PRIVACY POLICY

PRIVACY STATEMENT

Privacy Statement, 200 Degrees Holdings Ltd

Last Updated 23/02/2024

We take your privacy seriously and will only use your personal information to administer your account and to provide the products and services you have requested from us. We will never sell, share, or use your personal information other than as described here.

ABOUT THIS PRIVACY POLICY:

This policy sets out how we will use and share the information that you give us or allow us to obtain from third parties. This policy describes your relationship with 200 Degrees Holdings Ltd (“us”, "we" or "our"), and in no way represents any agreement between you and us other than as described here.

WHO WE ARE AND HOW TO CONTACT US:

200 Degrees Holdings Ltd is the parent company of 200 Degrees Coffee Shops Ltd and 200 Degrees Coffee Roasters Ltd. It is registered in England and with the Information Commissioner’s Office under the Data Protection Act 1998. The Data Controller is: Tom Vincent. You can get in touch with us in any of the following ways:

By email: privacy@200degs.com; by phone: 0115 837 4849 (office hours); by post: Tom Vincent, 200 Degrees, Heston House, Meadow Lane, Nottingham, NG2 3HN

HOW TO CHANGE YOUR PREFERENCES:

You can contact us at any time to change your preferences. This includes requests to object to processing, to be forgotten (right to be deleted), for your data to be corrected, or to transfer your data to another platform. We take your rights seriously and will always reply promptly and professionally.

HOW WE OPERATE:

We operate in line with the EU GDPR (May 2018) Data Protection guidelines. We are committed to maintaining your personal rights and allow all users to change or withdraw their consent options at any time. We will also advise you on how to complain to the relevant authorities, namely the Information Commissioner's Office.

HOW WE USE YOUR DATA:

- When you purchase something from our store, as part of the buying and selling process, we collect the personal information you give us such as your name, address and email address.

- When you browse our store, we also automatically receive your computer’s internet protocol (IP) address in order to provide us with information that helps us learn about your browser and operating system.

- Email marketing (if applicable): With your permission, we may send you emails about our business, new products, offers and other updates.

THIRD PARTY SERVICES:

We use recognised third parties to take payment, manage our company accounts, and provide banking services. In general, the third-party providers used by us will only collect, use and disclose your information to the extent necessary to allow them to perform the services they provide to us.

However, certain third-party service providers, such as payment gateways and other payment transaction processors, have their own privacy policies in respect to the information we are required to provide to them for your purchase-related transactions. For these providers, we recommend that you read their privacy policies so you can understand the manner in which your personal information will be handled by these providers.

Once you leave our store’s website or are redirected to a third-party website or application, you are no longer governed by this Privacy Policy or our website’s Terms of Service.

Where valid, appropriate, verified, and subject to legal obligations, third parties are also expected to complete rectification or erasure requests within 72 hours of receipt.

HOW WE STORE YOUR DATA:

We will store transaction, payment, and order data for up to 7 years or for as long as required by UK financial and company regulations. These third parties may operate outside the EU.

Our email database is hosted by Klaviyo. They provide us with the platform that allows us to send out our newsletters and general updates via email. Your data is stored securely on Klaviyo’s servers. For more insight, you may also want to read Klaviyo’s Privacy Statement (https://www.klaviyo.com/legal/privacy/privacy-notice).

Our store and subscription service is hosted on Shopify. They provide us with the online e-commerce platform that allows us to sell our products and services to you. For more insight, you may also want to read Shopify’s Privacy Statement (https://www.shopify.com/uk/legal/privacy/visitors).

200 DEGREES APP

The 200 Degrees mobile application is owned and operated by 200 Degrees, who are the controller of all stored data.

Pepper HQ Ltd operate as a processor of data for the 200 Degrees App.

This policy, together with our MOBILE APP TERMS OF USE, explains how we may use information we collect about you, as well as your rights over any personal information we hold about you. Please read this and our MOBILE TERMS OF USE carefully.

