Costa Limited is a controller of your personal data. We respect your data and your privacy is important to us.
This Privacy Notice explains what personal data we collect and how it is used. This notice also explains what rights you have over your personal data and how you can use those rights.
You have the right to object to some of the processing which Costa carries out. More information about your rights and how to exercise these is set out in the “Your rights” section of this notice.
An overview of how we use your data is here.
Costa Limited’s registered office is Costa House, 6 Porz Avenue, Houghton Hall Business Park, Houghton Regis, Dunstable, Beds, LU5 5YG.
1. Summary of how we use your data and your rights
2. Information we collect from you
3. Information we receive from third parties
4. How we use information and the legal basis
5. Data sharing
6. International transfers
7. Cookies and similar technologies
8. Data retention
9. Your rights
10. Contact details
11. Which Costa entity is the controller?
We use your data to provide and improve our products and services, including for marketing, research, feedback and enquiries, and for safety and security purposes.
We will use your data to comply with laws and regulations. We use your data to prevent and detect crime, such as fraud.
You have the right to object to some of the processing Costa carries out. More information about your rights and how to exercise these is set out in the “Your rights” section of this notice.
When you give consent, you are able to withdraw that consent at any time, for instance by emailing email@example.com. You can also email firstname.lastname@example.org to exercise any other data rights, such as obtaining a copy of your data, correcting, deleting or restricting how we use your data. Please see “Your rights” for more information.
You can unsubscribe from marketing communications at any time. To opt out of direct marketing, including profiling for direct marketing purposes, you can either adjust the preference settings in your Costa Club account, or select “unsubscribe” in emails, or email email@example.com.
If you enable location services on the app, or you access the location finder on our sites and your browser settings allow this, your device will identify and alert you to the nearest Costa Store and Costa Express to your location.
Costa used to be part of the Whitbread group of companies. It has now separated, but for a limited period, Whitbread Group PLC will provide certain transitional services to Costa. For details of how personal data is shared with Whitbread Group PLC, please see the “Data Sharing” section below.
We collect information when you purchase something or use our services. This includes store visits, using our websites or app, joining our Costa Coffee Club, or corresponding with us.
We receive your information from other people in certain circumstances. This can happen when:
We are allowed to use your data only if we have a proper reason to do so such as:
A legitimate interest is when we have a business or commercial reason to use your data. This involves us making an assessment of when we can rely on our legitimate interests. For more information on this assessment please contact firstname.lastname@example.org.
We have set out below how and why we use your personal information and the legal basis we rely on. This is also where we tell you what our legitimate interests are.
When you buy something from us, join our Costa Coffee Club, or enter a competition we run, we use your information to fulfil our contract with you.
We take information to communicate with you, check your identity, take payment, and provide products and services, including awarding loyalty points if you are a Coffee Club member.
To run our business and pursue our legitimate interests, we use your information.
Our legitimate interests include keeping our records up to date, fulfilling our legal, compliance and contractual duties, working out which of our products and services may interest you, improving our site and apps, and services, developing new products and services, and telling you about them and conducting market research.
Further details of our legitimate interests:
To run and promote our business, we use your information:
To prevent, investigate and/or report fraud, terrorism, misrepresentation, security incidents or crime, including where we are required to do so by law, we:
To comply with law, assess and uphold legal or contractual rights and claims, and for monitoring, auditing and training on compliance matters:
If you give us consent, we:
When you give consent, you are able to withdraw that consent at any time by contacting us, for instance by emailing email@example.com. If you do so we can only continue to use your data if another legal basis applies, such as when we’re required to do something by law.
Nevertheless, you have an absolute right to opt-out of direct marketing, including profiling for direct marketing purposes, at any time. You can opt out of marketing by selecting “unsubscribe” in emails or by adjusting the preference settings on your Costa Coffee Club account or by emailing firstname.lastname@example.org.
