Privacy Policy for Creams Franchising Ltd

BACKGROUND:

Creams understands that your privacy is important to you and that you care about how your personal data is processed. We respect and value the privacy of everyone and will only collect and use personal data in ways that are described here, and in a way that is consistent with our obligations and your rights under the law.

1. Information About Us

Creams Franchising Ltd, registered in England under company number 07985478, is the data controller for the personal data we process, unless otherwise stated.

Registered address: 7th Floor Winchester House, 259 – 269 Old Marylebone Road, London NW1 5RA

Information Commissioner’s Office – Data Protection Registration number: ZA031240.

VAT number: 131245063

We are members of British Franchise Association.

2. What Does This Notice Cover?

This Privacy Information explains how we use your personal data. It also contains details of your rights regarding your personal data under law.

3. What is Personal Data?

Personal data is defined by the UK General Data Protection Regulation (European Union (Withdrawal) Act 2018) (the “UK GDPR”) as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.

Personal data is, in simpler terms, any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers.

The categories of personal data we use are set out in Part 5, below.

4. Our commitment to data protection principles

Under the UK GDPR, all personal data obtained and held by us must be processed according to a set of core principles. In accordance with these principles, we will ensure that:

processing is fair, lawful and transparent
data is collected for specific, explicit, and legitimate purposes
data collected is adequate, relevant and limited to what is necessary for the purposes of processing
data is kept accurate and up to date. Data which is found to be inaccurate will be rectified or erased without delay
data is not kept for longer than is necessary for its given purpose
data is processed in a manner that ensures appropriate security of personal data including protection against unauthorised or unlawful processing, accidental loss, destruction or damage by using appropriate technical or organisation measures
we comply with the relevant GDPR procedures for international transferring of personal data

5. What Personal Data Do We Collect?

We may collect some or all of the following personal data (this will vary according to your relationship with us):

Name
Address
Email address
Telephone number
Date of birth
Gender
Business name
Job title
Citizenship
Education
Profession
Payment information
Information about your preferences and interests
CCTV images

For job applicants, along with personal data, we will also process special categories of personal data as required within the field of employment, social security and legal obligations. We do also process this type of data when you have given explicit consent for us to do so, when it is necessary for legal claims or reasons of substantial public interest, or you have already made the data public. The categories of data processed for this purpose are the following:

Personal details such as name, address, phone numbers;
Name and contact details of your next of kin;
Your photograph;
Right to work documentation;
Information gathered via the recruitment process such as that entered into a CV or included in a CV cover letter;
References from former employers;
Details on your education and employment history etc;
Driving license;
Criminal convictions details.

We will only collect your driving license and criminal conviction data where it is appropriate given the nature of the role you are applying for and where the law permits us. We use criminal conviction data to determine your suitability for the role.

The personal data listed above will usually be collected directly from you. However, depending on your relationship with us, we will collect your personal data from the following third parties:

5loyalty Ltd (Creams App)
Access Group
Employment agencies
Former employers
Credit reference agencies

6. How Do We Use Your Personal Data?

Under the GDPR, we must always have a lawful basis for using personal data. This may be because the data is necessary for our performance of a contract with you, because you have consented to our use of your personal data, or because it is in our legitimate business interests to use it, or there may be a legal obligation on us to do so. Your personal data may be used for one or more of the following purposes:

Providing and managing your account.
Supplying our products AND/OR services to you.
Personalising and tailoring our products AND/OR services for you.
Communicating with you. This may include responding to emails or calls from you.
Supplying you with information by email and/or post that you have opted-in to. You may unsubscribe or opt-out at any time.
For marketing purposes, which can include contacting you by email, telephone, text message and/or post with information, news, and offers on our products and/or services. You will not be sent any unlawful marketing or spam. We will always work to fully protect your rights and comply with our obligations under the UKGDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003, and you will always have the opportunity to opt out of marketing activities.
To process a job application, including carrying out checks in relation to your right to work in the UK, to make reasonable adjustments for disabled employees, to make decisions on recruitment, salary and benefits, assessing training needs and preventing fraud.
To process a Franchisee application.
Dealing with legal claims made against us.

Where you have provided consent for us to process your personal data for a particular purpose, you have the absolute right to withdraw that consent at any time and we will no longer process your personal data for that particular purpose with no consequences to you. You can request to withdraw your consent using the data protection team contact details specified in Part 12.

Where your personal data is required for a contractual requirement, if you fail to provide such data, we may not be able to provide you with the services AND/OR product or fulfill our requirements for entering into a contract of employment with you.

