Privacy Policy
Last updated: 16 June, 2021
MARUGAME WEBSITE PRIVACY POLICY
Welcome to the Marugame Website Privacy Policy. This Policy explains how and why we collect and use information about customers, website visitors, Marugame Club members and other individuals.
This Policy covers the following:
1. About Marugame
2. Information about customers and other individuals
3. Marketing and online advertising
4. Business contacts
5. CCTV
6. Contact tracing
7. Recipients of personal data
8. How long we store personal data for
9. How we keep personal data safe
10. International transfers
11. Your rights as a data subject
12. Updates to this policy
1. About Marugame
We are Marugame Udon (Europe) Limited, a limited liability company with registered number 12716679, having our registered office at Ampney House Falcon Close, Quedgeley, Gloucester, England, GL2 4LS. If you have a question about how we use your information or about this Policy then you can contact us by writing to our office address, telephoning us on 01452 888450 or emailing konnichiwa@marugame.co.uk.
We are regulated as a controller under applicable data protection laws (including the UK Data Protection Act 2018 and the UK GDPR (“Data Protection Laws”)) in relation to the personal data we collect and process. As a controller, we are responsible for deciding how and why we use personal data and for keeping it safe. We are registered with the Information Commissioner’s Office under registration number ZB017621.
2. Information about customers and other individuals
We collect information about customers, website visitors, Marugame Club members and persons who contact us. For example:
- Restaurant Visitors: If you visit one of our restaurants we may collect your data. This could be because you fill in a comments form, pay by card, use loyalty points/rewards/vouchers or because CCTV is in operation. We may also collect information as part of the coronavirus contact tracing measures we are required to put in place.
- Marugame Club Members: We store information about Marugame Club members, including name, postcode, email address, membership number, rewards, order history, dietary preferences you tell us about, interests you inform us of and marketing preferences.
- Click & Collect / Online Orders: If you place an order via our website we will process information in connection with your order, including your contact details and payment details as well as your Marugame Club membership (so that we can credit you with rewards).
- Website visitors: Our website and social media pages use cookies and local storage technologies, including third party advertising cookies, which results in us processing personal data about individuals. Further information can be found in Section 3 (Marketing and Online Advertising) and our Cookies Policy.
The table below sets out our lawful basis for using the information we collect:
| Category of data | How we collect it | How we use it | Lawful basis for use |
| --- | --- | --- | --- |
| Contact details (name, email and telephone number (SMS)) and marketing preferences | Provided by you when signing up for marketing or joining the Marugame Club | To send you marketing emails and SMS messages about our services and the Marugame Club loyalty program, also for marketing research and for advertising via social media. See Section 3 below for further details | Consent or legitimate interests (though please note that we will only ever send direct marketing emails or SMS messages with consent) |
| Interaction with email and SMS messages | Collected via a third party analytics services provider | To determine if emails and SMS communications have been opened and interacted with | Legitimate interests (determining the success and uptake of marketing campaigns) |
| Post code | Provided by you when signing up for marketing | We aggregate and anonymise this information (so it no longer identifies you) and use it for demographic research purposes | Legitimate interests (understanding where our potential customers are approximately located) |
| Enquiry details (including contact information and message information) | Provided by you when making an enquiry | We use this information to respond to enquiries and, where necessary, keep a record of our response and dealings with an individual | This depends on the nature of the enquiry, though it will usually be legitimate interests for general enquiries, or compliance with a legal obligation for the exercise of legal rights (as set out in Section 11) |
| Technical/device information (e.g. browser, network and device, IP address) | Collected when you visit our website | This information is anonymised and used to operate our website and ensure it displays properly | Legitimate interests (ensuring our website displays properly, monitoring visitor numbers and understanding how our website is used) |
| Payment and cardholder information | When an electronic/card payment is made in one of our restaurants or via our website | This information is processed securely using a third party payment processor (such as our website payment provider) | Taking payment is a necessary part of entering into a contract with our customers to provide food and drink |
| Marugame Club information (interests, dietary preferences, order history, rewards) | When you complete your Marugame Club membership registration | This is used to administer your membership, help us deliver relevant content, and provide you with rewards | Administering your membership and delivering rewards is part of our agreement to provide you with Marugame Club membership. Delivering relevant content is in our legitimate interests |
| Business contact data | Please see section 4 (Business contacts) | | |
| CCTV data | Please see section 5 (CCTV) | | |
| Covid-19 contact tracing data | Please see section 6 (Contact tracing) | | |
Further details about how we use information for marketing and advertising purposes can be found in Section 3 below. We do not typically collect sensitive personal data about customers, website visitors, Marugame Club members or persons who contact us (and, in the event that we do process any sensitive personal data about such persons, it will only be because they have freely chosen to provide it). We do not intentionally collect information about persons aged under 13.
