Privacy policy

October 2021

Costa Limited ("Costa", "We", "Us") may collect your personal data. Your personal data. We respect your data and your privacy is important to us.

This Privacy Notice explains what personal data we collect and how it is used. This notice also explains what rights you have over your personal data and how you can use those rights.

You have the right to object to some of the processing which Costa carries out. More information about your rights and how to exercise these is set out in the “Your rights” section of this notice.

Costa Limited’s registered office is Costa House, 6 Porz Avenue, Houghton Hall Business Park, Houghton Regis, Dunstable, Beds, LU5 5YG, United Kingdom.

  1. Summary of how we use your data and your rights

  2. Information we collect from you

  3. Information we receive from third parties

  4. How we use information and the legal basis

  5. Data sharing

  6. International transfers

  7. Cookies and similar technologies

  8. Data retention

  9. Your rights

  10. Contact details

  11. Which Costa entity is collecting your data?

  12. Security Practices

1. Summary of how we use your data and your rights

We use your data to provide and improve our products and services, including for marketing, research, feedback and enquiries, and for safety and security purposes.

We will use your data to comply with laws and regulations. We use your data to prevent and detect crime, such as fraud.

You have the right to object to some of the processing Costa carries out. More information about your rights and how to exercise these is set out in the “Your rights” section of this notice.

When you give consent, you are able to withdraw that consent at any time, for instance by emailing us, details in the contacts section at the end.  You can also exercise any other data rights, such as obtaining a copy of your data, correcting, deleting or restricting how we use your data. Please see “Your rights” for more information.

Our websites and app (where available) use cookies and similar technologies to improve functionality, recognise you and to customise your experience. You can reject and block cookies in your browser settings. Please see our  Cookie Notice for more information.

Where available, if you enable location services on the app, or you access the location finder on our sites and your browser settings allow this, your device will identify and alert you to the nearest Costa Store and Costa Express to your location.

Costa is part of the Coca Cola group of companies, for details of how personal data is shared with the Coca Cola group, please see the “Data Sharing” section below.


2. Information we collect from you

We collect information when you purchase something or use our services This includes store visits, using our websites or app, or corresponding with us.

In particular:

  • We keep information you give us directly such as contact details (including name, email, address and telephone number), comments, region, frequency of visits, feedback and marketing opinions.

  • here applicable, we record and analyse store, web and app visits, details of your purchases, including where you take advantage of our promotions. If there is an incident, we log information about it.

  • If you engage with us online via our website or app, our cookies and similar technologies will capture your IP address, your location, and record how you use the site or app to help improve it and improve your user experience, where your browser settings or permission allows for this.

  • If you post information online about us or provide feedback, we keep a record.

  • If you contact us directly and complain or give feedback, receive compensation, we will record details and all related information (including that you provide to us) such as emails, letters, phone calls, date of birth to our product customer information helplines, including
    those operated by third parties as detailed in Section 5 below. If you complain about a third party’s food, beverage or other product which we sell then we might pass your details to those third parties as part of the process followed to seek to resolve your complaint.

3. Information we receive from third parties

We receive your information from other people in certain circumstances. This can happen when:

  • You participate in market research, such as focus groups or surveys.

  • Members of the Coca-Cola group may help us operate some of our customer information centre services for Costa branded products and provide us with information that you supply to them – see section 5 for more details.

4. How we use information and the legal basis

We are allowed to use your data only if we have a proper reason to do so such as:

  • When you consent to it; or

  • To comply with the law.

We have set out below how and why we use your personal information.

When you buy something from us we use your information to fulfil our contract with you.

We take information to communicate with you, check your identity, take payment, and provide products and services.

We use your information to run our business.

This includes keeping our records up to date, fulfilling our legal, compliance and contractual duties, working out which of our products and services may interest you, improving our site and apps, and services, developing new products and services, and telling you about them and conducting market research.

To run and promote our business, we use your information:

  • To provide and improve our products and services, including in-store WIFI and to respond to you if you contact us.

  • To record communications, including incoming and outgoing calls and emails, for staff training, quality improvement purposes and establishing facts and to deal with concerns or complaints that you may raise.

  • When we monitor Costa websites, social media platforms such as Facebook and Twitter and online services including our mobile app and responses to email marketing. If you post comments online or in other media, we capture this information, use it to contact you, and use it to improve our products and services.

  • To understand you better as a customer by analysing your transactions and other information you provide to us or which we learn through your interactions with us.

  • To contact you where you provide us with market research feedback or pass this data to a third-party business partner of ours for panel market research analysis.

  • To prevent, investigate and/or report fraud, terrorism, misrepresentation, security incidents or crime, including where we are required to do so by law, we:

  • Monitor and review CCTV, record communications and emails.

  • Use other organisations to check the validity of the credit or debit card details you use to pay (for further details see “Data sharing” below).

To comply with law, assess and uphold legal or contractual rights and claims, and for monitoring, auditing and training on compliance matters:

  • We monitor and record communications, including incoming and outgoing calls and emails.

  • We verify your identity in certain circumstances.

  • We keep records to comply with health and safety legislation, including accounting for the number of individuals on our premises and logging accidents.

  • We will process information in connection with any complaint that you make in relation to the products which you purchase from us or the service which you receive.

If you give us consent, we:

  • Use cookies or similar technologies on the website, app and in marketing emails, including analytic cookies. For more details on our use of such technologies, click here to see our Cookie Notice.

  • Show you targeted advertisements within your social media networks if your consent is required by law

  • Through the settings on your device, send you push notifications through the app.

  • If you use the store locator in the app or site and enable location services, it will notify you of the nearest Costa or Costa Express.

