Data Protection

Welcome to the website of HelloFresh. In our capacity as controller within the meaning of the General Data Protection Regulation, we are obliged to comply with statutory provisions on data protection. As a matter of course, we greatly value the protection of your personal data along with fair and transparent data processing. We have provided you below with all the information you need to verify and exercise your data protection rights.

1    Who is responsible for data processing?

The responsible party is:

Grocery Delivery E-Services UK LTD

The Fresh Farm, 60 Worship Street, London

United Kingdom, EC2A 2EZ

hello@hellofresh.co.uk

 

2    How can I contact the data protection officer?

You can contact our data protection officer at:

Grocery Delivery E-Services UK LTD
The Fresh Farm, 60 Worship Street, London
United Kingdom, EC2A 2EZ
dataprotection@hellofresh.co.uk

3    Why and on what legal basis do we process personal data?

If you are a HelloFresh customer, create an account with us, participate in competitions or promotions or otherwise contact us, we will receive your personal data.

We collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

  • Identity Data may include first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
  • Contact Data may include billing address, delivery address, email address and telephone numbers.
  • Financial Data may include bank account and payment card details.
  • Transaction Data may include details about payments to and from you and other details of products and services you have purchased from us.
  • Technical Data may include internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
  • Profile Data may include your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.
  • Usage Data may include information about how you use our website, products and services.
  • Marketing and Communications Data may include your preferences in receiving marketing from us and our third parties and your communication preferences.

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.

We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

We generally process data on the following legal bases:

 

  • 6.1a GDPR, if you give us your explicit consent for data processing, e.g. if we contact you by telephone for advertising purposes or for customer satisfaction inquiries;
  • 6.1b GDPR, if we are acting to fulfill our contractual obligations, e.g. if we use your email address to confirm the delivery date for your next cooking box;
  • 6.1c GDPR, if we are acting to fulfill legal obligations, e.g. if we check your age and your identity before the conclusion of a contract;
  • 6.1f GDPR, if we process your data due to justified interest from us or third parties, e.g. if we use your email address to send you our newsletter for direct advertising purposes, or for optimizing our website’s advertising design.

3.1     Data processing on our website

3.1.1      Shipping your cooking boxes / customer account

We are pleased to be able to supply you with our cooking boxes and recipes kits. To enable you to order from us, we will create a customer account for you after your registration. In order to protect your customer account from access by third parties, we store your user name and password. In order to be able to deliver the cooking boxes to you as desired, we store your contact data, order and delivery time and payment information. You can voluntarily provide your phone number so that we can contact you in case of delays or problems delivering your cooking box. Please note that you may revoke your consent at any time.

3.1.2      Paying for the HelloFresh Box

Your payment details will be sent to the appropriate payment service provider depending on the payment method you choose. The payment service provider is responsible for your payment data. Information, particularly about the authority responsible for the respective payment service provider, the contact information for the data protection officers of the payment service providers and the categories of personal data that are processed by the payment service providers, can be obtained from the following addresses:

 

3.1.3      Contacting HelloFresh

You can use the contact form, our email address, phone number or our chat to ask questions and send us messages. We only process your data in this context in order to get in contact with you the way you wish and to answer your inquiry.

3.1.4      Participation in competitions

If you take part in one of our competitions, we collect data that is necessary to carry out the competition. This usually includes an individual competition entry (e.g. a comment or a photo), as well as your name and your contact details. It is possible that we transmit this data to our competition partners, e.g. to send you the prize. The processing and transfer of data may vary depending on the competition and is therefore specifically described in the respective conditions of participation. Participation in the competition and the associated data collection is, of course, voluntary.

3.1.5      Comments on our blog

You have the option of leaving comments on our blog. Your comment, details at the time of writing the comment, email address and - if you do not post anonymously - username will be stored for the comment function on our web pages. Your IP address is also stored. Storage is necessary for us to be able to defend ourselves against liability claims in cases of possible publication of illegal content.

3.1.6      User images of Gravatar

We have integrated the Gravatar avatar service from the operator Automattic, Inc, San Francisco, USA, on our website. If you are registered with Gravatar, the company will send us your profile picture, which will be displayed next to your comment. Using this function means that your email address is transmitted encrypted to Gravatar and compared with the email address stored there. By displaying the images, Gravatar can store user IP addresses. For more information on Gravatar’s collection and use of data, please refer to Gravatar’s privacy policy (https://automattic.com/privacy/). If you do not want your Gravatar image to be displayed, please use an email address that you have not provided for the Gravatar avatar service.

3.1.7      Sending our newsletter

At HelloFresh, you have the option of subscribing to our newsletter in different ways, e.g. when registering, on our recipe page or on our blog. 

