HelloFresh Privacy Notice

This Privacy Notice (“Privacy Notice”) sets out how HelloFresh processes your personal data in connection with our website at https://www.hellofresh.co.uk/ and app (together, the “Site”) and the services we offer to our customers, including creating the HelloFresh boxes you can order through our Site ("Services"). In our capacity as controller within the meaning of the UK General Data Protection Regulation, we are obliged to comply with statutory provisions on data protection. We value the protection of your personal data along with fair and transparent data processing. In this Privacy Notice, we provide you with the information you need to understand and exercise your data protection rights, as well as explain our approach to any personal data that we might collect from you or which we have obtained about you from a third party, and the purposes for which we process your personal data. When we talk about “personal data”, we mean any information which relates to an identified or identifiable living individual. Individuals might be identified by reference to a name, an identification number, location data, an online identifier (such as an IP address) or to other factors that are specific to them, such as their physical appearance.
1. Who is responsible for data processing?
The responsible party (referred to in this Privacy Notice as "HelloFresh", "we", "us", "our") is: Grocery Delivery E-Services UK LTD, The Fresh Farm, 60 Worship Street, London, United Kingdom, EC2A 2EZ, dataprotection@hellofresh.co.uk
2. How to contact us
You can contact us:
On our Site: www.hellofresh.co.uk/contact-us
By email: dataprotection@hellofresh.co.uk
By post: Grocery Delivery E-Services UK LTD, The Fresh Farm, 60 Worship Street, London, United Kingdom, EC2A 2EZ
3. What personal data do we collect?
In providing our Site and Services, we may collect and process different types of personal data about you for different processing purposes. The types of personal data we collect depend on who you are and how you use our Site and Services and include the following:
Identity Data: first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
Contact Data: billing address, delivery address, email address and telephone numbers.
Registration Data: first name; last name; email address; country; password; contact preferences; any other personal data that you may provide when you register an account with us (such as company name or job title).
Financial Data: bank account and payment card details.
Transaction Data: details about payments to and from you and other details of products and services you have purchased from us.
Technical Data: internet protocol (IP) address, your login data, browser type and version, time zone setting and geolocation, browser plug-in types and versions, operating system and platform and other unique identifiers on the devices you use to access the Site.
Profile Data: your username and password, details of purchases or orders made by you, your interests, preferences, whether you have participated in any promotions or competitions, feedback, survey responses, your email address connected with your Facebook account if you register through Facebook, and any other personal data that you may provide in the content of any messaging you send or using any enquiry form or chat function on the Site.
Usage Data: information about how you use our Site, products and services, including data relating to your browsing activity or interaction with our emails, obtained through the use of cookies, pixel tags and other similar technologies; information about when your current or previous sessions started; and details about any Services you viewed or purchased through the Site.
Marketing and Communications Data: your marketing preferences and your communication preferences.
4. How do we collect and receive personal data?
We collect and receive personal data using different methods, as follows:
Personal data you provide to us: You may give us your personal data directly, for example, when you purchase our Services on our Site, contact us with enquiries, complete forms on our Site, subscribe to receive our marketing communications or provide feedback to us.
Personal data we collect using cookies and other similar technologies: When you access and use our Site, we will collect certain Behavioural Data and Technical Data. We collect this personal data by using cookies and other similar technologies.
Personal data received from third parties: We may receive personal data about you from third parties. Such third parties may include analytics providers, data brokers, third party directories and third parties that provide technical services to us so that we can provide our Site and our Services.
Publicly available personal data: From time to time, we may collect personal data about you (Identity Data, Contact Data or Profile Data) that is contained in publicly-available sources (including open source data sets or media reports) or that you or a third party may otherwise make publicly available (for example through posts on social media platforms).
5. Who do we collect personal data about?
We collect and process personal data about the following people:
Site visitors: If you browse our Site or register an account on our Site, we will collect and process your personal data in connection with your interaction with us and our Site.
