INTEGRITY POLICY

My Espresso House

Last updated: 2021-03-12

—————————————————————

My Espresso House Privacy Highlights

  • This Privacy Policy explains how we use your personal data when providing you with personal offers and discounts on selected products, as part of our loyalty program My Espresso House via our mobile application, or the member’s chosen payment method (”Service”).
  • The Service is operated by Espresso House Group AB, a company incorporated under Swedish law whose principal place of business is at Södergatan 24, 211 34, Malmö, Sweden.
  • The personalised offers you receive are based on your purchase history and the preferences you make when using offers at our coffee shops.
  • Certain functions of the Service, such as location-based offers, require that you share certain additional information about yourself, such as the location data of your position. This function is deactivated by default when installing the app and you may activate the function by providing express consent. You may at any time withdraw your consent and deactivate the location-based offers.
  • Our loyalty program is available for any person who is at least 13 years of age. However, if you are below the age of 18 you need the permission of your parent or legal guardian to use the Service.
  • As we are part of an international group of companies and share administrative systems, we may share your personal data with affiliates for the purposes described in this Policy.
  • The personal data you agree to provide us with when you register to become a member is required for us to be able to provide the Service. If you do not wish to provide us with the personal data mentioned in this Privacy Policy, you will not be able to join our loyalty program My Espresso House, and you will not be able to use the Service.

—————————————————————

Privacy Policy Full Text

Table of Contents

  1. Introduction
  2. Our principles
  3. Personal data that we collect
  4. How and why we use your personal data
  5. When and how we share information with others
  6. Data subject rights
  7. Security of your information
  8. Data storage and retention
  9. Exclusions
  10. Changes and updates to the Privacy Policy
  11. Questions, concerns or complaints
  12. Additional optional services

—————————————————————

1. Introduction

The My Espresso House app and the Service are operated by Espresso House Group AB, reg. no.: 559014-3748, e-mail: info@espressohouse.se (”Espresso House”), a company incorporated under Swedish law whose principal place of business is at Södergatan 24, 211 34, Malmö, Sweden.

This Privacy Policy describes Espresso House’s policies and practices regarding its collection and use of your personal data and sets forth your privacy rights. We recognise that information privacy is an ongoing responsibility, and so we will from time to time update this Privacy Policy as we undertake new personal data practices or adopt new privacy policies.

2. Our principles

We do our best to protect your privacy by using security technology appropriately. This means that:

  • We make sure that we have appropriate security measures to protect your information; and
  • We make sure that when we ask another organisation to provide a service for us, they have appropriate security measures.
  • We will respect your privacy. You should receive marketing (whether by email, post, SMS, telephone or social media platforms) only from us and, if you agree, from other organisations we have carefully chosen.
  • We will make sure it is clear when you can make these choices, for example, we have boxes you need to tick if you want to receive marketing and you can change your preferences if you no longer want to receive it. However, we may email you, or send you an SMS, occasionally with information or questions about your account or postings, for example, with reminders, warnings or copyright requests.
  • We will collect and use individual user details only if we have your permission or we have sensible business reasons for doing so, such as collecting enough information to manage subscriptions.
  • We will be clear in our dealings with you as to what information about you we will collect and how we will use it.
  • We will use personal information only for the purposes for which it was originally collected and we will make sure we delete it securely.

If we or our service providers transfer any information out of the European Union and European Economic Area (EEA), it will only be done with the relevant protection (stated under applicable data protection legislation) being in place.

3. Personal data that we collect

Collection of personal data

Espresso House collects personal data about the My Espresso House members who use the Services. This data consists of the information you actively provide us with, and the information which becomes available to us when you use the Service.

We do not sell personal information to anyone and only share it with affiliates and third parties who are facilitating the delivery of our services. For more on this, see Section 5.

The only personal information you are required to provide us with, when signing up for our loyalty program to use the Service, is your phone number. You may also provide us with your email address, name and profile picture in the mobile application if you wish to do so.

