Privacy Policy

February 2024

Costa Limited ("Costa", "We", "Us") is a controller of your personal data. We respect your data and your privacy is important to us.

This Privacy Policy explains what personal data we collect and how it is used. This policy also explains what rights you have over your personal data and how you can use those rights.

You have a number of rights under data protection legislation which, in certain circumstances, you may be able to exercise in relation to the personal information we process about you. More information about your rights and how to exercise these is set out in the “Your rights” section of this notice.

An overview of how we use your data is here.

Costa Limited’s registered office is Costa Limited, 3 Knaves Beech Business Centre, Davies Way, Loudwater, High Wycombe, Buckinghamshire, HP10 9QR.

1. Summary of how we use your data and your rights

We use your data to provide and improve our products and services, including for marketing, research, feedback and enquiries, and for safety and security purposes. We also use your data when you enter competitions or awards that we organise.

We will use your data to comply with laws and regulations. We use your data to prevent and detect crime, such as fraud.

Where we rely on consent as the legal basis on which we process your personal information, you may also withdraw that consent at any time. To exercise any other data rights, such as obtaining a copy of your data, correcting, deleting or restricting how we use your data Please see “Your rights” for more information.

You can unsubscribe from marketing communications at any time. To opt out of direct marketing, including profiling for direct marketing purposes, you can either adjust the preference settings in your Costa Club account, or select “unsubscribe” in emails. By choosing not to receive marketing emails, you will miss out on our great offers, but will still be able to collect beans.

If you are seeking to exercise any of these rights, please contact us using the details in the “Contact Us” section at the end of this policy.

Our websites and app use cookies and similar technologies to improve functionality, recognise you and to customise your experience. You can reject and block cookies in your browser settings. Please see our Cookie Policy for more information.

If you enable location services on the app, or you access the location finder on our sites and your browser settings allow this, your device will identify and alert you to the nearest Costa Store and Costa Express to your location.

Costa is part of the Coca Cola group of companies, for details of how personal data is shared with the Coca Cola group, please see the “Data Sharing” section below.

2. Information we collect from you

We collect information when you purchase something or use our services or enter our competitions or awards. This includes store visits, using our websites or app, joining our Costa Club, or corresponding with us.

In particular:

  • We keep information you give us directly such as contact details (including name, email, address and telephone number), comments, date of birth, gender, region, frequency of visits, feedback, marketing opinions and competition entries.

  • We record and analyse store, web and app visits, details of your purchases, including when you purchase or use e-Gifts, and where you take advantage of our promotions.

  • We record your car registration for our Click & Serve service to bring you your order.

  • When you sign up to in-store WiFi the provider will use your details for access and security purposes.

  • If there is an incident, we log information about it.

  • If you engage with us online via our websites or app, our cookies and similar technologies will capture your IP address, your location, and record how you use the site or app to help improve it and improve your user experience, where your browser settings or permission allows for this.

  • If you post information online about us or provide feedback, we keep a record.

  • If you contact us directly and complain or give feedback, receive compensation, or enter a competition, we will record details and all related information (including that you provide to us) such as emails, letters, phone calls, date of birth to our product customer information helplines including those operated by third parties as detailed in Section 5 below.

  • We use CCTV in our premises for the prevention and detection of crime and for safety and security reasons.

3. Information we receive from third parties

We receive your information from other people in certain circumstances. This can happen when:

  • Someone buys you a Gift card or eGift. They give your name and email address, so we can send you the Gift card or eGift. Occasionally they may give us your birthday information (day and month) as well, so that we send the Gift card or eGift to you on your birthday.

  • You participate in market research, such as focus groups or surveys.

  • Members of the Coca-Cola group may help us operate some of our customer information centre services for Costa branded products and provide us with information that you supply to them – see section 5 for more details.

  • We may also indirectly collect from our social media partners the fact that you are using their social networks and your associated advertising identifiers.