Customers: If you buy our Services, we will collect and process your personal data in connection with the supply of goods or services to you.
Participants in competitions or promotions: If you participate in competitions or promotions, we will collect and process your personal data in connection with such competition or promotion.
People who contact us with enquiries: If you contact us with an enquiry through our Site, submit a complaint through our Site or provide any feedback to us in our surveys and feedback forms, we will collect and process your personal data in connection with your interaction with us and our Site.
People who work for our customers and suppliers: If you work for one of our customers or suppliers and have responsibility for placing orders with us, administering your organisation’s account with us or handling our orders or our account with your organisation, we will process your personal data in connection with your organisation’s relationship with us.
Visitors to our physical locations: If you attend one of our physical offices or other locations, we may process personal data that you volunteer in connection with your visit and any enquiries you make. CCTV footage may also be collected for security purposes.
Event attendees: If you attend one of our events, we will process personal data about you in connection with your attendance at the event. For example, we may ask you to complete a registration or feedback form, or other document relating to the event.
Job applicants: If you apply for a job with us, whether through the Site or otherwise, we will collect and process your personal data in connection with your application.
We also collect, use and share Aggregated Data such as statistical or demographic data for many different purposes. Aggregated Data may be derived from your personal data but is not considered personal data in law, as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific Site feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Privacy Notice. We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences. However, if you voluntarily provide such special category data (for example, if you tell us you have a food allergy if you contact us to ask about allergen information), we will delete such data as soon as possible after we have dealt with your query.
6. How we use your personal data
We process your personal data for the following purposes:
Use of our Site.
If you browse our Site When you browse our Site, we collect and process Behavioural Data and Technical Data to help us understand how you are using and navigating our Site. We do this so that we can better understand which parts of our Site are more or less popular and improve the structure and navigation of our Site. Lawful basis It is necessary for us to use your personal data to perform our obligations in accordance with any contract that we may have with you for the Services, or it is in our legitimate interest to use personal data in such a way to ensure that we provide access to our Site in a secure and effective way and so that we can make improvements to our Site.
If you register and access an account on our Site You may be required to register an account with us in order to gain access to certain features and functionality of our Site and/or to receive certain offers and benefits. Account applicants will need to complete the registration form, providing all required Registration Data. We will use this data in order to process your registration. Once the account is registered, we will process your Registration Data to identify you when you log in to your account and access secure areas of our Site. We will also process certain Technical Data and Marketing and Communications Data so that we can administer your account and contact you about your account. We will also collect and process Behavioural Data and Technical Data when you use certain features and functionality on our Site. This data helps us understand how you use our Site so that we can improve it. Lawful basis It is necessary for us to use your personal data to perform our obligations in accordance with any contract that we may have with you, or it is in our legitimate interest to use personal data in such a way to ensure that we provide access to the Site and our Services in a secure and effective way and so that we can make improvements to our Site.
If you purchase Services through our Site We collect and maintain personal data that you submit to us for the purpose of supplying our Services that you have requested from us via our Site. We may collect and process your personal data whether you are interacting with us on your own behalf or on behalf of any organisation you represent. The personal data we process may include your Identity Data, Contact Data, Registration Data, Profile Data, Financial Data and Transaction Data (where applicable). We process this information so that we can fulfil the supply of Services, maintain our user databases and to keep a record of how our Services are being used. Lawful basis It is necessary for us to use your personal data to perform our obligations in accordance with any contract that we may have with you for the Services, or it is in our legitimate interest or a third party’s legitimate interest to use personal data in such a way to ensure that we provide our Services in an effective, safe and efficient way.
If you purchase alcohol as part of an order with us If you purchase alcohol as part of an order with us, or if you are to receive a free alcohol sample as part of a promotion, we may process your personal data to verify your age. Lawful basis It is necessary for us to use your personal data to fulfil our legal obligations.