We also obtain data by recording your use of the Service. This means that when you pay for your purchase in one of our coffee shops while identifying as a member of our loyalty program, we will store information about your purchase in a database. This database is accessible only to employees at Espresso House, our affiliates, or our third-party partners, who maintain the databases and analyse the data for the purposes described in Section 4. This information consists of:

  • the products you buy at our coffee shops,
  • the amount you are buying for,
  • the specific coffee shop you complete your purchase in,
  • time of purchase,
  • offers used or claimed.

When using the Service you will also have the option of activating location-based offers. You will find more information about this in Section 12.

Your correspondence with Espresso House

If you correspond with us by email, the postal service, or other form of communication, we may retain such correspondence and the information contained in it (such as name, email, contact information and any personal identifiable information you provide in free text form) and use it to respond to your inquiry; to notify you of publications or other services; or to keep a record of your complaint, question, request, and the like. As always, if you wish to have Espresso House “erase” your personal information or otherwise refrain from communicating with you, please contact us at privacy@espressohouse.se.

Note: if you ask Espresso House not to contact you by email at a certain email address, Espresso House will retain a copy of that email address on its “master do not send” list in order to comply with your no-contact request.

4. How and why we use your personal data

We use the information we collect about our customers and users for four main reasons:

  • to conduct our business and provide (including improving and adapting) the services and products we offer,
  • to provide personalised services and offers tailored to individual users,
  • to send communication, including promotions to our users, as well as
  • to promote our services.

For these reasons, we combine data we collect to provide you with a smoother, more consistent and personalised experience. To improve the protection of your privacy, we have built in technical and organisational protection designed to prevent certain combinations of data.

Espresso House uses your personal data for the main purpose of providing you with the Service. Below you will find a list of sub-purposes, to give you a better and clearer idea of why we process information about you.

Purchases in a coffee shop or through pre-order: If you make the cashier in one of our coffee shops aware that you are a member of My Espresso House, your purchase will be registered as a member purchase, which means it will be part of your purchase history. If you make any exchange or return, you will be asked to provide the name and phone number on the receipt of the purchase.

If you pay by card, Swish or the payment method selected in the My Espresso House App, the payment will be processed by our payment service provider Adyen. When placing your order, money will be drawn from your account and Adyen will communicate with your bank regarding the transaction.

Verifying your account: We ask that you provide us with your mobile phone number to connect your membership account to your mobile phone. This information is stored to make sure that your personal offers, as well as your punch card and the 10 % discount with every purchase using your digital Coffee Card, are available to you personally, on your personal mobile phone. When signing up for a membership with My Espresso House you also have the option to provide us with your email address. By registering your email address, you will be able to verify your membership via your email, which means that you can access your membership account if you happen to get a new phone.

Activating functions based on your personal number, student ID, date of birth: To activate student offers you have to provide us with your [personal number/student ID]. We will use this information to communicate with Mecenat, to confirm that you are a registered student. The [personal number/student ID] will not be stored on our servers – we will simply forward it, with encryption, to Mecenat, so they can verify or deny that you are a student.

Via the Service you may also choose to provide us with your date of birth, to receive a gift from us on your birthday.

Invite a friend: You may send an invite to someone you know, who is not a member, and receive a gift as a thank you for inviting more people into the My Espresso House family! You do this by entering the mobile phone number of the person who you wish to invite. This person will then receive an SMS with an invite. If the person joins via this invite, your membership account will receive a gift. Note that the mobile phone number of the person you send an invite to will be deleted if the invited person declines the invite, or after three (3) days, if the invited person has not responded to the invite.

Providing you with personalised offers: When you use the Service to purchase products in one of our coffee shops, information about your purchase (specifically the points mentioned in Section 3 above) is stored in one of our databases. This information is analysed and evaluated to help us understand what kind of products you might be interested in. With the help of this data, your My Espresso House profile is placed into a certain segment that fits your purchase behaviour; we will then be able to offer you personalised discounts based on what segment you are in, meaning based on what products you like. We also use this information for other marketing purposes. If you have removed the app from your phone, we may at a later occasion contact you and ask if you would like to download it again. If you do not wish to receive any correspondence from us after you have deleted the app, you need to withdraw your membership. Please contact our guest support for this service, at support@espressohouse.se.

