PRIVACY POLICY
ABOUT US
This website is hosted and operated by (or on behalf of) EG On The Move Limited. Throughout this Privacy Notice, when we use terms like “we”, “us”, “our” or “EGOTM”, we’re referring to EG On the Move Limited.
We are the organisation that is responsible for the personal data processing that this Privacy Notice describes. We are described in data protection legislation as being the “controller” of your personal data.
There are a number of companies in our group, namely: EG Retail Services Limited, EG Property Limited and Made To Order Limited. We refer to these companies collectively as the EGOTM Group. The general processing safeguards in this Privacy Notice apply to all of the EGOTM Group companies.
Our company registration
EG On The Move Limited is a company incorporated in England and Wales. Our company registration number is 14960308 and our registered office is Waterside Head Office, Haslingden Road, Guide, Blackburn, Lancashire, United Kingdom, BB1 2FA.
Our data protection registration
We are registered as a controller with the Information Commissioner’s Office (the “ICO”). The ICO is the UK regulator of data protection law. Our ICO registration number is ZB639948.
How to contact us
If you ever have a query about how we’re handling your personal data, or you want to exercise a right in relation to your personal data, there are a number of ways you can contact our team
You can write to us at: DPO, EG On The Move, Waterside Head Office, Haslingden Road, Guide, Blackburn, Lancashire, United Kingdom, BB1 2FA.
If you prefer to email, you can contact us at [email protected] .
OUR COMMITMENT TO YOU
We are committed to your respecting and upholding your privacy rights. In this Privacy Notice, we describe how we collect, use, and share your personal data. We also explain what rights you have in relation to your personal data.
Privacy and data protection are ever changing and enhancing the rights of individuals. As such, we review how we use your personal data, and we may update this Privacy Notice from time to time to reflect this, and to reflect any changes in the law. The Privacy Notice displayed on this page is always the most up to date version. We would encourage you to re-visit our Privacy Notice from time to time so that you are aware of any relevant updates we have made.
Personal data belonging to children
Our websites and our services are not specifically intended for children and we do not knowingly collect data relating to children. If you are under the age of 16, please obtain consent from your parent or guardian before you submit any personal data to us. If you are a parent or guardian of a minor and you have reason to believe your child or ward has provided us with their personal data without your prior consent, please contact us to request the erasure of their personal data or for the minor to be unsubscribed from our mailing lists.
What do we mean by “personal data” and “data subject”?
We recognise that the law defines “personal data” very broadly, namely as being “any information relating to an identified or identifiable natural person (the ‘data subject’)”.
A data subject is any living individual “who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
HOW DO WE CATEGORISE PERSONAL DATA?
To help explain the different types of personal data which we use, we have grouped personal data into categories as below.
Identity data
Data specifically related to your identity, including: your full name, marital status, title, date of birth, national insurance details and other recognised official identity documents. This might also include, in the case of CCTV or promotional footage, still or moving images of you or from which you can be identified.
Contact data
The contact data of you and others, including, email addresses and telephone numbers, postal address details and social media handles.
Technical data
Technical data includes internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
Marketing data
We’d like to develop lasting relationships and to help with this we might wish to collect information about your marketing preferences. We shall only send timely and relevant information about services and products we care about and that we think are relevant to you. You always have the option to decline this, or to opt out at any point.
Location data
We may access and collect your geolocation data in order to facilitate our services, such as enabling the functionality of our websites to provide you with information about sites or stores near you. We may also use data about the location of the device you are using to help us understand how our website and other services and functionality are being used and to deliver more relevant advertising.
Transaction data
We may collect data relating to the products you buy, billing address, method of payment, and payment details.
Data relating to your engagement with us
We collect data from you when you submit a review, comment or other content to our websites or on our social networking pages, and when you contact us. In addition, we may track when you like us or share our content through Facebook, Twitter, Instagram or other social networking platforms. Please see our Cookie Policy for more information.