If you use the interactive features on our Site We will collect and use personal data about you when you use certain features on our Site. For example, depending on the nature of your enquiry, we may process your Identity Data, Contact Data, Registration Data, Profile Data and certain Behavioural Data and Technical Data when you use our chat function to get in touch with us. Lawful basis It is necessary for us to use your personal data to perform our obligations in accordance with any contract that we may have with you for the Services, or it is in our legitimate interest to use personal data in such a way to ensure that we can respond to your enquiries, provide access to our Site in a secure and effective way and make improvements to our Site.
If you contribute to our Site or post content on our Site. You have the option of leaving comments on our blog. Your Identity Data and Contact Details (such as your comment, email address, IP address, and - if you do not post anonymously - username, as well as anything else you voluntarily provide) will be stored for the comment function on our Site. If you submit any other content to us, including via our Site, such as photographs, quotes or testimonials, we may process any personal data included within that content for the purposes of making available particular Services via our Site and promoting our Site and our Services. We may also allow third parties to use the comments/content that you contribute. If the use of such content would involve the use of your personal data, we may use your Contact Details to ask your permission to use the relevant content, unless we are satisfied that we have a lawful right to use the content without your permission. Lawful basis Where we use your content in connection with Services that we provide via our Site, it is in our legitimate interest to use any personal data that you provide to us to ensure that we provide the relevant Services in an effective way. Processing your personal data may be necessary for us to be able to defend ourselves against liability claims in cases of possible publication of illegal content. Where we permit a third party to use your personal data contained within content that you submit, we will do so without your permission if we are satisfied that it is within our or the third party’s legitimate interest to use your personal data, including to promote our Services or services offered by the third party. If it is not within our legitimate interest, we will contact you to ask your permission, in which case our processing of such personal data will be based on your consent.
If you link to social media sites and interact with our social media pages If you click on one of the social media links on our Site or otherwise interact with our social media pages such as on Facebook or Instagram (including interacting with any ‘like’ or similar embedded features on our Site or social media accounts), we and the relevant social media platform may receive information relating to such interaction and may share your personal data in connection with this purpose, such as certain Behavioural Data and Technical Data. The relevant social media platform may also be a controller in respect of the personal data that is collected via your use of our social media pages and may use that personal data for additional purposes. For details of how the relevant social media platform uses your personal data, please see the privacy policy of the relevant social media platform on its website. Lawful basis It is in our legitimate interest to use personal data in the ways described above to ensure that we provide the Site in an effective way and to promote our Site via social media.
Customer service.
If you have a general question or need help with any issue concerning our Site or our Services There are various ways in which you are able to contact us (see section 2 “How to contact us” above). In particular, our Site features a “Contact Us” page, which invites you to submit general enquiries about our Site by email or via our chat function. From time to time, you may also be able to submit specific enquiries on other pages of our Site, including in secure account areas. When you make an enquiry, we will collect and process your Identity Data, Contact Data and, if applicable, certain Profile Data and Transaction Data, as well as any other personal data you volunteer that is relevant to your enquiry. If you have a technical issue concerning our Site, we may also collect and process Behavioural Data and Technical Data to help us diagnose the technical issues you are experiencing and to help us resolve them in an efficient way. We use this information to manage and respond to your enquiry. We also record (including voice recordings of telephone conversations) and use the information referred to above to train our personnel so that they can effectively deal with enquiries. Lawful basis It is in our legitimate interest to use your personal data in the ways described above to ensure that we are able to help you with your enquiry, provide a good standard of service and improve our customer services.
Surveys and feedback.
If you complete our surveys or provide feedback on your experience of our Site and/or our Services From time to time, we will invite you to provide feedback about us, our Site and Services in the form of online surveys. We will collect and process your Identity Data, Contact Data and, if applicable, certain Profile Data and Transaction Data, as well as any other personal data you choose to volunteer in your survey response or other feedback. We use this information to help us to monitor and improve our Site and our Services, to assist with the selection of future service lines and to train our personnel. Lawful basis It is in our legitimate interest to use the personal data provided by you so that we can improve our Site and Services and provide them in an effective way.
