Privacy & Cookies Policy
Choosing to shop with the Ocado Group means you've placed a great deal of trust in us.
You share and let us use personal information in order to enjoy a more streamlined and convenient shopping experience. Naturally, you want that personal information to be kept private as well as secure.
To reassure you that we take our responsibility very seriously, this Privacy & Cookies Policy explains how we will use the personal information you give us. It explains your data protection rights, including how you can opt-out of some uses of your personal information. For more information on your rights and how to exercise them, head straight to the Your choices and rights section.
This Privacy & Cookies Policy applies if you use any of our products and services. This includes shopping on any of the Ocado Group websites (such as ocado.com, fetch.co.uk, fabled.com or sizzle.co.uk), on our apps, or using voice-controlled services (such as Amazon’s Alexa or Apple’s Siri). This policy also applies if you contact us or we contact you about our services, whether by telephone, email, SMS, post, push notifications or via third party digital platforms (including websites or social media platforms).
Policy last updated on 7th August 2018.
Who we are and what we collect
This section details what types of personal data we collect and who we are. The Ocado Group is made up of a number of separate legal entities, so when we say "us", "our" or "we" in this policy we are generally referring to Ocado Retail Ltd, Specialty Stores Ltd and Marie-Claire Beauty Ltd.
We collect information from you when you visit and browse our websites, register for our services, use our apps, make purchases using our services, participate in prize draws and competitions, and when you communicate with us.
At times we also receive information from third parties to help us better understand our customers. However, this Privacy & Cookies Policy does not cover any third-party websites, apps or services you use or access from our websites, apps or services.
Who we are
The Ocado Group
When you shop with ocado.com you submit your personal information to Ocado Retail Ltd. When you shop with fetch.co.uk and sizzle.co.uk you submit your personal information to Speciality Stores Ltd. When you shop with fabled.com you submit your personal information to Marie-Claire Beauty Ltd. These companies are known as the data controllers, and all are 100% owned subsidiaries of Ocado Group plc, which is listed on the London Stock Exchange.
We will treat all information submitted by you in accordance with the terms of this Privacy & Cookies Policy (as updated and amended from time to time) and in strict compliance with UK and EU data protection legislation. We respect your privacy and will always work to keep your data safe and private.
Third-party apps, websites and services
What we collect
Improving our services
The information we gather from customers through our websites, apps, products and services, or receive in any other way, helps us to continually improve the goods and services we offer. This includes tailoring the information we share with you to help ensure that it’s relevant, useful and timely.
We gather useful information in several key ways:
1. When you register with us, we ask for information such as your title, name, email address, delivery address, telephone number, and account login details (such as your username and password). We store this information to make your experience easier, so you do not need to re-enter your details each time you shop. In fact, we offer the facility to use the same password and login details across all of our websites including ocado.com, fetch.co.uk, sizzle.co.uk and fabled.com in order to make your login experience even smoother. We have also entered into a partnership with Dobbies Garden Centres to provide their online fulfilment services and you can use these same login details to shop online with them.
2. If you place an order, we hold information on the timing and location of your delivery to help us effectively manage resources to fulfil your order and plan the best delivery route. We will also ask you for your debit or credit card details in order to process your payment. We never store your payment details in full, we only store an encrypted token that represents your payment card.
3. We keep a record of electronic communications you receive from us. We also record interactions you have with our electronic communications. For example, whether an email has been opened and if you have clicked on any links within that email.
4. When we contact you or you take part in competitions, surveys or questionnaires about our products and services, we may collect your feedback and contributions. This includes direct messages you may send us through social media channels.
5. We keep a record of your purchases with us (for example, what you bought and when) and how you browse and engage with our websites and apps. This helps us decide which products, services and promotions may be relevant for you. It also helps us to improve your experience, assist you more efficiently if you have any questions or concerns about your order, and promote certain products, services and offers.
6. If Ocado Reserved or Ocado Smart Pass are available and you choose to subscribe, we record information about the choices you make in relation to such services, like the delivery slots you choose and the price you paid on purchasing your Ocado Smart Pass. This helps us better plan delivery slot availability and service fulfilment requirements.