3. Marketing and Online Advertising
We use personal information to carry out direct marketing and deliver online advertising. We also use cookies, details of which are set out in Section 4 below, for advertising purposes. Your advertising and communication choices are important to us. You can withdraw your consent or object to the use of your personal data for direct marketing by logging into your account and changing your preferences. You can also control marketing and advertising using the specific methods set out below.
Email updates: If you sign up for email marketing we will contact you until you unsubscribe or change your preferences. We send email marketing communications on the basis of your consent (meaning either you have signed up, or chosen to place an order with us and have been given a clear opportunity to opt-out but have chosen not to do so). You can unsubscribe from email marketing at any time by clicking the relevant link in one of our emails.
We also use data analytics in relation to our marketing emails. This allows us to see if an email has been opened. We do this because it is in our legitimate interests and helps us understand the level of interaction recipients have with our communications. Analytics information is aggregated and anonymised and used to help improve future marketing communications.
Targeted advertising: We may use information you provide when signing up to the Marugame Club in order to show you relevant advertising on third party websites and social network news feeds. You can adjust your advertising preferences using the settings on your social media profile. Advertising services providers (such as social networks) may also display our adverts to individuals they class as having similar interests/characteristics to you. We do not directly target or collect data about these individuals, and the advertising is carried out by the social network/advertiser using data they already hold.
Cookies and related technologies: Our website uses cookies and related advertising technologies such as local storage and web beacons. Cookies are small files which are stored on your device and which can be read in order to distinguish you from other users. Cookies have a variety of functions, such as enabling website functionality and remembering users who have visited or logged in previously (for example, to track visitor numbers). Cookies can also keep track of sites you have visited so that relevant advertisements can be placed on other sites (such as by search engines and social media sites). We only use advertising cookies with your consent.
You can opt-out of cookies, either by refusing to consent to their installation or by adjusting your browser or device settings. You can also control targeted advertising on social media platforms by adjusting your privacy and advertising settings. For further information about cookies please visit our Cookies Policy.
4. Business contacts
We collect and process personal information on business contacts (such as supplier contacts, individual contractors, professional advisers etc.). We do this either because it is necessary in order to perform a contract with the individual in question or, where the individual is a company contact or representative, because it is necessary for our legitimate interests in purchasing goods or services in connection with our business. This information (which typically includes a person’s name, job title, employer, contact details and profession/expertise) is collected for business purposes and will not be used for direct marketing or advertising.
5. CCTV
Some of our restaurants use CCTV in order to protect staff, customers and property. CCTV cameras are always visible and clearly signposted. CCTV may be located inside or outside of a restaurant, but will only ever be used in publicly visible areas such as doorways, or secure areas such as tills or loading bays. CCTV normally only records video footage and images are only stored for a short period (usually around a month) after which they are automatically deleted unless there is a reason to store specific footage for longer.
Access to CCTV images is restricted to senior staff, who will only view the recording where necessary. We only share CCTV with others in exceptional circumstances (such as requests from law enforcement) or if required by law. If there is a possibility of recordings being made public (for example, to assist in the identification of an offender) we will consult with and take into account the wishes of any other persons who might be affected; alternatively, we may blur or disguise other individuals where possible to prevent identification. All staff are required to comply with a strict policy regarding the use of, and access to, CCTV, and we adhere to the CCTV Code of Practice published by the Information Commissioner’s Office.
If you require more information about the CCTV used in any of our restaurants please contact us. Please note, there may be some situations where we are not the controller in respect of CCTV used in or outside a restaurant (for example, if you visit a franchise restaurant, then the franchise owner may be the data controller; alternatively, exterior CCTV may be controlled by a landlord or local authority), in which case your request should be directed to the relevant controller.
6. Contact tracing
To support NHS Test and Trace (which is part of the Department for Health and Social Care) in England, we are required by law to collect and keep a limited record of staff, customers and visitors who come onto our premises for the purpose of contact tracing. By maintaining records of staff, customers and visitors, and sharing these with NHS Test and Trace where requested, we can help to identify people who may have been exposed to the coronavirus. As a restaurant visitor you will be asked to provide some basic information and contact details. The following information will be collected:
- the names of all visitors
- a contact phone number for each visitor
- date of visit and arrival time and departure time
- the details of the waiting staff you interacted with
As the controller collecting this data, we will be responsible for it unless or until it is requested by NHS Test and Trace (from which point that service will be responsible for it). NHS Test and Trace require that we retain contact tracing information for 21 days from the date of your visit after which it will be destroyed. We will only share information with NHS Test and Trace if it is specifically requested by them. For example, if another customer reported symptoms and subsequently tested positive, NHS Test and Trace can request the log of customer details for a particular time period (for example, this may be all customers who visited on a particular day or time-band, or over a 2-day period).