Hosting and managing events.
If you sign up for and/or attend one of our events From time to time, we may organise and host events for the purpose of promoting our business or for other reasons. We may process your Identity Data and Contact Data to communicate with you about such events where you have specifically requested information about such events or where we have another lawful basis for sending that information to you. If you attend one of our events, we may use your Identity Data, Contact Data and certain Profile Data to record your attendance at the event and for related record-keeping purposes and, if relevant, we may collect and process any dietary requirements you may have. You may also feature in photographs taken at our events and such photographs may appear in publications that we make available. Lawful basis It is necessary for us to use your personal data in this way to perform our obligations in accordance with any contract that we may have with you where you have signed up to attend an event, or it is in our legitimate interest or a third party’s legitimate interest to use personal data in such a way to ensure that the event is operated in an effective way. We may specifically ask your permission to use your photographs, quotes, testimonials, or other content that you make available or publish at the event. Where this is the case, our processing of such personal data will be based on consent.
Prize draws, prize competitions and other promotions.
If you participate in one of our promotions From time to time, we may run prize draws, prize competitions and other promotions on our Site and/or on our social media accounts. For the purposes of administering such promotions, we may process your Identity Data, Contact Data, Registration Data, Transaction Data, Profile Data, Behavioural Data and/or Technical Data and any other personal data volunteered by you in relation to your promotion entry. Our promotions are subject to separate terms and conditions, which you may be required to accept as a condition of entry. Lawful basis It is necessary for us to use your personal data to perform our obligations in accordance with any contract that we may have with you (e.g. the promotion terms and conditions) or it is in our legitimate interest to use your personal data to enable us to administer our promotion fairly and effectively and to ensure that we comply with self-regulatory codes governing the operation of promotions.
Insight, analysis and retargeting through Cookies.
If we use cookies to help us understand more about you and your use of our Site and our Services We and our third-party partners use cookies, web beacons, pixel tags and other similar technologies (which we generically refer to as “Cookies”) to collect data from the devices that you use to access our Site and Services and any emails that you receive from us. The data that is collected includes Behavioural Data and Technical Data, and certain Profile Data. We and our third-party partners use this data:
  • for the purposes described in the “If we carry out any online personalised advertising” and the “If we advertise to you on social media and other platforms” sections below;
  • to analyse how you use our Site and Services;
  • to analyse the effectiveness of our Site and Services;
  • to count users who have visited our Site or opened an email and collect other types of information, including insights about visitor browsing habits, which helps us to improve our Site and Services and the effectiveness of our emails;
  • to measure the effectiveness of our content;
  • to learn what parts of our Site are most attractive to our users, which parts of our Site are the most interesting and what kind of features and functionalities our visitors like to see;
  • to help us understand the type of marketing content that is most likely to appeal to our visitors and customers; and
  • to help us with the selection of future service lines, website design and to remember your preferences.
In some of our email messages, we use a “click-through URL” linked to certain websites administered by us or on our behalf. We may track click-through data to assist in determining interest in particular topics and measure the effectiveness of these communications. Please see section 8 "Third-party cookies" below for further details. Lawful basis Where your data is collected through the use of non-essential cookies, we rely on consent to collect your personal data and for the onward processing purpose. In certain circumstances, we may rely on another lawful basis when we use your personal data collected via the use of cookies. For example, where we use personal data collected through the use of analytics cookies to analyse how you use our Site, it is in our legitimate interest to use your personal data in such a way to improve our Site and Services.
Advertising and marketing activities.
