Privacy Policy
This Privacy Policy describes the processing of your personal information by the Fortnum & Mason Group and applies to you, our customers and visitors ('you', 'your'), whenever you use one of our websites (www.fortnumandmason.com or eu.fortnumandmason.com or www.45jermynst.com) or www.concierge.fortnumandmason.com (the 'Websites'), purchase our products or services in store or by telephone, visit our restaurants, or attend one of our events.
We appreciate that there is a lot of information in this Privacy Policy, so we have set it out in sections to help you navigate it more easily and so that you can quickly find relevant information to answer any specific questions you may have. However, if you have any questions which are not answered in this Privacy Policy, please contact us using the details set out in the ‘How to Contact Us’ section at the end of this Privacy Policy.
It is important that you read this Privacy Policy, together with any other notice which we may provide you on specific occasions when we are collecting or processing your personal information, so that you are fully aware of how and why we are using your information, and the legal rights that you have. Where you are sharing your data with us as part of online purchases or bookings, this Privacy Policy should also be read alongside our Terms of Use, which explain how you may use our Websites, and our Cookie Policy, which explains the cookies which can be set (subject to your consent) and used by each Website and which collect your personal information.
Any changes to this Privacy Policy in the future will be posted on this page, so please check back frequently to see any updates or changes. Where appropriate, we will also notify you of any changes by email, and we will also post a notice on the relevant Website landing page.
Last updated: 12th August 2024
What is the Fortnum & Mason Group?
The Fortnum & Mason group of companies (the 'Fortnum and Mason Group') is made up of a number of businesses:
- Fortnum & Mason plc, a company registered in England (00084909) and having its registered office at 181 Piccadilly, London W1A 1ER; and
- Fortnum & Mason Europe BV, a company registered in Belgium (0803247988) and having its registered office at Botanic Tower, 6th floor, Boulevard Saint-Lazare, 4-10, 1210 Brussels.
Further information about the Fortnum & Mason Group premises (including our restaurants and stores) can be found here: https://www.fortnumandmason.com/stores.
For simplicity, references to 'we', 'us' and 'our' throughout this Privacy Policy mean the Fortnum and Mason Group.
We are committed to ensuring that your privacy is protected and that we comply with applicable data protection laws wherever we operate. For the purposes of relevant UK and EU data protection laws, each of the companies listed above is a Controller in relation to the personal information collected and processed by it.
What types of personal information do we collect and why?
Under applicable UK and EU data protection laws we are required to explain what information we collect from you and how and why we use it. This is summarised as follows:
- Personal Details: including your first name, last name, email address, residential address, telephone number, marital status, title, gender, and date of birth.
- Image Data: including CCTV footage when you visit our stores to ensure that our customers and staff are protected, photographs or video footage when we use film or photography at one of our events, footage from body-worn security cameras (or 'bodycams') where we use these at any of our private events, and details of any user-generated content (e.g., photos that you tag us in on your social media).
Please note: Wherever we capture film or photography at one of our events or restaurants, we will provide you with a separate information notice to explain your image rights.
- Transactional Data: including information about any goods and services that you purchase either in-store or online, or events you book to attend, restaurant reservations, details of amount spent, payment card information, bank details and billing information, and details of deliveries and/or returns.
- Technical Device Data: including your IP address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system, and other technology on the devices you use to access our guest Wi-Fi or our Websites, including details of the pages you visited on our Websites.
- Profile Data: including information about your interests, your preferences, feedback, and survey responses, how you redeem any offers and promotions made available to you, how you interact with our Websites, and our understanding of your interests and shopping habits. This can come from information you have given to us or which is inferred or derived from our analysis of all the information we hold about you, and includes our predictions about your interests. This information allows us to personalise our offers and services for you.
- Communications Data: including your correspondence with us, any feedback that you provide us with and details of your contact and marketing preferences.
- Usage Data: including information such as how and when you use our Websites, details of your search history on our Websites, Website performance statistics, traffic data, and other Website usage data.
- Location Data: including information about your country of residence and GPS data.
- Third Party Data: including personal information about you which we have received from other parties such as our social media and media providers, public registers and any of our third-party service providers and partners.
- Aggregated data: we may also collect, use and share aggregated data or anonymised data for statistics and/or analysis purposes. Aggregated data may be derived from your personal information but is not considered personal information as it does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific feature on our Websites.