Special categories of personal information
For the purpose of employment and assessing the working capabilities of our employees, we may process health data, which is a ‘special category’ of personal data and is subject to more stringent conditions. We may also process data relating to ethnicity and religion, where you have agreed to this, for the purposes of monitoring our equality and diversity objectives. There may be other instances where other special categories of personal data are disclosed to us, but this is incidental and not part of an organised processing activity.
Other data requiring special protection
There may be instances where we process criminal record checks, but this is only done where necessary, aligned to local laws and is strictly limited to specific people in our teams.
You can, of course, always browse our websites without registering or submitting your personal information to us.
HOW WE COLLECT YOUR PERSONAL DATA
Personal data you voluntarily provide to us
We only collect personal data that is relevant to our relationship with you, for example:
- When you visit our websites, or use our mobile applications, we use cookies and similar technologies (please refer to our Cookie Policy for more details).
- when you subscribe to our mailing lists;
- if and when you are subscribe for, or are awarded, shares in our business (including your subscription via any share register or online platform operated for those purposes);
- when you attend events or meetings organised by us, or conducted at our offices or sites, for example, sales events, promotional and marketing events, training sessions and social events;
- when your images are captured by us via CCTV cameras while you are within or in the vicinity of properties which we operate and use, or when photographs or videos of you are taken when you attend events, meetings or training sessions organised by us;
- when you use our services or enter into transactions with us, or express an interest in doing so, including services, products and transactions in person at one of our many locations or electronically;
- when you communicate with us by telephone, email, via our website or through other communication channels, for example, through social media platforms;
- when you submit an employment application to us or when you provide documents or information including your CV in connection with such applications;
- when you make a purchase through our websites; and/or
- when you submit your personal information to us for any other reason.
Personal data that has been provided by others
Depending on your relationship with us, we may also collect your personal data from third party sources, for example:-
- from your referees, educational organisations or previous employers (if you have applied to us for a job);
- from your family members, friends or colleagues who provide your personal information to us on your behalf; and/or
- from public agencies or other public sources.
HOW AND WHY WE PROCESS YOUR PERSONAL DATA
Lawful basis
There are specific reasons set out in data protection law that ensure personal data processing is fair and lawful, which is known as a “lawful basis”. We always have a lawful basis for processing personal data, and we have methodically assessed the purpose of our processing to ensure we have this.
We have set out in the table below the ways in which we process your personal data, our lawful basis for doing so, and how we try to ensure your data and rights are respected. Please let us know if you would like more information.
| Processing Type | Data Category | Our Lawful Basis | Specific Purpose and Respect for Your Information Rights |
|---|---|---|---|
| Marketing communications | Identity, Contact & Marketing data | Legitimate Interests | When you’ve asked us to, or if you are an existing customer, we’ll use your information to contact you with details of our products, events and services and to facilitate our relationship with you, your business or colleagues. You have the right to opt-out of email marketing at any time, and to object to marketing in any form. |
| Customer relationship management | Identity, Contact, Marketing & Transaction data | Legitimate Interest | We organise our customer records within customer relationship management (CRM) systems. We securely store, access, and analyse the information that we have in our CRM systems. The use of our CRM systems helps us ensure the smooth operation of our businesses, plan effectively and it helps us analyse our business. |
| Customer service | Identity, Contact, Technical & Transaction data | Contractual Obligation; Legitimate Interest | We keep and maintain records of any enquiry or complaint made by you (which may include customer service tickets), in order to manage our customer service processes efficiently and to improve our future services. |
| Training and other corporate events | Identity & Contact data (including Special Category data) | Contractual Obligation; Consent | The information you provide will be used to communicate with you about your attendance at the event and to follow-up on your experience post-event. The personal information we may process could include your name, job title and employer, address and phone number, email address, dietary and access requirements. We will ask for your consent to process any health data. |
| Promotional images and footage | Identity data | Consent | We may take photographs and/or video footage at our offices or an event we host, which could capture personal information of staff, customers, visitors, and other third parties. We will always notify participants when a photographer or filmmaker is present at our offices or events. Written consent will always be obtained, and we will respect the wishes of anyone who signals their desire not to have their image taken and will always ask for consent where photos are to be published alongside a name or other personal identifier. |