If we send you marketing communications by email/SMS/phone call/post HelloFresh uses your Identity Data, Contact Data and Marketing and Communications Data, including your email address, telephone number and postal address, to send you (or the organisation you represent) marketing communications by email, SMS, telephone call and mail. Our marketing will include press releases and information about us, our Site, and our Services, any events we may hold and the offers and promotions we offer from time to time. If you do not wish to receive any further advertising information by email, SMS, telephone call or mail, you can contact us using the details in section 2 "How to contact us" above. It is also possible to change communication preferences at any time in your customer account area. We also send postal marketing messages from time to time via trusted third parties, including to prospective customers as well as reactivation offers to customers who have left HelloFresh in the previous two years. You can opt out of postal mail marketing by contacting us at www.hellofresh.co.uk/contact-us. Our marketing communications will include personalised and non-personalised marketing. Personalised marketing has been specifically tailored to you and will include content that we think is most relevant to you, based on what we know about you. Non-personalised marketing is marketing that is not tailored to you. Where we are sending you personalised marketing, we may also use Profile Data, Transaction Data and Behavioural Data to help us decide what sort of personalised marketing to send you (please see the “Insight, analysis and retargeting through Cookies” section above for more details). Lawful basis It is in our legitimate interest to use your personal data for marketing purposes, for example to decide what marketing content we think may appeal to you. It is in our legitimate interest to use your personal data to send our marketing to you by post.
However, we will only send marketing communications to you by email where you have consented to receive such content by email, or where we have another lawful right to send marketing to you using email. For example, in certain circumstances we may rely on our legitimate interest to send marketing by email to consumers who have purchased our Services. We may also rely on our legitimate interest to send marketing by email to certain business users of our Site and our Services.
If we carry out any online personalised advertising We and our third party partners may use your Profile Data, Behavioural Data and Technical Data and other data that is collected through your interactions with third party websites and services to provide you with, and analyse the effectiveness of, personalised ads when you visit other websites and/or use other services (including the social media and other platforms described in the “If we advertise to you on social media and other platforms” section below). By “personalised ads”, we mean advertisements for services that you have shown an interest in when you have used our Site or which you otherwise might be interested in based on your browsing habits, although our third party partners may use the data that is collected to show personalised ads for products and services offered by third parties. Lawful basis Please see the “Insight, analysis and retargeting through Cookies” section above to learn about the legal basis that we rely on to collect data via the use of Cookies. Where we use your personal data to display online personal advertising to you, we rely on the consent that you have provided in respect of the collection of such data, or it is otherwise in our legitimate interests to promote our Site and our Services to you. Our third party partners may rely on a different lawful basis in respect of their use of your personal data. Please see section 8 "Third-party cookies" below for further details.
If we advertise to you on social media and other platforms We share your email address (usually in an encrypted or ‘hashed’ form) with third party providers of social media platforms and other services (“Platforms”), so that they can: try and “match” your data with the data of their registered users. Where there is a successful match, we will display our advertising to you when you use the relevant Platform (e.g. on your Facebook newsfeed). This is known as “custom audience” advertising, because we “customise” the audience that we want to reach on the relevant service. As such, some of the advertising that you see on these Platforms may be personalised to you. This activity is also subject to the privacy choices you have elected to make on such Platforms and our Site; and use your email address (along with other details about you) to create an audience of individuals who look like you. This is known as 'look-alike' audience advertising as it enables the Platform to find and show adverts to other registered users who have similar interests to you. Lawful basis It is in our legitimate interests to process your personal data so that we can advertise our Services to you when you use the Platforms.
Security.
If we need to use your personal data in connection with the administration of our security measures We have security measures in place at our premises, including CCTV and building access controls. There are signs in place showing that CCTV is in operation. The images captured are securely stored and only accessed on a need-to-know basis (e.g. to look into an incident). CCTV recordings are typically automatically overwritten after a short period of time unless an issue is identified that requires investigation (such as a theft). We may require visitors to our premises to sign in on arrival and where that is the case we will keep a record of visitors for a short period of time. Our visitor records are securely stored and only accessible on a need-to-know basis (e.g. to look into an incident). Lawful basis It is in our legitimate interests to process your personal data so that we can keep our premises secure and provide a safe environment for our personnel and visitors to our premises.