7. How Long Will We Keep Your Personal Data?

We will not keep your personal data for any longer than necessary given the reason(s) for which it was first collected. Your personal data will therefore be kept for the following periods or, where there is no fixed period, the following factors will be used to determine how long it is kept:

Required legal time frames for keeping the personal data.
Commercial needs and interests.
Unsuccessful job applications are not retained after the application process or, with your consent, for up to 6 to 12 months.
Unsuccessful Franchise applications 12 months.

8. Do We Share Your Personal Data?

We will not share any of your personal data with any third parties for any purposes, subject to one important exception.

In some limited circumstances, we may be legally required to share certain personal data, which might include your name, address, phone number, email address, if we are involved in legal proceedings or complying with legal or contractual obligations, a court order, or the instructions of a government authority.

9. Where Do We Store or Transfer Your Personal Data?

We will only store or transfer your personal data within the European Economic Area (the “EEA”). The EEA consists of all EU member states, plus Norway, Iceland, and Liechtenstein. This is based on the adequacy status that the members of the EEA have been recognised with under the UK GDPR. This means that your personal data will be fully protected under the GDPR or to equivalent standards by law. Where there is a business need to transfer data outside the EEA, we will ensure that these transfers are done in accordance with law and meet the data protection requirements of the exporting and importing country.

10. What Are Your Rights?

Under the GDPR, you have the following rights under certain circumstances, which we will always work to uphold:

The right to be informed about our collection and use of your personal data. This Privacy Notice should tell you everything you need to know, but you can always contact us to find out more or to ask any questions using the data protection team contact details specified in Part 12.
The right to access the personal data we hold about you (commonly known as a Subject Access Request).
The right to have your personal data rectified if any of your personal data held by us is inaccurate or incomplete.
The right to be forgotten, i.e. the right to ask us to delete or otherwise dispose of any of your personal data that we have.
The right to restrict (i.e. prevent) the processing of your personal data.
The right to object to us using your personal data for a particular purpose or purposes.
The right to data portability. This means that, if you have provided personal data to us directly, we are using it with your consent or for the performance of a contract, and that data is processed using automated means, you can ask us for a copy of that personal data to re-use with another service or business in many cases.
Rights relating to automated decision-making and profiling. We do not use your personal data in this way.

Further information about your rights can also be obtained from the Information Commissioner’s Office (ICO) or your local Citizens Advice Bureau.

If you have any cause for complaint about our use of your personal data, you have the right to lodge a complaint with the ICO. The contact details for the ICO can be found at www.ico.org.uk/make-a-complaint.

11. How Can You Exercise Any of Your Rights?

If you want to know what personal data we have about you, you can ask us for details of that personal data and for a copy of it (where any such personal data is held), i.e. submit a “Subject Access Request”.

Subject Access Requests, along with all other rights, can be exercised in writing, via email or post, by telephone or through our social media channels. To make this as easy as possible for you, a Subject Access Request Form is available for you to use. You do not have to use this form, but it is the easiest way to tell us everything we need to know to respond to your request as quickly as possible. Please email our DPO at info@creamscafe.com for a copy of the Subject Access Request Form.

If you would like to exercise any of your rights specified in Part 10, you can do so by getting in touch with us, including via the data protection team contact details specified in Part 12.

There is not normally any charge for exercising any of your rights. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs in responding or we may refuse to act on your request.

We will respond to your subject access request without undue delay and not more than one month after receiving it. Normally, we aim to provide a complete response within that time. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date we receive your request. You will be kept fully informed of our progress.

12. How Do You Contact Us?

For any matters relating to the processing of your personal data, including exercising your rights and raising a complaint, you can contact our data protection team via the following details:

Email address: info@creamscafe.com

Postal Address: DPO, Creams Franchising Ltd, 7th Floor Winchester House, 259-269 Old Marylebone Rd, London NW1 5RA

Changes to this Privacy Notice

We may change this Privacy Notice from time to time. This may be necessary, for example, if the law changes. If there are changes to the way we process your data or if we change our business in a way that affects personal data protection.

The latest privacy notice will be available via the Creams Website.

Cookie	Duration	Description
_GRECAPTCHA	5 months 27 days	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_LC5PR2JL3K	2 years	This cookie is installed by Google Analytics.
AtreemoUniqueID_cookie and AtreemoCookiesToken_cookie	3 years	These cookies are used to track the pages browsers visit so it can be used for customer segmentation and marketing. They can be personalised to an individual.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Cookie	Duration	Description
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.