Customer Privacy Notice and Cookies Policy
Ocado Retail

Ocado Retail Limited (“Ocado Retail”, we, us or our) is committed to protecting your privacy and the personal data entrusted to us in line with data protection laws and regulation applicable to the United Kingdom, including the UK General Data Protection Regulation (GDPR), Data Protection Act 2018 (DPA) and EU GDPR.

To reassure you that we take our obligations to protect your personal data seriously, this Privacy Notice and Cookie Policy sets out the ways in which we process, share, retain and protect your information, alongside your rights as the data subject, and how you can raise a complaint if you feel we have not treated your personal data responsibly.

This Privacy Notice and Cookie Policy applies if you use or access any of our products and services, including but not limited to: shopping on any of the Ocado Retail websites (ocado.com, zoom.ocado.com) or apps; using voice-controlled services (such as Amazon’s Alexa or Apple’s Siri); or communicating with us by phone or in writing including telephone, email, SMS, post, push notification, or via third party digital platforms (including websites or social media platforms).

Terms and definitions within this Notice:

“Controller” is defined as the organisation making the decision as to how the information is processed and for what purpose.

“Customer” refers to an individual who has registered or shopped on an Ocado Retail website (ocado.com, zoom.ocado.com).

“Joint Controller” is defined as two or more controllers who collectively decide how the information is processed and for what purpose.

“Marketing” is defined as the promotion and/or selling of goods and services via methods such as: advertising, events, prize draws, competitions, gifts, vouchers, coupons, surveys, special offers and promotions. This is not an exhaustive list and may change over time.

“Ocado.com” is the website and application operated by Ocado Retail to supply Ocado own label, branded and Marks & Spencer products to customers.

“Zoom.ocado.com” is the website and application operated by Ocado Retail to provide a same day delivery service to customers operating within certain areas in west London.

“Personal data” is any information that alone, or in combination with other information, can directly/indirectly identify a living individual. This also consists of “special categories of information” which, due to its personal nature, requires further protection when processed.

“Processing” means any action undertaken on the personal data, by manual or automated means, including but not limited to collecting, recording, organising, storing, changing, accessing, using and disclosing.

“Processor” is the organisation undertaking the processing on behalf of the controller.

“Profiling” is the activity of processing personal data via automated means to analyse and make predictions about the individual.

“Specially selected partners” are third parties who have entered into a partnership with Ocado Retail aiming to jointly promote each other’s products and services. These partners have been selected based on their relevance to Ocado Retail and our customers.

“Web advertising” means digital marketing that is intentionally sent or displayed to you on third-party online platforms or websites (such as ads you may see on social media, Google or Bing) which we believe would be relevant to you based on your interests. It does not include marketing that we have not intentionally targeted to you specifically (such as banner ads that are randomly shown to any visitor of a third-party online platform or website) or any personalisation or recommendations we show on our websites, apps and services.

Ocado Retail Limited and/or Ocado Retail:

Apollo Court
2 Bishop Square
Hatfield Business Park
Hatfield
Herts
AL10 9EX

privacy@ocadoretail.com

Personal data is any information relating to a living individual who can be identified directly or indirectly, often by name, customer number, location, an online identifier or other factors specific to their identity.

Personal data may include “special category data” such as personal data relating to racial or ethnic origin, political opinions, religious beliefs, membership of a trade union, physical or mental health, and criminal records and allegations. Whilst the primary purpose of our processing of your personal data does not include special categories of personal data, where any special categories of personal data are processed, we will at all times ensure we have a valid lawful basis for processing.

Information disclosed to us, by you, in the course of communications with us will be retained automatically as part of your correspondence and may as a result include special categories of personal data. Further protection and safeguards are placed upon sensitive information we process.

When we collect personal data from you we will indicate whether it is mandatory or voluntary – this is done on our websites and applications by using asterisks to mark mandatory fields.