INFORMATION WE COLLECT ABOUT YOU THROUGH THE 200 DEGREES APP

We collect information about you when you:

- Register to use the 200 Degrees App;

- Attempt to check in to one of our stores;

- Register your debit or credit card details;

- Upload a profile photo, and

- Use the payments facility in the 200 Degrees App to pay for your purchase.

This information is stored and processed under Article 6(1)(b) of the GDPR ("processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract"), i.e. we need this data for you to be able to use the App for its primary purposes.

The 200 Degrees App captures your geographic location when you attempt to 'check in' to one of our stores. We do this to identify which store you are in or near, to allow you to pay using the 200 Degrees App, and to provide an enhanced visitor experience (for example, through digital loyalty cards). We will only capture this information with your consent. The 200 Degrees App also captures basic usage metrics to help us identify any problems and to make improvements in the future. These metrics also help us understand how people use the 200 Degrees App and how many people use the different functions within the 200 Degrees App.

Your contact details and personal information may be used to send direct marketing messages to you via the contact details you have provided. This is done only with your explicit consent, which can be withdrawn at any time from the 'My Account' options within the app. You may refuse consent for marketing messages without detriment to any other areas of functionality within the app.

INFORMATION WE CAPTURE

GEOGRAPHIC LOCATIONS

We provide enhanced store visit experiences when you choose to 'check in' to one of our stores and allow you to pay using the 200 Degrees App. You may prevent the 200 Degrees App from accessing the location services of your Mobile Device. Doing so will impact the capability of the 200 Degrees App and prevent you from enjoying an enhanced experience.

Data you store with us (including information you give us when signing up, and information that is shared automatically, such as Device ID and IP address).

We use this data to log you in to the 200 Degrees App and it helps us understand our customers better and present you with appropriate offers and promotions. Your data is stored in an encrypted database and transferred over a secure network connection. You decide which data you do and do not share with us. If you ask us to, we will update, correct or delete any data which you give to us.

YOUR CARD DETAILS

Your card details are not stored on the 200 Degrees App and they are only used in accordance with your top-up instructions. Your card details are stored with our payment gateway partner - Braintree by Paypal - who are a Level 1 certified PCI-DSS Service Provider. You do not have to use the payments facility within the 200 Degrees App to pay for your purchase.

YOUR PROFILE PHOTO

Your profile photo is used in store to verify your identity. If you ask us to, we will update, correct or delete your profile photo. However, you must have a profile photo if you wish to use the 200 Degrees App to pay for your purchase in-store.

YOUR PURCHASE HISTORY

We use your purchase history to provide personalised offers and analyse which products and rewards are most likely to interest you.

DATA STORAGE, PROTECTION AND YOUR RIGHT TO ACCESS AND ERASURE

Your data is stored in an encrypted database and transferred over a secure network connection. We will store your information for as long as your account exists in the 200 Degrees App. If your user account is entirely inactive for a period of 12 months or more, we will delete your account. If you ask us to, or if you delete your account, we will delete the information linked to your account which can identify you personally, including your profile photo and personal details.

You may ask us at any time to provide you with confirmation that your data is being processed and with access to your personal data. This will generally be provided within 7-21 working days.

MARKETING AND RESEARCH

If you agree, we may contact you:

- With offers and information about 200 Degrees products or services.

- For customer research, e.g. to help improve our service

You can ask us to stop contacting you for marketing and/or research purposes by following the instructions in any such communication or by emailing us at app@200degs.com

DISCLOSING YOUR INFORMATION

We will never disclose your information to anyone outside of 200 Degrees except:

- Where we have your consent

- Where we are required or permitted to do so by law

- To other companies who provide a service to us as a processor under the terms of this privacy policy

- To any successors in title to our business.

If we ever transfer your personal information to countries outside the European Economic Area we will ensure that appropriate security measures are taken.