7. 7. We will keep a record of any email correspondence you send us. This helps us provide you with better customer service, and to improve the experience of our customers overall. Telephone calls made to and from the Ocado Contact Centre will be recorded for quality and monitoring purposes.
Special categories of personal data
We do not intentionally collect or store data that could reveal your racial or ethnic origin, physical or mental health or religious beliefs. However, if you choose to provide this information to us (such as in a conversation with a Contact Centre advisor) then we do retain this information.
Information from third-party data sources
We receive information from third parties that may relate to you. This includes:
• Information providers that specialise in consumer profiling, such as Experian. These organisations provide demographic or other data to help better understand customers' demographics, lifestyles or shopping behaviours, usually linked to where people live.
• Voice controlled services, such as Amazon's Alexa or Apple’s Siri, provide us with details of the voice requests you have made in connection with your account. This is so we can fulfil the orders you place with us, understand your shopping experience and improve our related services.
How we use your personal information
Here we explain in detail how your personal data is used to benefit your online experience. Rest assured, we only ever use personal information as is necessary, to provide you with the quality services you request and expect, or to prevent the misuse of our services. We also use your personal information for our own legitimate interests. This allows us to improve our products, better understand customer preferences, and to market products or services you may like. With your consent, we may send you certain promotional communications we feel are relevant. We may also use your personal data to comply with law when required.
In more detail
All the information we collect through our websites, apps, products, services, and through correspondence with you, is used by members of the Ocado Group to operate and improve the services we offer you. We will only use your personal information for:
Purposes necessary for the performance of a contract with you
• To deliver our services, including dealing with orders and accounts for the supply of our goods, products and services and to help you shop with us.
• Enabling third parties to carry out technical, logistical or other functions on our behalf.
• Enabling a debt collection agency to collect payment from you should that be necessary.
• Preventing and detecting fraud or abuses of our website or services. For example, making sure first-time customer promotions can only be used by first-time customers.
• Responding to and resolving complaints.
Our legitimate interests
•To personalise and improve your experience.
•To develop new products and services.
•To inform you about products and services that may interest you.
•To inform you about products and services that may interest you.
Purposes for which you have provided us with your consent.
• To send you electronic marketing (except where we rely on legitimate interests for this). By 'electronic marketing' we mean marketing by email, telephone, SMS, push notifications and web advertising to inform you about the products and services we offer. This includes events, prize draws, competitions, gifts, vouchers, coupons, surveys, special offers and promotions (from specially selected partners and the Ocado Group if appropriate).
• To show you web advertising. By 'web advertising' we mean digital marketing that we intentionally send or display to you on third-party online platforms or websites. For example, you may see advertising for Ocado Group products and services on other websites you visit, or social media and other platforms you use (eg, Facebook and Google). These have been shown to you because we believed it would be relevant to your interests. ‘Web advertising' does not include advertising we have not intentionally targeted to you (such as banner ads that are randomly shown to any visitor of a third-party website), or any personalisation or recommendations we show on our own websites, apps and services
• To use ‘User Generated Content. By ‘User Generated Content’ we mean content created by you, and shared publicly (on social media for example) and which may showcase our brand or products.
Fulfilling our legal obligations.
• Allowing us to comply with any requirements imposed on us by law or court order, including disclosure to law or tax enforcement agencies or authorities or pursuant to legal proceedings.
• Maintaining records to meet regulatory and tax requirements.
• To collect and recover money that is owed to us.
• To investigate fraudulent activities that may occur on a customer’s account.
• To help us defend legal claims or to exercise legal rights.
• Contacting affected customers in connection with product recalls or other similar product quality issues.
• To comply with our legal obligations in connection with the sale of age restricted products.
When we share your personal information
Understand how and why we share personal data with other companies within the Ocado Group, third-party service providers and other organisations. We only share your personal data as required for the purposes set out in this Privacy & Cookies Policy, to third parties who assist us with the provision of our services, to send related promotional communications to you, and to assist us in preventing the fraudulent use of our services.
