PRIVACY

Privacy Policy

Welcome to the website of Fresh Grocery Delivery Services Limited (T/A “HelloFresh”). In our capacity as controller within the meaning of the General Data Protection Regulation ("GDPR"), we are obliged to comply with statutory provisions on data protection. As a matter of course, we greatly value the protection of your personal data along with fair and transparent data processing. We have provided you below with all the information you need to verify and exercise your data protection rights.

Who is responsible for data processing?

The controller of your personal data is: Fresh Grocery Delivery Services Limited 16 Sir John Rogerson's Quay, Dublin 2, D02 DH34, Ireland www.hellofresh.ie

How can I contact the data protection team?

You can contact our data protection team at: privacy@hellofresh.ie

Why and on what legal basis do we process personal data?

If you are a HelloFresh customer, create an account with us, participate in competitions or promotions or otherwise contact us, we will receive your personal data. We collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows: Identity Data may include first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender. Contact Data may include billing address, delivery address, email address and telephone numbers. Financial Data may include bank account and payment card details. Transaction Data may include details about payments to and from you and other details of products and services you have purchased from us. Technical Data may include internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website. Profile Data may include your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses. Usage Data may include information about how you use our website, products and services. Marketing and Communications Data may include your preferences in receiving marketing from us and our third parties and your communication preferences. We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice. We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences. We generally process data on the following legal bases: 6.1a GDPR, if you give us your explicit consent for data processing, e.g. if you are a prospective customer we may need your consent to send you marketing emails; 6.1b GDPR, if we are acting to fulfil our contractual obligations, e.g. if we use your email address to confirm the delivery date for your next cooking box; 6.1c GDPR, if we are acting to fulfil legal obligations, e.g. if we check your age and your identity before the conclusion of a contract or to prevent fraud; 6.1f GDPR, if we process your data due to a legitimate interest of ours or a third party’s, e.g. if we use your email address to send you our newsletter for direct advertising purposes, where we provide your data to third parties (as outlined below) or for optimising our website’s advertising design. You have the right to object to use of your personal data for our legitimate business interests. If you do object, we will have an opportunity to demonstrate that there are compelling legitimate grounds which override your rights and freedoms or that processing is necessary for the establishment, exercise or defence of legal claims. We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Data processing by HelloFresh

3.1.1 Shipping your cooking boxes / customer account

We are pleased to be able to supply you with our cooking boxes and recipes kits. To enable you to order from us, we will create a customer account for you after your registration. In order to protect your customer account from access by third parties, we store your user name and password. In order to be able to deliver the cooking boxes to you as desired, we store your contact data, order and delivery time and payment information. You can voluntarily provide your phone number so that we can contact you in case of delays or problems delivering your cooking box. Please note that you may deactivate your account at any time.

3.1.2 Paying for the HelloFresh Box

Your payment details will be sent to the appropriate payment service provider depending on the payment method you choose. The payment service provider is responsible for your payment data. Information, particularly about the authority responsible for the respective payment service provider, the contact information for the data protection officers of the payment service providers and the categories of personal data that are processed by the payment service providers, can be obtained from the following addresses: PayPal (Europe) S.à.r.l. et Cie., Luxembourg, Data protection declaration: https://www.paypal.com/ie/webapps/mpp/ua/privacy-full Adyen B.V. Netherlands, Data protection declaration: adyen.com/policies-and-disclaimer/privacy-policy American Express Services Europe Ltd., United Kingdom, Data protection declaration: https://www.americanexpress.com/en-iec/company/legal/privacy-centre/binding-corporate-rules/

3.1.3 Customer Care

You can contact us via phone, chat, facebook or twitter message to ask us questions, send us messages or make complaints. We only process your personal data in this context in order to get in contact with you the way you wish and to answer or fulfil your request or complaint.
We may also use your personal data, such as your name, email address, phone number and product information to identify and call you to find out more about your experience with HelloFresh and how you think it could be improved. We may also call you after you have deactivated your customer account so that we can find out if you would like to re-activate it (or change how you have used HelloFresh's services in the past). All of our calls will be recorded for training and monitoring purposes and you will have the right to opt out from receiving these calls at any time by contacting us at www.hellofresh.ie or by informing the agent on the call. For users who are not already existing HelloFresh customers, you will have the right to opt-in to be contacted by us.