Statistics and Service improvement: The purchase history mentioned in Section 3 above also helps us improve the Service. The data from your purchases help us review what kind of products are popular, what time of the day our coffee shops usually run out of certain products, what type of offers are most appreciated and used by our members, etc. We will also use this information about you to improve and develop our existing products; for example if we are aware that a large number of our members enjoy our different kinds of overnight oats, we might add a new flavour to enhance the customer experience in our coffee shops.

Communicating with you – marketing and information: By providing us with your phone number we can contact you if there are any issues with the Service, or with your membership. In your account, you have the option to add your email address. This will help us send you marketing, newsletters and information about the Service, so you never miss out on deals. Adding your email address is optional, and you may at any time withdraw this information from your account. Once it has been withdrawn, it will be deleted from our systems, and you will not receive any additional emails from us. You may also opt-out of receiving marketing and news from us which is not strictly necessary for your use of the Service. As mentioned above in Section 3, when you correspond with us through any kind of communication, we may retain such correspondence and the information contained in it (such as name, email, contact information and any personal identifiable information you provide in free text form) and use it to respond to your inquiry. Your email may also be used to send you your digital receipt, if you activate this function in your account.

Security: We use data to protect the security of our products, services and customers, to detect and prevent fraud and to resolve disputes and to enforce our agreements. We can also block delivery of a message or remove content if it violates our terms.

Providing you with location-based offers – optional: You can decide for yourself if you want to activate offers based on your location. By activating this additional service, you allow us to see and register where your mobile phone is located. With this information, we will be able to offer you discounts specific to your current location. Please read Section 12 below to find out more about this additional service and how you can provide your consent to activate this function.

Other Purposes: If we intend to use any personal data in any manner that is not consistent with this Privacy Policy, you will be informed of such anticipated use prior to or at the time the Personal Data is collected or we will obtain your permission subsequent to such collection but prior to such use.

5. When and how we share information with others

We share your personal data with your consent or as necessary to complete any transaction or provide you with any offers you have claimed.

When you provide payment data to your digital Coffee Card we will share payment data with banks and other entities that process payment transactions or provide other financial services, and for fraud prevention and credit risk reduction.

For the purpose of providing you with the Service, we may disclose your personal information to our affiliates as well as our service partners (i.e. companies we’ve hired to provide customer support or assist in protecting and securing our systems) that are entrusted to process your information on our behalf and in accordance with our instructions, this Privacy Policy and other appropriate measures for privacy and security.

For the purpose of analyzing the service and your usage, and to be able to offer you more personal offers and marketing, we may share your personal information with Facebook and Google.
Your personal data may be transferred to the USA. We have entered into Standard Contractual Clauses (SCC) with Facebook and Google. We have also implemented additional safeguards such as hashing and pseudonymisation to ensure that your personal data is highly protected. A copy of these SCC is available here: [https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en].

We may also disclose your personal information to third parties if we have good reasons to believe that access, use, retention or disclosure of such information is reasonably necessary to:

  • comply with any court order or other legal obligation;
  • enforce or apply our General Terms and Conditions and other agreements; and
  • protect the rights, property, or safety of Espresso House, its franchisees, or others.

6. Data subject rights

General information

Espresso House complies with current data protection laws in the European Union, which, when applicable, include the following rights:

  • You are free to request access to a record of your processing (as defined in the law), and you have the right to access a copy of your personal data, request a correction and, in certain circumstances, deletion of your personal data,
  • You are entitled to request restriction, and object to the processing, of your personal information which has as its basis our legitimate interests,
  • You have the right to file a complaint with a data protection authority. ‘Datainspektionen’ is the authority in Sweden that oversees how we as a company comply with relevant data protection legislation,
  • If processing of personal data is based on your consent, you are entitled to withdraw your consent for future processing of your personal information at any time.
  • You are entitled to request that we provide your personal information to another organisation responsible for processing your personal data (controller) in cases where our right to process your personal data is based either on your consent or performance of an agreement with you.