Information about our customers is an important part of our business. However, there are circumstances where it is necessary for us to share personal information, for example, in order for us to provide our customers with our superior delivery service. Whenever we use or disclose your information, we put in place measures to keep it secure. We make sure it is protected as far as reasonably possible.
The circumstances where we share some of your information with others are:
1. Other Ocado Group companies
We share personal data with other companies within the Ocado Group:
• In connection with legal claims, compliance, regulatory and audit functions.
• For disclosures in connection with the acquisition, merger or sale of a business.
• To support and better understand customers that use our services, websites and apps.
• To send you relevant advertising from other Ocado Group companies where permitted.
2. Third-party service providers
We employ other companies or individuals and may work in partnership with selected third parties to perform any of the functions listed above (under the ‘How we use your Personal Information’ section) on our behalf. We only share information that allows them to provide their services to us or to facilitate them providing their services to you.
• Companies to analyse customer information to help us better understand how you use our services. Also to tailor products, services and offers that may be relevant for you.
• Companies to provide marketing and advertising assistance (including management of email marketing operations, mobile messaging services such as SMS, and services that deploy advertising on the internet or social media platforms, such as Facebook and Google) as well as analysis of the effectiveness of our advertising campaigns.
• Payment card processors to process credit and debit card payments.
• External companies to provide post or courier delivery services when selected by customers.
• General service companies such as printers and mailing houses that distribute direct mail marketing.
• Companies that help us track and record the way you navigate our websites and use our apps, so that we can understand your online experience and use it to improve our services and offer a personalised experience.
• Companies that help us to run surveys and get your feedback on our products and services.
• Other companies that help us provide our websites and apps, improving functionality so that we can provide you with a high-quality experience whenever you shop with us.
3. Promotional communications from specially selected partners
Sometimes we send communications (including offers) on behalf of, or in partnership with, specially selected partners when we have identified offers that we believe will be of interest to you. We will only do this if you have previously agreed to receive these marketing communications. We will not permit other businesses to contact you separately, and all such promotional communications will come via us. We do not share any personal data with these partners for their independent advertising purposes, but we may share aggregate statistics, such as the number of people that opened an email containing a promotion. If you wish to withdraw your consent from receiving these communications you can do so at any time by logging in to your relevant account and amending your marketing preferences page online.
4. Business transfer
If any Ocado Group company is ever sold or its assets are purchased by another company it would typically be part of such a transaction for customer information to form part of the business assets being transferred. However, the information will remain subject to the obligations as outlined in this Privacy & Cookies Policy.
5. Research companies
We may share personal details in a secure way to allow research companies and feedback providers to contact you directly on our behalf, in order to capture your opinions on our products and services, our websites and apps. We may ask these research companies to analyse the results so that we can better understand your online experience, which will help us to improve our services. We provide them with only the information they need to perform their function. This may take the form of a survey, where you may be asked to review a product or service you’ve bought. You will always have the choice about whether to take part in our market research or surveys.
We release account and other personal information when we believe release is appropriate to comply with the law, to enforce the Terms & Conditions and other agreements for each Ocado Group company, or to protect the rights, property or safety of the Ocado Group, our employees or customers, our business partners or others. For example, we may engage agents including debt collection agencies to assist us to process elements of the orders you place with us, or who assist us in the service we provide to you. In these instances, we provide them with only the information they need to perform their function.
7. Fraud Prevention
Where we have reason to suspect fraud or the commission of any other criminal offence, we may share your data (such as your name, household information, details of failed payments and your orders placed with us) with crime prevention agencies and certain third parties for the purpose of detecting and preventing crime. Such third parties may include business partners, law enforcement bodies, providers of fraud prevention and detection services, and recipients of fraud prevention and detection services. If we think there is a risk of fraud, we may suspend activity on your account or refuse access to your account and/or cancel an order.