3.1.4 Participation in competitions

If you take part in one of our competitions, we collect data that is necessary to carry out the competition. This usually includes an individual competition entry (e.g. a comment or a photo), as well as your name and your contact details. It is possible that we transmit this data to our competition partners, e.g. to send you the prize. The processing and transfer of data may vary depending on the competition and is therefore specifically described in the respective conditions of participation. Participation in the competition and the associated data collection is, of course, voluntary.

3.1.5 User images of Gravatar

We have integrated the Gravatar avatar service from the operator Automattic, Inc, San Francisco, USA, on our website. If you are registered with Gravatar, the company will send us your profile picture, which will be displayed next to your comment. Using this function means that your email address is transmitted encrypted to Gravatar and compared with the email address stored there. By displaying the images, Gravatar can store user IP addresses. For more information on Gravatar’s collection and use of data, please refer to Gravatar’s privacy policy (https://automattic.com/privacy/). If you do not want your Gravatar image to be displayed, please use an email address that you have not provided for the Gravatar avatar service.

3.1.6 Sending our newsletter

At HelloFresh, you have the option of subscribing to our newsletter in different ways, e.g. when registering, on our recipe page or on our blog. Advertising information will only be sent to your email address as part of our newsletter if you are an existing customer or have agreed (by opting in) to use your email address for this purpose. Of course, you can revoke your consent to be sent newsletters at any time, e.g. by clicking the unsubscribe link in the newsletter, updating the communication setting in your customer account or by sending a message to www.hellofresh.ie.
For users who are not already existing HelloFresh customers, we use the double opt-in procedure for subscribing to our newsletter. This means that after your registration we will send you an email to the email address provided asking you to confirm that you would like to receive the newsletter. We also store your IP address and the time of your registration and confirmation. This enables us to prove your registration and, if necessary, clarify any possible misuse of your personal data.

3.1.7 Other advertising by HelloFresh

HelloFresh uses the email address, telephone number and postal address provided by the customer to inform on similar product and service offers by email, SMS, and mail. If you do not wish to receive any further advertising information by email or mail, you can object to the use of your contact data for advertising purposes at any time without incurring any costs other than for transmission according to the basic rates.
You can submit your revocation by phone +353 1 223 8958, in writing privacy@hellofresh.ie It is also possible to change communication preferences at any time in the customer account area when subscribing to the newsletter with an existing customer account.
If you are a new customer, and where we permit selected third parties to use your data, we (or they) will contact you by electronic means only if you have consented to this.
We also work with Experian, who help us with a number of different marketing initiatives.
Here’s a list of the current activities carried out by Experian:
HelloFresh provides Experian with customer records, which Experian analyse and segment in order to build prospect audiences and customer modelling for direct marketing campaigns.
Experian combines our customer records with their own data in order to identify an actionable audience within Facebook for targeted advertising. These activities are carried out on the legal basis that marketing HelloFresh is a legitimate interest of our business and you have the right to object to this activity as outlined above.

3.1.8 Recruiting friends

If you are already a HelloFresh customer, you can also invite your friends to order our boxes. As we do not want to bother anyone, it is important that your friend wants to receive information about our services. Therefore, please only use our “Refer-a-Friend” function if you are convinced of your friend’s interest beforehand.

3.1.9 Customer feedback and support

HelloFresh uses the tool Usabilla, a service of Usabilla B.V., Netherlands. The tool enables you to give us feedback on our offers. The use of the tool is anonymous, i.e. we cannot associate your feedback with your identity. We also use a service provider, called FlavorWiki, which collects personal data from you (for example, your email address) so that we can find out more about what recipes and food you enjoy as a HelloFresh customer.
For customer support, we use the cloud-based platform PureCloud, a service of Genesys. All data that you enter on the support platform is stored and processed in order to provide customer support. The data is stored in the EU, USA and Australia. After termination of the contract with PureCloud, the data will be deleted.