You will have reasonable access to your personal information at no extra cost, if you request this via privacy@espressohouse.se. If we cannot provide you with this within a reasonable time frame, we will provide you with a date for when the information can be provided. If such access is denied, we will explain to you why access has been denied.

When processing your personal information, we will do so in cooperation with our affiliates in order to offer you the products and services you use and have ordered, operate our business, meet our contractual and legal obligations, protect our systems and customers, or meet the legitimate interests as described in detail in the sections ”How and why we use your personal data” and ”When and how we share information with others” above. When we transfer personal data from the European Union, we do so based on a number of legal mechanisms, as described in the section ”Data storage and retention”.

To what extent do we use automated individual decision-making (including profiling)?

As a rule, we do not make decisions based on automated processing and profiling that will have legal effect for you as defined in Article 22 GDPR. If, in the future, we were to use such procedures on a case-by-case basis, we will inform you separately and request your consent before such new use of your personal data, to the extent required by law.

Information on your right to object under article 21 of the EU General Data Protection Regulation (GDPR)

  1. Right to object to processing which is based on our legitimate interests.
    You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on article 6 (1) f) GDPR (processing for the purposes of safeguarding legitimate interests); this includes any profiling based on those provisions within the meaning of article 4 (4) GDPR. If you lodge an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or unless the processing is for the establishment, exercise or defence of legal claims.
  2. Right to object to the processing of data for marketing purposes.
    In certain cases, we process your personal data for marketing purposes. You have the right to object at any time to processing of personal data concerning yourself for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, we will no longer process your personal data for such purposes. There are no formal requirements for lodging an objection; where possible it should be made by [insert relevant email].

Note: if you ask Espresso House not to contact you by email at a certain email address, Espresso House will retain a copy of that email address on its “master do not send” list in order to comply with your no-contact request.

7. Security of your information

To help protect the privacy of data and personally identifiable information you transmit through use of the Service, we maintain physical, technical and administrative safeguards. We update and test our security technology on an ongoing basis.

We restrict access to your personal data to those employees who need to know that information to provide benefits or services to you. In addition, we train our employees about the importance of confidentiality and maintaining the privacy and security of your information.

We commit to taking appropriate disciplinary measures to enforce our employees’ privacy responsibilities.

8. Data storage and retention

Personal data handled by Espresso House is stored and processed in the region in which you live, in Sweden or in other countries where Espresso House, its affiliates, subsidiaries, partners or suppliers are active. We take steps to ensure that the information we collect in accordance with this Privacy Policy is dealt with in accordance with the provisions of this Policy and in accordance with applicable laws where the information is available.

If we were to transfer your personal data to third countries, i.e. countries outside the EU / EEA, we will enter into agreements and take other measures in accordance with applicable legal requirements.

Espresso House retains personal data for as long as necessary to be able to provide you with our services, and to fulfil the purposes set out in Section 4 above. Different types of data may be stored for different amounts of time, due to certain criteria.

The criteria that determine how long we store your personal data may be:

How long is the personal data needed for us to be able to provide you with our services? This includes, among other things, maintaining and improving the performance of the Service, protecting our systems, and administering necessary business and accounting information. This is the general rule underlying the calculation of most storage periods.

Is the personal data considered sensitive? In these cases, the storage period is usually shorter.

Have you, as a data subject, consented to a longer storage period? In these cases, we store the information longer, with your consent.

Do we have legal, contractual or other similar obligations to store the data? Examples of this may include mandatory legislation on retention of information, such as for accounting reasons, government orders to store data which is relevant for surveys or data that must be retained for resolving a possible dispute.

The personalised offers we provide to you will be based on your purchase history dating back to a maximum of 12 months.