Please note: If we combine or connect aggregated data with your personal information so that it can directly or indirectly identify you, we treat the combined data as personal information which will only be used in accordance with this Privacy Policy.
Sensitive Personal Information
We may also collect and use the following sensitive or special categories of personal information about you:
- Health Data: including any information about disabilities, accessibility requirements or any food allergies that you provide to us and which we need to accommodate for when you attend any of our events or restaurants, as well as information which relates to particular purchases, and which could infer (or from which we could derive) your health data (e.g., where you buy our diabetic food products); and
- Religious Data: including any information about specific religious dietary requirements you may have that you provide to us and which we need to accommodate for when you attend any of our events or restaurants (e.g., where you require a kosher or halal meal).
How and when do we collect your personal information?
We collect the majority of the personal information that we process about you directly from you, including when you provide this information to us by:
- Registering on the Website for an online account or otherwise contacting us to obtain information relating to us or our products and/or services;
- Placing orders on our Website, in store or by telephone;
- Updating the 'Your Online Account', 'Your Address Book' or 'Your Order Details' section of the Website;
- Communicating with us by phone, e-mail or otherwise, or when you complete a questionnaire or competition entry form;
- Subscribing to our newsletter, emails or other marketing communications;
- Purchasing goods and services, and other interactions we may have with you in-store;
- Engaging with us on social media, including tagging us in any of your images and entering any of our prize draws;
- Registering for or purchasing tickets to attend one of our events;
- Contacting us by any means (including via email, telephone, Web message, social media, WhatsApp, Apple Business Chat, ChatBot, Trustpilot, Eventbrite and/or SevenRooms) with queries or complaints;
- Accessing the guest Wi-Fi provided in our stores and restaurants;
- Making a reservation or dining at any of our restaurants; and
- Purchasing, registering and/or using one of our E-Gift cards.
We may also collect technical and personal information through the use of cookies when you access and interact with our Website(s) or guest Wi-Fi or which may be contained within emails or direct messages we send to you. For further information on how we use cookies, please see the "Cookies" section below as well as our separate Cookie Policy.
Data relating to Minors
Please note: If you are under 16 years of age, you are not permitted to subscribe to our services or use and/or submit your personal information on our Website(s).
Where we obtain a parent or guardian’s consent, we will collect and process personal information of children under the age of 16 solely for the purpose of managing that child's attendance at seasonal events.
We do not knowingly collect personal information about children under the age of 16 for any other purpose, and we will promptly delete such information if we are informed that we hold it.
Information from other sources
We may receive personal information about you from various third parties that we engage with in order to assist us with providing products and/or services to you, including:
- Our carriers: we may collect delivery and address information from our carriers who deliver products to you;
- Our marketing agents: we may collect marketing information from marketing companies who send customer communications and direct marketing materials on our behalf;
- Our security providers: we may collect security footage and other security information from our third-party security providers;
- Our data analytics providers: we may collect data analytics information from companies that provide us with data analytics services;
- Credit Bureaus: we may collect information on your account, payment and credit history, including information from credit bureaus and service providers we use to process payments; and
- Our other third-party providers: we may collect and share information with other third-party providers who provide support and services to us, or in relation to whom we are engaged, including social media providers, media providers, search engines and data analytics or advertising intermediaries who may collect data direct from their own cookies and websites.
Please note: If you provide us with personal information about another person (e.g., when you enter gift recipient delivery details on our Website), you must ensure that before you provide us with their personal information, you have their agreement to do so and that they are aware of the ways in which we use personal information as set out in this Privacy Policy.
Legal basis for processing personal information
By law, whenever we process your personal information, we are required to have a ‘legal basis’ for doing so. The legal bases we use to process your personal information will generally be one or more of the following:
- Contractual necessity: where it is necessary to enable us to comply with our contractual obligations to supply you with the products and/or services you want;
- Legitimate interests: where it is necessary for our legitimate business interests in administering our relationship with you and running our business effectively. Where 'legitimate interests' is our legal basis for processing your data, we will take into account any potential impact on your rights, freedoms, and interests;
- Legal compliance: where it is necessary for us to process your personal information to enable us to comply with a legal or regulatory obligation; and/or
- Consent: where we have asked for and gained your consent to use your information for particular purposes, for example, to send you marketing communications, or information related to your child (only for the purposes of attending seasonal events). We will also rely on your explicit consent wherever we need to process your sensitive personal information (such as Health Data or Religious Data).