The types of data we may process about you include, but are not limited to:

  • Personal details
    Name, address, email address, telephone number;
  • Order details
    Delivery address(es), order and delivery times, contact information, complaint / enquiry information, delivery photographs;
  • Payment details
    We never store your payment details in full; we only store an encrypted token that represents your payment card;
  • Account details
    Identification, purchase history and trends, account activity, log in details;
  • Online activity details
    Details of your operating system, browser software, IP (Internet Protocol) address and Uniform Resource Locator (URL), including the date and time of your visit; and
  • Supplier details
    Name, contact details, business information and/or payment details of suppliers may be stored on our systems, or on third party systems, for the purpose of providing a service, access and fulfilling contractual obligations.

We gather information from you through, for example, the use of our websites, apps, products or services. This includes tailoring the information we share with you to ensure that it is relevant, useful, timely and non-intrusive.

We may process information for a number of purposes; these are detailed, non-exhaustively, under the lawful basis of processing section below.

The lawful basis we rely upon to process your personal data may differ for each processing activity. Depending on the purpose for processing as detailed below, and the business area processing your data, one of the following lawful bases of processing may apply:

  • Article 6 (1) (a) GDPR Consent:
    • Telephone marketing to numbers registered on the Telephone Preference Service List;
    • Automated phone marketing;
    • SMS reminders concerning deliveries and services;
    • Direct mail marketing to Customers on the Mail Preference Services List;
    • Electronic marketing of third party products and services;
    • Sending push notifications, where your device requests an affirmed action;
    • Reposting images you have tagged Ocado Retail in on your own social media;
    • Contacting Marks & Spencer on your behalf in regards to an enquiry or complaint relating to a Marks & Spencer product or service;
    • For use of cookies where consent is required;
    • Sharing or publishing of personal data where required; and
    • To process any personal data for other purposes where your consent has been freely given, specific and informed.
  • Article 6 (1) (b) GDPR Performance of a contract:
    • Registering you as a customer;
    • Providing a service and processing your orders and returns;
    • Arranging deliveries and collections;
    • Processing payments and transactions;
    • To respond to complaints, rights requests and enquiries;
    • To provide online account management, subscription and related services;
    • For a supplier to provide a service to us or on our behalf;
    • To fulfil any agreed terms and conditions such as for use of our website, our app or entering a competition; and
    • To meet any other contractual obligation.
  • Article 6 (1) (c) GDPR Legal Obligation:
    • To allow us to comply with any requirements imposed on us by law or court order, including disclosure to law or tax enforcement agencies or authorities, or pursuant to legal proceedings;
    • To maintain records to meet legal, audit, regulatory and tax requirements;
    • To help us defend legal claims, or to exercise legal rights;
    • To contact affected Customers and process personal data in connection with product recalls, other similar product quality issues and product liability purposes;
    • To comply with our legal obligations in connection with the sale of age restricted products;
    • Prevention and detection of fraud, crime and anti-money laundering;
    • Suppression lists and managing communication opt-out requests;
    • To meet government legal guidance, such as track and trace for Covid 19; and
    • To meet any other legal or regulatory obligation.
  • Article 6 (1) (f) GDPR Legitimate interests: These include:
    • Training, communications and awareness;
    • Audit, quality control, performance management and monitoring;
    • Market research, management information, data aggregation and product performance, either for own purposes, or for the purposes of collaboration partners, or assisting the wider retail industry;
    • Understanding and publishing trends, customer behaviours and other data insights, and/or to improve usefulness and content of our websites, apps, products and services, and/or to promote products and services either for own or third party purposes;
    • To develop, and provide the most relevant products and services and gain a wider understanding of our Customers;
    • To monitor the use of our websites and apps, and to ensure data security, data loss prevention and improve its facilities;
    • To process feedback, and customer engagement and determine the effectiveness and performance of our products and services;
    • Reviewing, deleting and publishing reviews made directly or via third parties;
    • To personalise, target and improve your experience of our products and services;
    • Direct marketing of our own products and services;
    • Data shares for the purposes of marketing or promotional activities;
    • To share hashtag data with partners such as the Guardian and Channel 4 for trend analysis;
    • Tracking activity on our websites, apps and third party platforms (such as Social Media) to provide a more personalised online experience;
    • Linking with social media sites and services, for example, for advertising purposes;
    • Operating and improving our products, services, websites, mobile applications and other digital assets as well as developing new products and services; and
    • Processing for competitions, promotions and other marketing purposes.