3.1.10 Social media

Registration with Facebook Connect We offer you the opportunity to register with us through Facebook Connect (Facebook Inc., USA, Data protection declaration: www.facebook.com/policy.php). An additional registration is not necessary in this case. You will be redirected to the Facebook page where you can log in with your user data. This will link your Facebook profile and our service. The link automatically provides us with the following information from Facebook: Facebook name, Facebook profile and cover picture, email address stored on Facebook, Facebook friends lists, Facebook likes, birthday, gender, country, language.
Data is used to set up, provide and personalise your customer account.
Social media plugins On our blog or in our recipe suggestions, we have included social media plugins that you can use to share certain content over social networks. To protect your privacy, we offer you these social plugins as so-called “2-click buttons.” The “2-click solution” prevents data (e.g. your IP address) from being transmitted to social networks such as Facebook or Twitter as soon as you open our website. For this purpose, the buttons are deactivated by default and are only activated by clicking the social plugins for the first time. After activation, the plugins also collect personal data such as your IP address and send it to the servers of the respective provider where it is stored. In addition, activated social plugins set a cookie with a unique identifier when loading the relevant website. This also allows providers to create profiles of your usage behavior. The data will be used to show you personalised advertising, as well as for market and opinion research purposes. Data transfer is independent of whether you have an account with the plugin provider and are logged in there. If you are logged in with the plugin provider, your data collected with us will be assigned to your existing account with the plugin provider.
We have no exact information about the concrete use of the data nor about the storage period. Please read the privacy policy of the respective providers. We have integrated the plugins of the following providers on our website: Facebook (Facebook Inc., USA, Data protection declaration: http://www.facebook.com/policy.php) Twitter (Twitter Inc., USA; Data protection declaration: http://twitter.com/privacy/) Pinterest (Pinterest Inc., USA; Data protection declaration: http://de.about.pinterest.com/privacy/) Google+ (Google Inc., USA; Data protection declaration https://www.google.com/policies/privacy/partners/?hl=de)