Withdrawing consent
Where consent is our legal basis for processing your personal information, you can withdraw your consent at any time, and we will then stop any future processing for that purpose. If you wish to withdraw your consent, then please contact us using the details set out in the ‘How to Contact Us’ section at the end of this Privacy Policy.
Please note: If you choose not to share your personal information with us, or refuse certain contact permissions, we may be unable to provide some of the products and services you've asked for. For example, if you fail to provide us with your full address, it will not be possible for us to fulfil your delivery, or if you fail to provide us with your payment card details, we will not be able to process your payment.
Our purposes for using your personal information
There are many ways we will need to use your personal information in the context of your relationship with us. We have set out the main purposes in the tables below and we have indicated the main applicable legal bases of processing. In some cases, more than one legal basis may apply to our use of your personal information and there may be other specific uses which are linked to or covered by the purposes set out below.
If you would like further information on the specific legal bases which we rely on in relation to any of the processing purposes we have set out below, please contact us using the details set out in the ‘How to Contact Us’ section below.
Shopping and Retail Purposes
| Purpose for Processing | Legal Basis |
| To register and maintain your customer account on our Websites | Contract Necessity |
| To fulfil your orders (including order delivery and processing payments) | Contract Necessity |
| To send you emails about outstanding E-Gift card balances | Legitimate Interests: To keep you up to date with your balances |
| To send you email reminders when you shop on our Websites and then abandon your online shopping bag before completing your checkout | Consent or Legitimate Interests: Where you are an existing customer, we rely on our legitimate interests to increase our customer engagement |
| To send you service messages about your order or updates regarding delivery of your order | Legitimate Interests: To contact you whenever we need to and provide you with relevant service information |
| To enrich our picture of who you are and what you like, and to inform our business decisions. For this purpose, we will combine data captured from across our business, including from third parties and publicly available information. | Consent where data is captured by way of cookies or you have positively opted in to sharing data for marketing purposes; and/or Legitimate Interests: In relation to data we otherwise capture across our business and from third parties which we use to tailor your experience as one of our customers |
| To improve the products we offer in-store and on our Websites | Consent where data is captured by way of cookies or you have positively opted in to sharing data for marketing purposes; and/or Legitimate Interests: In relation to data we otherwise capture across our business and use to ensure our products are of the highest quality for our customers |
| To personalise your customer experience on our Websites. For this purpose, we use Cookies and similar technologies. For more information about how we use Cookies, please see our Cookie Policy. | Consent where data is captured by way of cookies which require you to positively opt in; and/or Legitimate Interests: In relation to data we otherwise capture across our business and use to tailor your customer experience |
Events, Hospitality and Personalised Service Purposes
| Purpose for Processing | Legal Basis |
| To allow you to register to attend one of our events or to book a table at one of our restaurants | Legitimate Interests: To manage your registration or booking |
| To send you email reminders about any upcoming events or bookings | Legitimate Interests: To provide you with relevant service information about your registration or booking |
| To respond to any enquiries and/or complaints at any of our events or restaurants | Legitimate Interests: To manage our relationship with you and ensure that we are able to support you with any queries or complaints |
| To monitor your attendance at any of our events so that we can enrich our picture of who you are and what you like. For this purpose, we will combine data captured from across our business, including from third parties and publicly available information | Consent where data is captured by way of cookies or you have positively opted in to sharing data for marketing purposes; and/or Legitimate Interests: In relation to data we otherwise capture across our business and use to help us build your customer profile and manage our relationship with you |
| To improve the hospitality and events services we offer | Legitimate Interests: To ensure our services are of the highest quality for our customers |
| To accommodate any dietary preferences (including food allergies and religious requirements) and any other accessibility requirements you may have when attending one of our events or restaurants. For this purpose, we will (where applicable) process certain sensitive personal information about you, including Health Data and/or Religious Data | Consent (wherever we process your Health Data or Religious Data); Legitimate Interests: To ensure that we are able to accommodate any specific health-related or religious requirements our customers may have prior to attending one of our events or restaurants |
| To provide our personal shopper and/or concierge services | Consent where you have expressly asked us to provide services; Contract Necessity where the processing relates to any purchase you have made; and/or Legitimate Interests: Where we process your data to tailor your experience and provide a bespoke personal shopper and/or concierge service |
Marketing (including Social Media) Purposes
| Purpose for Processing | Legal Basis |