We share and publish promotional and PR articles online which sometimes include insights and statistics gathered from analysing, for example, our customers’ shopping and browsing behaviour (such as products purchased and pages visited). Any insights and statistics we publish will always be presented in an aggregated and anonymised form.

We do not tend to ask for, or process, “special category data” about visitors to our websites/apps or our customers or suppliers for our primary purposes of providing our products and services. However, we may process information regarding a disability or vulnerability to facilitate us in providing our service in an appropriate way and to make such reasonable adjustments as may be required.

Should we identify suspected criminal activity such as fraudulent claims, transactions or the use of stolen payment card details we will document the suspected criminal activity and may take appropriate action, including refusing to accept orders, make payments or give refunds. We may also report the incident to the relevant bank or payment card issuer, the police or other appropriate authorities.

Should we process information defined as “special category”, the following lawful bases for processing may be relied upon:

  • Article 9 (2) (a) GDPR Explicit Consent:
    Your permission has been granted and documented directly to us.
  • Article 9 (2) (f) GDPR Establishing, exercising or defending a legal claim:
    Such as litigation against a business, supplier or fraudulent person.
  • Article 9 (2) (g) Reasons of substantial public interest (with a basis in law).
  • Article 9 (2) (h) Health or social care (with a basis in law).
  • Article 9 (2) (i) Public health (with a basis in law).
  • Article 9 (2) (j) Archiving, research and statistics (with a basis in law).

Where we rely on conditions (h), (i) or (j) above, we commit to meeting associated conditions in UK law, set out in Part 1 of Schedule 1 of the DPA 2018.

Where we rely on the substantial public interest condition in Article 9 (2) (g) above, we commit to meeting one of 23 specific substantial public interest conditions set out in Part 2 of Schedule 1 of the DPA 2018.

We may also process criminal conviction data under:

  • Schedule 1, Part 3, Paragraph 33 DPA 2018 Legal claims:
    In connection with legal, or potential legal proceedings, obtaining legal advice or establishing, defending and/or exercising legal rights.

We may collect and process your personal data for humanitarian purposes, such as the monitoring of epidemics and their escalated spread (Recital 46) and in compliance with those purposes as defined by the appropriate authority/government under the lawful basis of “public interests” in order to protect our customers and employees.

Where child data is processed, for example within a marketing campaign or activity, processing of child data will only be undertaken with the appropriate consent, where required.

Health data may need to be processed, for example when querying or processing information regarding allergies, and the processing of health data will only be undertaken with the appropriate consent, where required.

Biometric data may be processed for the purpose of uniquely identifying a natural person, for example, to access our apps. The processing of biometric data will only be undertaken with the appropriate consent, where required.

Information about you may also be provided to us indirectly by:

  • Consumer profiling experts, such as Experian
    These organisations provide demographic or other profiling data, to help us better understand how consumers’ lifestyles or shopping behaviours may be affected by factors such as their age, or the area in which they live.
  • Personal Assistant services
    For example, Amazon’s Alexa or Apple’s Siri provide us with details of the voice requests you have made in connection with your account so we can fulfil the orders you place with us, understand your shopping experience, and improve the related services that we offer.
  • Customer review websites, such as Trustpilot
    Information relating to feedback and reviews, which may contain your name or username is provided to assist Ocado Retail in improving our services.
  • ‘Trusted Sources’:
    • Credit / Default Agencies;
    • Financial Institutions;
    • Third-party services or suppliers who may have sought your consent;
    • Collaboration partners and affiliates, such as Marks and Spencer, the Guardian, MOB Kitchen and SKY;
    • Social media and other third party online platforms/services such as Facebook, Ambassadors or Influencers; and
    • Ocado.com to zoom.ocado.com and vice versa.