| Collection/analysis of statistical information about website usage | Technical data | Consent | We may use cookies to collect information about how you use our website, what links you follow and tells us what you’re most interested in. Other than cookies which are strictly necessary for our website to function as intended, we shall seek your consent to the use of these cookies. |
| Disclosure to regulators and government bodies, and to our professional advisers | Identity, Contact & Transaction data (including Special category data) | Legal Obligation; Legitimate Interests | We are subject to reporting, filing and (in some cases) audits and assessments to or by regulators, government entities (such as HMRC or Companies House) and industry standard bodies. In this context, we may be required to share information with disclose your personal data either to comply with the law or in the protection of our business interests. |
| Administrative and business purposes | All categories | Legitimate Interest | We may disclose your personal information to other EGOTM Companies, our investors and third parties who provide services to us, including our service providers and data processors. |
| Recruitment | Identity and Contact data (including Special category data) | Legitimate Interest | If you apply for a job with us, we shall maintain a record of your application and associated information during the recruitment process and (if you are unsuccessful) for a short period of time thereafter. |
| Security & Safety | Identity, Contact & Technical data | Legal Obligation /Legitimate Interest | We use CCTV in and around our sites, and we also use cameras that will automatically recognise your vehicle registrations, known as ANPR. |
| Investor relations | Identity, Contact, Technical & Usage data | Legitimate interest | We’ll also use your information to invite you to press releases, presentations and other investor relations events. |
| Personalise content | Contact information, Technical data, Location data | Consent | To make recommendations, promotions and offers to you about our products and services; to tailor the information that we send or display to you. |
| Testimonials | Identity information | Consent | To publish your user experience on our websites or social networking pages. |
If you provide consent to processing
If you have given us your consent to process your personal data, you may withdraw your consent at any time. When seeking your consent, we shall provide clear and specific information to you about what you are consenting to, in a transparent and unambiguous way.
Use permitted under applicable laws
We may also collect, use, disclose and process your personal data, without your knowledge or consent, where we are required to so by law.
SHARING OF YOUR PERSONAL DATA
Sharing with our service providers
In the normal course of our business, we may share your personal data with other businesses who provide services to us, and who process that data for us and on our behalf. When disclosing personal information to third parties, we have contracts with these third parties to protect your personal information, which ensures we are compliant with the law and so that they only process your personal information in accordance with our instructions. This includes sharing with vendors and service providers, who are engaged to provide business, support, operational and/ or administrative functions such as IT support, auditing, legal, marketing, website maintenance, payment, fulfilment and delivery of orders. It might also include sharing of data with credit reference agencies, debt collection and tracing agencies. We also use Shopify to power our online Cinnabon UK store and you can read more about how Shopify uses your personal data here: https://www.shopify.com/legal/privacy.
Sharing with other businesses
We may also share your personal data with other businesses, who use that data for their own purposes (and as independent ‘data controllers’). Examples of this are as follows:-
- if our business is sold or integrated with another business, your details will be disclosed to our advisers and any prospective purchaser’s adviser and will be passed to the new owners of the business;
- data may be shared to other EGOTM companies, where necessary or desirable for centralised management purposes, including operations, marketing, IT, HR or finance functions, and this may include sharing with international entities or colleagues;
- data may be shared with regulatory authorities, statutory bodies or public agencies, including to support their investigations or enquiries;
- data including CCTV footage may be shared with government or law enforcement authorities, in connection with their discharge of their public duties (such as the prevention and detection of crime).
- we may also share data with businesses with whom we work (such as fuel loyalty card providers), who need to have that data in order to provide services to you whilst engaging with us or whilst visiting our sites or stores.
International transfer of your personal data
In the provision of our websites and services to you, we may from time to time need to transfer data to other entities which are based outside of the UK. The UK General Data Protection Regulation has strict rules about data transfers to international organisations and so, where this occurs, we shall ensure we have put in place all safeguards required by the law. This may include specific rules around how and where data is transferred, and entering into contracts with them which have been approved by the UK or EU authorities as providing an appropriate level of protection for your data.
