SpudBros Privacy Policy UK
Last Update: March 18, 2026
INTRODUCTION

SpudBros Express is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how personal data is collected, used, shared and protected in connection with the SpudBros Express Loyalty Programme (the "Programme") available in the United Kingdom.

This Policy applies in addition to the SpudBros Express Loyalty Terms and should be read together with them. We process personal data in accordance with the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018 and other applicable data protection laws.

Capitalised terms used in this Privacy Policy and not otherwise defined herein shall have the meaning given to them in the SpudBros Express Loyalty Programme Terms and Conditions.

1. WHO WE ARE

The Programme is operated in the United Kingdom by:
  • AllTaster Limited
  • Company number: 10721632
  • Registered office: 9th Floor, 107 Cheapside, London EC2V 6DN
For the purposes of data protection law, AllTaster Limited ("TASTER", "we", "us", "our") acts as the data controller of personal data processed in connection with the Programme.

For data protection queries, you may contact: dpo@taster.com

2. SCOPE OF THIS POLICY

This Privacy Policy applies where you:
  • Create or access a SpudBros Express Rewards Account,
  • Enrol in or participate in the Programme,
  • Provide contact details in-store,
  • Interact with our WebApp,
  • Receive communications relating to the Programme.
It does not apply to unrelated third-party services which may operate under separate privacy policies.

3. INFORMATION WE COLLECT AND PROCESS

Depending on your interaction with the Programme, we may collect and process:
  • Identity Data: first name, last name, date of birth or age, gender.
  • Contact Data: phone number, email address.
  • Rewards and Transaction Data: points accrued, deducted or expired, rewards unlocked and redeemed, purchase frequency and transaction value, visit history linked to your Rewards Account.
  • Technical and Usage Data: device type, IP address, access timestamps, WebApp interaction data.
  • Communication Data: marketing preferences, communication history, SMS or email engagement data.
Certain information is required to operate the Programme. Without it, participation may not be possible.

4. HOW AND WHY WE USE YOUR INFORMATION

We process personal data for the following purposes:

4.1. Programme Administration

We process personal data to:
  • Create and authenticate your Rewards Account,
  • Allocate, track and deduct points,
  • Unlock and validate rewards,
  • Manage reward expiry and redemptions,
  • Administer account suspension or closure,
  • Provide customer support relating to your participation.
This processing is necessary to perform the contractual relationship entered into when you enrol in the Rewards Programme. Without this processing, we would be unable to operate the Programme or deliver its core functionality.

Legal basis: Performance of a contract (Article 6(1)(b) UK GDPR).

4.2. Service Communications

We process contact and account data to send communications that are strictly necessary for the functioning of your Rewards Account, including:
  • Confirmation of enrolment,
  • Points allocation updates,
  • Reward confirmation or expiry reminders,
  • Security alerts,
  • Material changes to the Programme.
These communications are not promotional in nature and are required for the proper administration of the Programme.

Legal basis: Performance of a contract (Article 6(1)(b) UK GDPR).

4.3. Marketing Communications

Where you have provided your explicit consent, we may use your contact details and engagement data to send you marketing communications relating to:
  • The SpudBros Express Rewards Programme, and
  • SpudBros Express products and services.
Marketing communications may include:
  • Promotional offers and limited-time discounts,
  • Loyalty incentives and bonus point campaigns,
  • Cross-brand campaigns,
  • Personalised or targeted offers based on your engagement or purchasing behaviour.
Providing consent to receive marketing communications is entirely optional and is not a condition of participation in the Programme.

You may withdraw your consent at any time through the WebApp, by using unsubscribe mechanisms included in communications, or by contacting us at dpo@taster.com.

Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal. We maintain records of marketing consents and preferences in accordance with applicable law.

Legal basis: Consent (Article 6(1)(a) UK GDPR).

4.4. Analytics, Insights and Business Improvement

We process Rewards and Transaction Data, Technical Data and limited Identity Data to:
  • Analyse purchasing behaviour and engagement patterns,
  • Improve the relevance of offers and rewards,
  • Develop internal statistical and commercial insights,
  • Optimise customer communications,
  • Understand aggregated demographic trends.
This processing allows us to improve the quality, efficiency and commercial performance of the Programme. Where possible, we rely on aggregated or anonymised datasets to reduce privacy impact.