Ocado Retail may share personal data or engage with third parties, for example, to meet legal obligations, fulfil contractual terms, or promote our products and services. Whenever we use or disclose your information, we put in place measures to keep it secure, and make sure it is protected as far as is reasonably possible. Third parties may include:

  • Other companies within Ocado Retail;
  • Payment card processors for the purpose of debit/credit card transactions;
  • Customer analytic companies;
  • Marketing and advertising agencies;
  • Social media platforms and users, such as influencers and ambassadors;
  • Post, courier, drivers or other delivery services;
  • Surveyors and researchers;
  • Web and app designers;
  • Tax, customs and excise authorities;
  • Regulators, courts and government agencies;
  • Public agencies, fraud and crime prevention and screening bodies/authorities;
  • Third parties assisting in the fulfilment of competition terms and conditions;
  • Collaboration partners such as the Guardian, MOB Kitchen and Channel 4;
  • IT, information security and facility providers; and
  • Shareholders or key stakeholders, such as Ocado Holdings Limited and Marks and Spencer Holdings Limited and their group companies.

In the event Ocado Retail sells, merges or transfers our business, brands or assets, your information, if associated, may be passed to the acquirer and, as such, will be subject to the acquirer’s own Privacy Policy. The information, however, will remain subject to the obligations as outlined in this Privacy Notice and Cookie Policy.

Social media and digital platforms

Ocado Retail may share your personal data (largely hashed mobile numbers and email addresses) with certain social media and digital platforms including but not limited to Facebook, Instagram, TikTok, Nextdoor, YouTube, Snapchat, Twitter, Pinterest, Verizon and DV360 (Google), to allow us to build our campaigns through their platforms.

Ocado Retail may share your personal data with these platforms for the purposes of:

  • Identifying you on a social media or digital platform so that we can advertise products we think would be of interest to you, based on the information we hold about you and your social media profile;
  • Understanding the performance and return of our marketing activities on a social media platform, and to optimise the efficiency of marketing activity;
  • Helping a social media platform serve non Ocado Retail customers targeted marketing about our products and services on the social media platform, based on whether their profile matches those of our Customers; and
  • Aiming to prevent you being targeted for the promotion of our products and services on your social media account, and where possible on social media and digital platforms, if you have opted out of Ocado Retail marketing.

In most circumstances Ocado Retail and the social media platform are Joint Data Controllers for this processing and both parties have entered into a written agreement that sets out their respective responsibilities for carrying out the processing in a GDPR compliant manner. This includes a requirement for Ocado Retail to provide our Customers with details of the processing we carry out (as detailed above) and an acknowledgment that the social media platform will be responsible for enabling Data Subjects’ GDPR rights for any Personal Data it stores after the joint processing.

You have the right to opt out of data shares with social media platforms. To exercise your right to object you can email privacy@ocadoretail.com.

Marketing preferences and any valid right to object to data shares with social media platforms are at all times respected.

For further information about how a social media platform processes your personal data, including the legal basis they rely upon, and the ways you can exercise your rights over the data they hold about you please visit their privacy notice that can be found on their website/s or within their application/s.

We work with third party partners who help us to identify any social media posts in which we have been tagged. If your tagged post includes an image we would like to reuse, then we may post a comment asking if you would be happy to give your consent for us to potentially reuse it. We will only ever reuse or retweet content you have posted about us on social media if we have both asked for, and received, your consent. You can withdraw your consent at any time by emailing privacy@ocadoretail.com.

If you make a comment about Ocado’s services on one of our social media posts then we may add our own comments in response. If you have provided negative feedback then we may post a comment encouraging you to message us directly to discuss further.

Marks and Spencer

Ocado Retail has entered into a partnership with Marks and Spencer to provide their products via our delivery service. We provide information relating to our customers to a contracted and independent third party who combines our data securely with that of Marks and Spencer, to produce an output to identify whether we share mutual customers, allowing us to enhance our marketing; operate a smooth, mutually beneficial relationship; and better understand our customers. No personal data such as names or contact details are directly shared with Marks and Spencer for this purpose.

Should you have a query or complaint regarding a Marks and Spencer product or service, we kindly ask that you contact them directly. However, should you require our assistance we ask that you provide us with written permission for us to pass your information to Marks and Spencer in order to deal with this.

We know how important it is to protect and manage your personal data and we take the security of your personal data seriously, by implementing technical and organisational measures to protect its integrity and privacy.