  • We use AppsFlyer's attribution and marketing analytics services that enable us to: (i) measure and analyse the effectiveness of our marketing campaigns by understanding which marketing campaigns contributed to the download/installation of our mobile applications or such other conversion metric (e.g. relaunch of Application); and (ii) measure and analyse certain events and actions within their app, such as in-app purchases. The services also help us identify and protect against fraudulent behaviour related to marketing campaigns. End User Data does not contain any information that directly identifies an individual, such as names, addresses, or other similarly regulated financial information, health information, or any other type of sensitive personal information (“PII“),

We currently track 5 events with AppsFlyer that relate to our marketing to App activity.

  • Download

  • Registration

  • Open

  • Removal of App

  • Re-install.

You can see full details of AppsFlyer’s privacy policy here: https://www.appsflyer.com/legal/services-privacy-policy/

4. How we use information and the legal basis

We are allowed to use your data only if we have a proper reason to do so such as:

  • To fulfil a contract we have with you;

  • When it is in our legitimate interest;

  • When you consent to it; or

  • To comply with the law.

A legitimate interest is when we have a business or commercial reason to use your data. This involves us making an assessment of when we can rely on our legitimate interests. For more information on this assessment please contact our Data Privacy team, the details are in the “Contact Us” section at the end of this notice.

We have set out below how and why we use your personal information and the legal basis we rely on. This is also where we tell you what our legitimate interests are.

When you buy something from us, join our Costa Club, or enter a competition we run, we use your information to fulfil our contract with you.

We take information to communicate with you, check your identity, take payment, and provide products and services, including awarding loyalty beans if you are a Costa Club member.

To run our business and pursue our legitimate interests, we use your information.

Our legitimate interests include keeping our records up to date, fulfilling our legal, compliance and contractual duties, working out which of our products and services may interest you, improving our site and apps, and services, developing new products and services, and telling you about them and conducting market research.

Further details of our legitimate interests:

To run and promote our business, we use your information:

  • To provide and improve our products and services, including in-store Wifi, Costa Club and Costa eGift, and to respond to you if you contact us.

  • To record call centre communications, including incoming and outgoing calls and emails, for staff training, quality improvement purposes and establishing facts and to deal with concerns or complaints that you may raise.

  • When we monitor Costa websites, social media platforms such as Facebook and Twitter and online services including our mobile app and responses to email marketing. If you post comments online or in other media, we capture this information, use it to contact you, and use it to improve our products and services.

  • Show targeted advertisements within your social networks and to other people like you.

  • To run competitions and promotions and track which offers seem of interest to you.

  • To understand you better as a customer by analysing your transactions and other information you provide to us or which we learn through your interactions with us.

  • To send you emails including offers tailored to your perceived preferences where you are a Costa Club member and your preference settings permit this. We record which emails seem to be of interest to you. Based on your purchase history and membership card usage, some Costa Club members may be offered additional loyalty beans.

  • To contact you where you provide us with market research feedback or pass this data to a third-party business partner of ours for panel market research analysis.

  • To administer and run our organised awards.

We also process the insight data for our legitimate interests to understand how you interact with our Facebook page and its contents and to help us improve our services and contents.

To prevent, investigate and/or report fraud, terrorism, misrepresentation, security incidents or crime, including where we are required to do so by law, we:

  • Monitor Costa Club accounts and Gift card and eGift usage and review CCTV, record call centre communications and emails.

  • Use other organisations to check the validity of the credit or debit card details you use to pay (for further details see “Data sharing” below).

To comply with law, assess and uphold legal or contractual rights and claims, and for monitoring, auditing and training on compliance matters:

  • We monitor, and record call centre communications, including incoming and outgoing calls and emails.

  • We verify your identity in certain circumstances.

  • We keep records to comply with health and safety legislation, including accounting for the number of individuals on our premises and logging accidents.

If you give us consent, we:

  • Send you electronic marketing, including promotions and offers, in relation to our products and services if you are a member of our Costa Club and inform you of other outlets that award Costa Club beans. Costa Club members can subscribe or unsubscribe from our marketing communications at any time.

  • Use cookies or similar technologies on the website, app and in marketing emails, including analytic cookies. For more details on our use of such technologies, see our Cookie Policy.