| To send you marketing emails about our products, services and any ongoing or upcoming promotional offers or events that we think may be of interest to you | Consent where data is captured by way of cookies or you have positively opted in to sharing data for marketing purposes; and/or Legitimate Interests: Where you are an existing customer, we also rely on our legitimate interests to increase our customer engagement |
| To send you any postal marketing materials about our products, services and any ongoing or upcoming promotional offers or events that we think may be of interest to you | Legitimate Interests: To increase our customer engagement and boost our target audiences |
| To improve our marketing communications and enrich our picture of who you are and what your preferences are. For this purpose, we use Cookies and similar technologies for data analytics purposes. For more information about how we use Cookies, please see our Cookie Policy. | Consent: where we collect Technical Device Data via cookies, we do this on the basis of your consent or, in the case of Essential Cookies, on the basis of our legitimate interests in order to operate the site and ensure its security; Legitimate Interests: To offer you the most tailored and bespoke customer experience |
| To select and serve relevant adverts to you and/or to serve relevant ads to our target audiences which may also include you. For this purpose, your personal information is anonymised beforehand and may be aggregated. | Consent where data is captured by way of cookies or you have positively opted in to sharing data for marketing purposes; and/or Legitimate Interests: Otherwise where we process your data to serve adverts which do not require express consent (e.g. adverts displayed on websites or in a general feed on social media) to offer you the most tailored and bespoke customer experience |
| To enable our third-party marketing partners to send marketing communications on our behalf | Consent where data is captured by way of cookies or you have positively opted in to sharing data for marketing purposes; and/or Legitimate Interests: Otherwise, where we process your data to ensure that our products and services are appropriate and delivered in a timely fashion |
| To allow you to update and manage your contact and marketing preferences | Consent where data is captured by way of cookies or you have positively opted in to sharing data for marketing purposes; and/or Legitimate Interests: Otherwise where we process your data to ensure that you have control over your own contact and marketing preferences |
| To optimise our social media operations and target specific customer engagement. For this purpose, we use Meta (Facebook and Instagram), TikTok and Pinterest in relation to targeted and 'Lookalike' audiences, and programmatic behavioural advertising to help us build a customer profile | Consent where data is captured by way of cookies or you have positively opted in to sharing data for marketing purposes; and/or Legitimate Interests: Otherwise where we process your data to allow us to create a more tailored and bespoke customer experience |
| To allow you to enter any of our prize draws or competitions | Consent where data is captured by way of cookies or you have positively opted in to sharing data for marketing purposes; and/or Legitimate Interests: Otherwise where we process your data to manage the prize draw or competition and for our internal business purposes |
| To seed organic social media content, to buy relevant ad space, to provide social media customer service support (e.g., answering DMs and comments) and for community management purposes (e.g., answering comments and posting comments across our relevant social media content) | Legitimate Interests: To build and develop our brand |
| To carry out data matching and analytics in respect of data obtained from third-parties (such as our third-party advertisers). For this purpose, your personal information will be anonymised | Consent where data is captured by way of cookies or you have positively opted in to sharing data for marketing purposes; and/or Legitimate Interests: Otherwise where we process data to build and develop our targeted advertising campaigns |
| To carry out data matching and analytics of the success of our marketing campaigns | Consent where data is captured by way of cookies or you have positively opted in to sharing data for marketing purposes; and/or Legitimate Interests: Otherwise where we process data to build and develop our brand and marketing campaigns across all channels |
| To interact with and monitor any user-generated content. To the extent that you tag F&M products, services or sites in your user-generated content, we will obtain your consent | Consent where data is captured by way of cookies or you have positively opted in to sharing data for marketing purposes; and/or Legitimate Interests: Otherwise where we process data to build and develop our brand and engagement with our customers |
General Purposes
| Purpose for Processing | Legal Basis |
| To respond to any enquiries and/or complaints, whether in-store or online | Legitimate Interests: To manage our relationship with you and ensure that we are able to support you with any queries or complaints |
| To update our records and maintain any online account you may have with us | Legitimate Interests: To ensure that we have accurate and up to date information. |
| To administer and protect our business and this site, including to prevent or detect fraud or abuses of our Websites and safeguarding your personal and financial data | Legal Compliance where the activity is to ensure we meet our legal obligations and prevent or detect fraud; Contract Necessity where we process data to ensure appropriate steps are taken to meet the terms in our contract with you, including payment of taxes or otherwise; Legitimate Interests: Otherwise to protect our business and customers |
| To comply with our financial record keeping obligations | Legal Compliance as applicable where we have a legal duty to meet; or Legitimate Interests: where we otherwise process data to ensure that we are compliant with our legal obligations |