Advertising information will only be sent to your email address as part of our newsletter if you are an existing customer or have agreed to use your email address for this purpose. Of course, you can revoke your consent to be sent newsletters at any time, e.g. by clicking the unsubscribe link in the newsletter, updating the communication setting in your customer account or by sending a message to dataprotection@hellofresh.co.uk.

For users who are not already existing HelloFresh customers, we use the double opt-in procedure for subscribing to our newsletter. This means that after your registration we will send you an email to the email address provided asking you to confirm that you would like to receive the newsletter. We also store your IP address and the time of your registration and confirmation. This enables us to prove your registration and, if necessary, clarify any possible misuse of your personal data.

3.1.8      Other advertising by HelloFresh

HelloFresh uses the email address and postal address provided by the customer to inform on similar product and service offers by email and mail. If you do not wish to receive any further advertising information by email or mail, you can object to the use of your contact data for advertising purposes at any time without incurring any costs other than for transmission according to the basic rates.

You can submit your revocation by phone (020 7138 9055), in writing (The Fresh Farm, 60 Worship Street, London, United Kingdom, EC2A 2EZ) or with our contact form at www.hellofresh.co.uk/contact. It is also possible to change communication preferences at any time in the customer account area when subscribing to the newsletter with an existing customer account.

If you are a new customer, and where we permit selected third parties to use your data, we (or they) will contact you by electronic means only if you have consented to this.

We work with Epsilon Abacus (registered as Epsilon International UK Ltd), a company that manages the Abacus Alliance on behalf of UK retailers. The participating retailers are active in the clothing, collectables, food & wine, gardening, gadgets & entertainment, health & beauty, household goods, and home interiors categories. They share information on what their customers buy. Epsilon Abacus analyses this pooled information to help the retailers understand consumers’ wider buying patterns. From this information, retailers can tailor their communications, sending people suitable offers that should be of interest to them, based on what they like to buy.

We also work with XCM (registered as‘X Channel Marketing Ltd’), a companythat provides database hosting and theprocessing of our customers relateddata to support Retailers manageinformation and the rights ofconsumers.XCM provide services thatsupport the integration of customerrelated data to ensure information canbe processed and analysedfor the benefit of relevantcommunications. Thus; presentingappropriate offers that should be ofinterest to our customers andconsumers based on what they buy orwould like to buy.Where you have told us that you do notwish to receive communications fromother trusted retailers andorganisations we will not share yourpersonal data with Abacus or XCM.

3.1.9      Recruiting friends

If you are already a HelloFresh customer, you can also invite your friends to order our boxes. As we do not want to bother anyone, it is important that your friend wants to receive information about our services. Therefore, please only use our “Refer-a-Friend” function if you are convinced of your friend’s interest beforehand.

3.1.10   Customer feedback and support

HelloFresh uses the tool Usabilla, a service of Usabilla B.V., Netherlands. The tool enables you to give us feedback on our offers. The use of the tool is anonymous, i.e. we cannot associate your feedback with your identity.

For customer support, we use the cloud-based platform PureCloud, a service of Genesys. All data that you enter on the support platform is stored and processed in order to provide customer support. The data is stored in the EU, USA and Australia. After termination of the contract with PureCloud, the data will be deleted.

3.1.11   Social media

Registration with Facebook Connect

We offer you the opportunity to register with us through Facebook Connect (Facebook Inc., USA, Data protection declaration: www.facebook.com/policy.php). An additional registration is not necessary in this case. You will be redirected to the Facebook page where you can log in with your user data. This will link your Facebook profile and our service. The link automatically provides us with the following information from Facebook: Facebook name, Facebook profile and cover picture, email address stored on Facebook, Facebook friends lists, Facebook likes, birthday, gender, country, language.

Data is used to set up, provide and personalize your customer account.

Social media plugins

On our blog or in our recipe suggestions, we have included social media plugins that you can use to share certain content over social networks. To protect your privacy, we offer you these social plugins as so-called “2-click buttons.” The “2-click solution” prevents data (e.g. your IP address) from being transmitted to social networks such as Facebook or Twitter as soon as you open our website. For this purpose, the buttons are deactivated by default and are only activated by clicking the social plugins for the first time.

After activation, the plugins also collect personal data such as your IP address and send it to the servers of the respective provider where it is stored. In addition, activated social plugins set a cookie with a unique identifier when loading the relevant website. This also allows providers to create profiles of your usage behavior. The data will be used to show you personalized advertising, as well as for market and opinion research purposes.