ACCESSING YOUR INFORMATION

To obtain a copy of the information we hold about you, email us at app@200degs.com. Please confirm any details to help us identify and locate your information. If any of the details are incorrect, let us know and we will amend them.

CHANGES TO OUR POLICY

This policy replaces all previous versions and is correct as of February 2024. We reserve the right to change this policy at any time.

CONTACTING US

If you have any queries, get in touch with us at app@200degs.com

PAYMENT:

If you choose a direct payment gateway to complete your purchase, then Stripe stores your credit card data. It is encrypted through the Payment Card Industry Data Security Standard (PCI-DSS). Your purchase transaction data is stored only as long as is necessary to complete your purchase transaction. After that is complete, your purchase transaction information is deleted.

All direct payment gateways adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, MasterCard, American Express and Discover.

PCI-DSS requirements help ensure the secure handling of credit card information by our store and its service providers.

CHANGING YOUR PREFERENCES AND OPTING OUT AT A LATER DATE:

Once you have given your data and/or explicit consent, you can still control whether or not you continue to receive communications or see such advertisements from us. The simplest way to amend your preferences and withdraw consent is to contact us directly. However, you can also unsubscribe from receiving e-mail communications from us by using the instructions in any email communication we send you (usually an 'unsubscribe' or 'STOP' link).

You can opt out at any time from communications by e-mailing us at: privacy@200degs.com

Social media: You can configure your advertising preferences on social media by accessing your settings or preference options on the relevant platform.

OUR OBLIGATIONS:

We are a data controller in relation to the information that you provide us with. As a result, we are legally responsible for how that information is handled.

We will always endeavor to comply with the Data Protection Act 1998, the GDPR (2018) and PECR in the way we use and share your personal data. Among other things, this means that we will only use your personal data:

- fairly and lawfully,

- as set out in the legislation and this policy,

- to the extent necessary for these purposes.

If you have any requests concerning your personal information or any queries about our privacy policy, website or service, please contact us using the details given above. We are friendly and professional and will always help.

SECURITY:

We will report any breaches or potential breaches to the appropriate authorities within 24 hours, and to anyone affected by a breach within 72 hours. If you have any queries or concerns about the data usage please contact us.

LEGITIMATE INTERESTS:

Under the Data Protection Act, we are also permitted to share some information with third parties who use such data for non-marketing purposes (including credit and risk assessment and management, identification and fraud prevention, debt collection and returning assets to you). This would include the data you provide to us today, at any time in the past and in the future.

CONTACTING US, EXERCISING YOUR INFORMATION RIGHTS, AND COMPLAINTS:

If you have any questions or comments about this Privacy Policy, wish to exercise your information rights in connection with the personal data you have shared with us, or wish to complain, please contact The Data Protection Officer at 200 Degrees Holdings Ltd. Where valid, appropriate, verified, and subject to legal obligations, we will complete objection, rectification or erasure requests within 72 hours of receipt by us. We will process SARs within 20 days. SAR responses are usually free, but we reserve the right to charge for excessive or unfounded requests. We fully comply with Data Protection legislation and will assist in any investigation or request made by the appropriate authorities.

This policy may be updated from time to time – where material changes occur we will contact you on the email address provided. You have the right to remove consent at any time.

USE OF COOKIES

This website uses cookies. By using this website and agreeing to this policy, you consent to 200 Degrees’ use of cookies in accordance with the terms of this policy.

There are two main kinds of cookies: session cookies and persistent cookies. Session cookies are deleted from your computer when you close your browser, whereas persistent cookies remain stored on your computer until deleted, or until they reach their expiry date.

200 Degrees uses Google Analytics to analyse the use of this website. Google Analytics generates statistical and other information about website use by means of cookies, which are stored on users' computers. The information generated relating to our website is used to create reports about the use of the website. Google will store and use this information. Google's privacy policy is available at: http://www.google.com/privacypolicy.html.

Most browsers allow you to refuse to accept cookies.