Security, data retention and international data transfers
We know how important it is to protect and manage your personal data. This section sets out some of the measures we have in place.
We take the security of your personal information seriously and employ technical and organisational measures to protect the integrity and privacy of your personal information. We only retain your personal information for clearly established periods.
Our websites use Secure Socket Layer (SSL) encryption technology to ensure that your information is protected. Our web pages will start with https and a padlock will be displayed in front of the web page name to show that we always encrypt the information that you send us.
We maintain and enforce physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of your personal information. However, whilst we take appropriate technical and organisational measures to safeguard your personal data, please note that we cannot guarantee the security of any personal data that you transfer over the internet to us.
Our security procedures mean that we may need to request proof of identity before we disclose personal information to you, including in relation to a subject access request.
We are committed to ensuring the protection of your payment card details and are compliant with the Payment Card Industry's Data Security Standard (PCI-DSS). Payments made via our sites are processed and managed by specialist payment card companies which are not part of the Ocado Group. We only store and display the first six and last four digits of your payment card number, the card type and the card expiry date. The full payment card number is never stored on any of our systems and is only stored and processed by one of our payment card processing companies.
We keep an encrypted token to represent your card and this token is transmitted to the relevant payment card processing company during the order processing.
We use 3D Secure to provide additional fraud protection and to protect your payment card from unauthorised use. During the checkout process, you may be asked by 3D Secure to provide your Verified by Visa or Mastercard Secure Code password.
It is important to keep your password secure to prevent fraudulent use of your account. Never disclose your password to anyone else, and especially to anyone who requests it from you by telephone or email – we will never do this (more information below). You should avoid using the same password for other websites, because if their systems are hacked, the hackers will also be able to access your account.
Avoid using common terms for your password such as “password" or “123456"; hackers know the most popular passwords and will try to access accounts using these. Instead, try to use a combination of letters and numbers that means something to you so it’s easy to remember but difficult to guess.
Personal security and identity fraud
Using public wifi networks can be risky, and hackers may try to capture your online transactions and personal details. You should only connect to networks that you trust. If you use a shared computer, make sure that you log out once you have finished using the website.
Criminals and fraudsters create authentic looking but false or "spoof" websites and send phishing emails to steal confidential information. These emails pretend to be from a legitimate company and try to trick a person into giving away their personal details (such as user names and passwords) so that security details can be updated or passwords changed.
We will never ask you to provide your personal details via email. If you receive an email like this that claims to be from us and contains an embedded link and a request for you to enter any personal details, treat it as suspicious and do not enter any personal information, even if the page appears legitimate. If you suspect that your account details are subject to such fraudulent activities, please let us know by emailing firstname.lastname@example.org
We retain your personal information for as long as you are a customer and we need it in order to fulfil the purposes described above. After you stop being a customer, we may keep your data for a certain period of time, after which we take steps to delete your personal information or hold it in a form which no longer identifies you (as we may still need to use your data in an anonymised format for research and other business purposes).
We may keep your personal information for a number of reasons after you have stopped being a customer. This includes: to respond to any questions or complaints, for legal, regulatory or technical reasons, for research and analytics, to investigate fraudulent activities, and to show that we treated you fairly.
Keeping your information
We will keep your personal information for as long as you are a customer of the Ocado Group, which includes ocado.com, fetch.co.uk, sizzle.co.uk and fabled.com, and for a period of time afterwards if you stop doing so.
Here are our time periods for retaining customer personal information:
• Customers that have registered but never shopped: we keep your personal information for eight years after the date of first registration.
• Customers that have not shopped for an extended period of time: we keep your personal information for seven years after the date of your last shop.
• Customers who have asked for their accounts to be closed: we keep your personal information for seven years after the date your account was closed.
• Call recordings: we delete call recordings after three months unless we need the data to investigate fraud, to respond to questions or complaints or for legal reasons.
• Customer account notes: after two years we delete notes made on your account by our Contact Centre advisors, unless we need the data to investigate fraud, to respond to questions and complaints, or for legal reasons.