3.2 Will my usage data be processed for website optimisation and usage-based online advertising?

HelloFresh uses cookies to create pseudonymous user profiles in compliance with legal requirements, but also to make the use of our website as optimal as possible. We can evaluate usage profiles in order to understand the use of our website, to determine target audiences for our products and to optimise our offers. When we create pseudonymous user profiles, we do not directly associate this data with you and therefore cannot trace specific activities back to you.
Cookies are small text files that are placed on your computer when you visit our website and allow your browser to be reassigned. Cookies store information such as your language setting, the duration of your visit to our website or the information you enter there. This avoids the need to re-enter all necessary data for each use. Cookies also enable us to recognise your preferences and to tailor our website to your interests.
Most browsers automatically accept cookies. If you want to prevent cookies from being saved, select “do not accept cookies'' in the browser settings. You can find out how this works in detail from your browser provider’s instructions. You can delete cookies that are already stored on your computer at any time. However, we would like to point out that our website may only be of limited use without cookies. Alternatively, you can prevent the collection and forwarding of your data (particularly your IP address) and the processing of this data by deactivating the execution of Javascript in your browser or by installing a tool such as “NoScript.”
You can also disable the use of cookies by third parties by using the Network Advertising Initiative’s disabling tool. However, we and the providers will continue to receive statistical information on how many users visited our website and when.
We would like to explain some of the services in more detail below:
3.2.1 Google Analytics Our website uses Google Analytics, a service of Google Inc., USA (“Google”). Google Analytics enables us to evaluate your website use in order to compile analyses of website activity and make use of other services associated with website and Internet use.
We would like to point out that the code “gat.anonymizeIp();” has been added to Google Analytics to ensure anonymous collection of IP addresses (so-called IP masking). Your IP address will be anonymised by Google within member states of the European Union or in other signatory states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the US and shortened there. The IP address transmitted by your browser with Google Analytics will not be merged with other Google data. More information on terms of use and data protection can be found at https://www.google.com/analytics/terms/de.html and https://www.google.de/intl/de/policies/.
In addition, you can prevent Google from collecting data by downloading and installing the browser add-on. By clicking the following link, an opt-out cookie is set that will prevent the future collection of your data when you visit this website: Disabling Google Analytics.
We also use the Google Conversion Tracking service as part of Google Analytics. This enables us to record the behavior of our website visitors. For example, we are shown how often the contact form has been filled in. We also see how many clicks on advertisements from external sources (AdWords, LinkedIn, Xing, Bing) have led to our website.
3.2.2 Facebook Custom Audience Pixel This website uses Custom Audience Pixel, a service of Facebook Inc., USA. Custom Audience Pixel is a Java script code that we have integrated into each of our web pages. We use custom audience pixels to collect information about the way visitors use our website. This pixel collects and reports Facebook information about the user’s browser session, a hashed version of the Facebook ID and the URL being viewed. Each Facebook user has a unique and device-independent Facebook ID that enables us to address and recognise users across multiple devices on the social network Facebook so that we can reach our visitors again for advertising purposes through Facebook ads. After 180 days, the user information will be deleted until the user returns to our website. Therefore, no personal information about the individual website visitors is disclosed to HelloFresh and website customer target audiences can only be specifically advertised to as soon as they have reached a significant mass in terms of numbers. For more information on Facebook and its privacy settings, please see the privacy policy and terms of use of Facebook Inc.
3.2.3 Facebook Audience Building Experian combine our customer records with their own data in order to identify an actionable audience within Facebook for targeted advertising. Experian will upload the resulting actionable audiences, in accordance with HelloFresh’s instructions, into Facebook’s Custom Audience feature to allow for targeted advertising within Facebook. When using Facebook’s Custom Audience feature, the data used to build the audiences is hashed. For more information on Facebook and its privacy settings, please see the privacy policy and terms of use of Facebook Inc. This activity is carried out on the basis that marketing HelloFresh is a legitimate interest of our business and you have the right to object to this activity as outlined above.
3.2.4 Other operators We also use the following services for website analysis purposes and for personalised advertising. If you want to deactivate the respective service, please follow the respective opt-out link, if indicated:
Service Operator Opt-out Hotjar Hotjar Ltd, Malta www.hotjar.com/opt-out New Relic New Relic Inc., USA Email: Privacy@newrelic.com Bing Ads Microsoft Corp., USA Deactivation of cookies in general browser settings SalesForce Salesforce.com Inc. Email: privacy@salesforce.com Google AdWords and Conversion Tracking Google Inc., USA Deactivation of cookies in general browser settings Google Dynamic Remarketing Google Inc., USA Deactivation of cookies in general browser settings Google GA Audience Google Inc., USA www.google.de/settings/ads/onweb#display_optout Google DV360 Floodlight Google Inc., USA https://support.google.com/campaignmanager/answer/2893966?hl=en Double Click and Double Click Spotlight Google Inc., USA www.google.de/settings/ads/onweb#display_optout Twitter Advertising Twitter Inc., USA https://optout.aboutads.info Taboola Taboola Inc., USA www.taboola.com/privacy-policy Crazy Egg Crazy Egg Inc., USA www.crazyegg.com/opt-out Outbrain Outbrain UK Limited, USA www.outbrain.de/legal/privacy-713 BidSwitch BidSwitch, USA www.iponweb.com/privacy-policy/ Flashtalking Flashtalking Inc., USA http://www.flashtalking.com/privacypolicy/ VE Interactive Ve Global UK Limited, UK Deactivation of cookies in general browser settings Impact radius Impact Tech, Inc., US https://impact.com/privacy-policy/ FLXONE Mapp Digital Germany GmbH, Germany http://flxone.com/platform/