Business administration and legal compliance.
If we need to use your personal data to comply with our legal obligations or in connection with the administration of our business We may use your personal data: (i) to comply with our legal obligations; (ii) to enforce our legal rights; (iii) to protect the rights of third parties; and (iv) in connection with a business transition such as a merger, reorganisation, acquisition by another company, or sale of any of our assets. Lawful basis Where we use your personal data in connection with a business transition, to enforce our legal rights or to protect the rights of third parties, it is in our legitimate interest to do so. For all other purposes described in this section, we have a legal obligation to use your personal data to comply with any legal obligations imposed upon us, such as a court order. We will not process any special (or sensitive) categories of personal data or personal data relating to criminal convictions or offences except where we are able to do so under applicable legislation or with your explicit consent.
7. Will my data be shared with third parties?
We only share personal data with others when we are legally permitted to do so. When we share personal data with others, we put contractual arrangements and security mechanisms in place to protect the personal data shared and to comply with our data protection, confidentiality and security standards and obligations. We may need to share your personal data with third parties (including other entities within our group of companies) for the reasons set out in the table below. This list is non-exhaustive and there may be circumstances where we need to share personal data for other reasons or with other third parties.
Delivery/transport companies: To ship and deliver your recipe box.
Customer service providers: To (a) provide our customers with customer service, (b) request feedback from our customers, or (c) send you reminders via SMS when one of your payment cards is close to expiry, your payment failed or in relation to other transactional matters.
Third-party suppliers who provide applications/functionality, data processing or IT services: To support us in providing our Site and running and managing our internal IT systems. Such third parties may also include, for example, providers of information technology, cloud-based software-as-a-service providers, identity management, website design, hosting and management, data analysis, data back-up, security and storage services. The servers powering and facilitating that cloud infrastructure are located in secure data centres around the world, and personal data may be stored in any one of them. We also share your personal data with third-party service providers to assist us with insight analytics.
Payment providers and banks: To assist us with the processing of payments and refunds.
Debt collectors: To assist us with outstanding debts on accounts.
Advertising partners: To provide you with, and enable us to measure the effectiveness of, online personalised advertising and other advertising related activities. We work with our ad tech partner, Rokt, to deliver personalised advertising and offers that we think might be relevant to you on the HelloFresh website and app. Where you provide your consent, we will share your email address, first name, zip code, payment type and country of residence with Rokt, who will use this data (on our behalf) to source relevant offers and discounts from third-party advertisers and show you these on the HelloFresh website and app. You have the right to withdraw your consent at any time by contacting us at dataprotection@hellofresh.co.uk.
Age verification companies: To verify your age if you purchase alcohol from us, or if you are to receive a free alcohol sample as part of a promotion.
Third-party post/email/telephone/SMS marketing and CRM specialists: To assist us with our marketing activities, including managing our marketing database, planning and organising direct marketing campaigns, sending out our marketing communications and account-related communications (including printing materials), contacting you after you have deactivated your customer account so that we can find out if you would like to re-activate it (or change how you have used HelloFresh’s services in the past), and asking you for feedback.
Social media companies: To allow social media providers to carry out advertising, including "custom audience" or "look-alike" advertising (as detailed in the section "If we advertise to you on social media and other platforms").
Third-party suppliers who assist us in administering our promotions: To assist us in administering our prize draws, prize competitions and other promotions.
Event partners and suppliers: To operate and administrate events. If we are running an event in partnership with other organisations, we will share your personal data with such organisations for use in relation to the event.
Auditors, lawyers, accountants and other professional advisers: To advise and assist us in relation to the lawful and effective management of our organisation and in relation to any disputes we may become involved in.
Law enforcement or other government and regulatory agencies and bodies: As required by, and in accordance with, applicable law or regulation, including to (i) prevent illegal uses of our sites and apps or violations of our sites’ and the apps’ terms of use and our policies; (ii) defend ourselves against third party claims; and (iii) assist in fraud prevention or investigation (e.g., counterfeiting).
