Data Protection

Welcome to the website of HelloFresh. In our capacity as controller within the meaning of the General Data Protection Regulation, we are obliged to comply with statutory provisions on data protection. As a matter of course, we greatly value the protection of your personal data along with fair and transparent data processing. We have provided you below with all the information you need to verify and exercise your data protection rights.
1 Who is responsible for data processing?
The responsible party is:

Grocery Delivery E-Services UK LTD

The Fresh Farm, 60 Worship Street, London

United Kingdom, EC2A 2EZ

dataprotection@hellofresh.co.uk
2 How can I contact the data protection officer?
You can contact our data protection officer at:

Grocery Delivery E-Services UK LTD
The Fresh Farm, 60 Worship Street, London
United Kingdom, EC2A 2EZ
dataprotection@hellofresh.co.uk
3 Why and on what legal basis do we process personal data?
If you are a HelloFresh customer, create an account with us, participate in competitions or promotions or otherwise contact us, we will receive your personal data.
We collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
Security of Your Personal Information
HelloFresh ensures that all information collected will be safely and securely stored.

We protect your personal information by:

- Restricting access to personal information
- Maintaining technology products to prevent unauthorised computer access
- Securely destroying your personal information when it's no longer needed for our record retention purposes
HelloFresh uses 128-bit SSL (secure sockets layer) encryption technology when processing your financial details. 128-bit SSL encryption is estimated to take at least one trillion years to break, and is the industry standard.
Identity Data
may include first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
Contact Data
may include billing address, delivery address, email address and telephone numbers.
Financial Data
may include bank account and payment card details.
Transaction Data
may include details about payments to and from you and other details of products and services you have purchased from us.
Technical Data
may include internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
Profile Data
may include your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.
Usage Data
may include information about how you use our website, products and services.
Marketing and Communications Data
may include your preferences in receiving marketing from us and our third parties and your communication preferences.
We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
We generally process data on the following legal bases:

- 6.1a GDPR, if you give us your explicit consent for data processing, e.g. if you are a prospective customer we may need your consent to send you marketing emails;
- 6.1b GDPR, if we are acting to fulfil our contractual obligations, e.g. if we use your email address to confirm the delivery date for your next cooking box;
- 6.1c GDPR, if we are acting to fulfil legal obligations, e.g. if we check your age and your identity before the conclusion of a contract, to prevent fraud, if you purchase alcohol as part of an order with us, or if you are to receive a free alcohol sample as part of a promotion;
- 6.1f GDPR, if we process your data due to a legitimate interest of ours or a third party’s, e.g. if we use your email address to send you our newsletter for direct advertising purposes, where we provide your data to third parties (as outlined below) or for optimizing our website’s advertising design.
3.1 Data processing by HelloFresh
3.1.1 Shipping your cooking boxes / customer account
We are pleased to be able to supply you with our cooking boxes and recipe kits. To enable you to order from us, we will create a customer account for you after your registration. In order to protect your customer account from access by third parties, we store your user name and password. In order to be able to deliver the cooking boxes to you as desired, we store your contact data, order and delivery time and payment information. You can voluntarily provide your phone number so that we can contact you in case of delays or problems delivering your cooking box. Please note that you may deactivate your account at any time.
3.1.2 Paying for the HelloFresh Box
Your payment details will be sent to the appropriate payment service provider depending on the payment method you choose. The payment service provider is responsible for your payment data. Information, particularly about the authority responsible for the respective payment service provider, the contact information for the data protection officers of the payment service providers and the categories of personal data that are processed by the payment service providers, can be obtained from the following addresses:

- PayPal (Europe) S.à.r.l. et Cie., Luxembourg, Data protection declaration: paypal.com/de/webapps/mpp/ua/privacy-full

- Adyen B.V. Netherlands, Data protection declaration: adyen.com/policies-and-disclaimer/privacy-policy

- American Express Services Europe Ltd., United Kingdom, Data protection declaration: americanexpress.com/uk/legal/european-implementing-principles.html

You authorise us to charge each payment to the payment card you use to make your initial payment. You will be able to view, amend, update and delete your payment card details when logged into your HelloFresh account using our virtual wallet service. You will be able to store multiple payment cards in your virtual wallet and choose which payment card to use for payment. If we are unable to complete a charge using your chosen payment card, you authorise us to charge a payment to any other payment card stored in your virtual wallet.
3.1.3 Customer Care
You can contact us via email, phone, chat or Facebook message to ask us questions, send us messages or make complaints. We only process your personal data in this context in order to get in contact with you the way you wish and to answer or fulfil your request or complaint.

