This Privacy Notice was last updated on 3 November 2020.
Planet Organic Ltd (“Planet Organic”, “we”, “us” or “our”) is a "data controller". This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice. Our Information Commissioner’s Office registration number is Z206010X.
We are a company registered in England and Wales under company registration number 03826282. Our registered office address is at 42 Westbourne Grove, London, W2 5SH. You can contact us by writing to us at that address. Alternatively, you can email us at email@example.com.
This privacy notice describes how we collect and use personal information about you or that you provide:
(i) when you purchase goods from us either in store or from our website at https://www.planetorganic.com/ (the “Website”);
(ii) when you use any of the services that we provide, including our “food to go” ordering service for delivery or collection (the “Services”);
(iii) When you join any of our member groups (“Member Groups”);
(iv) when you subscribe to or submit content to, our blogs, forums and social media pages (“Social Media Pages”);
(v) when you register for and attend our events (“Events”);
(vi) when you visit the Website;
(vii) when you visit any of our stores; and
(viii) when you contact us (by email or telephone or in person).
It is important that you read and retain this notice, together with any other privacy notice we may provide, so that you are aware of how and why we are using such information and what your rights are under the data protection legislation.
Data protection principles
Data protection law says that the personal information we hold about you must be:
1. Used lawfully, fairly and in a transparent way.
2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
3. Relevant to the purposes we have told you about and limited only to those purposes.
4. Accurate and kept up to date.
5. Kept only as long as necessary for the purposes we have told you about.
6. Kept securely.
The kind of information we hold about you
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
The type of information we collect from you will depend upon the type of interaction you have with us. We have grouped the information together as follows:
- Identity Data includes your first name, last name, username or similar identifier, title, date of birth and gender;
- Contact Data includes your delivery address, billing address, email address and telephone number;
- Financial Data includes your payment card and payment account details;
- Transaction Data includes details about your orders and the products you have bought from us, the services you have used, and the payments to and from you;
- Technical Data includes your internet protocol (IP) address, your login data, browser type and version, time zone settings and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use, your unique device identifiers and other diagnostic data;
- Profile Data includes your username and password, purchases and orders placed by you, your interests, preferences, requirements, feedback and survey responses;
- CCTV Data is images of you captured by our in-store CCTV systems;
- Usage Data includes information about how you use our Website, the pages you visit, the time and date of your visit, the time spent on the pages you visit, and information about how you use our products and services;
- Marketing and Communications Data includes your preferences to receive marketing communications from us and information contained in communications you send to us; and
- Social Media Data includes your social media account username or handle and the information, messages, images and content you post on our Social Media Pages.
We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific Website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
How is your personal information collected?
We collect personal information about you:
- through your use of the Website such as when you place your order via the Website;
- through visiting our stores such as when you purchase goods from us in store;
- through your use of the Services;
- when you join our Member Groups;
- through your use of, and interaction with, our Social Media Pages;
- through you registering for, and attending, our Events; and
- when you otherwise provide us with your personal information.
How we will use information about you
We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:
1. Where we have your consent.
2. Where we need to perform the contract we have with you.
3. Where we need to comply with a legal obligation.
4. Where it is necessary for legitimate interests pursued by us or a third party and your interests and fundamental rights do not override those interests. Our legitimate interests will include:
Situations in which we will use your personal information
We need all the categories of information in the list above primarily to allow us to fulfil your orders and to enable us to provide our services to you. We may also use your personal information to pursue legitimate interests, provided your interests and fundamental rights do not override those interests and to comply with the law. The situations in which we will process your personal information are listed below.
We may process personal data in the following ways:
- To register you as a customer and to set up your customer and user accounts with us and to set your preferences.
- To allow you to make purchases in store and via the Website, to apply discounts and promotional offers, to fulfil your orders, and to process refunds due to you.
- To allow you to make use of the Services and to join and participate in Member Groups.
- To allow you to subscribe to, interact with, and receive content from, our Social Media Pages and to display content from our Social Media Pages on our Website.
- To store data within our data warehouse and use data analytics and analysis to review and better understand customer behaviour and trends and to improve our Website, products/services, marketing, customer relationships and experiences.
- To ensure that content on the Website is presented in the most effective and relevant manner for you and for your device and to tailor the Website’s experience and content based on the way that you use the Website.
- To provide our “abandoned basket” service to inform you if you have an incomplete order and to ask if you want to complete the order.
- To manage our relationship with you which includes notifying you about changes to our terms of business and privacy notices and asking you to leave a review, participate in customer research or take a survey.
- To enable you to take part in promotions and competitions.
- To administer and protect our business, Website (including troubleshooting, data analysis, testing, system maintenance, security, support, reporting and hosting of data).
- To deal with your enquiries, requests, complaints and claims.
- To prevent fraud and criminal activity.
- To carry out product recalls.
- To notify you about changes to our Website and Services.
- To keep our stores safe and secure through the use of CCTV and to allow you to use our in-store WIFI.
- To provide you with marketing content in line with your preferences and to measure the effectiveness of the marketing communications we send you.
- To store cookies on your device.
- To comply with legal or regulatory requirements.
- For our business management and planning, including accounting and auditing.
If you want to learn more about what lawful bases we rely upon, or the types of data we collect, in respect of each situation in which we process your personal information, you may contact us at firstname.lastname@example.org.