  • Use data for other purposes where we explain that purpose when we ask for your consent.

When you give consent, you are able to withdraw that consent at any time by contacting us at the email address at the end of this notice. If you do so we can only continue to use your data if another legal basis applies, such as when we’re required to do something by law.

When the law requires us to process your data we will do so. This can include:

  • Legal, compliance, regulatory and investigative purposes, including for government agencies and law enforcement.

  • When you exercise your rights under data protection legislation,

5. Data Sharing

Costa is part of the Coca-Cola group of companies, and any personal data collected by us may be available for access or disclosure to Coca-Cola group companies, which may process your personal data in the course of assisting us with customer information services.

Details of such enquiries and concerns will be shared with Costa if there is a specific complaint relating to Costa that Coca Cola is unable to handle.

Where applicable, we use third party providers for the following services:

  • WiFi

  • Sending promotional offers

  • Customer feedback surveys

  • Data analysis to enable us to optimise our services (including locations and products)

  • Insurance

  • IT development, support, maintenance and hosting, including the provision of applications and website hosting

  • Payments’ processing to enable you to pay by credit or debit card

If our business is to be integrated with another business or sold, your details would be shared with our advisers and any prospective purchaser’s advisers. Your information could be passed to the new owners. (You will be notified if this happens).

Personal data may be shared with government authorities and/or law enforcement officials for the prevention or detection of crime, if required by law or if required for a legal or contractual claim.

If you complain about a third party’s food, beverage or other product which you have purchased from us then we may need to pass your details to the relevant third party as part of the process followed to seek to resolve your complaint.

6. International transfers

Sometimes we send or store your data outside of India . For example, to follow your instructions, comply with a legal duty or to work with or receive services from our service providers who we use to help run your accounts and our services.

If we do transfer information outside of India, we will make sure that it is protected by transferring it only to such a non-Indian entity that ensures the same level of data protection that is adhered to by us under the Indian law. The transfer will be done only if it is necessary for the performance of our lawful contract with you, or where you have consented to the transfer.

7. Cookies and similar technologies

Our website, apps and marketing emails use cookies and similar technology. Full information is in our Cookie Notice. This includes information on how to adjust your browser settings to accept or reject cookies.

8. Data retention

We keep your data to enable us to fulfil our contract with you or to provide services, whilst you are an active user of our site or app or where required by law or to protect legal rights. We do not retain your personal data for longer than is required for the purposes stated in this Privacy Policy as detailed in Section 4 above.

We always look to keep your data for the minimum time in line with data protection principles and our processes. For example, we keep:

  • Records of payment information in line with tax law and audit requirements.

  • Customer feedback and correspondence with our customer services teams depending on the nature of the interaction and any applicable law, such as health and safety. This enables us to respond to any questions or complaints.

  • Information to maintain records according to rules that apply to us.

We may keep your data for longer if we cannot delete it for legal, regulatory or technical reasons.

9. Your rights

You have rights over your personal data.

You can:

  • ask for a copy of your information;

  • ask for information to be corrected;

  • ask for information to be erased or deleted;

  • ask for us to limit or restrict processing;

  • object to us processing your data, in particular, where we do not have to process the data to meet a contractual or other legal requirement and in relation to processing for direct marketing purposes, including profiling for direct marketing purposes;

  • ask us to send you a copy in a structured digital format or ask for us to send it to another party.

Some rights, however, may be limited. We may be obliged by law or regulation to keep information. We must respect other people’s privacy as well, which means we may need to redact or remove information where it includes personal data about someone else, even if it is connected to your data.

If you want a copy of your data, to object to how we use your data, or ask us to delete it or restrict how we use it or, please see ‘Contact details’ below. To process a request from you, we may need to confirm your identity to ensure we’re accessing the right data.

10. Contact details

For business to business customer enquiries please email: customercare@costaconnect.in.

For consumer general enquiries or complaints please email the Grievance Officer: IndiaGrievanceOfficer@costacoffee.com.

To exercise any of your rights or to withdraw consent (where you provided it) you can email: IndiaGrievanceOfficer@costacoffee.com.

For any queries relating to data protection, please contact Costa's Data Protection Officer by email at costadpo@costacoffee.com or write to them at Data Privacy Team , Costa Limited, Costa House, 6 Porz Avenue, Houghton Hall Business Park, Houghton Regis, Dunstable, Beds, LU5 5YG, United Kingdom.

If you are a business customer and not a consumer, our partners collect your personal data. As a business customer, if you or your staff and would like to find out more about how your personal information is used, please email customercare@costaconnect.in.

We may change or update this notice from time to time. We will communicate these as appropriate – for example, by updating our website or, where legally required, by actively
telling you about the changes.

11. Which Costa entity is collecting your data?

We are Costa Limited, Costa House, 6 Porz Avenue, Houghton Hall Business Park, Houghton
Regis, Dunstable, Beds, LU5 5YG, United Kingdom. Costa Limited runs the Costa Coffee Club within Great Britain.

Please remember that when you click a link to go from our website to another website, our
Privacy Policy no longer applies. Any browsing and interaction on another website, is subject to that website's or third-party notices and policies which we recommend you read. This policy applies solely to data collected and processed by Costa Coffee.

Some stores using the Costa brand are franchisees. Franchisees are all committed to protecting your privacy but, just to be clear, each Costa franchisee is an independent business and is responsible for the operation of its own stores and compliance with data protection law.

12. Security Practices

Costa implements data security practices and standards that are commensurate with the nature of our business. Our information security policy is available on request, please emails: customercare@costaconnect.in.