Costa Club Privacy policy

October 2022

Costa Limited ("Costa", "We", "Us") may collect your personal data. We
respect your data, and your privacy is important to us. This Privacy Policy
explains what personal data we collect and how it is used. This policy also
explains what rights you have over your personal data and how you can use
those rights.

You have the right to object to some of the processing which Costa carries
out. More information about your rights and how to exercise these is set out
in the “Your rights” section of this notice.

Costa Limited’s registered office is Costa House, 6 Porz Avenue, Houghton
Hall Business Park, Houghton Regis, Dunstable, Beds, LU5 5YG, United
Kingdom

  1. Summary of how we use your data and your rights

  2. Information we collect from you

  3. Information we receive from third parties

  4. How we use information and the legal basis

  5. Data sharing

  6. International transfers

  7. Cookies and similar technologies

  8. Data retention

  9. Your rights

  10. Contact details

  11. Which Costa entity is collecting your data?

  12. Security Practices

1. Summary of how we use your data and your rights

We use your data to manage our Costa Club loyalty scheme, provide and improve our products and services, including for marketing, research, feedback and enquiries, and for safety and security purposes.

We will use your data to comply with laws and regulations. We use your data to prevent and detect crime, such as fraud.

You have the right to object to some of the processing Costa carries out. More information about your rights and how to exercise these is set out in the “Your rights” section of this notice.

When you give consent, you are able to withdraw that consent at any time via the app or by emailing us, details in the contacts section at the end. You can also exercise any other data rights, such as obtaining a copy of your data, correcting, deleting or restricting how we use your data. Please see “Your rights” for more information.

You can unsubscribe from marketing communications at any time. To opt out of direct marketing, you can either adjust the preference settings in your Costa Club account on the app, select “unsubscribe” in emails, or email us, details in contacts at the end of this notice. For opting out of profiling for direct marketing purposes, you will need to email us at the same address. By choosing not to receive marketing emails, you will miss out on our great
offers, but will still be able to collect beans.

Our website and app use cookies and similar technologies to improve functionality, recognise you and to customise your experience. You can reject and block cookies in your browser settings. Please see our Cookie Policy for more information.

Where available, if you enable location services on the app, or you access the location finder on our sites and your browser settings allow this, your device will identify and alert you to the nearest Costa Store to your location.


2. Information we collect from you

We collect information when you join our Costa Club and purchase something or use our services. This includes store visits, using our websites or loyalty app and corresponding with us. In particular:

  • We keep information you give us directly such as contact details (including name, email, address and telephone number), comments, region, frequency of visits, feedback and marketing opinions.

  • Where applicable, we record and analyse store, web and app visits, details of your purchases, including where you take advantage of our promotions.

  • If you engage with us online via our website or app, our cookies and similar technologies will capture your IP address, your location, and record how you use the site or app to help improve it and improve your user experience, where your browser settings or permission allows for this.

  • If you post information online about us or provide feedback, we keep a record.

  • If you contact us directly and complain or give feedback, receive compensation, we will record details and all related information (including that you provide to us) such as emails, letters, phone calls, date of birth to our product customer information helplines, including those operated by third parties as detailed in Section 5 below.

3. Information we receive from third parties

We receive your information from other people in certain circumstances. This can happen when:

  • We obtain your in-store transaction details from your local store operator
    Devyani International Ltd so you can get your Costa Club rewards. For
    information as to how they handle your in-store data please refer to their
    privacy notice at https://dil-rjcorp.com/privacy-policy/

  • You participate in market research, such as focus groups or surveys.

  • We may also indirectly collect from our social media partners the fact that
    you are using their social networks and your associated advertising
    identifiers

4. How we use information and the legal basis

We are allowed to use your data only if we have a proper reason to do so such as:

  • When you consent to it; or

  • To comply with the law.

We have set out below how and why we use your personal information.

  • When you join our Costa Club to fulfil our contract with you.

  • To communicate with you, check your identity and provide products
    and services including awarding loyalty points if you are a Costa
    Club member.

We use your information to run our loyalty scheme. This includes:

  • Keeping our records up to date,

  • Fulfilling our legal, compliance and contractual duties,

  • Working out which of our products and services may interest you, improving
    our site and apps, and services, developing new products and services, and
    telling you about them and conducting market research.

