Privacy Policy for Greggs Digital and Customer Services

United Kingdom

Last updated September 2024

This Privacy Policy explains what happens to the personal information we collect from you during visits to our shops, via the Greggs App, online via our website, by telephone, post, email, our digital marketing and advertising, social media, third parties or any other ways you might engage with us. This Privacy Policy also explains your legal rights over your personal data and how you can exercise them.

We may update this Privacy Policy from time to time and we will endeavour to update you of any significant changes if we hold a valid email address for you provided via the Greggs App or online. We recommend you also review this page occasionally to ensure that you’re happy with any changes. If we do change it, we will post the revised version here and change the “last updated date” (the date it applies from) at the top of the statement.

Please take time to read this Privacy Policy carefully so you understand how we treat and use your personal information and get in touch with us via our Contact page if you have any concerns.

Who are we?

We are Greggs plc, one of the UK’s leading food-on-the-go retailers ("we" or "us"). Greggs plc is registered at Companies House under company number 00502851 and our registered office is at Greggs House, Quorum Business Park, Newcastle upon Tyne, NE12 8BU.

We are also registered with the Information Commissioner’s Office under registration number Z7225689.

If you have a question regarding how we use your personal information, please address your communication to the "Data Protection Analyst" using one of the methods set out in the “How can you find out about and update your information?” section of this Privacy Policy.

We take data protection very seriously and respect the privacy of our customers. We are committed to protecting and respecting your privacy, in accordance with the UK General Data Protection Regulation ("UK GDPR").

What information do we collect from you?

We may collect the following personal information from you:

• Your name and contact details (emails address, mobile telephone number, postal and billing address, social media handle);

• Your mobile telephone ID (i.e. your unique address that identifies your mobile device);

• Your date of birth;

• Your gender (if you choose to provide this);

• Your marketing preferences;

• Any information you include in correspondence or feedback you send to us, in forms, competitions, promotions or surveys you submit to us, when using our website, Greggs App (including in-app chat), email or via our social media pages;

• Any information you provide in customer research or customer satisfaction surveys we may conduct to evaluate and improve our products and services;

• Your image on CCTV in our shops, and your image and audio when body cameras are in use by security staff at select shops;

• Your payment card and, in relation to certain goodwill payments, your bank account number and sort code, items purchased, the date and time of your transaction, amount purchased, whether you used a particular coupon or deal, and payment information, such as your credit/debit card or gift card or loyalty program details, when you make an in-store or online purchase;

• Your mobile device information (or information about the device you use to access our website or services, including your Internet Protocol (IP) address (i.e. your unique address that identifies your device on the internet), your Internet service provider, device type, model and manufacturer, device operating system and platform, date and time stamps, IDs that allows us to uniquely identify your browser, mobile device and information in relation to your account and advertising you might have interacted with; and

• Your browsing history on our Greggs App, Website or information from when you visit and engage with content or targeted advertising on third party platforms or social media networks.

We may also collect information about how you use any of our digital services including:

• Which products you purchase from us;

• How frequently you purchase them;

• When you visit our shops;

• How much you spend with us;

• Which of our shops you frequently use; and

• How you’ve arrived at registering or using our digital services.

Location Data

Where you have enabled location tracking services on your mobile device, we may also collect location information from you so that you can use your Greggs App to find your nearest Greggs shop and we can understand more about your shopping habits with us in order for us to send you more personalised offers on our products and services.

Aggregated Data

We collect, use and share aggregated data such as statistical or demographic data. We could derive this aggregated data from your personal information where you’ve given us permission to do so. For example, to understand differences in usage of users accessing a specific Greggs product or service in different parts of the U.K.

Nevertheless, if we combine or connect aggregated data with your personal information so that it can directly or indirectly identify you, we treat the combined data as personal information which we will use in accordance with this Privacy Policy.

How is your information held?

Once collected, your personal information will either be held on the secure systems of our third party suppliers involved in the operation of a Greggs Account or held on our customer database on our own secure systems within the United Kingdom (for further details, please see the “Who has access to your information” section below).

When you speak to us by phone you will be notified that your call will be recorded. This recording is held within the United Kingdom.

How will we use your information?

We will only use your personal information when the law allows us to do so, which may be:

• To fulfil a contract we have with you; or

• When it is our legal duty; or

• When it is in our legitimate interests (or those of a third party); or

• When you consent to it.