| To protect our customers, premises, assets and partners from crime. For this purpose, we use CCTV and other security measures (such as security guards and bodycams) in-store, at our events and on our premises (including our restaurants). Wherever we use CCTV for this purpose, we will provide appropriate signage to inform you that this is the case. | Legal Compliance as applicable where we have a legal duty to meet; or Legitimate Interests: Where we otherwise process data to ensure the security of our premises, our staff and our customers |
| To develop, test, maintain and improve our systems and Websites | Legitimate Interests: To ensure that our systems and Websites are secure and reliable |
| To comply with our legal obligations (where applicable) to share personal information with law enforcement and/or government bodies | Legal Compliance as applicable where we have a legal duty to meet |
| To enable our third-party service providers to carry out technical, logistical, or other functions on our behalf | Legitimate Interests: To ensure that our products and services are appropriate and (where applicable) delivered in a timely fashion |
| To anonymise and aggregate your personal information for our own data analytics purposes | Legitimate Interests: To allow us to make improvements to our products and services |
| To provide you with access to our [membership/loyalty/reward] scheme | Legitimate Interests: To develop our relationship with our members and customers |
Legitimate Interests
Where required under applicable data protection laws, we have determined, acting reasonably and considering the circumstances, that we are able to rely on legitimate interests as the lawful basis on which to process your personal information in certain circumstances (as set out in the tables above).
We have reached this decision by carrying out a balancing exercise to make sure our legitimate interest is not overridden by your privacy rights as an individual, and we consider that it is reasonable for us to process your information for the purposes of our legitimate interests as:
- We process your personal information only so far as is necessary for such purpose; and
- It can be reasonably expected for us to process your personal information in this way.
Our Marketing Communications
If you are an existing customer or you have consented to receiving marketing communications by phone, post or email or direct message, we may send you information on any offers, events or news about our products and/or services that we believe may be of interest to you. You may opt out of receiving this information at any time; please see the section below for further information on how to do this.
Please note: If you are ‘opted in’ to Fortnum & Mason marketing, we may use Google and Facebook services to identify users for personalised advertising on these platforms.
Opting out and marketing preferences
You can unsubscribe from receiving our marketing emails at any time by using the ‘unsubscribe’ link in any marketing email we send you. You can also ask us to stop sending you marketing messages (whether by direct message, email or post) by changing your contact preferences in your Fortnum & Mason Customer Account on our Website(s).
How and when do we share your personal information?
We sometimes share your personal information with trusted third parties so that they can assist us in providing products and/or services to you. These trusted third parties will only process your personal information on our specific instructions, and we remain responsible for ensuring that your personal information is protected and processed lawfully by anyone that we share it with.
In some specific circumstances, we may also share your personal information with third parties who process it for their own purposes. Those third parties will have their own legal obligations to protect your personal information, and you will have legal rights that you can enforce directly against them.
Some examples of the trusted third parties that we share your personal information with are set out below:
Service Providers
The trusted third-party service providers we share personal information with include:
- Delivery Providers, such as couriers and postal workers, who help us with fulfilling your orders;
- Direct marketing companies who help us send customer marketing communications;
- Advertisers and advertising partners, such as advertising networks and social media platforms which help us to select and serve relevant adverts to you or to retarget you. Please see the 'Social Media Platforms' section below for further information;
- Technology partners involved in the operation and support of our Websites and business systems, including Google and Adobe Analytics, and who help us to build our understanding of our customers' behaviour so that we can provide a personalised customer experience;
- Customer call centres who help us to provide customer services and respond to queries and complaints;
- Payment services providers who help us to process payments, prevent fraud and reduce credit risk; and
- Events suppliers and providers, such as Eventbrite and SevenRooms, who help us coordinate and run our events.
Please note: We do not buy or sell personal information for marketing or advertising purposes.
External agencies and organisations
The trusted external agencies and organisations we share personal information with include:
- The police and other law enforcement agencies, for the purpose of preventing and detecting fraud (including fraudulent transactions) and criminal activity;
- Government bodies or other regulatory bodies, where requested or if we consider that it is reasonably required, so that they can carry out their legal functions;
- Insurers or other organisations, where a claim is made or could be made against us. For example, we may send CCTV footage and information contained in our accident logs to our insurers;
- Our professional advisors, including without limitation tax, legal, insurance, or other corporate advisors who provide professional services to us; and
- HMRC or other tax bodies or agencies as necessary to comply with our legal and regulatory obligations.