  • To provide and improve our products and services in relation to Costa Club
    and to respond to you if you contact us.

  • To record communications, including incoming and outgoing calls and
    emails, for staff training, quality improvement purposes and establishing
    facts and to deal with concerns or complaints that you may raise.

  • When we monitor Costa websites, social media platforms such as Facebook
    and Twitter and online services including our mobile app and responses to
    email marketing. If you post comments online or in other media, we capture
    this information, use it to contact you, and use it to improve our products and
    services.

  • Show targeted advertisements within your social networks and to other
    people like you

  • To run competitions and promotions and track which offers seem of interest
    to you

  • To understand you better as a customer by analysing your transactions and
    other information you provide to us or which we learn through your
    interactions with us.

  • To send you emails and SMS messages including offers tailored to your
    perceived preferences where you are a Costa Club member and your
    preference settings permit this. We record which emails seem to be of
    interest to you. Based on your purchase history and membership card usage,
    some Costa Club members may be offered additional beans.

  • To contact you where you provide us with market research feedback or pass
    this data to a third-party business partner of ours for panel market research
    analysis.

We also process the insight data for our legitimate interests to understand how you interact with our Facebook page and its contents and to help us improve our services and contents
To prevent, investigate and/or report fraud, terrorism, misrepresentation, security incidents or crime, including where we are required to do so by law, we monitor Costa Club accounts and record communications and emails.

To comply with law, assess and uphold legal or contractual rights and claims, and for monitoring, auditing and training on compliance matters:

  • We monitor and record communications, including incoming and outgoing
    calls and emails.

  • We verify your identity in certain circumstances.

  • We will process information in connection with any complaint that you make
    in relation to the service which you receive.

If you give us consent, we:

  • Send you electronic marketing, including promotions and offers, in relation
    to our products and services. Costa Club members can subscribe or
    unsubscribe from our marketing communications at any time through the
    app.

  • Use cookies or similar technologies on the website, app and in marketing
    emails, including analytic cookies. For more details on our use of such
    technologies, see our Cookie Policy.

  • Through the settings on your device, send you push notifications through the
    app.

  • If you use the store locator in the app or site and enable location services, it
    will notify you of the nearest Costa.

  • Use data for other purposes where we explain that purpose when we ask for
    your consent.

When you give consent, you are able to withdraw that consent at any time
by contacting us at the email address at the end of this notice. If you do so
we can only continue to use your data if another legal basis applies, such
as when we’re required to do something by law.

When the law requires us to process your data we will do so. This can
include:

  • Legal, compliance, regulatory and investigative purposes, including for
    government agencies and law enforcement.

  • When you exercise your rights under data protection legislation.

5. Data Sharing

We will share your data with Devyani who operate Costa stores in India for
any queries or complaints relating to in store experiences and administering
the loyalty scheme. Where applicable, we also use third party providers for
the following services:

  • Providing consumer service support for our loyalty scheme

  • Sending promotional offers

  • Customer feedback surveys

  • Data analysis to enable us to optimise our services (including locations and
    products)

  • IT development, support, maintenance and hosting, including the provision
    of applications and website hosting

We may also share data with Social Networks (e.g. Facebook).

If our business is to be integrated with another business or sold, your details
would be shared with our advisers and any prospective purchaser’s advisers.
Your information could be passed to the new owners. (You will be notified if
this happens).

Personal data may be shared with government authorities and/or law
enforcement officials for the prevention or detection of crime, if required by
law or if required for a legal or contractual claim.

6. International transfers

Sometimes we send or store your data outside of India. For example, to
follow your instructions, comply with a legal duty or to work with or receive
services from our service providers who we use to help run your accounts
and our services.

If we do transfer information outside India, we will make sure that it is
protected by transferring it only to such a non-Indian entity that ensures the
same level of data protection that is adhered to by us under Indian law. The
transfer will be done only if is necessary for the performance of our lawful
contract with you, or where you have consented to the transfer.

7. Cookies and similar technologies

Our website, apps and marketing emails use cookies and similar technology.
Full information is in our Cookie Policy. This includes information on how to
adjust your browser settings to accept or reject cookies.