Our security measures

Our websites use Secure Sockets Layer (SSL) encryption technology to protect the transfer of your information to and from our website. Our web page URLs will start with https and a padlock will be displayed in front of the URL bar to show that we always encrypt the information that you send us.

We maintain and enforce physical, electronic, and procedural safeguards in connection with the collection, storage and disclosure of your personal data. However, whilst we take appropriate technical and organisational measures to ensure the protection of your personal data, we cannot guarantee the security of all personal data that you transfer over the internet to us in every circumstance, for example, if we suffer a sophisticated cyber-attack.

Our security procedures mean that we may occasionally request proof of identity before we disclose personal data to you, including in relation to a request by you for the data we hold on you (a subject access request).

Keeping your payment details secure

We are committed to ensuring the protection of your payment card details and are compliant with the Payment Card Industry’s Data Security Standard (PCI-DSS). Payments made via our sites are processed and managed by specialist payment card companies which are not part of Ocado Retail. We only store and display the first six and last four digits of your payment card number, the card type and the card expiry date. The full payment card number is never stored on any of our systems and is only stored and processed by a payment card processing company approved by us.

We keep an encrypted authentication token to represent your card and this token is transmitted to the relevant payment card processing company during the order processing.

We use 3D Secure to provide additional fraud protection and to protect your payment card from unauthorised use. During the checkout process, you may be asked by 3D Secure to provide your Verified by Visa or Mastercard Secure Code password.

Protecting your password

It is important to keep your password secure to prevent fraudulent use of your account. Never disclose your password to anyone else, and especially to anyone who requests it from you by telephone or email; we’ll never do this (more information below). You should avoid using the same password for other websites, because if their systems are hacked, the hackers will also be able to access your account.

Avoid using common terms for your password such as "password" or "123456"; hackers know the most popular passwords and will try to access accounts using these. Instead, try to use a combination of letters and numbers that means something to you so it’s easy to remember but difficult to guess.

Personal security and identity fraud

Using public WiFi networks can be risky, and hackers may try to capture your online transactions and personal data. You should only connect to networks that you trust. If you use a shared computer, make sure that you log out once you have finished using a website or application.

Criminals and fraudsters may attempt to steal your personal data using a technique known as ‘phishing’. This is where criminals send bogus emails that appear to be from Ocado Retail but are actually fake. These emails often deceive people into giving away their personal data (such as usernames and passwords) under the guise of updating security details, and contain a link to false websites asking you to input your account details.

We will never ask you to provide your personal data via email. If you receive an email like this that claims to be from us and contains a link to an external website, or a request for you to enter any personal data, treat it as suspicious and do not enter any personal data, even if the page appears legitimate. If you suspect that your account details are subject to such fraudulent activities, please let us know by calling our Contact Centre.

We retain your personal data only for as long as is necessary to support the purposes laid out in the "Lawful basis of processing" section, for our business interests and/or to comply with our legal, regulatory and contractual obligations.

If you wish to understand specific retention schedules please contact: privacy@ocadoretail.com.

Closing your Ocado Retail account(s)

Please note that all of your Ocado Retail accounts are linked, so if you wish to close one account, this will result in all of your Ocado Retail (Ocado.com and Zoom.Ocado.com) accounts being closed. Alternatively, your accounts can remain active and we can ensure that you are removed from all relevant marketing communications from any given account. For further information, please contact our Contact Centre. Should you wish to re-register at a later date you will be required to use a new email address.

Our operations are based in the UK and the personal data that we collect from you is processed, stored, and used within the UK, and other countries such as in the European Economic Area (EEA) and third party territories including the US.

For any transfer of personal data outside the UK or EEA, namely to third party territories, we aim to apply a similar level of protection by following requirements set out in data protection legislation, such as ensuring the country has been granted adequacy status by the European Commission (and as considered by the UK Information Commissioner’s Office to offer an adequate level of protection for personal data) or including Standard Contractual Clauses as created by the European Commission.

We also have the ability to rely on the derogation under Article 49 of the GDPR (when the transfer relates to the performance of a contract and for your benefit), and where you provide permission for the transfer to go ahead.