Another corporate entity in connection with a business transition: If we are involved in a business transition such as a merger, reorganisation, acquisition by another company, or sale of any of our assets, we may share or transfer personal data to a third party. Any new owner of our business may continue to use your personal data in the same way(s) that we have used it, as specified in this Privacy Notice.
Other third parties: Occasionally, we may receive requests from third parties with authority to obtain disclosure of personal data, such as to check that we are complying with applicable law and regulation, to investigate an alleged crime, or to establish, exercise or defend legal rights. We will only fulfil requests for personal data where we are permitted to do so in accordance with applicable law or regulation.
8. Third-party cookies
Most browsers automatically accept cookies. If you want to prevent cookies from being saved, select “do not accept cookies” in the browser settings. You can find out how this works in detail from your browser provider’s instructions. You can delete non-essential cookies that are already stored on your computer at any time. Alternatively, you can prevent the collection and forwarding of your data (particularly your IP address) and the processing of this data by deactivating the execution of JavaScript in your browser or by installing a tool such as “NoScript.” You can also disable the use of cookies by third parties by using the Network Advertising Initiative’s disabling tool. However, we and the providers will continue to receive statistical information on how many users visited our Site and when. We would like to explain some of the services in more detail below:
9. Will my data be processed outside the UK/EEA and how is data protection ensured?
Where necessary in order to provide our Site and our Services, we may use third party suppliers located outside the UK and the EEA. In addition, HelloFresh is a global company with subsidiaries worldwide. In certain cases, it may be necessary for us to transfer your data to our Group parent company, HelloFresh SE, Berlin, or other HelloFresh affiliates, to perform certain tasks for the Group. Non-EEA countries do not have the same data protection laws as the UK and the EEA. In particular, non-EEA countries may not provide the same degree of protection for your personal data, may not give you the same rights in relation to your personal data and may not have a data protection supervisory authority to help you if you have any concerns about the processing of your personal data. However, when transferring your personal data outside the UK or the EEA, we will comply with our legal and regulatory obligations in relation to your personal data, including having a lawful basis for transferring personal data and putting appropriate safeguards in place to ensure an adequate level of protection for the personal data. We will take reasonable steps to ensure the security of your personal data in accordance with applicable data protection laws. Where required by applicable law, we will only transfer your personal data outside the UK or the EEA on the basis of (a) an adequacy decision (which means a country has been deemed to provide an adequate level of protection for personal data by the UK government); (b) the UK Extension to the EU-US Data Privacy Framework (commonly referred to as the "UK-US Data Bridge"); or (c) the UK International Data Transfer Addendum to the EEA Standard Contractual Clauses, or the UK International Data Transfer Agreement, each as issued by the UK's Information Commissioner's Office ("ICO") and as may be updated from time to time. 
For more information, please visit the ICO's website at https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-transfers-a-guide/.
10. How long will my data be stored?
In respect of personal data that we process in connection with the supply of our Services, we may retain your personal data for up to six years from the date of supply of the relevant Services and in compliance with our data protection obligations. We may then destroy such files without further notice or liability. Where we process personal data in connection with the registration and use of an account on our Site, we may retain your personal data for up to six years from the date that the relevant account is terminated (and in compliance with our data protection obligations). We may then destroy such files without further notice or liability. If you use the chat function on our Site, we retain the information collected through the chat function for no longer than 18 months. If you have opted out of receiving marketing communications from us, we will need to retain certain personal data on a suppression list indefinitely so that we know not to send you further marketing communications in the future. However, we will not use this personal data to send you further marketing unless you subsequently opt back in to receive such marketing. We delete job applicant data no later than six months after receipt of your application.
