Privacy and Cookie Policy

This privacy notice explains how we collect, use and store your personal data. It also gives you information about your legal rights granted under data protection laws.

The controller is Matthew Clark Bibendum Ltd, Whitchurch Lane, Whitchurch, Bristol, BS14 0JZ.

If you have any questions about this privacy notice, or how your personal data is processed, please contact our Group Data Protection Officer (DPO) at the address above or by emailing gdpr@candcgroup.com

This privacy notice was last updated June 2022. We may amend this notice at any time. The latest version will be made available on this site, and we’ll contact you if we make any significant changes to it.

We won’t be able to respond to your queries, complaints or provide certain services if you don’t provide your personal data. It’s also important that the personal information we hold about you is correct and up to date, so please keep us informed if your personal information changes during your relationship with us.

1.    Summary of this privacy notice

Personal data is information that relates to an identified or identifiable individual. We use your personal data for purposes including managing our relationship with you, to promote and market our products and services (including the use of profiling and social media), to run our business effectively, and so we can comply with our legal obligations. You can find out more about each of these purposes in Section 2 of this notice.

We only share your information with other organisations or transfer it outside the UK or European Economic Area (EEA) when this is necessary, and we require these third parties to respect the security of your data and treat it lawfully. Further information is found in Sections 3 and 4.

We only keep your personal data for as long as it’s needed to meet our operational, legal or reporting requirements, or to defend our legal rights. Section 5 provides more detail.

The rights you’re granted in relation to our use of your personal data and information on how to make a rights request can be found in Section 6.  

Information about our use of cookies and similar technologies can be found in our cookie notice.

2.    Why we use your personal data, and our lawful basis

To provide and manage our services to you

  • Your personal data is used so we can provide goods and services to you and manage any accounts you hold with us. Any such processing is a contractual requirement so we can, for example, fulfil orders you place.
  • It’s used to process payments and to prevent fraudulent transactions. We do this as part of our contractual obligations to you, and our legitimate interests to help protect our customers from fraud.
  • We’ll respond to your queries and complaints using the contact details you provide. We do this as part of our contractual obligations to you, and our legitimate interests to provide you with the best possible service. 
  • Your personal data will be used if you attend any of our events, for planning and administrative purposes.

To promote and market our products and services

  • We’ll only send electronic direct marketing to you, where:
    • we have your consent; or
    • you have bought goods or services from us and you did not opt-out of receiving marketing when this opportunity was given to you.
    • If you change your mind about receiving our electronic direct marketing, simply click the unsubscribe link in any marketing emails we send you or contact our DPO at the contact details above.
  • When we send you a direct marketing email, we may track how you respond to it using a ‘pixel’. We do this so we can see whether the email was opened and if any content was clicked, so that we can understand how effective our marketing strategies are and make improvements, where necessary. You can find out more about our use of pixels and cookies in our cookie notice.
  • Your personal data is used to administer any prize draws or competitions which you enter, based on your consent given at the time of entering. Some of these competitions use QR codes, to take you to a web-based entry form. Please note that we use a third-party vendor to provide our QR codes, who may conduct their own analysis of code usage. We also monitor QR code performance, but you cannot be identified from this data.
  • We conduct profiling to identify opportunities to promote our products and services to customers and prospective customers. This may include reviewing previous purchases or orders and combining this information with other datasets and information. This profiling allows us to better understand which of our products and services are likely to be of interest to you and develop our marketing campaigns accordingly. The lawful basis for profiling is our legitimate interests to promote our brands and help ensure our customers receive information which is likely to be of most interest. You can contact us if you don’t want us to use your personal data for this purpose. For more information, see the ‘right to object’ held in the ‘Your rights’ section below.
  • We conduct market research and studies to improve our websites, goods and services, and customer and supplier relationship and experiences. We do this on the basis of our legitimate interests to provide our customers with the best possible products and service, and more widely inform research and development within our industry. Any research findings or reports do not identify individuals. You can contact us if you don’t want us to use your personal data for this purpose. For more information, see the ‘right to object’ held in the ‘Your rights’ section below.
  • You can download our ‘Plonk’ app from App Stores. This uses Augmented Reality Technology and Application Programming Interface (APIs) for in-app facial recognition and target acquirement. Below is a summary of how APIs are used:
  • Used for facial recognition to overlay animation over the face accurately. 
  • Data is used internally in the app for efficient and effective facial recognition. 
  • User facial data is not shared by any third parties.
  • Facial data is used for internal app operation for Augmented Reality.

Because Plonk is all about sharing your Augmented Reality experience with friends, with photos and videos taken on the app, the app asks - with your permission - to allow access to contacts for this purpose. 

Our services require us to collect images and other information from your device's camera and photos. For example, you won't be able to send videos or upload photos from your camera roll unless we can access your camera or photos. 

You will be asked to agree to these access permissions at the time you download the app from the App Store. 