Please note: If we sell, transfer or merge parts of our business or our assets, or if we buy or acquire any business or assets, we may share the personal information held by us with the prospective buyer or seller of such business or assets. If substantially all of our assets are acquired by a third party (or subject to a reorganisation within our corporate group), personal information held by us will be one of the transferred assets.
Social Media Platforms
We use a number of social media platforms to communicate with you and to promote our products and services. We do this in a number of ways:
- We may share your personal information with social media platforms so we can identify you on those channels and engage with you;
- We also share data to find other people with similar interests to our customers;
- The social media platform processes data we submit for the purpose of matching, online targeting, measurement, reporting and analysis; and
- We use cookies on our website which send data to the social media platforms about you and actions you take (subject to you consenting to such cookies being placed).
Our relationship with the social media platforms
Where we share data with social media platforms as described above, we are joint controllers with these platforms for certain processing activities. We and each of the platforms have:
- entered into an agreement to set out each party's responsibilities for the personal data they process;
- agreed that we will provide you with notice of the relationship and with information relating to their privacy policy; and
- agreed that in relation to their processing of personal data where they are our joint controller, you would contact them direct to exercise your rights.
For further information about how these third-party social media platforms process and use the personal information we share with them, please read their privacy policies which can be found on each platform's own website, as follows:
| Meta (Facebook and Instagram) | www.facebook.com/privacy/policy/ |
| TikTok | www.tiktok.com/legal/page/eea/privacy-policy www.tiktok.com/legal/page/row/privacy-policy |
| Pinterest | www.pinterest.com/en-gb/privacy-policy |
If you would like further information about any of the third parties with whom we share your personal information, please contact us using the details set out in the ‘How to Contact Us’ section at the end of this Privacy Policy.
Analytics
We use Google and Adobe Analytics on our website. This means that we may use cookies to collect online identifiers about your use of our website, including cookie identifiers, internet protocol addresses and device identifiers, which we may use for the purpose of better understanding our customers and your use of our website.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
How do we use cookies?
Cookie is a general term often used to describe a number of technologies. Cookies are small text files that are stored on your computer or other device by any websites that you visit. Web beacons are tiny invisible images placed within email messages which tell us if you have opened an email and how you interacted with it. Link tracking relates to hyperlinks contained within our websites or marketing messages which, when you click on them, notify us that you have clicked the link as well as redirecting you to the relevant webpage. For the purpose of this Privacy Policy and our Cookie Policy, we refer to all of these technologies as "cookies".
We use cookies in order to make our Websites easier to use, to support the provision of information and functionality to you, as well as to provide us with information about how our Websites are used so that we can make sure they are as up to date, relevant and error free as we can. We also use cookies to try to ensure that our online adverts, emails and electronic marketing messages which we send to you reflect the interests of our customers and Website users.
Please note: Third parties (including, for example, advertising networks and providers of external services like website analysis services) may also use cookies, over which we have no control. Please therefore make sure that you read the privacy policies and cookie policies of any such third parties.
Further information about how our Websites use cookies can be found in our Cookie Policy.
How do we keep your information secure?
We employ appropriate security measures and safeguards to keep your personal information secure, including but not limited to the following:
- Firewalls: We ensure that connections between our internal systems and the internet are protected by firewalls;
- Encryption: We ensure that any personal information or data in transit is encrypted to industry standard. Please note, your payment card details will always be encrypted;
- Restricted Access: We ensure that access to our systems and data is password protected and restricted on a need-to-know basis, so employees can only access the data they need in order to perform their job. Our premises (including our offices, stores and restaurants) and our physical data centres are also protected with physical access controls;
- Monitoring: We continually monitor our systems for vulnerabilities and signs of attack, and carry out penetration tests regularly to assess the strength of our defences;
- Identity Verification: Before divulging your personal information in response to a telephone call or email enquiry, we ask you for proof of identity in order to ensure that we do not provide your personal information to someone else; and
- General Security Safeguards: We also enforce physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of personal information.
Please note: Due to the nature of the internet, email correspondence with us may not be entirely secure, so please do not send any sensitive information such as credit card details or passwords to us via email.
