Who We Are & How to Contact Us
Bean & Brew Ltd ("Bean & Brew", "we", "us", "our") is the data controller responsible for your personal data. We are registered in England and Wales (company number 12345678), with our registered office at 42 Grind Lane, Coffee District, London EC1A 4AB.
We are registered with the Information Commissioner's Office (ICO) under registration number ZA123456 and process your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This Privacy Policy applies to all personal data we collect through our website at www.beanandbrew.com, our mobile app, in-store interactions, and any other means through which you interact with Bean & Brew.
What Personal Data We Collect
We collect different categories of data depending on how you interact with us. Here is a complete breakdown:
Data you give us directly
- Identity data: first name, last name, username or similar identifier
- Contact data: email address, phone number, billing and delivery addresses
- Financial data: payment card details (processed and stored by our PCI DSS compliant payment provider; we never see or store full card numbers)
- Account data: password (stored as a one-way hash), order history, saved preferences, subscription details
- Communications data: messages, emails, or enquiries you send us, survey responses, and competition entries
- User-generated content: product reviews, blog comments, and social media interactions with our accounts
Data we collect automatically
- Technical data: IP address, browser type and version, device type, operating system, time zone setting, browser plug-in types
- Usage data: pages visited, time on page, links clicked, referring URLs, search terms used on our site
- Transaction data: details of purchases, products viewed, basket contents, abandoned baskets
- Cookie data: see our Cookie Policy for full details of cookies we use
Data from third parties
- Analytics data from Google Analytics and similar platforms
- Advertising data from Meta Pixel and Google Ads if you interact with our paid campaigns
- Social login data if you choose to sign in with Google or Apple
- Fraud prevention data from our payment processor
How We Use Your Data
We only ever use your data for the purposes described below. For each purpose, we rely on a specific legal basis under the UK GDPR:
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Process & fulfil orders | Identity, contact, financial, transaction | Contract performance |
| Manage your account | Identity, contact, account | Contract performance |
| Send order confirmations & updates | Identity, contact, transaction | Contract performance |
| Send marketing emails | Identity, contact, usage | Consent / Legitimate interest |
| Personalise your experience | Usage, transaction, cookie | Legitimate interest |
| Improve our website | Technical, usage | Legitimate interest |
| Fraud prevention & security | Identity, financial, technical | Legal obligation / Legitimate interest |
| Comply with legal obligations | Identity, financial, transaction | Legal obligation |
| Customer service & complaints | Identity, contact, communications | Contract performance / Legal obligation |
| Remarketing & targeted ads | Cookie, usage | Consent |
How Long We Keep Your Data
We keep your personal data only for as long as necessary to fulfil the purpose for which it was collected. Here are our standard retention periods:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account & order data | 7 years after last order | HMRC tax obligations |
| Customer service records | 3 years after resolution | Legal claims |
| Marketing consent records | Until withdrawn + 2 years | ICO guidance |
| Website analytics (GA4) | 14 months | Google Analytics retention setting |
| CCTV footage (in-store) | 30 days | Security |
| Fraud detection logs | 5 years | Legal obligation |
| Deleted accounts | 30 days after deletion request | Dispute resolution window |
After the applicable retention period, we will securely delete or anonymise your data so it can no longer be associated with you.
Cookies & Tracking Technologies
We use cookies and similar tracking technologies to enhance your browsing experience, analyse website traffic, and deliver relevant advertising. Here is a summary of the cookies we use:
| Category | Purpose | Required? | Duration |
|---|---|---|---|
| Strictly necessary | Session management, security, basket | Required | Session / 1 year |
| Functional | Remember preferences, language, login | Optional | 1 year |
| Analytics | Google Analytics, site performance | Optional | 14 months |
| Marketing | Meta Pixel, Google Ads remarketing | Optional | 90 days |
You can manage your cookie preferences at any time using our cookie settings panel, or by adjusting your browser settings. Note that disabling certain cookies may affect the functionality of our website. For full details, see our Cookie Policy.
Your Data Protection Rights
Under UK GDPR, you have the following rights regarding your personal data. We will respond to all requests within one calendar month (extendable by a further two months for complex requests, with notification).
Right of Access
Request a copy of all personal data we hold about you (a Subject Access Request). Free of charge in most cases.
Right to Rectification
Ask us to correct inaccurate or incomplete data. You can also update most data directly in your account settings.
Right to Erasure
Request deletion of your personal data ("right to be forgotten") where there is no compelling reason for us to continue processing it.
Right to Restriction
Ask us to pause processing of your data in certain circumstances, for example while you contest its accuracy.
Right to Portability
Receive your data in a structured, commonly used, machine-readable format to transfer to another service.
Right to Object
Object to processing based on legitimate interests or for direct marketing. You have an absolute right to stop marketing at any time.
Automated Decisions
Request human review of any automated decision that significantly affects you. We currently make no purely automated significant decisions.
Withdraw Consent
Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
If you are dissatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
International Data Transfers
Some of our third-party service providers are based outside the UK. Where we transfer your personal data internationally, we ensure adequate protection is in place through one or more of the following mechanisms:
- UK adequacy decisions: transfers to countries the UK has determined provide adequate protection (e.g., EEA countries, Canada)
- Standard contractual clauses (SCCs): legally binding contractual terms approved by the ICO for transfers to other countries
- Binding corporate rules: for transfers within multinational corporate groups
- Your explicit consent: where you have specifically agreed to the transfer
The most common international transfer is to the United States, where several of our service providers (Stripe, Google, Klaviyo, Shopify) operate data centres. These transfers are protected by SCCs and, where applicable, supplementary technical and organisational measures.
How We Protect Your Data
We take the security of your personal data extremely seriously and have implemented technical and organisational measures appropriate to the level of risk:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3 with 256-bit cipher suites
- Encryption at rest: All databases containing personal data are encrypted at rest using AES-256
- Access controls: Strict role-based access controls mean only staff who need your data for their job can access it
- Two-factor authentication: Enforced for all staff accessing production systems
- Regular audits: We conduct annual security audits and penetration testing
- PCI DSS compliance: Our payment systems are independently audited to PCI DSS Level 1 standards
- Staff training: All staff complete data protection and security training annually
Children's Privacy
Our website and services are not directed at children under the age of 13, and we do not knowingly collect personal data from children under 13. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at privacy@beanandbrew.com and we will delete such data promptly.
Where UK GDPR requires, we obtain verifiable parental consent before collecting data from children aged 13 to 17.
Manage Your Privacy Preferences
You can update your communication and data preferences at any time in your account settings and through the cookie settings panel. Changes take effect immediately.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in law, our data practices, or the services we offer. We will notify you of significant changes by email (if you have an account) and by displaying a prominent notice on our website for at least 30 days before the change takes effect.
Minor updates, such as clarifications or corrections, will be made without prior notice, but the "last updated" date at the top of this page will always reflect the most recent revision.
This policy was last reviewed by our DPO and legal team on 1 March 2026. Questions? Contact privacy@beanandbrew.com.