We collect and process this information because we have a legal obligation to do so. The legal obligation to which we’re subject means that we’re mandated by law to co-operate with the NHS Test and Trace service, in order to help maintain a safe operating environment and to help fight any local outbreak of coronavirus. If you refuse to provide contact tracing information when requested to do so then you may be refused entry or service.
7. Recipients of personal data
Information that you provide to us will be kept private. We will only disclose or share your personal data with other data controllers where it is necessary and we are legally permitted to do so. This may include sharing information with third parties that provide advertising services (described in Section 3 above), as well as within the Marugame group (which includes our affiliates, subsidiaries and the franchisees who operate our restaurants) and with our professional advisers. If we decide to sell or transfer all or part of our business we may share the information we hold with parties involved in the sale or transfer.
We also share personal data with some of the third parties who provide services to us. This includes IT service providers, vendors, suppliers and consultants. However, these third parties will only be allowed to handle personal data after providing guarantees that the information will be kept safe and secure, and if they agree to only use it for specified purposes in accordance with our strict instructions.
8. How long we store personal data for
We only retain personal data for as long as is necessary for the specific purposes it was collected for (or for related compatible purposes such as complying with applicable legal or administrative/record-keeping requirements). To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from its unauthorised use or disclosure, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
If we are holding data on the basis of your consent for direct marketing or targeted advertising purposes, we will only keep it for so long as your consent remains valid. If you withdraw your consent we will delete the data being processed on that basis. We may retain some information if there is another lawful basis for doing so, such as keeping data on a suppression list to ensure you do not receive marketing information after unsubscribing.
9. How we keep personal data safe
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, damaged or destroyed, altered or disclosed. Our security includes physical security measures and electronic technical and organisational measures. We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and are subject to legal and contractual confidentiality obligations.
We have put in place reporting procedures to deal with any suspected personal data breach and will notify you and any applicable supervisory authority of a breach when legally required to do so.
10. International transfers
We normally only store personal data within the UK or European Economic Area (“EEA”). However, some of our suppliers and affiliates are located in other countries. Before transferring information outside the UK or EEA we take steps to make sure that it will be adequately protected and transferred in accordance with Data Protection Laws. We do this by either: (1) ensuring the recipient is in a country approved as providing adequate protection for personal data; (2) implementing appropriate safeguards (such as Standard Contractual Clauses); or (3) using other international transfer methods permitted by Data Protection Laws.
If you would like more information regarding the measures and safeguards we implement when carrying out international data transfers, then please contact us using the details set out in Section 1 above.
11. Your rights as a data subject
Data Protection Laws provide you with certain rights in relation to your personal data. These are as follows:
- The right of access. This is the right to receive a copy of the personal data we hold about you, subject to certain exemptions.
- The right to correction or completion of personal data. This is the right to have any incomplete or inaccurate personal data corrected.
- The right to erasure (the “right to be forgotten”). This allows you to request us to delete or remove personal data. You also have the right to request us to delete or remove your personal data where you have exercised your right to object to processing. In certain circumstances this right may not apply, such as where we have a good, lawful reason to continue using the information in question and, if so, we shall inform you of such reasons at the relevant time.
- The right to object. You can object to us processing your personal data for legitimate interests purposes or for direct marketing. We must then stop processing your data unless we have a strong reason to continue which overrides your objection. If your objection is to direct marketing, we must always stop.
- The right to restrict use. You can limit how we use your personal data in certain circumstances. Where this applies, any processing of your personal data (other than storing it) will only be lawful with your consent or where required for legal claims, protecting certain rights or important public interest reasons.
- The right to a portable copy or to transfer your personal data. You can request that we provide you, or (where technically feasible) a third party, with a copy of your personal data in a structured, commonly used, machine-readable format. Note this only applies to personal data which we obtain from you and, using automated means, process on the basis of your consent or in order to perform a contract.
- The right to withdraw consent. If we are relying on consent to process your personal data then you have the right to withdraw that consent at any time.
We try to respond to all personal data requests within one month. Occasionally it may take us longer if your request is particularly complex or you have made a number of requests. Please also bear in mind that there are exceptions to the rights above and some situations where they do not apply.
We may need to request additional information from you to help us confirm your identity. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you to clarify your request.
You will not normally have to pay a fee to access your personal data (or to exercise any of your other rights). However, we may charge a reasonable fee if your request is manifestly unfounded, repetitive or excessive. Alternatively, in these circumstances, we may refuse to comply with your request.
12. Updates to this policy
We will update this policy from time to time. The current version will always be posted on our website. This policy was last updated in June 2021.