You can exercise certain rights in regards to the data we hold on you:

  • The right to receive a copy of the information we hold about you
  • The right to have inaccurate information corrected or incomplete information completed
  • The right to have your information erased
  • The right to have the processing of your information restricted
  • The right to withdraw your consent or object to processing reliant upon legitimate interests
  • The right to have your information transferred to another organisation or yourself in a machine readable format
  • The right to request human intervention in regards to automated decision making

The applicability of these rights is dependent upon our purpose and the lawful basis of processing relied upon. There may be reasons why the above rights may be limited in some circumstances. For example, we can refuse to provide information if fulfilling your request would reveal personal data about another person, or if you ask us to delete information which we are required to retain by law, have compelling legitimate interests to keep, or need to access in order to fulfil our legal obligations. In such situations, we would only use your information for these purposes and not use or share your information in other ways. We will always protect your privacy and retain any personal data in accordance with the section entitled ‘Data Retention’.

How to exercise your rights and timescales

You can exercise your rights either verbally or in writing. However, if you submit a request verbally we recommend that you follow this up in writing to provide a clear correspondence trail.

We have an obligation to respond within one month of receiving your request. However, we also have the ability to extend the response time by two months should we determine the request is complex and requires additional time and resources to respond. If this is the case you will be informed of the extended response date, alongside an explanation, within the original one-month time frame.

The quickest and easiest way to make a data subject right request is to contact us directly by emailing privacy@ocadoretail.com.

To exercise a data subject right you can also email us at privacy@ocadoretail.com. This includes, but is not limited to, the following requests:

  • To provide you with more information if required, on how we process your personal data
  • To request access to personal data where you have the right to access a copy of the personal data we hold about you. We utilise an online portal to provide data to you, in a machine-readable format. Personal data is information that relates to an identified or identifiable individual. Personal data must relate to you. Therefore, not all data is personal data. We are, however, happy to provide you with information held and feasible to retrieve with regards to your engagement and any account with us, that is not exempt from disclosure.
  • To inform us personal data we hold on you is incorrect or incomplete, so we can help you update it. In most instances you can update your personal data online within your account.
  • To withdraw consent at any time where we have asked for it, but this will not affect any processing that has already taken place. For processing for marketing purposes refer to the section entitled ‘Marketing Preferences’.
  • To object to certain processing activities which use your personal data, in particular where the processing is based on legitimate interests as outlined in the section entitled ‘Lawful Basis of Processing’. For processing for marketing purposes refer to the section entitled ‘Marketing Preferences’.
  • To ask us to delete, remove, or stop using your personal data if there is no need for us to keep it. You can also ask us to restrict the use of your personal data in certain circumstances. These rights are known as the ‘right to object’, the ‘right to erasure’ and the ‘right to restrict processing’. Should you request your data be deleted outside of our retention period, you will need to use a different email address if you decide to re-register as a customer with us, as your old email address will no longer be valid. You may be unable to continue using our services if you require us to stop using your personal data, since this information is necessary for us to accurately fulfil and provide our services.

Identity Verification

We will only process a data subject rights request where we are satisfied that ID verification has been successful, and you are the one asking for your personal data to be processed. We will not process personal data where we are in doubt of the identity of the requestor. You may be asked to prove your identity when making a subject rights request.

Requests made by third parties

In line with our privacy practices and to protect your rights and freedoms, we are unable to process a data subject rights request made by a third party (such as Rightly) where there is doubt that the third party has the appropriate authority to act on your behalf, and where we are not satisfied adequate evidence has been provided in support of identity verification. We would always aim to ensure that a third party has the appropriate consent or authority to act on your behalf, and most significantly that you are fully aware that the third party has made contact specifically with us (Ocado Retail Limited), regarding exercising your data subject rights.

Before we can process a data subject rights request made by a third party on your behalf, we require as a minimum from the third party:

  1. a copy of an identity document for you; and
  2. evidence of your address; and
  3. a physically signed authority by you; or a verbal authority provided directly to us from you and noted on your account; and if provided electronically the authority is to come directly from your email address that matches our records.