How long do we hold your personal information for?
Whenever we collect or process your personal information, we will only keep it for as long as necessary for the purposes for which it was collected and in accordance with our internal Data Retention Policy. At the end of this period, your data will either be deleted or anonymised.
Your legal rights
You have the following rights in relation to the personal information that we hold about you:
- The right to request access to your personal information (commonly known as a “data subject access request”). This enables you to request a copy of the personal information we hold about you and to check we are processing it lawfully.
- The right to request correction of the personal information we hold about you. This enables you to request that we correct any incomplete or inaccurate information that we hold about you.
- The right to request erasure of your personal information in some circumstances. This enables you to request that we erase your personal information where there is no good reason for us continuing to process it.
- The right to object to us processing your personal information. This enables you to object to us processing your personal information where we are relying on our legitimate interest as a legal basis for processing, or where we are using your personal information for direct marketing purposes.
- The right to restrict our processing of your personal information. This enables you to ask us to suspend the processing of your personal information in certain circumstances.
- The right to data portability. In certain circumstances this enables you to request that we provide you, or a third party, with a copy of the personal information that you provided to us in a structured, commonly used, machine-readable format.
- The right to stop us using your personal information for direct marketing purposes. This can be by a specific channel or all marketing channels.
- The right to request that we review any decision made solely on the basis of automatic processing of your personal information. This right applies where no person was involved either in the processing or in reviewing the outcome of the processing which led to the decision.
- The right to withdraw your consent. As detailed in the 'Withdrawing consent' section above, wherever you have given us your consent for any of our processing purposes, you have the right to withdraw that consent at any time.
Whilst we would appreciate the opportunity to deal with any query, concern or complaint you may have before you do so, if you are unhappy with how we have used your personal information, you also have the right to lodge a complaint at any time with a data protection supervisory authority.
The supervisory authority in the UK is the Information Commissioner’s Office (the "ICO") and if you reside in the EEA, you have a right to complain to the supervisory authority in the country in which you reside.
How to exercise any of your rights
Further information about your rights in the UK can be found on the ICO website here: https://ico.org.uk/
For more information on your legal rights or if you would like to exercise any of them, please contact us using the details set out in the ‘How to Contact Us’ section at the end of this Privacy Policy.
To protect the confidentiality of your personal information, we will ask you questions in order to verify your identity before proceeding with any requests to exercise your rights under this Privacy Policy.
California Consumer Privacy Act (CCPA) Addendum
If you are a resident in California, this addendum to the F&M Group Privacy Policy sets out additional rights and information about your data privacy.
As used in this Addendum, 'personal data' shall mean personal information as defined under the CCPA, 'controller' shall mean business as defined under the CCPA, and 'data subject' shall mean consumer as defined under the CCPA.
As a business covered by the CCPA, we do not sell personal data. As set out above, we may share Technical Data and Usage Data with third party advertisers for the purpose of sending relevant adverts on other websites such as social media.
Many obligations under the CCPA are addressed in other provisions of the F&M Group Privacy Policy. This Addendum aims to address the gaps for California residents and the terms used in this Addendum are either defined in the F&M Group Privacy Policy or in the text of the CCPA. As well as the rights set out in the 'Your Legal Rights' section, under CCPA you also have the following rights:
- When exercising a data subject access request, to know both the categories of personal information and the specific personal information we collect;
- The right to have your personal information deleted, subject to some legal limitations set out in the CCPA;
- The right to request disclosure of the personal information collected; and
- The right to opt out of the sale of your personal information (please note that, as highlighted above, we do not sell personal data).
If you are a resident in California and wish to exercise your rights, please contact us using the details set out below.
Fortnum’s Rewards - Personal Information Collection Statement
Background
Our policy is to respect and protect the privacy, confidentiality and security of the personal data we collect, hold and process by complying with the requirements under the Hong Kong Personal Data (Privacy) Ordinance.
Under the Personal Data (Privacy) Ordinance, personal data is defined to mean any data relating directly or indirectly to a living individual, from which it is practicable for the identity of the individual to be directly or indirectly ascertained, and in a form in which access to or processing of the data is practicable.
The provision of your personal data is not mandatory; however, if you do not provide us with your personal data, we may not be able to provide you our services and you may not be able to receive certain benefits.
Collection of Personal Data
The personal data that the Company may collect from you includes, without limitation:-
- Your name;
- Your phone number;
- Your email address;
- Your date of birth;
- Your payment data such as card data; and
- Your transaction data and interaction with our platform and products/services.