A legitimate interest is when we have a business or commercial reason to use your information. But even then, it must not unfairly go against what is right and best for you. If we rely on our legitimate interests, we will tell you what that is.

We may use your personal information for the reasons and in accordance with the legal basis below:

Purpose of Processing Your Personal Information

Legal Basis

Account administration - Account administration purposes for any registered account(s) you hold with us.

This is both:

• Necessary for the performance of a contract with you for the operation of any account; and

• Necessary for our legitimate interests to ensure that our customers receive an appropriate level of service.

Free rewards

To provide you with free rewards based on:

• Your birthday.;

• Your purchasing habits.

• Your location and / or the shops that you visit.

• Products that we think you might be interested in.

• The rewards set out in our Terms and Conditions, in which case we shall notify you by email when these are applied to your Greggs Account and may provide further notice if a reward is expiring.

This is both:

• Necessary for the performance of the contract with you for the operation of your Greggs account; and

• Necessary for our legitimate interests to ensure that our customers receive rewards that are tailored to them and are in line with their expectations.

To send notifications or account information to you by email, SMS text or app push notifications. We may select products that we believe you may be interested in based upon the information that we collect about how you use your Greggs account.

This is both:

• Necessary for the performance of the contract between you and us for the operation of your Greggs account; and

• Necessary for our legitimate interests to ensure that our customers receive an appropriate level of service.

Personalised Marketing

To better tailor offers and services to your needs, including:

• To send you marketing about Greggs’ products, to provide personalised content and information.

• To provide personalised content and information that may be of interest to you.

• This will include targeted content and advertising where we identify you across our platforms and third parties, identifying when, if, and where you use multiple devices to access our services

On the basis of consent, specifically where you have opted to receive direct marketing via the preference settings in any Greggs account, where you have opted to receive our email communications or indicated you consent to being tracked using the first and third party cookies as detailed in our Cookie Policy.

Profiling

• To help us build up a picture of the things you are interested in or you’ll find most useful from us to make advertising tailored to you whenever possible.

• We will build and develop a customer profile for you based on the products and services you use and/or buy to target and develop content, advertisements or marketing materials which are most likely to be of interest to you.

• We may also use these profiles to "match" your data and these could also appear as advertising on third party websites or social media platforms that you visit after you have used our services such as this site or the Greggs App.

On the basis of consent, specifically where you have opted to receive direct marketing via the preference settings in any Greggs account, where you have opted to receive our email communications or indicated you consent to being tracked using the first and third party cookies as detailed in our Cookie Policy.

Data analytics

To conduct data analytics and analysis studies to review and better understand trends and improve our business, use of our website, Greggs App and social media which relates to us as well as to help us measure traffic and usage trends for the services we provide and to understand more about the demographics and behaviours of our users.

This is necessary for our legitimate interests to improve our service to our customers. We may also have legal obligations or be exercising a legal right to do this.

Location data

Location services so that you can use your Greggs App and account to find your nearest Greggs’ shop.

On the basis of consent, specifically where you have enabled location tracking services on your mobile device.

Customer record

To create and maintain a record to identify where you have been in touch with us in the past, including the reason for that previous contact and how it was resolved.

This is necessary for our legitimate interests in order to ensure that we have a good record of customer contacts so that we can:

• Monitor complaints regarding our business and any on-going or recurring issues that you may have. This will help us to make sure you receive proper assistance when you contact us and where relevant, that we understand the background to any issues you may have.

• Identify any potentially fraudulent complaints or series of complaints.

• Review and assess the quality of our responses to complaints for training and development purposes.

Responding to you

To respond to your question or comment and to evaluate and improve our products and services. Where you have previously been in touch we will use this data to help you more quickly.

This is necessary for our legitimate interests to improve our service to our customers.

Monitoring use

To monitor any use you make of our website, Greggs App and information and communication systems and social media accounts, to remember information so that you will not have to re-enter it during your visit or the next time you visit our website.

This is necessary for our legitimate interests so we can:

• Ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution.

• Protect your personal information.

• Improve our service to our customers.

Vouchers and gift cards

To send gift vouchers or voucher codes to you.

This is either (depending on the circumstances):

• Necessary for the performance of a contract to which you are a party, for example if your contact relates to the operation of your Greggs account. Processing is necessary so that we resolve the issue and ensure that we have properly provided our services to you; or

• Necessary for our legitimate interests to ensure that our customers receive an appropriate level of service and to investigate and resolve the reasons why that may not be the case; or

• On the basis of consent, specifically where we ask your consent to be able to use your data to send gift vouchers or voucher codes to you.