We will not access or process your personal data without being confident we are acting on your specific instructions.

If required, identification will be requested within the one-month time frame and only limited to what is necessary for confirmation, such as a copy of your driving licence, passport or utility bill. Once the ID has been confirmed we will then process your request.

If your request cannot be processed, due to legal obligations or the non-applicability of rights, we will inform you of this, along with the reasons as to why your request cannot be carried out. Should we refuse to comply with a request we will inform you of this within the one-month time frame and provide an explanation outlining our justification, our internal complaints procedure and your right to complain to a supervisory authority and to enforce your rights through a judicial remedy.

We market and promote ocado.com and zoom.ocado.com offers, gifts and other marketing promotions about our products and services, and those of our specially selected partners, via a range of communication channels in line with the Privacy and Electronic Communications Regulation (PECR), the Data Protection Act 2018 and UK GDPR.

We rely upon our legitimate interests to market our products and services via:

  • Live telephone calls to numbers not listed on the Telephone Preference Service
  • Direct mail marketing to individuals not listed on the Mail Preference Service
  • Email, SMS and other electronic mail to individuals whose information has been obtained via the use of soft opt-in

For both ocado.com and zoom.ocado.com, we also rely on legitimate interests as a means to market to all of our customers, regardless of the service you used (either ocado.com and/or zoom.ocado.com).

We rely on consent to market our products and services via:

  • Live marketing calls to numbers listed on the Telephone Preference Service (with consent)
  • Direct mail marketing to individuals listed on the Mail Preference Service (with consent)
  • Automated phone calls
  • Push notifications

We also rely on consent to market to you about our specially selected partners via electronic mail, SMS and push notifications. Consent is further obtained, where required, to utilise cookies for marketing purposes.

We will only ever send you marketing we believe is beneficial and specifically relevant to you, or where you have given your consent. You can change your marketing preferences at any time for what you receive from us, and how you receive it, by:

  • Using the marketing preferences found by going to “Account Settings” and then selecting “Marketing Communications” on the relevant Ocado Retail website (ocado.com or zoom.ocado.com)
  • Clicking on the unsubscribe link contained in marketing emails
  • Utilising opt out functionality on SMS
  • Emailing us at privacy@ocadoretail.com for any personal data shares for marketing purposes where valid
  • The option to receive push notifications is managed by you through the App and/or your device.
  • For changes to your cookie preferences see our Cookie Policy below.

To unsubscribe from ocado.com postal marketing and telephone marketing please complete this online form https://help.ocado.com/hc/en-us/requests/new

To unsubscribe from zoom.ocado.com postal and telephone marketing please email zoom@ocado.com or utilise the form on Ocado.com found here https://help.ocado.com/hc/en-us/requests/new

If you decide to opt out or unsubscribe from marketing communications it could take up to 72 hours to process the update through our systems. Legally we are entitled to one month to process a data subject rights request; however, we most often action requests much sooner. Whatever you choose, you may still receive non-marketing related messages and other important service information. We may also ask you to confirm or update your marketing preferences if there are changes in law, regulation, or business strategy or structure where lawful to do so.

Objecting to one channel of marketing or Ocado Retail brand (such as ocado.com and zoom.ocado.com) may not automatically opt you out of other marketing channels or brands. To check you are opted out of all marketing channels and brands, you can email: privacy@ocadoretail.com.

If you are not satisfied with our use of your personal data or our response to any request made by you in relation to your personal data, you have a right to make a complaint to the Information Commissioner at:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113 (local rate) or 01625 545745 (national rate)

Email: casework@ico.org.uk

The ICO currently recommends you contact them within 3 months of your last contact with us and advises you to contact them once the company’s complaints process has been exhausted.

When you visit an Ocado Retail website (ocado.com or zoom.ocado.com) or use one of our related apps, we apply our own and third-party cookies and similar technologies (for example, pixels and tracking URLs) to identify your device, personalise and improve your customer experience and, where appropriate, serve you relevant advertisements.

This Cookie Policy provides information regarding our use of cookies and the choices you have. It also applies to the SDKs on our apps. You can find useful information and set your cookie preferences within our cookie preference centre at: https://www.ocado.com/settings/cookies

What are Cookies?