Purpose of Collection
The purposes for which your personal data may be used include, without limitation:-
- Communication about promotions and offers (including in app and/or by sending emails and/or SMS messages);
- Sending details of promotional gifts to celebrate your birthday;
- Handling of payment data for purchase;
- Analysis of transaction data and customer interaction with our platform and products/services to better understand our consumers and their spending habits and to inform our offers/promotions and our services;
- Offers of rewards and promotions;
- Generation of points and rewards and keeping track of points and rewards due to you along with any conditions and expiration dates;
- Reminding you of rewards/promotions and/or points you may have available or are close to obtaining;
- Understanding which rewards you have chosen to redeem which may inform the rewards we offer in the future to you and/or other customers;
- Analysis of the impact of promotions and rewards on customer behaviour and analysis of customer shopping and hospitality trends to inform our services, communications and promotions; and
- Contacting you for research purposes to help improve our business offerings.
Direct Marketing
We intend to use your personal data in direct marketing of the above offers and promotions. Notwithstanding anything to the contrary in this statement, we may not use your personal data for direct marketing unless we have received your consent where and as required by the applicable laws and regulations.
You may request that we stop using your personal data at any time; to do so, please contact us using the details set out in the ‘How to Contact Us’ section at the end of this Privacy Policy.
Transfer of Personal Data
We may transfer your personal data (other than credit card data) to our head office (in the United Kingdom) where we will comply with both applicable English and Hong Kong legislation and regulations for the use, processing and protection of your personal data and where the purposes of use or processing will be substantially similar to those listed here.
We use third party software providers to provide us with services such as marketing support, application services, and CRM systems. Where such third party would have access to your personal data, we have agreements in place to contractually obligate them to protect your data to the standards imposed by applicable Hong Kong law and, where relevant, English law.
Security of Personal Data
We take reasonable steps to keep personal data accurate and secure against loss or misuse, and to keep it for no longer than is necessary.
Access and Correction of Personal Data
Under and subject to the Personal Data (Privacy) Ordinance, you have the right to:
- ascertain whether the Company holds your personal data;
- request access to your personal data; and
- request the correction of your personal data that is inaccurate.
In accordance with the Personal Data (Privacy) Ordinance, the Company may charge a reasonable fee for the processing of any data access request you make.
Requests for access to or correction of personal data should be addressed in writing - please contact us using the details set out in the ‘How to Contact Us’ section at the end of this Privacy Policy.
Miscellaneous
In this Personal Information Collection Statement, Fortnum & Mason Public Limited Company shall be referred to as the “Company” or “we”, and the terms “our” and “us” shall be construed accordingly.
If you have any question about the privacy policies and practice of the Company, please contact us using the details set out in the ‘How to Contact Us’ section at the end of this Privacy Policy.
How to Contact Us
If you have any questions about the information contained in this F&M Group Privacy Policy or if you would like to exercise any of your legal rights, please contact us by email at data.privacy@fortnumandmason.co.uk
For any other general queries, you can also contact us using any of the methods detailed on the 'Contact Us' page on our Website.
Fortnum’s Lower Ground Loyalty Card
If you subscribe to the Fortnum’s Lower Ground Loyalty Card we will collect the following data: First name, last name and email address.
We store this data in our CRM system, Adestra, and use this data to send emails about promotions and offers relating to F&M products and services. You may unsubscribe at any time by clicking the unsubscribe link in any email.
We will also send push notifications (if you have them turned on on your device; note that you can turn them off at any time) via the wallet to let you know how many purchases you have made and, for example, whether you are entitled to a free hot drink.
We will also analyse your transaction data (frequency & usage) relating to coffee vendor purchases only to inform promotions & offers and future loyalty propositions.
Our loyalty platform provider is Loopy Loyalty, owned by Passkit Inc, which publishes its own terms and conditions and privacy policy. For the purposes of your data, F&M is the data controller and, where applicable, Passkit Inc is the data processor.
Fortnum & Mason plc.
Registered in England: 00084909
Registered office: 181 Piccadilly, London W1A 1ER.
Registered as a Data Controller with the Information Commissioner’s Office, registration number: Z5685139
Fortnum & Mason Europe BV.
Not required under Belgian data protection law to notify processing activities to the Belgian DPA, nor to pay a registration fee.