We may also use your personal data, such as your name, email address, phone number and product information to identify and call you to find out more about your experience with HelloFresh and how you think it could be improved. We may also call you or contact you via SMS after you have deactivated your customer account so that we can find out if you would like to re-activate it (or change how you have used HelloFresh’s services in the past). We may also send you reminders via SMS when one of your payment cards is close to expiry, your payment failed or in relation to other transactional matters. All of our calls will be recorded for training and monitoring purposes and you will have the right to opt out from receiving these calls or SMS at any time by contacting us at dataprotection@hellofresh.co.uk or by informing the agent on the call. We use the following third party service providers to assist us with our customer care or outbound calls to our customers: RSVP, Linea Directa d.o.o (part of the M+ Group) and CityConnect.
3.1.4 Participation in competitions
If you take part in one of our competitions, we collect data that is necessary to carry out the competition. This usually includes an individual competition entry (e.g. a comment or a photo), as well as your name and your contact details. It is possible that we transmit this data to our competition partners, e.g. to send you the prize. The processing and transfer of data may vary depending on the competition and is therefore specifically described in the respective conditions of participation. Participation in the competition and the associated data collection is, of course, voluntary.
3.1.5 Comments on our blog
You have the option of leaving comments on our blog. Your comment, details at the time of writing the comment, email address and - if you do not post anonymously - username will be stored for the comment function on our web pages. Your IP address is also stored. Storage is necessary for us to be able to defend ourselves against liability claims in cases of possible publication of illegal content.
3.1.6 User images of Gravatar
We have integrated the Gravatar avatar service from the operator Automattic, Inc, San Francisco, USA, on our website. If you are registered with Gravatar, the company will send us your profile picture, which will be displayed next to your comment. Using this function means that your email address is transmitted encrypted to Gravatar and compared with the email address stored there. By displaying the images, Gravatar can store user IP addresses. For more information on Gravatar’s collection and use of data, please refer to Gravatar’s privacy policy (https://automattic.com/privacy/). If you do not want your Gravatar image to be displayed, please use an email address that you have not provided for the Gravatar avatar service.
3.1.7 Sending our newsletter
At HelloFresh, you have the option of subscribing to our newsletter in different ways, e.g. when registering, on our recipe page or on our blog.

Advertising information will only be sent to your email address as part of our newsletter if you are an existing customer or have agreed to use your email address for this purpose. Of course, you can revoke your consent to be sent newsletters at any time, e.g. by clicking the unsubscribe link in the newsletter, updating the communication setting in your customer account or by sending a message to dataprotection@hellofresh.co.uk.

For users who are not already existing HelloFresh customers, we use the double opt-in procedure for subscribing to our newsletter. This means that after your registration we will send you an email to the email address provided asking you to confirm that you would like to receive the newsletter. We also store your IP address and the time of your registration and confirmation. This enables us to prove your registration and, if necessary, clarify any possible misuse of your personal data.
3.1.8 Other advertising by HelloFresh
HelloFresh uses the email address, telephone number and postal address provided by the customer to inform you about similar product and service offers by email, SMS and mail. If you do not wish to receive any further advertising information by email, SMS or mail, you can object to the use of your contact data for advertising purposes at any time without incurring any costs other than for transmission according to the basic rates.

You can submit your revocation for electronic marketing by phone (020 7138 9055), in writing (The Fresh Farm, 60 Worship Street, London, United Kingdom, EC2A 2EZ) or through our contact channels at www.hellofresh.co.uk/contact-us. It is also possible to change communication preferences at any time in the customer account area when subscribing to the newsletter with an existing customer account.

We also send postal marketing messages from time to time via trusted third parties. We rely on legitimate interest to send postal marketing to prospective customers and reactivation offers to customers who have left HelloFresh in the previous two years. You can opt out of postal mail marketing via the methods outlined on the specific postal promotional material you receive. Please note, individuals are not able to opt out of postal marketing on our website or app.

If you are a new customer, and where we permit selected third parties to use your data, we (or they) will contact you by post only if you have consented to this.

We also work with Experian, who help us with a number of different marketing initiatives.
Here’s a list of the current activities carried out by Experian:

- HelloFresh provide Experian with customer records, which Experian analyse and segment in order to build prospect audiences and customer modelling for direct marketing campaigns.
- Experian combine our customer records with their own data in order to identify an actionable audience within Facebook for targeted advertising.

These activities are carried out on the legal basis that marketing HelloFresh is a legitimate interest of our business and you have the right to object to this activity as outlined above.
3.1.9 Recruiting friends
If you are already a HelloFresh customer, you can also invite your friends to order our boxes. As we do not want to bother anyone, it is important that your friend wants to receive information about our services. Therefore, please only use our “Refer-a-Friend” function if you are convinced of your friend’s interest beforehand.
3.1.10 Customer feedback and support
HelloFresh uses the tool Usabilla, a service of Usabilla B.V., Netherlands. The tool enables you to give us feedback on our offers. The use of the tool is anonymous, i.e. we cannot associate your feedback with your identity. We also use a service provider, called FlavorWiki, which collects personal data from you (for example, your email address) so that we can find out more about what recipes and food you enjoy as a HelloFresh customer.

For customer support, we use the cloud-based platform PureCloud, a service of Genesys. All data that you enter on the support platform is stored and processed in order to provide customer support. The data is stored in the EU, USA and Australia. After termination of the contract with PureCloud, the data will be deleted.