Sending information outside the European Economic Area
Our operations are based in the UK and the personal data that we collect from you is mainly processed, stored and used within the UK and other countries in the European Economic Area (EEA). However, in order to offer you the best service we can provide, we also work with service providers from other parts of the world. This means that the data we collect sometimes needs to be transferred, stored and used by companies operating outside the EEA who work for us or one of our service providers. We want you to know that we have taken steps to ensure there is an appropriate level of security for the processing carried out in these countries, such that data is protected in the same way as if it was being used within the EEA.
This includes using one of these safeguards:
• The use of European Commission-approved standard contractual clauses in contracts for the transfer of personal data to third countries.
• The transfer to organisations that are part of the EU-US Privacy Shield. This is a framework that sets privacy standards for data sent between the US and EU countries. It makes sure those standards are similar to what is used within the EEA.
• Binding Corporate Rules (BCRs). These rules are like a code of conduct. They allow multinational companies to transfer personal data internationally within the same corporate group to countries that do not provide an adequate level of protection.
• Transfers to a non-EEA country with privacy laws that give the same protection as the EEA.
You can find out more about the above data protection safeguards on the European Commission Justice website.
Your choice and rights
This section explains the choices you have when it comes to receiving marketing communications and how you can exercise your individual rights in relation to your personal data.
You have certain rights in the information we hold about you, including the right to:
• Object to our use of your personal information.
• Request a copy of it, update it or to have it deleted.
These rights may be limited in some circumstances.
Requesting access to your personal data
You have the right to access a copy of the personal information we hold about you. You have the right to request that this information is provided in a machine readable format in the event that you wish it to be transferred to yourself.
What if you want us to stop using your personal information?
You can also object to certain processing activities which use your personal information, in particular where the processing is based on our legitimate interests. You can ask us to delete, remove, or stop using your personal information if there is no need for us to keep it. You can also ask us to restrict the use of your personal information in certain circumstances. These rights are known as the ‘right to erasure’ and the ‘right to restrict processing’. We will keep a note of your name if you ask for your personal data to be erased. You will also need to use a different email address if you decide to re-register as a customer with us as your old email address will no longer be valid.
There may be reasons why the above rights may be limited in some circumstances. For example, we can refuse to provide information if fulfilling your request would reveal personal information about another person, if you ask us to delete information which we are required to have by law, have compelling legitimate interests to keep, or need to access in order to exercise our legal obligations. In such situations, we would only use your information for these purposes and not use or share your information in other ways. We will always ensure your privacy is protected and data will always be retained in accordance with the Data retention section of this policy.
You may be unable to continue using our services if you require us to stop using your personal information, since this information is necessary for us to accurately fulfil and provide our services.
How to withdraw your consent
Where we have asked for your consent, you may withdraw consent at any time, but this will not affect any processing that has already taken place. If you would like to see what consent preferences we hold for you, we would suggest that you first visit your marketing preferences page on the relevant Ocado Group website.
You’re in control of your data – unsubscribing from our marketing communications
You can ask us to stop sending you marketing messages by contacting us at any time. You may limit the types of marketing you receive, or you can opt out of receiving our marketing communications. This is an option when you first open your account or at any time after that simply by doing one of the following:
1. Going to the marketing preferences page on the relevant website and ticking or unticking the appropriate boxes.
2. Clicking on the unsubscribe link contained in marketing emails.
3. Emailing us at email@example.com if you wish to opt out of any postal marketing or other electronic marketing.
If you decide to opt out or unsubscribe it could take up to 72 hours to process the update through our systems. Whatever you choose, you will still receive messages and other important service information such as changes to your existing products and services, our Low Price Promise emails, the cut-off time to edit your order, as well as “rate your first shop” and “rate your driver” surveys. You can always unsubscribe from these emails by clicking on the unsubscribe link in each email (except this does not apply to first registration emails and order confirmation and receipt emails).