8. Data retention

We keep your data to enable us to fulfil our contract with you or to provide services, whilst you are an active user of our site or app or where required by law or to protect legal rights. We do not retain your personal data for longer than is required for the purposes stated in this Privacy notice as detailed in Section 4 above.

We always look to keep your data for the minimum time in line with data
protection principles and our processes. For example, we keep information
on Costa Club members as follows.

  • If you register but do not collect and/or use any beans using your card or
    app within 12 months, your registration beans will expire, and we will delete
    your Costa Club account information at that point.

  • If you do not collect and/or use your beans for 2 years, we will delete your
    Costa Club account information.

  • Customer feedback and correspondence with our customer services teams
    depending on the nature of the interaction and any applicable law. This
    enables us to respond to any questions or complaints.

  • We may show advertisements on your social network newsfeed and to
    other people like you for 2 years after our last contact from you.

  • Information to maintain records according to rules that apply to us.

If you unsubscribe from marketing communications, we keep a record of this
request indefinitely to ensure we do not send you direct marketing again

We may keep your data for longer if we cannot delete it for legal or regulatory
reasons.

9. Your rights

You have rights over your personal data.You can:

  • ask for a copy of your information;

  • ask for information to be corrected;

  • ask for information to be erased or deleted;

  • ask for us to limit or restrict processing;

  • object to us processing your data, in particular, where we do not have
    to process the data to meet a contractual or other legal requirement
    and in relation to processing for direct marketing purposes, including
    profiling for direct marketing purposes; and

  • ask us to send you a copy in a structured digital format or ask for us to send it to another party.

Some rights, however, may be limited. We may be obliged by law or regulation to keep information. We must respect other people’s privacy as well, which means we may need to redact or remove information where it includes personal data about someone else, even if it is connected to your data.

If you want a copy of your data, to object to how we use your data, or ask us to delete it or restrict how we use it or, please see ‘Contact details’ below. To process a request from you, we may need to confirm your identity to ensure we’re accessing the right data.

10. Contact details

To discuss or change your Costa Club account details, including
preference settings, you can log into ‘My Account’ on the app and go to
(account details) and Contact Preferences or contact consumer general
enquiries at customercare@costaconnect.in

For consumer general enquiries relating to your loyalty account please
contact: customercare@costaconnect.in or Tel No: 9029002363

To exercise any of your rights or to withdraw consent (where you provided
it) please use the app or contact customercare@costaconnect.in or Tel No:
9029002363

For complaints relating to your loyalty account, please email the Grievance
Officer: IndiaGrievanceOfficer@costacoffee.com

For any queries relating to data protection, please contact Costa's Data
Protection Officer by email at costadpo@costacoffee.com or write to them at
Data Privacy Team, Costa Limited, Costa House, 6 Porz Avenue, Houghton
Hall Business Park, Houghton Regis, Dunstable, Beds, LU5 5YG, United
Kingdom

We may change or update this policy from time to time. We will communicate
these as appropriate – for example, by updating our website or, where legally
required, by actively telling you about the changes.

11. Which Costa entity is the collecting your data?

We are Costa Limited, Costa House, 6 Porz Avenue, Houghton Hall Business Park, Houghton Regis, Dunstable, Beds, LU5 5YG, United Kingdom. Costa Limited runs the Costa Coffee Club within India.

When you visit our Facebook page, Facebook Ireland will collect certain personal data from you, and they will give us anonymous analytics data about you. This is called insight data and you can find more information about how Facebook processes it here. Facebook and Costa are joint controllers over the insight data. For any other processing we are separate controllers, please refer to Facebook's Data Policy to understand how they
process your personal data.

If you would like to exercise your data subject rights over this insight data
please contact us or Facebook.

Please remember that when you click a link to go from our website to another
website, our Privacy Policy no longer applies. Any browsing and interaction
on another website, is subject to that website or third-party notices and
policies which we recommend you read. This policy applies solely to data
collected and processed by Costa Coffee.

Some stores using the Costa brand are franchisees. Franchisees are all
committed to protecting your privacy but please be advised that each Costa
franchisee is an independent business and is responsible for the operation
of its own stores and compliance with data protection law.

12. Security Practices

Costa implements data security practices and standards that are
commensurate with the nature of our business. Our information security
policy is available on request, please email: customercare@costaconnect.in