Cookies are small files that are placed on your computer, mobile phone, tablet or other device when visiting a website. Cookies assist in the performance and end user experience by remembering preferences and choices, identifying traffic and remembering your selections, such as the items you place in your basket.

We have two main categories of cookies: essential and non-essential.

Essential cookies

These cookies are essential in order to enable you to move around our website and use its features, including accessing secure areas. Without these cookies, any services on our website you wish to access cannot be provided.

Strictly necessary cookies
These cookies are necessary for the website to function. You can set your browser to block or alert you about these cookies; however, this is likely to affect your user experience as certain parts of the site will not be able to function. These cookies do not store any personally identifiable information.

Non-essential cookies

Performance cookies
We set cookies that help us assess the performance of our online and TV advertising campaigns. For example, these cookies will record whether a customer visited the website or made a purchase after viewing one of our adverts. These can include third party cookies set by online advertising platforms such as Facebook, Bing and Pinterest.

Analytics cookies
These cookies collect information about how you and other visitors use our websites. This can be anything from which pages you go to most often or if you get error messages from web pages. We use data from these cookies to help test designs and to ensure a consistent look and feel is maintained on your visit to our websites. In addition to this we use third-party web analytics software on our websites and apps (such as Google Analytics) to help us understand for example how well our website is performing.

Functional cookies
These cookies allow our website to remember choices you make (such as your username, language, or the region you are in) and provide enhanced personal features. These cookies can also be used to remember settings such as changes you have made to text size, fonts, and other parts of web pages that you can customise.

Targeting cookies
These cookies are used to deliver adverts more relevant to you and your interests, including the ads we display on third party advertising platforms such as Facebook. They are also used to limit the number of times you see an advertisement, as well as help measure the effectiveness of a marketing campaign. They are usually placed by third parties (such as advertising networks or platforms) with the website operator’s permission. They remember that you have visited a website and this information is shared with the advertiser. We have enabled Google Analytics Data Collection for Advertising Features, including Remarketing and Advertising Reporting Features. These features enable us to make use of data from users who have chosen to allow Google to associate their web and app browsing history with their Google account in order to personalise the ads we may show in Google Search and Display Advertising. This helps us provide more relevant messaging to our users. This also provides us with demographic and interest information at an aggregate level that helps us to understand our users better.

In order to assess the performance of advertising campaigns we may use a cookie to share information, for example with SKY when arriving on our landing page through use of a SKY QR code. This cookie may collect digital identifiers such as IP addresses and User IDs which help us record whether you visited the website or made a purchase after viewing the relevant advert. By consenting to Targeting cookies you will agree to us placing and sharing such cookies.

Social media extensions
These technologies allow you to share what you’ve been doing on our websites on social media, such as Facebook and Twitter. For example, by clicking the ‘Facebook Like’ icons that may appear on our product pages. Although we enable these tools to be displayed on our websites so that you may interact with them, if you choose to do so, they are not within our control. Please refer to the relevant third party privacy policies for how these functionalities work.

Managing cookies
You can change your cookie preferences at any time by visiting the cookie preference centre https://www.ocado.com/settings/cookies. This allows you to choose which non-essential cookies are set on our websites and applications. Essential cookies are always set to active. You may need to ensure your preferences are selected for each device and/or website or application you visit.

To find out more about cookies please visit: www.allaboutcookies.org or see www.youronlinechoices.eu which contains further information about behavioural advertising and online privacy.

To opt out of Google Analytics for Display Advertising and customize Google Display Network ads please go to https://www.google.com/settings/ads or Google Analytics’ currently available opt-outs for the web.

We may review and amend the contents of this Privacy Notice and Cookie Policy from time to time; we therefore recommend you check it regularly.

If you have questions regarding the contents of this Policy, or wish to exercise any of your rights described in it, you can contact our Data Protection Officer by email or by post:

Email: privacy@ocadoretail.com.

Post: Data Protection Officer, Ocado Retail Limited, Apollo Court, 2 Bishop Square, Hatfield Business Park, Hatfield, Herts, AL10 9EX.