Complaints

To contact you to discuss any complaint that you have made and to update you on how it is being resolved.

This is either (depending on the circumstances):

• Necessary for the performance of a contract to which you are a party, for example if your contact relates to the operation of your Greggs account. Processing is necessary so that we can investigate the issue and ensure that we have properly provided our services to you; or

• Necessary for our legitimate interests to ensure that our customers receive an appropriate level of service and to investigate and resolve the reasons why that may not be the case.

Order fulfilment

To fulfil your order, complete your transaction and update aspects of your Greggs account such as your rewards information.

Order fulfilment

To fulfil your order, complete your transaction and update aspects of your Greggs account such as your rewards information. This is both:

• Necessary for the performance of a contract with you to fulfil your order; and

• Necessary for our legitimate interests to ensure that our customers receive an appropriate level of service.

Custom Audiences 

To help Social Media networks target you with tailored adverts. In some cases we will send encrypted customer emails to social media networks so that they can build custom audiences of our customers, which we can then target with tailored adverts. Social media networks will only be able to use customer emails to identify a user profile where this email data already exists on their network.

This is necessary for our legitimate interests to ensure that we can better understand the type of customer holding an account.

Group Wide and Partner Marketing

To send you marketing about activities carried out by any Greggs group company which may also include the Greggs Foundation.

On the basis of consent, specifically where you have opted to receive direct marketing via the preference settings in any Greggs account, where you have opted to receive our email communications or indicated you consent to being tracked using the first and third party cookies as detailed in our Cookie Policy.

Competitions

To administer and manage your participation in any competition that you choose to enter.

This is necessary for the performance of our contract with you so that we can contact you and send you a prize if you are a winner.

Security and crime prevention

To assist in crime prevention and detection, and to protect our customers, employees and premises from crime, we operate CCTV systems in our stores and security staff wear body cameras.

This is necessary for our legitimate interests to ensure that we are providing a safe environment.

We also need to compile reports detailing the number and nature of customer contacts received within certain periods of time, which we will use within the business for management purposes. We use reasonable efforts to remove all personal information from these reports, but sometimes (for example, where personal information is contained in the message box of the "Contact" page), it may not be practical for this personal information to be removed or anonymised.

We always aim to use your personal information in an ethical and non-intrusive way. We will not use your personal data to target, segment, or profile individuals based on their health, negative financial status or condition, political affiliation or beliefs, racial or ethnic origin, religious or philosophical affiliation or beliefs, sex life or sexual orientation, data relating to an alleged or actual commission of a crime, for any unlawful or discriminatory purpose or in any other manner that would be inconsistent with your reasonable expectation of privacy.

How long will we hold your information for?

We will only hold your personal information for as long as is reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. 

In general, this means we will hold your personal information for as long as you are an active customer of Greggs. While this will vary for each customer, this data will typically cover up to a 10-year period of your activity with us, but may be longer depending on how long you have used our Digital Services.

How we consider you to be an active customer of Greggs:

We consider you an ‘active’ customer of Greggs, and therefore retained on the database, if within the previous 24 month period you have: 

a) Made a digital transaction with us – such as placing a click and collect order via the Greggs App, making a purchase on greggs.co.uk, or scanning/using the Greggs App at a Greggs shop; or

b) Received 1 or more stamps, or rewards, in any of the six product categories in the last 24 months; or 

c) Had a financial account/wallet balance of any size that has topped up within this period (auto or manual); or 

d) Not otherwise already contacted our Customer Care Team to request that your personal information or Greggs Account is removed from our system.

If you cease to be an active customer of Greggs by not engaging in any of the above interactions with us, we will delete your Greggs account and your personal information.

Circumstances where we may retain your personal data:

If you make a complaint we also may need to hold your personal details for a longer period. We may also retain your transaction history for analysis purposes.

In some circumstances you may continue to receive marketing communications from Greggs after your Greggs Account is deleted if you do not opt out.

Notice of deletion

If your contact details are still valid, in most cases we will aim to notify you in advance of our intention to close your Greggs account after 24 months of inactivity, we may, at our discretion, proceed to close your Greggs account sooner if we deem you to no longer be an active customer of Greggs.