Data transfer is independent of whether you have an account with the plugin provider and are logged in there. If you are logged in with the plugin provider, your data collected with us will be assigned to your existing account with the plugin provider.

We have no exact information about the concrete use of the data nor about the storage period. Please read the privacy policy of the respective providers.

We have integrated the plugins of the following providers on our website:

 

3.2     Will my usage data be processed for website optimization and usage-based online advertising?

HelloFresh uses cookies to create pseudonymous user profiles in compliance with legal requirements, but also to make the use of our website as optimal as possible. We can evaluate usage profiles in order to understand the use of our website, to determine target audiences for our products and to optimize our offers. When we create pseudonymous user profiles, we do not directly associate this data with you and therefore cannot trace specific activities back to you.

Cookies are small text files that are placed on your computer when you visit our website and allow your browser to be reassigned. Cookies store information such as your language setting, the duration of your visit to our website or the information you enter there. This avoids the need to re-enter all necessary data for each use. Cookies also enable us to recognize your preferences and to tailor our website to your interests.

Most browsers automatically accept cookies. If you want to prevent cookies from being saved, select “do not accept cookies” in the browser settings. You can find out how this works in detail from your browser provider’s instructions. You can delete cookies that are already stored on your computer at any time. However, we would like to point out that our website may only be of limited use without cookies. Alternatively, you can prevent the collection and forwarding of your data (particularly your IP address) and the processing of this data by deactivating the execution of Java Script in your browser or by installing a tool such as “NoScript.”

You can also disable the use of cookies by third parties by using the Network Advertising Initiative’s disabling tool. However, we and the providers will continue to receive statistical information on how many users visited our website and when.

We would like to explain some of the services in more detail below:

3.2.1          Google Analytics

Our website uses Google Analytics, a service of Google Inc., USA (“Google”). Google Analytics enables us to evaluate your website use in order to compile analyses of website activity and make use of other services associated with website and Internet use.

We would like to point out that the code “gat.anonymizeIp();” has been added to Google Analytics to ensure anonymous collection of IP addresses (so-called IP masking). Your IP address will be anonymised by Google within member states of the European Union or in other signatory states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the US and shortened there. The IP address transmitted by your browser with Google Analytics will not be merged with other Google data. More information on terms of use and data protection can be found at https://www.google.com/analytics/terms/de.html and https://www.google.de/intl/de/policies/.

In addition, you can prevent Google from collecting data by downloading and installing the browser add-on. By clicking the following link, an opt-out cookie is set that will prevent the future collection of your data when you visit this website: Disabling Google Analytics.

We also use the Google Conversion Tracking service as part of Google Analytics. This enables us to record the behavior of our website visitors. For example, we are shown how often the contact form has been filled in. We also see how many clicks on advertisements from external sources (AdWords, LinkedIn, Xing, Bing) have led to our website.

3.2.2          Matomo (formerly Piwik)

This website uses Matomo (formerly Piwik), a service of InnoCraft Ltd., which enables us to evaluate your visitor behavior on our website and compile reports on website activity. The information generated by the cookie is transferred to the server of the website operator in Germany and stored there. The IP address is made anonymous immediately after processing and before it is stored, i.e. data cannot be directly associated with you.

You can disable Matomo’s data collection here.

3.2.3     Facebook Custom Audience Pixel

This website uses Custom Audience Pixel, a service of Facebook Inc., USA. Custom Audience Pixel is a Java script code that we have integrated into each of our web pages. We use custom audience pixels to collect information about the way visitors use our website. This pixel collects and reports Facebook information about the user’s browser session, a hashed version of the Facebook ID and the URL being viewed. Each Facebook user has a unique and device-independent Facebook ID that enables us to address and recognize users across multiple devices on the social network Facebook so that we can reach our visitors again for advertising purposes through Facebook ads. After 180 days, the user information will be deleted until the user returns to our website. Therefore, no personal information about the individual website visitors is disclosed to HelloFresh and website customer target audiences can only be specifically advertised to as soon as they have reached a significant mass in terms of numbers.

For more information on Facebook and its privacy settings, please see the privacy policy and terms of use of Facebook Inc.