When the law requires us to process your data we will do so. This can include:
Costa used to be part of the Whitbread group of companies. It has now separated, but for a limited period, Whitbread Group PLC will provide certain transitional services to Costa. Costa Limited shares data with Whitbread Group PLC when they provide us with IT and infrastructure services and security services, including CCTV.
For some activities Costa uses third party service providers, for instance O2 provide WiFi in our stores. When these service providers need customer data from you, we share information with them, such as whether a correct Costa Coffee Club member number has been entered to access WiFi, or our online order fulfilment partner needs information such as your name, contact details, address, and the items you have purchased to manage any complaints, comments or queries you submit to us regarding your online purchase.
In addition to using Whitbread Group PLC as described above, we use third party providers for the following services:
If our business is to be integrated with another business or sold, your details would be shared with our advisers and any prospective purchaser’s advisers. Your information could be passed to the new owners. (You will be notified if this happens).
Personal data may be shared with government authorities and/or law enforcement officials for the prevention or detection of crime, if required by law or if required for a legal or contractual claim.
Sometimes we send or store your data outside of the European Economic Area (the EU plus Iceland, Lichtenstein and Norway) (‘EEA’). For example, to follow your instructions, comply with a legal duty or to work with or receive services from our service providers who we use to help run your accounts and our services.
If we do transfer information outside of the EEA, we will make sure that it is protected by using one of these safeguards:
For our service provider in the US, who helps us with our customer feedback surveys, we rely on Privacy Shield. For our service provider in India, who has restricted access to some data to provide us with IT support and maintenance services, we rely on contractual measures. For further details on the mechanisms used please contact email@example.com.
We keep your data to enable us to fulfil our contract with you or to provide services, to enable us to facilitate the provision of products and services purchased from our online shop ,whilst you are an active user of our site, app or Costa Coffee Club, where required by law or to protect legal rights.
We always look to keep your data for the minimum time in line with data protection principles and our processes. For example, we keep:
If you unsubscribe from marketing communications we keep a record of this request indefinitely to ensure we do not send you direct marketing again.
We may keep your data for longer if we cannot delete it for legal, regulatory or technical reasons.
You have rights over your personal data.
Some rights, however, may be limited. We may be obliged by law or regulation to keep information. We must respect other people’s privacy as well, which means we may need to redact or remove information where it includes personal data about someone else, even if it is connected to your data. On occasion there may be a compelling legitimate interest to keep processing data.
If you want a copy of your data, to object to how we use your data, or ask us to delete it or restrict how we use it or, please see ‘Contact details’ below. To process a request from you, we may need to confirm your identity to ensure we’re accessing the right data.
You have a right to complain to an EU data protection authority. This can be where you live, work or where the matter occurred. In the UK, the authority is the Information Commissioner’s Office (the “ICO”).
To exercise any of your rights or to withdraw consent you can email: firstname.lastname@example.org.
To discuss or change your Costa Coffee Club account details, including preference settings, you can log into ‘My Account’ and go to (account details) and Contact Preferences or contact customer services at email@example.com.
For any queries relating to data protection, please contact Costa's Data Protection Officer by email at firstname.lastname@example.org or write to them at Data Protection Officer, Costa Limited, Costa House, 6 Porz Avenue, Houghton Hall Business Park, Houghton Regis, Dunstable, Beds, LU5 5YG.
We may change or update this notice from time to time. We will communicate these as appropriate – for example, by updating our website or, where legally required, by actively telling you about the changes.
The controller for your information is Costa Limited, Costa House, 6 Porz Avenue, Houghton Hall Business Park, Houghton Regis, Dunstable, Beds, LU5 5YG.Costa Limited runs the Costa Coffee Club within Great Britain.
Some stores using the Costa brand are franchisees. Franchisees are all committed to protecting your privacy but, just to be clear, each Costa franchisee is an independent business and is responsible for the operation of its own stores and compliance with data protection law.