Privacy Policy

IMPORTANT: PLEASE READ THIS PRIVACY POLICY AS IT APPLIES TO ANY PERSONAL DATA YOU PROVIDE US OR THAT WE COLLECT ABOUT YOU, FOR EXAMPLE, IF YOU ACCESS THE WEBSITE AT HTTPS://WWW.OREE.CO.UK OR ANY OTHER WEBSITE OWNED, OPERATED, OR PROVIDED BY ORÉE BOULANGERIES (‘WEBSITE’, ‘ORÉE’, ‘US’, ‘WE’ RESPECTIVELY) OR IF YOU ENQUIRE ABOUT OR USE ANY OF OUR PRODUCTS OR SERVICES (‘SERVICES’).

We do not market to or enter into contracts with children, nor do we collect personal data from any person under 18 years of age. Please do not access or use the Website or Services if you are under 18 years of age.

This Policy

This policy outlines what personal data we may collect, how we process and protect that data, the lawful grounds for processing, and your rights concerning your data. We always strive to comply with the relevant data protection laws applicable to our processing of personal data. For example, the EU General Data Protection Regulation 2016/679 (‘EU GDPR’) may apply, and as a UK-based company, we also adhere to the UK Data Protection Act 2018, the UK e-Privacy Regulations (‘PECR’), and the UK GDPR, a version of the EU GDPR adopted into UK law.

For simplicity, we refer to both the EU and UK versions as ‘GDPR’ since they are largely similar. The GDPR sets the global standard for data protection laws and has influenced regulations worldwide.

‘Personal data’ is a term defined in both EU and UK law. We also use it here to refer to ‘personally identifiable information,’ as defined in US law, and other comparable legal terms. In essence, ‘personal data’ refers to any information about an identified or identifiable natural person, meaning one who can be identified, either directly or indirectly, using the information alone or combined with other information.

In most cases, our lawful basis for processing your data is because it is necessary: (i) for our legitimate interests in running our business, including improving and marketing our products and services (where these interests are not overridden by your rights), (ii) to fulfil a contract with you, or (iii) to comply with our legal obligations. If our processing is based on your consent, we will clearly state the purpose and ensure you are fully informed when giving your consent.

As data protection laws evolve, this policy may be updated from time to time. Any changes will be posted on the Website, and the updated policy will take effect from the date specified. It is your responsibility to review the Website periodically for any changes.

How Do We Obtain Personal Data?

We collect personal data in the usual course of business. For example:

  • You may provide us with your details when you become a customer, such as your name, email, and employer (when purchasing on behalf of a business) (‘Account Data’),
  • You may provide your details when signing up for our Loyalty App, including your name, email, and optionally your date of birth and postcode (‘Loyalty Account Data’),
  • We may collect personal data from customers when they use our Services, such as names of team members or other data entered into the Services (‘Service Data’),
  • You may provide your contact details when inquiring about our products or services (via our Website, email, or otherwise). We may also obtain contact information for marketing purposes from publicly available sources or business websites (‘Marketing Data’),
  • When visiting our Website or using our Loyalty App, we may collect information such as your IP address or details about your visit, and we may track how you use our Services (‘Improvement Data’)
  • You may provide personal data, including a CV, when applying for a job with us (‘Recruitment Data’).

We are the ‘controller’ of Account Data, Marketing Data, Improvement Data, and Recruitment Data, meaning we determine how and why this data is collected and processed. We are a ‘processor’ of Service Data, meaning the customer remains the ‘controller’ and we process this data to fulfil our contract with the customer.

Your Provision of Personal Data

When you provide us with personal data about yourself or someone else (such as a colleague or contact), you confirm that you have obtained consent or authorisation to share that data. You also confirm that the personal data provided is accurate and up-to-date.

While providing personal data to us is optional, please note that we may not be able to fulfil certain requests or provide services if we do not have the necessary information.

Special Categories & Crime

Given the nature of our business, we do not request ‘special categories of personal data’ (such as political opinions, racial origins, or sexual life) or personal data related to criminal convictions or offences. We ask that you refrain from sending such data to us.

We may request details related to allergies or health conditions for safety purposes. If you choose to submit special categories of personal data via our Website or Services, you must ensure you have the necessary consent, and you agree that this data will be handled in accordance with this policy, including potential transfers within or outside the UK or EEA as described.

How Do We Use Personal Data?

We use personal data in the normal course of business, including to:

  • Respond to inquiries, provide the Website, Loyalty App, and Services, and offer customer support. Lawful basis: Legitimate Interests or Contract.
  • Analyse and improve the Website and Loyalty App, including for security or technical purposes. Lawful basis: Legitimate Interests. For certain cookies, we may require your Consent.
  • Market our Services, ensuring you can easily opt out of future communications. Lawful basis: Legitimate Interests or Consent.
  • Operate CCTV in some locations for crime prevention and health & safety reasons. Lawful basis: Legitimate Interests.
  • Share data with third parties in specific circumstances, such as for operational or legal reasons. Lawful basis: Legitimate Interests, Contract, or Consent.

Sharing Data & International Transfers

We do not sell or rent your personal data to third parties for marketing. However, we may share data with third parties for operational purposes, including with contractors or advisors who help us run our business. Lawful basis: Legitimate Interests or Contract.

In some cases, we may be legally required to share your personal data with authorities or regulatory bodies. Lawful basis: Legal Obligation.

If we engage in a business transaction (such as the sale of part of the company), we may share personal data related to that transaction under strict confidentiality. Lawful basis: Legitimate Interests.

Where possible, we store personal data within the UK or EEA. If data must be transferred outside these areas, we ensure appropriate security measures are in place and that a valid legal basis exists for the transfer.

Cookies

Our Website uses cookies. For more information, please review our Cookie Policy, which includes how to manage or opt out of cookie usage.

Retention

We retain personal data only for as long as necessary to fulfil the purposes outlined in this policy or to comply with statutory retention periods.

Security

We take the security of your data seriously, employing technical and organisational measures to protect personal data in our systems. However, please note that the internet is inherently not a secure environment.

Anonymised Data

We may anonymise personal data in compliance with applicable laws and guidelines, making it impossible to identify individuals from the anonymised data. This data is no longer considered personal data and is not subject to this policy.

Third-Party Services

If you access third-party services via our Website or Services, your use of those services is governed by the privacy policies of the third-party providers, not this policy. Please review their privacy policies before use.

Your Rights

Under the GDPR, you have the right to:

  • Know if we process your personal data and obtain a copy,
  • Correct or remove inaccurate data,
  • Object to certain data processing,
  • Withdraw consent for data processing,
  • Restrict certain processing of your data,
  • Request the deletion of your data,
  • Request data portability.

You may also object to the processing of your data for direct marketing at any time.

This privacy policy applies to ORÉE Boulangeries, and we are committed to ensuring your personal data is handled responsibly and securely.