This processing may involve segmentation and profiling for campaign optimisation purposes. However, it does not involve automated decision-making producing legal or similarly significant effects on individuals.

We have assessed that this processing is proportionate, expected within a loyalty context, and does not override your fundamental rights and freedoms.

Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR).

4.5. Fraud Prevention, Security and Compliance

We process personal data to:
  • Detect suspicious or fraudulent activity,
  • Prevent misuse of points or rewards,
  • Monitor system integrity,
  • Protect against unauthorised access,
  • Comply with regulatory or legal obligations.
This processing is necessary to protect the integrity of the Programme, safeguard other Members and comply with legal obligations. Where required, we may also process data to respond to lawful requests from authorities.

Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR) and/or Legal obligation (Article 6(1)(c) UK GDPR).

5. USE OF THE HEY PONGO LOYALTY PLATFORM

The technical infrastructure supporting the Programme is operated through a third-party loyalty platform provided by Hey Pongo. Hey Pongo manages, on our behalf:
  • Rewards Account creation and authentication,
  • Points allocation, tracking and deduction,
  • Rewards unlocking and validation,
  • Campaign configuration and communication routing (including SMS dispatch),
  • Secure hosting of loyalty-related data,
  • Operational monitoring and system logging.
TASTER remains the sole data controller in respect of personal data processed through the Programme. Hey Pongo acts strictly as a data processor and processes personal data only on our documented instructions and solely for the purposes of operating and administering the Programme, in accordance with the applicable law. Hey Pongo is not authorised to use personal data for its own independent purposes.

For further information regarding Hey Pongo's data protection practices in its capacity as processor, you may consult their information here: Hey Pongo Website

6. ACCOUNT DELETION

If you wish to close your Rewards Account and withdraw from the Programme, you may do so by contacting us at: support@spudbrosexpress.com

Due to the technical configuration of the Programme platform, account closure and deletion requests are processed through customer support rather than through an automated in-app function.

We will process such requests in accordance with applicable data protection law and may request information necessary to verify your identity before completing the request.

Please note that certain information may be retained where required for legal, regulatory or legitimate business purposes.

7. DATA SHARING

We may share personal data, where necessary and proportionate for the purposes described in this Privacy Policy, with:
  • Other entities within the TASTER group and their authorised personnel, where required for group-level administration, marketing operations, analytics, IT infrastructure or customer support,
  • Carefully selected third-party service providers supporting the operation of the Programme,
  • Professional advisers (including legal and compliance advisers),
  • Regulatory authorities, courts or law enforcement bodies where disclosure is required by law or necessary to protect our legal rights.
Where personal data is shared within the TASTER group, it is subject to appropriate internal data protection arrangements.

We do not sell personal data.

8. USE OF PROCESSORS AND SUB-PROCESSORS

We engage third-party service providers ("Processors") to process personal data strictly on our behalf where necessary to operate, administer and improve the Programme. Processors may provide services including, without limitation:
  • Loyalty platform infrastructure and account management (please see Section 5, USE OF THE HEY PONGO LOYALTY PLATFORM),
  • Cloud hosting and secure data storage,
  • SMS and email routing services,
  • IT maintenance and system support,
  • Data analytics and reporting services.
Processors act only on our documented instructions and are not authorised to determine the purposes or means of processing.

We enter into written data processing agreements with all Processors which, without limitation, (i) limit processing to our documented instructions, (ii) impose strict confidentiality obligations, (iii) require appropriate technical and organisational security measures, (iv) govern the appointment of any sub-processors, (v) require prompt notification of personal data breaches and (vi) provide for deletion or return of personal data upon termination of services.

Where a Processor appoints a sub-processor, this is subject to appropriate contractual safeguards to ensure compliance with applicable data protection law.

9. INTERNATIONAL TRANSFERS

Personal data is primarily hosted within the United Kingdom or the European Economic Area.

Where personal data is transferred outside the United Kingdom, we ensure appropriate safeguards are implemented in accordance with UK data protection law. These safeguards may include:
  • UK International Data Transfer Agreements (IDTAs);
  • Adequacy regulations recognised by the UK Government;
  • Other legally approved transfer mechanisms.
You may request further information regarding international transfer safeguards by contacting us.