Data Retained by our Customer Care Team

In all other cases and where you contact our Customer Care Team we hold your information for 3 years from the date of your contact or if you contact us again within that period of time, for a period of 3 years from the date of your last contact with us. Information held relating to an injury complaint involving a minor will be retained for 3 years following the minor turning 18.

We will hold your personal information for this length of time because:

• In the case of a Greggs Account it will ensure that your account is kept available for your use for a reasonable period of time before closure;

• It will help us to handle any Greggs Account queries you may have within this period of time;

• It will identify any trends in the nature of your contact with us; and

• It will allow us to investigate a complaint.

After expiry of retention periods your data may be anonymised for market insight purposes and to measure the performance of our business.

We may keep your data for longer if we cannot delete it for legal, regulatory or technical reasons.

We will from time to time review our retention periods but we will only ever hold your personal information for as long as we believe is necessary for reasons set out above.

Only processing the personal information that we need to

Your personal information will only be processed to the extent that it is necessary for the specific purposes we tell you about.

Who has access to your information?

We reserve the right to pass any or all of your personal information to the police, or any other law enforcement agency for the purposes of:

• Compliance with any of our legal obligations;

• Crime detection or prevention;

• Your misuse, or suspected misuse, of our website or any Greggs account.

Where your contact relates to any legal proceedings or prospective legal proceedings against us, we may need to pass your personal information onto our insurers and legal advisers for the purposes of assessing any such proceedings. We may also be required to share your personal information if we are under a duty to do so in order to comply with any legal obligation or to protect our rights, property or the safety of our business, customers, suppliers or employees. This includes exchanging information with other companies and organisations for the purposes of fraud protection.

We will also share your personal information with the following categories of third parties:

• Service providers acting as processors who provide insight services, delivery of marketing and communications services, customer services, competition administrators and IT and system administration services.

• Where you need to send something to us (for example, a sample of a product you have purchased from us) or where we need to send something to you (for example a gift), your personal information may need to be passed onto our third party suppliers to help us to achieve this.

• Where your contact involves one of our third party partners (for example Just Eat, Iceland and franchise partners) if necessary we will pass on your information (unless you ask us not to) in order to resolve your complaint or query.

• Where you have used our click and collect service or top up functionality via the Greggs App, your payment has been processed by our payment provider Adyen. For more information on how your information has been processed by our payment provider please go to: Adyen Privacy Policy.

• When you contact us via networks such as Twitter, Instagram and Facebook we will occasionally use this data for internal analysis purposes. Please refer to the below links for their individual privacy policies and how your data is used:

Twitter Privacy Policy

Instagram Privacy Centre

Facebook Privacy Centre

• When you use our shop Wi-Fi service, which is provided by Sky Wi-Fi, we do receive summaries of your behaviour and usage statistics which we’ll use for internal analysis purposes. Please refer to Sky Privacy and Cookie policy for more information how your personal data is used.

• If you have any queries on how we work with these 3rd party providers, please contact data.protection@greggs.co.uk

Apart from the circumstances set out above, we will not disclose your personal information to any third parties without your consent, unless we are satisfied that they are legally entitled to the information. Where we disclose your personal information to a third party, we will have regard to the data protection principles.

We will not:

• Sell your personal information to third parties; or

• Share your personal information with third parties for marketing purposes (unless you have given your consent for us to do so).

• Permit any decisions to be taken about you using automated decision-making means.

Automated processing for personalised communications

We use automated processing so that we can show you personalised advertisements whilst browsing our website or those of other companies, and to build a customer profile for you. Any advertisements you see may relate to your browsing activity on our website from your computer or other devices. These advertisements are provided by us via external specialist providers using techniques such as pixels, web beacons, ad tags, mobile identifiers and ‘cookies’ placed on your computer or other devices. For further information on the use of cookies, or for details of how you can remove or disable cookies at any time - see our Cookie Policy.

We may analyse your activity online and your responses to marketing communications. The results of this analysis, together with other demographic data, allows us to decide what advertisements are suitable for you and to ensure that we draw to your attention products, services, events and offers that are tailored and relevant to you. To do so, we use software and other technology for automated processing. This allows us to provide a more personalised services and experience. We may review personal information held about you by external social media platform providers, such as the personal information available on social media platforms including Twitter, Instagram, YouTube, Twitter and Facebook. We aim to update you about products and services which are of interest and relevance to you as an individual. To help us do this, we process personal data by profiling and segmenting, identifying what our customers like and ensuring advertisements we show you are more relevant based on demographics, interests, purchase behaviour, online web browsing activity and engagement with previous communications.