  • Show you targeted advertisements within your social media networks if your consent is required by law (e.g. in Germany).

  • Through the settings on your device, send you push notifications through the app.

  • If you use the store locator in the app or site and enable location services, it will notify you of the nearest Costa or Costa Express.

  • Use data for other purposes where we explain that purpose when we ask for your consent.

When you give consent, you are able to withdraw that consent at any time by contacting us using the details in the “Contact Us” at the end of this policy. If you do so we can only continue to use your data if another legal basis applies, such as when we’re required to do something by law.

Nevertheless, you have an absolute right to opt-out of direct marketing, including profiling for direct marketing purposes, at any time. You can opt out of marketing by selecting “unsubscribe” in emails, changing your preference settings on your Costa Club account in the app, logging into your account on the website or by using the details in the “Contact Us” section at the end of this notice.

When the law requires us to process your data we will do so. This can include:

  • Legal, compliance, regulatory and investigative purposes, including for government agencies and law enforcement.

  • When you exercise your rights under data protection legislation, including when you ask to unsubscribe from our marketing

communications.

5.  Data Sharing

Costa is part of the Coca-Cola group of companies. Coca-Cola group companies may process your personal data in the course of assisting us with customer information services, for instance SA Coca-Cola Services NV operates the Costa 'Ready To Drink' product customer care line and will handle enquiries and concerns regarding that product as its manufacturer. Details of such enquiries and concerns will be shared with Costa if there is a specific complaint relating to Costa that Coca Cola is unable to handle.

For some activities Costa uses third party service providers, for instance Expo-E to provide Wi-Fi in our stores. When these service providers need customer data from you, we share information with them.

In addition to using the companies as described above, we use third party providers for the following services:

  • Wi-Fi

  • Sending promotional offers

  • Customer feedback surveys

  • Customer service queries and complaints

  • Gift card and eGift services

  • Data analysis to enable us to optimise our services (including locations and products) Gift cards (including eGifts)

  • Loyalty scheme platform

  • Insurance

  • IT development, support, maintenance and hosting, including the provision of applications and website hosting

  • Payments’ processing to enable you to pay by credit or debit card

  • CCTV system provision and maintenance

  • Administration of our competitions and awards.

We may also share data with Social Networks (e.g. Facebook).

If our business is to be integrated with another business or sold, your details would be shared with our advisers and any prospective purchaser’s advisers. Your information could also be passed to the new owners (you will be notified if this happens).

Personal data may be shared with government authorities and/or law enforcement officials for the prevention or detection of crime, if required by law or if required for a legal or contractual claim.

6. International transfers

Sometimes we send or store your data outside of the European Economic Area (the EU plus Iceland, Lichtenstein and Norway) (‘EEA’). For example, to follow your instructions, comply with a legal duty or to work with or receive services from our service providers who we use to help run your accounts and our services.

If we do transfer information outside of the EEA, we will make sure that it is protected by using one of these safeguards:

  • Transfer it to a non-EEA country with privacy laws that give the same protection as the EEA. Some countries have been deemed adequate by the EU.

  • Put in place a contract with the recipient that means they must protect it to the same standards as the EEA or use other mechanisms and measures to achieve adequate protection. We also may use the Standard Contractual Clauses published by the EU.

  • Binding corporate rules. These are internal rules adopted by group companies to allow international transfers of personal data to entities within the same corporate group located in countries which do not provide an adequate level of protection.

For our service provider in the US, who helps us with our customer feedback surveys, we rely on contractual measures. For our service provider in India, who has restricted access to some data to provide us with IT support and maintenance services, we rely on contractual measures. For further details on the mechanisms used please contact our Data Privacy team, the details are in the “Contact Us” section at the end of this policy.

7. Cookies and similar technologies

Our website, apps and marketing emails use cookies and similar technology. Full information is in our Cookie Policy. This includes information on how to adjust your browser settings to accept or reject cookies.

8. Data retention

We keep your data to enable us to fulfil our contract with you or to provide services, whilst you are an active user of our site, app or Costa Club, to administer and promote our awards and competitions or where required by law or to protect legal rights.

