Welcome to the website of Closy. In our capacity as controller within the meaning of the General Data Protection Regulation, we are obliged to comply with statutory provisions on data protection. As a matter of course, we greatly value the protection of your personal data along with fair and transparent data processing. We have provided you below with all the information you need to verify and exercise your data protection rights.
1 Who is responsible for data processing?
The responsible party is:
Closy Online Limited
Berkeley Square House, Berkeley Square
London W1J 6BD
2 How can I contact the data protection officer?
You can contact our data protection officer at:
Closy Online Limited
Berkeley Square House, Berkeley Square
London W1J 6BD
3 Why and on what legal basis do we process personal data?
If you are a Closy customer, create an account with us, participate in competitions or promotions or otherwise contact us, we will receive your personal data.
We collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
Security of Your Personal Information
Closy ensures that all information collected will be safely and securely stored.
We protect your personal information by:
- Restricting access to personal information
- Maintaining technology products to prevent unauthorised computer access
- Securely destroying your personal information when it's no longer needed for our record retention purposes
Closy uses 128-BITbit SSL (secure sockets layer) encryption technology when processing your financial details. 128-bit SSL encryption is approximated to take at least one trillion years to break, and is the industry standard.
May include first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
May include billing address, delivery address, email address and telephone numbers.
May include bank account and payment card details.
may include details about payments to and from you and other details of products and services you have purchased from us.
may include internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
may include your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.
May include information about how you use our website, products and services.
Marketing and Communications Data
may include your preferences in receiving marketing from us and our third parties and your communication preferences.
We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
We generally process data on the following legal bases:
- 6.1a GDPR, if you give us your explicit consent for data processing, e.g. if you are a prospective customer we may need your consent to send you marketing emails;
- 6.1b GDPR, if we are acting to fulfil our contractual obligations, e.g. if we use your email address to confirm the delivery date for your next cooking box;
- 6.1c GDPR, if we are acting to fulfil legal obligations, e.g. if we check your age and your identity before the conclusion of a contract, to prevent fraud, if you purchase alcohol as part of an order with us, or if you are to receive a free alcohol sample as part of a promotion;
- 6.1f GDPR, if we process your data due to a legitimate interest of ours or a third party’s, e.g. if we use your email address to send you our newsletter for direct advertising purposes, where we provide your data to third parties (as outlined below) or for optimizing our website’s advertising design.
3.1 Data processing by Closy
3.1.1 Shipping your items / customer account
We are pleased to be able to supply you with our goods. To enable you to order from us, we will create a customer account for you after your registration. In order to protect your customer account from access by third parties, we store your user name and password. In order to be able to deliver the goods to you as desired, we store your contact data, order and delivery time and payment information. You can voluntarily provide your phone number so that we can contact you in case of delays or problems delivering your goods. Please note that you may deactivate your account at any time.
3.1.2 Paying for your goods
Your payment details will be sent to the appropriate payment service provider depending on the payment method you choose. The payment service provider is responsible for your payment data. Information, particularly about the authority responsible for the respective payment service provider, the contact information for the data protection officers of the payment service providers and the categories of personal data that are processed by the payment service providers, can be obtained from the following addresses:
Stripe Payments UK Limited
9th Floor, 107 Cheapside
You authorise us to charge each payment to the payment card you use to make your initial payment. You will be able to view, amend, update and delete your payment card details when logged into your Closy account. You will be able to store multiple payment cards and choose which payment card to use for payment. If we are unable to complete a charge using your chosen payment card, you authorise us to charge a payment to any other payment card stored.
3.1.3 Customer Care
You can contact us via email, phone, chat or social media message to ask us questions, send us messages or make complaints. We only process your personal data in this context in order to get in contact with you the way you wish and to answer or fulfil your request or complaint.
We may also use your personal data, such as your name, email address, phone number and product information to identify and call you to find out more about your experience with Closy and how you think it could be improved. We may also call you or contact you via SMS after you have deactivated your customer account so that we can find out if you would like to re-activate it (or change how you have used Closy’s services in the past). We may also send you reminders via SMS when one of your payment cards is close to expiry, your payment failed or in relation to other transactional matters. All of our calls will be recorded for training and monitoring purposes and you will have the right to opt out from receiving these calls or SMS at any time by contacting us at info@closymarket.