Links to other web sites and services

Greggs App and website may contain links to and from third party websites of our business partners, advertisers, and social media sites and our users may post links to third party websites. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability resulting from you following a link to these websites. Additionally, other privacy policies may apply when you engage with us through a co-branded or co-sponsored promotional or marketing activity. We strongly recommend that you read the privacy policies and terms and conditions of use of any third party website or service to understand how your information will be collected, used and shared. We are not responsible for the privacy practices or the content on the websites of third-party sites.

How can you find out about and update your information?

You have the right to ask for a copy of the personal information that we hold about you.

If you wish to do so, please contact us:

• By email at data.protection@greggs.co.uk

• By post for the attention of the Data Protection Analyst, Greggs plc, Greggs House, Quorum Business Park, Newcastle upon Tyne, NE12 8BU.

In order to fulfil your request, we may need to first verify your identity.

Any questions regarding this Privacy Policy can be sent to us using the same contact details above.

The accuracy of your information is also important to us. If you change contact details or if you believe that any of the other personal information we hold is inaccurate, incomplete or out of date, please contact us:

• Via the Greggs App;

• Via our Contact page;

• By post for the attention of the Customer Care Team, Greggs plc, Greggs House, Quorum Business Park, Newcastle upon Tyne, NE12 8BU;

• By telephone on 0808 1473447.

You may also request an accessible format of this Privacy Policy using these contact details.

In addition to your rights set out elsewhere in this Privacy Policy, you also have the right to:

• Request details from us of the recipients of your personal information or the categories of recipients of your personal information, if it is supplied by us to any third parties;

• In certain circumstances have the processing of your personal information restricted;

• In certain circumstances be provided with the personal information that you have supplied to us, in a portable format that can be transmitted to another company;

• In certain circumstances not to be subject to a decision that is based solely on automated processing which would have a legal or significant impact on you;

• In certain circumstances object to any processing we are carrying out about you when the basis for our processing is legitimate interests.

If you wish to exercise any of the rights set out above, you must make the request in writing addressed to the "Data Protection Analyst" using one of the methods set out above.

Withdrawal of consent

If you have provided your consent for us to process your personal information, you have the right to withdraw your consent at any time. This will not affect the legality of our consent based use before you withdrew your consent.

If you wish to exercise your right to withdraw your consent, you must make the request in writing addressed to the "Data Protection Analyst " using one of the methods set out in the “How can you find out about and update your information?” section of this Privacy Policy.

The right to object and deletion

You have the right to object to our use of your personal information, or to ask us to delete, remove, or stop using your personal information if there is no need for us to keep it. This is known as the “right to be forgotten”.

There may be legal or other reasons why we need to keep or use your information, but please tell us if you think that we should not be using it.

We may sometimes be able to restrict the use of your personal information (although in doing so this may affect your ability to continue using your Greggs account). This means that it can only be used for certain things, such as legal claims or to exercise legal rights. In this situation, we would not use or share your information in other ways while it is restricted.

If you object to our processing of any of your personal information, you must make the request in writing addressed to the “Data Protection Analyst” using one of the methods set out in the “How can you find out about and update your information?” section of this Privacy Policy.

How we keep your data secure

We and our third party suppliers use reasonable, appropriate and up to date security methods to keep your data secure and to prevent unauthorised or unlawful access to your information. We limit access to your personal information to those employees, subcontractors, consultants and other third parties who have a business need to use it. They will only process your personal information on our instructions. They are subject to obligations of confidentiality.

We have put in place procedures so that we can deal with any actual or suspected personal information breach and we will let you and the Information Commissioner's Office know of a breach where we are legally required to do so.

Transferring your personal information outside the UK

We will not transfer your personal information outside the UK unless such transfer is compliant with the UK GDPR. This means that we cannot transfer any of your personal information outside the UK unless:

• The UK Government has decided that another country or international organisation ensures an adequate level of protection for your personal information; or

• The transfer of your personal information is subject to appropriate safeguards, which may include: Binding corporate rules; or

Standard data protection clauses adopted by the UK Government; or

• One of the derogations in the UK GDPR applies (including if you explicitly consent to the proposed transfer).

Right to make a complaint

If you have any issues with our processing of your personal information and would like to make a complaint, you may contact the Information Commissioner's Office on 0303 123 1113 or at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. More information can also be found at the make a complaint section of the ICO website.