We may also ask you to confirm or update your marketing preferences, if there are changes in the law, regulation, or the structure of our business.c
If the information we hold on you is wrong or incomplete, then let us know what needs updating and we’ll correct it. This is your right. Email us at firstname.lastname@example.org
Cookies and similar technologies
When you use any of the Ocado Group websites (ocado.com, fetch.co.uk, sizzle.co.uk and fabled.com) or our related apps, we use our own and third-party cookies and similar technologies (such as pixels and tracking URLs) to identify your device. This enables us to personalise and improve your customer experience and, where appropriate, serve you relevant advertisements. All these technologies are together referred to in this policy as “cookies”.
Without certain cookies, it would be very difficult for a website to allow a visitor to fill up a shopping trolley or to remember the user's preferences or registration details for a future visit.
Here are the types of cookies we use on our websites, and the purposes for which they are used
• Strictly necessary cookies. These cookies are essential in order to enable you to move around our websites and use its features, including accessing secure areas. Without these cookies, any services on our websites you wish to access cannot be provided.
• Analytical/performance cookies. These cookies collect information about how you and other visitors use our websites. This can be anything like which pages you go to most often, and if you get error messages from web pages. We use data from these cookies to help test designs and to ensure a consistent look and feel is maintained on your visit to our websites. We also use third-party web analytics software on our websites and apps (such as Google Analytics).
• Functionality cookies. These cookies allow our websites to remember choices you make (such as your user name, language or the region you are in) and provide enhanced, more personal features. These cookies can also be used to remember settings such as changes you have made to text size, fonts and other parts of web pages that you can customise.
• Targeting cookies. These cookies are used to deliver adverts more relevant to you and your interests. They are also used to limit the number of times you see an advertisement, as well as help measure the effectiveness of an advertising campaign. They are usually placed by third parties (such as advertising networks or platforms) with the website operator’s permission. They remember that you have visited a website and this information is shared with the advertiser. We have enabled Google Analytics Data Collection for Advertising Features, including Remarketing and Advertising Reporting Features. These features enable us to make use of data from users who have chosen to allow Google to associate their web and app browsing history with their Google account in order to personalise the ads we may show in Google Search and Display Advertising. This helps us provide more relevant messaging to our users. This also provides us with demographic and interest information at an aggregate level that helps us to understand our users better.
• Social media extensions. These technologies allow you to share what you’ve been doing on our websites on social media, such as Facebook and Twitter. For example, by clicking the Facebook ‘Like’ icons that may appear on our product pages. Although we enable these tools to be displayed on our websites so that you may, if you wish, interact with them, they are not within our control. Please refer to the relevant third party privacy policies for how these functionalities work.
To find out more about cookies please visit: www.allaboutcookies.org or see www.youronlinechoices.eu which contains further information about behavioural advertising and online privacy.
To opt-out of Google Analytics for Display Advertising and customize Google Display Network ads please go to https://www.google.com/settings/ads or Google Analytics' currently available opt-outs for the web.
Updates and how to contact us
If you have any questions about this Privacy & Cookies Policy, would like to make a complaint, or find out how we notify you of any changes to the Privacy & Cookies Policy, further details can be found in this section.
Updates and changes to the Privacy & Cookies Policy
You may change your personal information retained by us at any time. Simply access your user profile on the relevant Ocado Group website.
We may change the terms of this Privacy & Cookies Policy from time to time and you should check it regularly. The date on which the Privacy & Cookies Policy was most recently amended will be displayed at the beginning of the policy. If we make any material changes to this Privacy & Cookies Policy we will take steps to call it to your attention.
If you have questions about your personal information and our Privacy & Cookies Policy, or wish to exercise any of your rights described in this policy, please email us at email@example.com
We have designated this as the contact point for Ocado Retail Ltd, Specialty Stores Ltd and Marie-Claire Beauty Ltd.
How to complain
If you are not satisfied in the way we have dealt with your concerns, you have the right to complain to the Information Commissioner’s Office. Please go to https://ico.org.uk/concerns/ to find out more or write to:
Information Commissioner's Office
Tel: 0303 123 1113