3.1.4 Participation in competitions
If you take part in one of our competitions, we collect data that is necessary to carry out the competition. This usually includes an individual competition entry (e.g. a comment or a photo), as well as your name and your contact details. It is possible that we transmit this data to our competition partners, e.g. to send you the prize. The processing and transfer of data may vary depending on the competition and is therefore specifically described in the respective conditions of participation. Participation in the competition and the associated data collection is, of course, voluntary.
3.1.5 Comments on our blog
You have the option of leaving comments on our blog. Your comment, details at the time of writing the comment, email address and - if you do not post anonymously - username will be stored for the comment function on our web pages. Your IP address is also stored. Storage is necessary for us to be able to defend ourselves against liability claims in cases of possible publication of illegal content.
3.1.6 Advertising by Closy
Closy uses the email address, telephone number and postal address provided by the customer to inform on similar product and service offers by email, SMS and mail. If you do not wish to receive any further advertising information by email, SMS or mail, you can object to the use of your contact data for advertising purposes at any time without incurring any costs other than for transmission according to the basic rates.
You can submit your revocation through our contact channels at info@closymarket. It is also possible to change communication preferences at any time in the customer account area with an existing customer account.
If you are a new customer, and where we permit selected third parties to use your data, we (or they) will contact you by electronic means only if you have consented to this.
3.1.7 Social media
Registration with Facebook Connect
We offer you the opportunity to register with us through Facebook Connect (Facebook Inc., USA, Data protection declaration: www.facebook.com/policy.php). An additional registration is not necessary in this case. You will be redirected to the Facebook page where you can log in with your user data. This will link your Facebook profile and our service. The link automatically provides us with the following information from Facebook: Facebook name, Facebook profile and cover picture, email address stored on Facebook, Facebook friends lists, Facebook likes, birthday, gender, country, language.
Data is used to set up, provide and personalize your customer account.
Social media plugins
On our, we have included social media plugins that you can use to share certain content over social networks. To protect your privacy, we offer you these social plugins as so-called “2-click buttons.” The “2-click solution” prevents data (e.g. your IP address) from being transmitted to social networks such as Facebook or Twitter as soon as you open our website. For this purpose, the buttons are deactivated by default and are only activated by clicking the social plugins for the first time.
After activation, the plugins also collect personal data such as your IP address and send it to the servers of the respective provider where it is stored. In addition, activated social plugins set a cookie with a unique identifier when loading the relevant website. This also allows providers to create profiles of your usage behaviour. The data will be used to show you personalised advertising, as well as for market and opinion research purposes.
Data transfer is independent of whether you have an account with the plugin provider and are logged in there. If you are logged in with the plugin provider, your data collected with us will be assigned to your existing account with the plugin provider.
We have integrated the plugins of the following providers on our website:
- Facebook (Facebook Inc., USA, Data protection declaration: http://www.facebook.com/policy.php)
- Twitter (Twitter Inc., USA; Data protection declaration: http://twitter.com/privacy/)
- Pinterest (Pinterest Inc., USA; Data protection declaration: http://de.about.pinterest.com/privacy/)
- Google+ (Google Inc., USA; Data protection declaration https://www.google.com/policies/privacy/partners/?hl=de)
3.2 Will my usage data be processed for website optimisation and usage-based online advertising?
Cookies are small text files that are placed on your computer when you visit our website and allow your browser to be reassigned. Cookies store information such as your language setting, the duration of your visit to our website or the information you enter there. This avoids the need to re-enter all necessary data for each use. Cookies also enable us to recognize your preferences and to tailor our website to your interests.
Most browsers automatically accept cookies. If you want to prevent cookies from being saved, select “do not accept cookies” in the browser settings. You can find out how this works in detail from your browser provider’s instructions. You can delete cookies that are already stored on your computer at any time. However, we would like to point out that our website may only be of limited use without cookies. Alternatively, you can prevent the collection and forwarding of your data (particularly your IP address) and the processing of this data by deactivating the execution of Java Script in your browser or by installing a tool such as “NoScript.”