3.2.4      Other operators

We also use the following services for website analysis purposes and for personalized advertising. If you want to deactivate the respective service, please follow the respective opt-out link, if indicated:

Service

Operator

Opt-out

Dynamic Yield Analytics

Dynamic Yield Inc., USA

www.dynamicyield.com/platform-privacy-policy/

Hotjar

Hotjar Ltd, Malta

www.hotjar.com/opt-out

New Relic

New Relic Inc., USA

Email dataprotection@hellofresh.co.uk

AppNexus

AppNexus Inc., USA

www.appnexus.com/en/company/platform-privacy-policy#choices

Bing Ads

Microsoft Corp., USA

Deactivation of cookies in general browser settings

Cross Engage

CrossEngage GmbH, Germany

Email to optout@crossengage.io

Google AdWords and Conversion Tracking

Google Inc., USA

Deactivation of cookies in general browser settings

Google Dynamic Remarketing

Google Inc., USA

Deactivation of cookies in general browser settings

Google GA Audience

Google Inc., USA

www.google.de/settings/ads/onweb#display_optout

Double Click and Double Click Spotlight

Google Inc., USA

www.google.de/settings/ads/onweb#display_optout

Twitter Advertising

Twitter Inc., USA

https://optout.aboutads.info

Taboola

Taboola Inc., USA

www.taboola.com/privacy-policy

Crazy Egg

Crazy Egg Inc., USA

www.crazyegg.com/opt-out

Outbrain

Outbrain UK Limited, USA

www.outbrain.de/legal/privacy-713

BidSwitch

BidSwitch, USA

www.iponweb.com/privacy-policy/

Flashtalking

Flashtalking Inc., USA

http://www.flashtalking.com/privacypolicy/

VE Interactive

Ve Global UK Limited, UK

Deactivation of cookies in general browser settings

FLXONE

Mapp Digital Germany GmbH, Germany

http://flxone.com/platform/

 

4    Will my data be transmitted to third parties?

In order for HelloFresh to process your data according to the purposes described above, it may be necessary for other recipients to also be able to view and process your data.

4.1        Recipients within the HelloFresh Group

HelloFresh is a global company with subsidiaries worldwide. In special cases, it may be necessary for us to transfer your data to our Group parent company, HelloFresh SE, Berlin, such as when it performs certain central tasks for the Group. However, such a transmission shall only take place if we have a basis of authorization or as part of order processing in accordance with Art. 28 GDPR.

4.2        External service providers (contractors)

Your data will be passed on to service partners if they work on our behalf and support HelloFresh in the provision of its services. For example, we have commissioned a service partner to send our newsletter.

Processing of your personal data by commissioned service providers takes place within the scope of order processing in accordance with Art. 28 GDPR.

4.3        Other service providers, partners and third parties

HelloFresh can cooperate with other partners if it is necessary to fulfill our service offers or if we are legally obliged to release data. This includes the following partners or third parties:

  • Transport companies (for the delivery of your cooking box)
  • Banks and payment service providers
  • Disclosure of personal data to public authorities or by court order
  •  

5    Will my data be processed outside the EU/EEA and how is data protection ensured?

It is important to us to process your data within the EU/EEA. However, we may use service providers who process data outside the EU/EEA. In these cases, we ensure that an appropriate level of data protection is established prior to the transfer of your personal data. This means that a level of data protection comparable to the standards within the EU is achieved using EU standard contracts or an adequacy resolution such as the EU Privacy Shield.

6    How long will my data be stored?

We delete personal data as soon as the purpose of storage no longer applies and legal retention periods do not preclude deletion.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

By law we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years after they cease being customers for tax purposes.

At HelloFresh, we usually delete data as follows:

  • Job applicant data: no later than six months after receipt of application
  • Contract data: after termination of the HelloFresh subscription, except where retention obligations provide otherwise
  • Contact requests: after processing the request

 

7    Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

 

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

 

Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

Unfortunately, the transmission of information via the Internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

 

8    What rights do I have and how can I assert them?

Every customer or any other person affected by data processing has the right to information according to Art. 15 GDPR, the right to correction according to Art. 16 GDPR, the right to deletion according to Art. 17 GDPR, the right to restriction of processing according to Art.18 GDPR, the right to objection according to Art. 21 GDPR and the right to data transferability according to Art. 20 GDPR.

 

You can revoke your consent to the processing of personal data at any time. This also applies to the revocation of declarations of consent that were given to us prior to the validity of the General Data Protection Regulation, i.e. before May 25, 2018. Please note that revocation will only take effect for the future. Processing that took place before the revocation is not affected.

 

You can submit your objection and/or revocation by phone (020 7138 9055), in writing (Grocery Delivery E-Services UK LTD, The Fresh Farm, 60 Worship Street, London, United Kingdom, EC2A 2EZ or with our contact form here.

 

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us under www.hellofresh.co.uk/contact in the first instance.

 

Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.

You can ask us or third parties to stop sending you marketing messages by contacting us at any time, or by adjusting your communication preferences via Account Settings on our website. If you no longer wish to receive our email communications, you can unsubscribe at any time by clicking on the unsubscribe link at the end of each newsletter.