
We will from time to time review our retention periods but we will only ever hold your personal information for as long as we believe is necessary for reasons set out above.
Only processing the personal information that we need to
Your personal information will only be processed to the extent that it is necessary for the specific purposes we tell you about.
Who has access to your information?
We reserve the right to pass any or all of your personal information to the police, or any other law enforcement agency for the purposes of:
Compliance with any of our legal obligations;
Crime detection or prevention;
Your misuse, or suspected misuse, of our website or any Greggs account.
Where your contact relates to any legal proceedings or prospective legal proceedings against us, we may need to pass your personal information onto our insurers and legal advisers for the purposes of assessing any such proceedings. We may also be required to share your personal information if we are under a duty to do so in order to comply with any legal obligation or to protect our rights, property or the safety of our business, customers, suppliers or employees. This includes exchanging information with other companies and organisations for the purposes of fraud protection.
We will also share your personal information with the following categories of third parties:
Service providers acting as processors who provide insight services, delivery of marketing and communications services and IT and system administration services.
Where you need to send something to us (for example, a sample of a product you have purchased from us) or where we need to send something to you (for example a gift), your personal information may need to be passed onto our third party suppliers to help us to achieve this.
Where your contact involves one of our third party partners (for example Just Eat, Iceland and franchise partners) if necessary we will pass on your information (unless you ask us not to) in order to resolve your complaint or query.
Where you have used our click and collect service or top up finctionality via the Greggs App, your payment has been processed by our payment provider Adyen. For more information on how your information has been processed by our payment provider please go to https://www.adyen.com/policies-and-disclaimer/privacy-policy
When you contact us via networks such as Twitter, Instagram and Facebook we will occasionally use this data for internal analysis purposes. Please refer to:
https://en-gb.facebook.com/policy.php for their individual privacy policies and how your personal data is used.
When you use our shop Wi-Fi service, which is provided by Sky Wi-Fi, we do receive summaries of your behaviour and usage statistics which we’ll use for internal analysis purposes. Please refer to https://www.sky.com/help/articles/sky-wifi-privacy-and-cookie-policy for more information how your personal data is used.
If you have any queries on how we work with these 3rd party providers, please contact firstname.lastname@example.org
Apart from the circumstances set out above, we will not disclose your personal information to any third parties without your consent, unless we are satisfied that they are legally entitled to the information. Where we disclose your personal information to a third party, we will have regard to the data protection principles.
We will not:
Sell your personal information to third parties; or
Share your personal information with third parties for marketing purposes (unless you have given your consent for us to do so).
Permit any decisions to be taken about you using automated decision-making means.
Automated processing for personalised communications
Links to other web sites and services
Greggs App and website may contain links to and from third party websites of our business partners, advertisers, and social media sites and our users may post links to third party websites. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability resulting from you following a link to these websites. Additionally, other privacy policies may apply when you engage with us through a co-branded or co-sponsored promotional or marketing activity. We strongly recommend that you read the privacy policies and terms and conditions of use of any third party website or service to understand how your information will be collected, used and shared. We are not responsible for the privacy practices or the content on the websites of third-party sites.
How can you find out about and update your information?
You have the right to ask for a copy of the personal information that we hold about you.
If you wish to do so, please contact us:
By email at email@example.com
By post for the attention of the Data Protection Analyst, Greggs plc, Greggs House, Quorum Business Park, Newcastle upon Tyne, NE12 8BU.
In order to fulfil your request, we may need to first verify your identity.
The accuracy of your information is also important to us. If you change contact details or if you believe that any of the other personal information we hold is inaccurate, incomplete or out of date, please contact us:
Via the Greggs App;
Via the “Write to us” section at www.greggs.co.uk/contact;
By post for the attention of the Customer Care Team, Greggs plc, Greggs House, Quorum Business Park, Newcastle upon Tyne, NE12 8BU;
By telephone on 0808 1473447.
Ø Request details from us of the recipients of your personal information or the categories of recipients of your personal information, if it is supplied by us to any third parties;
Ø In certain circumstances have the processing of your personal information restricted;
Ø In certain circumstances be provided with the personal information that you have supplied to us, in a portable format that can be transmitted to another company;
Ø In certain circumstances not to be subject to a decision that is based solely on automated processing which would have a legal or significant impact on you;
Ø In certain circumstances object to any processing we are carrying out about you when the basis for our processing is legitimate interests.
If you wish to exercise any of the rights set out above, you must make the request in writing addressed to the "Data Protection Analyst" using one of the methods set out above.
Withdrawal of consent
If you have provided your consent for us to process your personal information, you have the right to withdraw your consent at any time. This will not affect the legality of our consent based use before you withdrew your consent.
The right to object and deletion
You have the right to object to our use of your personal information, or to ask us to delete, remove, or stop using your personal information if there is no need for us to keep it. This is known as the “right to be forgotten”.
There may be legal or other reasons why we need to keep or use your information, but please tell us if you think that we should not be using it.
We may sometimes be able to restrict the use of your personal information (although in doing so this may affect your ability to continue using your Greggs account). This means that it can only be used for certain things, such as legal claims or to exercise legal rights. In this situation, we would not use or share your information in other ways while it is restricted.
How we keep your data secure
We and our third party suppliers use reasonable, appropriate and up to date security methods to keep your data secure and to prevent unauthorised or unlawful access to your information. We limit access to your personal information to those employees, subcontractors, consultants and other third parties who have a business need to use it. They will only process your personal information on our instructions. They are subject to obligations of confidentiality.
We have put in place procedures so that we can deal with any actual or suspected personal information breach and we will let you and the Information Commissioner's Office know of a breach where we are legally required to do so.
Transferring your personal information outside the UK
We will not transfer your personal information outside the UK unless such transfer is compliant with the UK GDPR. This means that we cannot transfer any of your personal information outside the UK unless:
The UK Government has decided that another country or international organisation ensures an adequate level of protection for your personal information; or
The transfer of your personal information is subject to appropriate safeguards, which may include: Binding corporate rules; or
Standard data protection clauses adopted by the UK Government; or
One of the derogations in the UK GDPR applies (including if you explicitly consent to the proposed transfer).
Right to make a complaint
If you have any issues with our processing of your personal information and would like to make a complaint, you may contact the Information Commissioner's Office on 0303 123 1113 or at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. More information can also be found at https://ico.org.uk/make-a-complaint/