We would like to explain some of the services in more detail below:
3.2.1 Google Analytics
Our website uses Google Analytics, a service of Google Inc., USA (“Google”). Google Analytics enables us to evaluate your website use in order to compile analyses of website activity and make use of other services associated with website and Internet use.
You can prevent Google from collecting data by downloading and installing the browser add-on. By clicking the following link, an opt-out cookie is set that will prevent the future collection of your data when you visit this website: Disabling Google Analytics.
We also use the Google Conversion Tracking service as part of Google Analytics. This enables us to record the behaviour of our website visitors. For example, we are shown how often the contact form has been filled in. We also see how many clicks on advertisements from external sources (AdWords, LinkedIn, Xing, Bing) have led to our website.
3.2.2 Facebook Custom Audience Pixel
This website uses Custom Audience Pixel, a service of Facebook Inc., USA. Custom Audience Pixel is a Java script code that we have integrated into each of our web pages. We use custom audience pixels to collect information about the way visitors use our website. This pixel collects and reports Facebook information about the user’s browser session, a hashed version of the Facebook ID and the URL being viewed. Each Facebook user has a unique and device-independent Facebook ID that enables us to address and recognize users across multiple devices on the social network Facebook so that we can reach our visitors again for advertising purposes through Facebook ads. After 180 days, the user information will be deleted until the user returns to our website. Therefore, no personal information about the individual website visitors is disclosed to HelloFresh and website customer target audiences can only be specifically advertised to as soon as they have reached a significant mass in terms of numbers.
4 Will my data be transmitted to third parties?
In order for Closy to process your data according to the purposes described above, it may be necessary for other recipients to also be able to view and process your data.
4.1 Other service providers, partners and third parties
Closy shares personal data with third party service providers processing personal data on Closy’s behalf in accordance with Art. 28 GDPR. This includes the following service providers, partners or third parties:
- Transport companies (for example, to ship and deliver your recipe box)
- Banks and payment service providers (for example, to process credit cards and payments)
- IT service providers (for example, to host, manage and service our data)
- Our customer care providers (for example, RSVP, CityConnect and Linea Directa); and
- Marketing companies who assist us with marketing campaigns (for example, our direct sales agencies and printers)
5 Will my data be processed outside the EU/EEA and how is data protection ensured?
It is important to us to process your data within the EU/EEA. However, we may use service providers who process data outside the EU/EEA, for example, Experian use a data sub-processor in India. In these cases, we ensure that an appropriate level of data protection is established prior to the transfer of your personal data. This means that a level of data protection comparable to the standards within the EU is achieved using EU standard contracts or an adequacy resolution such as the EU Privacy Shield. If you would like a copy of the EU standard contracts used, please contact us using the contact details above.
6 How long will my data be stored?
We delete personal data as soon as the purpose of storage no longer applies and legal retention periods do not preclude deletion.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
By law we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years after they cease being customers for tax purposes.
At Closy, we usually delete data as follows:
- Job applicant data: no later than six months after receipt of application
- Contract data: after termination of the Closy account, except where retention obligations provide otherwise
- Contact requests: after processing the request
7 Data Security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
Unfortunately, the transmission of information via the Internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
8 What rights do I have and how can I assert them?
Every customer or any other person affected by data processing has the right to information according to Art. 15 GDPR, the right to correction according to Art. 16 GDPR, the right to deletion according to Art. 17 GDPR, the right to restriction of processing according to Art.18 GDPR, the right to objection according to Art. 21 GDPR and the right to data transferability according to Art. 20 GDPR.
You can revoke your consent to the processing of personal data at any time. This also applies to the revocation of declarations of consent that were given to us prior to the validity of the General Data Protection Regulation, i.e. before May 25, 2018. Please note that revocation will only take effect for the future. Processing that took place before the revocation is not affected.
You can submit your objection by email (info@closymarket), or in writing (Closy Online Limited, Berkeley Square House, Berkeley Square London W1J 6BD).
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us under www.hellofresh.co.uk/contact in the first instance.
Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.
You can ask us or third parties to stop sending you marketing messages by contacting us at any time, or by adjusting your communication preferences via Account Settings on our website. If you no longer wish to receive our email communications, you can unsubscribe at any time by clicking on the unsubscribe link at the end of each newsletter.