10. DATA RETENTION

We retain personal data only for as long as necessary to fulfil the purposes described in this Privacy Policy, including satisfying legal, accounting or regulatory requirements.

In particular:
  • Rewards Account data is retained for the duration of account activity and for up to three (3) years following the last recorded interaction,
  • Marketing data is retained until consent is withdrawn or for up to three (3) years of inactivity,
  • Technical logs and security data are generally retained for up to six (6) months unless longer retention is necessary for investigation, fraud prevention or legal purposes.
Data required to comply with statutory obligations is retained in accordance with applicable law. After the applicable retention period expires, personal data is securely deleted or irreversibly anonymised.

11. DATA SECURITY

We implement appropriate technical and organisational measures designed to ensure a level of security appropriate to the risks associated with processing personal data.

These measures include:
  • Secure hosting environments and controlled infrastructure access;
  • Role-based access controls and authentication procedures;
  • Monitoring and logging of system activity;
  • Encryption and secure data transmission where appropriate;
  • Regular review of security practices and system protections;
  • Incident detection and response procedures.
While we take reasonable steps to protect personal data, no digital system can guarantee absolute security. In the event of a personal data breach, we will notify the Information Commissioner's Office and affected individuals where required by applicable law.

12. YOUR RIGHTS

Under applicable law, you have the following rights, subject to certain conditions and limitations:
  • The right to request access to your personal data;
  • The right to request correction of inaccurate or incomplete data;
  • The right to request deletion in certain circumstances;
  • The right to request restriction of processing;
  • The right to object to processing based on legitimate interests;
  • The right to withdraw consent at any time where processing is based on consent;
  • The right to request data portability where applicable;
  • The right to lodge a complaint with the Information Commissioner's Office (ICO). We encourage you to contact us first so that we may address your concerns directly.
To exercise your rights, please contact: dpo@taster.com

13. CHILDREN

The Programme is intended for individuals who meet the minimum age requirement specified in the Loyalty Programme Terms and Conditions.

Under UK data protection law, individuals aged 13 years or over may provide their own consent in relation to certain online services. However, TASTER may set a higher minimum age for participation in the Programme.

We do not knowingly collect personal data from individuals who do not meet the applicable minimum age requirement. If we become aware that a person who does not meet the applicable minimum age has created a Rewards Account or provided personal data without the required authorisation, we may (i) suspend or close the relevant Rewards Account, (ii) delete associated personal data, and/or (iii) where appropriate, request parental or guardian authorisation in accordance with applicable law.

We reserve the right to implement age verification or additional safeguards where reasonably necessary.

14. COOKIES AND TRACKING TECHNOLOGIES

The WebApp and technical infrastructure supporting the Programme may use cookies and similar tracking technologies to ensure proper functionality, security and performance. Cookies are small text files stored on your device when you access a website or web-based application.

Cookies used in connection with the Programme may include:

Strictly Necessary Cookies: These cookies are essential for the operation of the WebApp and the Rewards Account, including authentication, security and session management. These cookies do not require consent under applicable law.

Performance and Analytics Cookies: These cookies help us understand how users interact with the WebApp, measure usage patterns and improve functionality. Where required by law, these cookies are deployed only with your consent.

Functionality Cookies: These cookies enable the WebApp to remember preferences and enhance user experience.

Targeting or Marketing Cookies: Where applicable, these cookies may be used to deliver more relevant communications or measure the effectiveness of marketing campaigns. Such cookies are used only where consent is obtained in accordance with applicable law.

Because the technical platform supporting the Programme is operated by Hey Pongo, certain cookies may be deployed through Hey Pongo's infrastructure. You can manage your cookie preferences through your browser settings or any cookie management tools made available within the WebApp. Please note that disabling strictly necessary cookies may affect the functionality of the Programme.

For further information regarding Hey Pongo's use of cookies, please refer to their dedicated Cookie Policy available at: link

15. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in legal requirements, operational practices or the structure of the Programme.

Where changes are material, we will notify you via the WebApp or by other appropriate means.

The "Last Update" date at the top of this Privacy Policy indicates when it was most recently revised.