If you fail to provide personal information
If you fail to provide certain information when requested, you may not be able to purchase goods from us, we may not be able to provide the Services to you, we may be prevented from carrying out the tasks above for your benefit, or we may be prevented from complying with our legal obligations.
How we use particularly sensitive personal information
"Special categories" of particularly sensitive personal information, such as information about your health, racial or ethnic origin, religious beliefs, sexual orientation, trade union membership and genetic and biometric data require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information.
We do not intend to process any special category data about you, and we will not request special category data from you. If you voluntarily provide any special category data to us, it is on the basis of your explicit consent.
Change of purpose
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
We do not envisage that any decisions will be taken about you using automated means under this Privacy Notice, however we will notify you in writing if this position changes.
We will share your data with third parties, including other entities in our group and our service providers. We require third parties to respect the security of your data and to treat it in accordance with the law.
We may transfer your personal information outside the United Kingdom and the European Economic Area. If we do, you can expect a similar degree of protection in respect of your personal information as it receives within the UK and the EEA.
Why might you share my personal information with third parties?
We will share your personal information with third parties where required by law, where it is necessary to administer our relationship with you or in order for a third-party service provider to provide a service related to our relationship with you.
Which third parties process my personal information?
"Third parties" include our third-party service providers and other entities within our group.
We will share your personal information with our service providers including couriers to deliver your orders, our payment processor to facilitate your payments (see below), marketing companies to run and fulfil our marketing campaigns, event organisers to arrange and organise our events, e-commerce providers to power our Website, e-commerce tools and customer experiences, together with IT software and services providers, website hosting service providers, data analytics and analysis service providers, data warehouse providers, and administrative services providers.
Our payment processor is Worldpay. Please refer to its privacy notice for information on how Worldpay will collect and handle your personal information when you make a payment to us.
How secure is my information with third parties?
All our service providers and other entities within our group are required to take appropriate security measures to protect your personal information. They must only process your personal information for specified permitted purposes and in accordance with data protection law.
When might you share my personal information with other entities in the group?
We may share your personal information with other entities in our group as part of our regular reporting activities on company performance, in the context of a business reorganisation or group restructuring exercise, for system maintenance and support and hosting of data.
When might personal data I have provided to third parties share my personal information with Planet Organic?
Our loyalty app is powered by YoYo Wallet and our “food to go” ordering service for delivery or collection is provided by Vita Mojo. Please refer to their privacy notices for information on how they will collect and handle your personal information.
YoYo Wallet will share aggregated data with us so we can analyse customer behaviour and high-level trends in order to improve our business as set out in this privacy notice. Vita Mojo will also share your personal information with us so we can perform the Services.
What about other third parties?
We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of our business. In this situation we will, so far as possible, share anonymised data with the other parties before the transaction completes. Once the transaction is completed, we will share your personal data with the other parties if and to the extent required under the terms of the transaction.
We may need to share your personal information with a regulator or to otherwise comply with the law.
We may need to share your personal information with our professional advisors, the authorities and the courts in certain situations (for example, to enforce our legal rights or to defend ourselves against allegations or claims made against us, to prevent or investigate wrongdoings or suspected wrongdoings or to protect and safeguard the users who use our Website and Services).
Transferring information outside the UK and the EEA
We may transfer the personal information we collect about you outside the United Kingdom and the European Economic Area.
However, to ensure that your personal information does receive an adequate level of protection we will make sure that we take steps necessary to protect your data as required by applicable laws. For instance, we may put in place the EU Commission’s approved Model Contractual Clauses and supplementary measures or equivalent levels protections to ensure that your personal information is treated by those third parties in a way that is consistent with and which respects the EU and UK laws on data protection.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to access your personal information. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
However, you should be aware that the transmission of information and data is never completely secure and there is a measure of risk associated with the use of any online service.
How long will you use my information for?
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. We undertake annual reviews of our retention periods and the data we are processing.
Generally, we will retain your personal information for 3 years after our last interaction with you, after which we will anonymise it so that it can no longer be associated with you, in which case we may use such information without further notice to you.
We will only retain your personal information for longer than 3 years (up to a maximum of 6 years) in situations where that information relates to a complaint or legal claim. We would of course keep your information for longer id the law required us to do so.
Rights of access, correction, erasure, and restriction
Your duty to inform us of changes
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes. You can contact us at the postal or email address set out above.
Your rights in connection with personal information
Under certain circumstances, by law you have the right to:
- Request access to your personal information (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal information to another party.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact us at the postal or email address set out above.
No fee usually required
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Right to withdraw consent
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact us at the postal or email address set out above. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
The withdrawal of your consent will not affect the lawfulness of any processing carried out before your consent was withdrawn.
Links to other sites
We have no control over, and assume no responsibility for, the content, privacy policies or practices of any third-party sites or services.
If you have any questions about this privacy notice or how we handle your personal information, please contact us at the postal or email address set out above.
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues.
Changes to this privacy notice
We may update this notice at any time. When we update this notice, we will post the updated version at the various data collection points so you can read and understand the new notice. If we make significant changes to the ways we use personal information we have already collected from you, we will take separate steps to notify you of the change and we will seek your consent as appropriate.
If you have any questions about this privacy notice, please contact us using the postal or email address set out above.