If you would like any more information, please contact our Data Protection Officer, the details of whom can be found at the end of this Privacy Notice.
Third-party links
Our websites may contain links to third-party websites. Any access to and use of these linked websites is not governed by this Policy, but instead is governed by the privacy policies of those third-party websites. We are not responsible for the information practices of such third-party websites. Please read their respective privacy policies for information about how these third parties handle the processing of personal information and other information.
THE SECURITY OF YOUR PERSONAL DATA
Unauthorised access
We have put in place security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
Specific access
We limit access to your personal data to those employees, agents, contractors and other third parties who have been authorised to access it.
Vulnerabilities
We have put in place procedures to deal with any suspected personal data breach. We will notify you and the appropriate supervisory authority of a breach where we are legally required to do so.
We cannot guarantee that our systems or applications are invulnerable to security breaches, or that your use of our systems or applications is safe and protected from viruses or other vulnerabilities.
Also we cannot guarantee the security of information that you choose to send us electronically. Sending data to us electronically is entirely at your own risk.
HOW LONG WE KEEP YOUR PERSONAL DATA
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of it, the purposes for which we process, and the applicable legal requirements.
Details of retention periods for different aspects of your personal data are available on request from our DPO’s office at [email protected].
YOUR RIGHTS RELATING TO YOUR PERSONAL DATA
At any point while we are processing your personal data, you may exercise certain rights against us, known as ‘data subject rights’. These rights differ depending on your location, but we have set out below a short explanation of your rights which apply if you live in the UK.
Right of access
You have the right to request a copy of the information that we hold about you. Access to a copy of your personal information is often known as a Subject Access Request, and is usually free of charge. We have a one-month time period with which to respond; however, if your request is complex then we may extend that limit by up to two further months. We may also ask for a reasonable administration fee if your request is manifestly unfounded or excessive in nature, or if further copies of data are requested.
Right of rectification
You have a right to review and correct data that we hold about you that is inaccurate or incomplete.
Right to be forgotten
In certain circumstances you can ask for the data we hold about you to be erased from our records. As detailed within data protection law, a request to be forgotten is not an absolute right and will be assessed on its merits.
Right to restriction of processing
Where certain conditions apply, you have a right to restrict our processing. In particular, if we do not need to process your data in order to meet a contractual or other legal requirement, or if we are using your data only for direct marketing, then you may be entitled to restrict our further usage of it.
Right of portability
You have the right to have the data that you have provided to us, for the fulfilment of a contract or where you have provided your consent, transferred in a structured and machine-readable format to another organisation.
Right to object
You have the right to object to certain types of processing, in particular where we process your personal data for marketing purposes, this is an absolute right. You will be able to object to or opt out of any marketing message we send you.
Right to object to automated processing, including profiling
You also have the right to be subject to the legal effects of automated processing or profiling.
Right to query or complain to the ICO
In the event that we refuse your request under rights of access, we will provide you with a reason why. You have the right to contact the ICO, the UK regulator, if you wish to query or complain about that, and we have provided a specific section on this below.
QUERIES, COMPLAINTS AND FURTHER INFORMATION
What to do when things don’t go as planned
If you have a query or complaint about how your personal data is being handled by us, you can write to us at DPO, EG On The Move Ltd, Waterside Head Office, Haslingden Road, Guide, Blackburn, Lancashire, United Kingdom, BB1 2FA. Alternatively you may email us at [email protected].
Your right to complain to the ICO
You also have the right to complain directly to the UK regulator, the Information Commissioner’s Office (the “ICO”). Details of how to contact them may be found at https://ico.org.uk/make-a-complaint/.
If you'd like more information about this Privacy Notice
If you have any queries about this Privacy Notice, please get in touch with our Privacy & Data Protection team, by emailing us at [email protected].
This Privacy Notice is effective from 10 December 2024.