We always look to keep your data for the minimum time in line with data protection principles and our processes. For example:

  • If you register for Costa Club but do not use your account or collect any beans using your card or app within 12 months, your registration beans will expire, and we will delete your Costa Club account information.

  • If you register for Costa Club and use your account to collect and/or use beans but are inactive for 2 years, your beans will expire and we will delete your Costa Club account information.

  • Personal information related to products and services purchased historically in our online shop, including Gift cards and eGifts, for as long as the personal data is required in order for us to fulfil our contract with you, as long as required to service any related warranty and for 6 years from performance of our contract with you.

  • Records of payment information in line with tax law and audit requirements.

  • Customer feedback and correspondence with our customer services teams for up to 2 years afterwards, depending on the nature of the interaction and any applicable law, such as health and safety. This enables us to respond to any questions or complaints.

  • We may show advertisements on your social network newsfeed and to other people like you for 2 years after our last contact from you.

  • Information to maintain records according to rules that apply to us.

If you unsubscribe from marketing communications, we keep a record of this request indefinitely to ensure we do not send you direct marketing again.

We may keep your data for longer if we cannot delete it for legal, regulatory or technical reasons.

9.  Your rights

You have rights over your personal data, and you can:

  • ask for a copy of your information;

  • ask for information to be corrected;

  • ask for information to be erased or deleted;

  • ask for us to limit or restrict processing;

  • object to us processing your data, in particular, where we do not have to process the data to meet a contractual or other legal requirement and in relation to processing for direct marketing purposes, including profiling for direct marketing purposes;

  • ask us to send you a copy in a structured digital format or ask for us to send it to another party.

Some rights, however, may be limited. We may be obliged by law or regulation to keep information. We must respect other people’s privacy as well, which means we may need to redact or remove information where it includes personal data about someone else, even if it is connected to your data. On occasion there may be a compelling legitimate interest to keep processing data.

If you want to exercise your data subject rights, please see ‘Contact details’ below. To process a request from you, we may need to confirm your identity to ensure we’re accessing the right data, this helps us to protect the personal information belonging to our customers against fraudulent requests.

You have a right to complain to an EU data protection authority. This can be where you live, work or where the matter occurred. In the UK, the authority is the Information Commissioner’s Office (the “ICO”).

10. Contact details

To delete your Costa Club account or change your account details, including preference settings, you can do this through the app, under Settings and Contact Preferences, on the website, log into ‘My Account’ and go to Account details and Contact Preferences or contact customer services here.

To exercise any of your rights, including CCTV requests, to withdraw consent or for any general data protection queries, please contact Costa’s Data Privacy Team at:

Email: costadpo@costacoffee.com.

Address: Data Protection Officer, Costa Limited, 3 Knaves Beech Business Centre, Davies Way, Loudwater, High Wycombe, Buckinghamshire, HP10 9QR.

We may change or update this policy from time to time. We will communicate these as appropriate – for example, by updating our website or, where legally required, by actively telling you about the changes.

11. Which Costa entity is the controller?

The controller for your information is Costa Limited, 3 Knaves Beech Business Centre, Davies Way, Loudwater, High Wycombe, Buckinghamshire, HP10 9QR.

Costa Limited runs the Costa Club within Great Britain and operates equity retail stores. Other stores are operated by Franchise Partners. Franchise Partners are independent and separate data controllers.

When you visit our Facebook page, Facebook Ireland will collect certain personal data from you and they will give us anonymous analytics data about you. This is called insight data and you can find more information about how Facebook processes it here. Facebook and Costa are joint controllers over the insight data. For any other processing we are separate controllers, please refer to Facebook's Data Policy to understand how they process your personal data. If you would like to exercise your data subject rights over this insight data please contact us or Facebook.

Please remember that when you click a link to go from our website to another website, our Privacy Policy no longer applies. Any browsing and interaction on another website, is subject to that websites’ or third-party notices and policies which we recommend you read. This policy applies solely to data collected and processed by Costa Coffee.