4. Will my data be transmitted to third parties?

In order for HelloFresh to process your data according to the purposes described above, it may be necessary for other recipients to also be able to view and process your data.
4.1 Recipients within the HelloFresh Group HelloFresh is a global company with subsidiaries worldwide. In special cases, it may be necessary for us to transfer your data to our Group parent company, HelloFresh SE, Berlin, or other HelloFresh affiliates, to perform certain tasks for the Group. However, such a transmission shall only take place if we have a basis of authorisation or as part of order processing in accordance with Art. 28 GDPR.
4.2 Other service providers, partners and third parties HelloFresh shares personal data with third party service providers processing personal data on HelloFresh’s behalf in accordance with Art. 28 GDPR. This includes the following service providers:
Transport companies (for example, to ship and deliver your recipe box) Banks and payment service providers (for example, to process credit cards and payments)
IT service providers (for example, to host, manage and service our data) Our customer care providers (for example, RSVP, CityConnect and Linea Directa); and
Marketing companies who assist us with marketing campaigns (for example, our direct sales agencies and printers)
HelloFresh also shares personal data with third parties to the extent necessary to: (i) comply with a government request, a court order or applicable law;
(ii) prevent illegal uses of our sites and apps or violations of our sites’ and the apps’ terms of use and our policies;
(iii) defend ourselves against third party claims;
and (iv) assist in fraud prevention or investigation (e.g., counterfeiting).

5. Will my data be processed outside the EU/EEA and how is data protection ensured?

It is important to us to process your data within the EU/EEA. However, we may use service providers who process data outside the EU/EEA, for example, Experian use a data sub-processor in India. In these cases, we ensure that an appropriate level of data protection is established prior to the transfer of your personal data to non-EEA countries including; an adequacy decision under Article 45 GDPR, Standard Contractual Clauses under Article 46.2 GDPR or Binding Corporate Rules under Article 47 GDPR. To obtain more information concerning these safeguards see Contact Us below.

6. How long will my data be stored?

We delete personal data as soon as the purpose of storage no longer applies and legal retention periods do not preclude deletion.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
By law we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years after they cease being customers for tax purposes.
At HelloFresh, we usually delete data as follows: Job applicant data: no later than six months after receipt of application Contract data: after termination of the HelloFresh subscription, except where retention obligations provide otherwise
Contact requests: after processing the request

7. Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
Unfortunately, the transmission of information via the Internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

8.What rights do I have and how can I assert them?

Every customer or any other person affected by data processing has the right of access according to Art. 15 GDPR, the right to rectification according to Art. 16 GDPR, the right to erasure according to Art. 17 GDPR, the right to restriction of processing according to Art.18 GDPR, the right to objection according to Art. 21 GDPR and the right to data portability according to Art. 20 GDPR.
The following is a summary of your rights:
The right of access enables you to receive a copy of your personal data The right to rectification enables you to correct any inaccurate or incomplete personal data we hold about you The right to erasure enables you to ask us to delete your personal data in certain circumstances The right to restrict processing enables you to ask us to halt the processing of your personal data in certain circumstances The right to object enables you to object to us processing your personal data on the basis of our legitimate interests (or those of a third party), including processing for direct marketing purposes or where we are performing a task in the public interest. Your objection will be upheld, and we will cease processing your personal data, unless the processing is based on compelling legitimate grounds or is needed for the exercise or defence of legal claims that may be brought by or against us. The right to data portability enables you to request us to transmit personal data that you have provided to us, to a third party without hindrance, or to give you a copy of it so that you can transmit it to a third party, where technically feasible.
If you wish to exercise any of these rights, please contact us at privacy@hellofresh.ie
You can revoke your consent to the processing of personal data at any time. This also applies to the revocation of declarations of consent that were given to us prior to the validity of the General Data Protection Regulation, i.e. before May 25, 2018. Please note that revocation will only take effect for the future. Processing that took place before the revocation is not affected.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
You have the right to make a complaint at any time to the Data Protection Commission, the Irish supervisory authority for data protection issues (https://www.dataprotection.ie/). We would, however, appreciate the chance to deal with your concerns before you approach the DPC so please contact us at privacy@hellofresh.ie or on+35312238958 in the first instance.
Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.
You can ask us or third parties to stop sending you marketing messages by contacting us at any time, or by adjusting your communication preferences via Account Settings on our website. If you no longer wish to receive our email communications, you can unsubscribe at any time by clicking on the unsubscribe link at the end of each newsletter.
Changes to our Privacy Policy
Applicable law and HelloFresh’s practices change over time. If we decide to update our privacy policy, we will post the changes on our website. If we materially change the way in which we process your personal data, we will provide you with prior notice, or where legally required, request your consent prior to implementing such changes. We strongly encourage you to read our privacy policy and keep yourself informed of our practices. This privacy policy was last modified in [July 2022].