Information about our use of social media

We rely on social media including Facebook to promote our products. We use ‘lookalike’ audiences to display our marketing to people who are more likely to be interested in it. We don’t share any of your personal data with social media companies to do this. Instead, the social media companies will determine the audience of a particular advert based on a criteria we provide, for example social media users in a specific city with an interest in beer or cider.

You can also manage some advertising settings on the social media platforms you use. Please refer to your social media platforms for more information.

To run our business effectively

The purposes outlined in this section are primarily carried out under the lawful basis of our legitimate interests.

  • We’ll use your personal data to make sure we give you and other customers the best possible service, and to run effective and efficient systems and processes. This includes developing, testing and improving our systems, sites and services.
  • It’s used for business management, decision-making and planning purposes, to effectively run and protect our business.
  • Your data will be used to help train our staff. For example, through recording the calls made to our customer contact centres.
  • We may send you survey and feedback requests to help improve our products and services. You’re under no obligation to respond or take part if you receive these from us.
  • We monitor our network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution.
  • We maintain and monitor this website including, but not limited to, traffic data, location data, web logs and other communication data.

To comply with our legal obligations

  • Your personal data will be used to manage service issues or legal disputes involving you, other customers and suppliers, or our own employees, workers and contractors.
  • It’ll be used to help prevent and detect crime, and support the health and safety of our workforce or others. For example, through CCTV systems in place at our sites and visitor centre. Signage will be in place to tell you where CCTV is operating.
  • We may use it during our accounting and auditing processes and for any regulatory or legal reporting purposes which we must comply with.

3.    Passing your information to others

We may have to share your data with other people and organisations. We require these third parties to respect the security of your data and to use it legally. Where a third-party is acting as a ‘data processor’, they’ll act solely on our instructions and will only use your information for that specific purpose.

We may share your data:

  • With the other entities within our Group (C&C Group plc), as part of our regular reporting activities on company performance, as part of research findings conducted about our brands and products, in the context of a business reorganisation or group restructuring exercise, or for system maintenance support and hosting of data.
  • With companies that help us provide our products and services, for example companies that help us process payments, or fulfil orders and deliver products to you.
  • With marketing and media agencies who help us with our promotional activities, such as competitions and prize fulfilment.
  • With IT system providers, including data storage providers and their technical support teams, if necessary.
  • Governmental bodies, regulators, law enforcement agencies, insurers, our accountants, auditors, legal advisors, debt collection agencies, or court or tribunal services where we must do so to comply with legal obligations, exercise or defend our legal rights, to prevent and detect crime or prosecute offenders, or to safeguard and protect our employees, customers or other individuals.
  • If we sell or buy any business or assets, we may disclose your information to the prospective seller or buyer of such business or assets. If we’re acquired by a third party, customer information will be one of the transferred assets so they can continue to provide services to you.

 

4.    International transfers

Your personal data may be transferred to and stored in locations outside the UK and the European Economic Area (EEA). This will typically occur when we use service providers located outside of these areas. These data transfers require us to follow certain rules under data protection law to ensure that your data will be adequately protected, so we’ll only transfer data to countries that have been confirmed as protecting personal data to UK or EEA standards, or where we have put contractual commitments in place which make sure the data is protected to these standards.

Please contact our DPO if you want to find out more about where personal data is transferred to, or the safeguards we have in place.

5.    How long we keep your personal data

 Your personal data is only kept for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any operational, legal or reporting requirements, and in order to defend our legal rights. To decide the right retention period, we consider the purposes for which the data is processed, the amount, nature, and sensitivity of it, the potential risk of harm from unauthorized use or disclosure, and any applicable legal requirements.  

Your personal data is deleted once it’s no longer needed for these purposes.

6.    Your rights

Under data protection law you have the right to:

  • Request access to your personal information (commonly known as a data subject access request). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
  • Request the correction of incomplete or inaccurate personal information that we hold about you.
  • Request erasure of your personal information in certain circumstances. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
  • Object to processing of your personal information in certain circumstances. You also have the right to object where we are processing your personal information for direct marketing purposes.
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal information to another party, known as data portability.
  • Withdraw your consent. In circumstances where your consent is the lawful basis for the processing, you have the right to withdraw your consent at any time.

If you want to exercise any of these rights please contact GDPR@candcgroup.com.

Your right to complain to a data protection regulator

We aim to collect, use and safeguard your personal information in line with data protection laws and guidance. If you do not believe we have handled your personal data appropriately, please get in touch with our Data Protection Officer at the contact details above so that we can try to resolve your concerns.

While we hope that we can resolve your concerns, you can complain to a data protection authority regardless of whether you have exhausted our internal procedure.

  • For UK residents:

You have the right to lodge a complaint with the Information Commissioner’s Office (ICO). You can find further information and contact details at https://ico.org.uk.

  • For ROI residents:

You have the right to lodge a complaint with the Data Protection Commission (DPC). You can find further information and contact details at https://www.dataprotection.ie.