11. Data Security
HelloFresh ensures that all information collected will be safely and securely stored. We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed, including by:
- Maintaining technology products to prevent unauthorised computer access
- Securely destroying your personal data when it's no longer needed for our record retention purposes
- Using 128-bit SSL (secure sockets layer) encryption technology when processing your financial details. 128-bit SSL encryption is approximated to take at least one trillion years to break, and is the industry standard.
In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone. Unfortunately, the transmission of information via the Internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
12. What rights do I have and how can I assert them?
Your rights include the right of access, the right of correction, the right to deletion, the right to restrict processing, the right of data transferability, and the right to object, each of which is set out in more detail in the table below. You can exercise your rights by contacting us using our contact details in section 2 "How to contact us" above.
Your right of access: You have the right to ask us for copies of your personal data. There are some exemptions, which means you may not always receive all the information we process.
Your right to rectification: You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure: You have the right to ask us to erase your personal data in certain circumstances.
Your right to restrict processing: You can ask us to “block” or suppress the processing of your personal data in certain circumstances such as where you contest the accuracy of that personal data or you object to us processing it for a particular purpose. This may not mean that we will stop storing your personal data but, where we do keep it, we will tell you if we remove any restriction that we have placed on your personal data to stop us processing it further.
Your right to data portability: This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you.
Your right to object: You have the right to object to processing if we are able to process your information because the process forms part of our public tasks, or is in our legitimate interests.
Your rights in relation to automated decision-making and profiling: You have the right not to be subject to a decision when it is based on automatic processing, including profiling, if it produces a legal effect or similarly significantly affects you, unless such profiling is necessary for the entering into, or the performance of, a contract between you and us.
Your right to withdraw consent: If we rely on your consent (or explicit consent) as our legal basis for processing your personal data, you have the right to withdraw that consent at any time. You can exercise your right of withdrawal by contacting us using our contact details in section 2 "How to contact us" above or by using any other opt-out mechanism we may provide, such as an unsubscribe link in an email.
Your right to lodge a complaint with the supervisory authority: If you have a concern about any aspect of our privacy practices, including the way we have handled your personal data, please contact us using our contact details in section 2 "How to contact us" above, or report any issues or concerns to the UK regulatory authority, the Information Commissioner’s Office (“ICO”). Contact details for the ICO can be found on its website at https://ico.org.uk.
You will not have to pay a fee to exercise any of your rights, unless your request is manifestly unfounded or excessive. Alternatively, we may refuse to comply with your request in these circumstances. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response. We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated. You can ask us or third parties to stop sending you marketing messages by contacting us using the details set out in section 2 "How to contact us" above, or by adjusting your communication preferences via Account Settings on our Site. If you no longer wish to receive our email marketing communications, you can unsubscribe at any time by clicking on the unsubscribe link at the end of each email.
13. If you fail to provide your personal data
Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.
14. Personal data of minors
Neither our Site nor our Services are intended for, or targeted at, minors (individuals under the age of 18) and we do not knowingly collect personal data of minors. However, this does not prevent minors from providing personal data to us. If we do collect personal data of minors, we will comply with all applicable laws and regulations relating to the processing of personal data of minors. If you are under the age of 18, you must not use our Site or purchase Services from us and you must not provide us with any personal data. If we discover that we are holding the personal data of a minor, we will delete that information as soon as possible. Please contact us if you have reason to beli
15. Recruiting friends
If you are already a HelloFresh customer, you can also invite your friends to order our boxes. As we do not want to bother anyone, it is important that your friend wants to receive information about our services. Therefore, please only use our “Refer-a-Friend” function if you are convinced of your friend’s interest beforehand.
16. Changes to our Privacy Notice
Applicable law and HelloFresh’s practices change over time. If we decide to update our Privacy Notice, we will post the changes on our Site. If we materially change the way in which we process your personal data, we will provide you with prior notice, or where legally required, request your consent prior to implementing such changes. We strongly encourage you to read our Privacy Notice and keep yourself informed of our practices. This Privacy Notice was last modified in May 2024.