We process customer data about our customers for a period of 24 months after our customer relationship has expired, or up and until the earlier time when the customer chooses to terminate its account at Espresso House and / or requests to have its personal data deleted.

For more information on where and how long your personal data is stored, and for more information on your rights of erasure and portability, please contact the Espresso House data protection officer at dpo@espressohouse.com.

9. Exclusions

Aggregated data: Aggregated data is collected and processed to monitor and evaluate user trends concerning the Service. This means that information about your purchase history is collected and then anonymised in a way that means we cannot link the information back to you any longer. We use this anonymous information about how our users use our services for statistics, service improvement and product development of the Service. This data will be completely anonymous and does not constitute personal data. It may therefore be stored a longer time than your personal information.

Anonymisation means that data which was once personal information is stripped away of anything that may connect it to an individual, as well as being severed from anything that in the future might make it possible to reconnect this data to an individual. This de-personalisation treatment of data is one step further than the process of pseudonymisation, which means keeping certain information apart, to make it harder to identify an individual using this data.

Third Party Links: This Privacy Policy does not apply to any personal data that you provide to another user through the Services or through any other means.

Children: Espresso House does not knowingly collect personal data from children under the age of thirteen (13). If you are under the age of thirteen (13), please do not submit any personal data through the Services. We encourage parents and legal guardians to monitor their children’s Internet usage and to help enforce our Privacy Policy by instructing their children never to provide personal data through the Services without their permission. If you have reason to believe that a child under the age of 13 has provided personal data to us through the Services, please email us at [insert email], and we will endeavour to delete that information from our databases.

10. Changes and updates to the Privacy Policy

We will update our Privacy Policy when needed to reflect customer feedback and changes to the Service. When the Policy is updated, the latest update date is shown at the top of the Policy and the changes are described on the Change History page. If there are major changes in the policy or how Espresso House uses your personal information, you will be notified via web or email before the changes come into force to the extent required by law. Please read this Privacy Policy from time to time to keep yourself informed about how Espresso House protects your personal information and privacy.

11. Questions, concerns or complaints

To ask questions or comment about our Policy and our privacy practices, please contact our privacy department at:

Espresso House Group
Drottninggatan 29, 111 51 Stockholm, Sweden
privacy@espressohouse.com
+46105101000

12. Additional optional services

Location-based offers

As mentioned in Section 4, you can decide for yourself if you want to activate offers based on your location. By activating this additional service, you hereby provide us with your consent that allows us to see and register where your mobile phone is located. With this information, we will be able to offer you discounts specific to your current location, for example if you are located close to a coffee shop with discounts limited to that specific coffee shop.

This additional service will be deactivated as a default when you create a membership account at My Espresso House. This means that Espresso House will not be able to locate where your phone is until you actively choose to activate this service and provide us with your consent.

If activated, your location history will be stored in our systems for a maximum of thirty (30) days, so that we can provide you with relevant offers based on your current location.

You may at any time go to your Settings and deactivate the location-based offers service. When you deactivate the service, Espresso House will immediately delete your current location information as well as any location history that may be stored in our database at the point of deactivation. We will not be able to access your location information again, until you choose to activate the additional service once more.

Pre-Order

By using the Pre-Order function to order food and drinks, you are aware that we process your location data when searching for a coffee shop near you, your payment information or access your Swish account. We process this additional information about you to, upon your request, provide the Pre-Order function allowing you to collect food and drinks from chosen coffee shops.

For more information regarding the Pre-Order function, please see our general terms of use for My Espresso House.

Coffee subscriptions

By using the coffee subscription function, you are aware that we process your payment information in order to offer you the service.

Change history

May 2018: New version of the policy to comply with the new general data protection regulation ”GDPR” that was enforced 25th of May 2018. The policy has been changed to be clear and concise and easy to understand and read.

April 2019: Updates in regards to the new launch of pre-order.

March 2021: Update regarding analytics cookies and new functionality, coffee subscriptions.