Updated November 2025
Introduction
The Caffe Nero Group operates across the United Kingdom, Europe, Turkey, the Americas,
Africa and the Middle East. For the purposes of this policy, any reference to “Caffè Nero” should be interpreted as a reference to The Nero Group Ltd and its subsidiaries and operating entities collectively. The Nero Group Ltd acts as the Data Controller, or in certain circumstances a Joint Data Controller, for the personal data processed within the Group and by the entities that sit within it.
The Caffè Nero Group, includes the following trading names and subsidiary entities:
Caffè Nero, Green Caffè Nero, Favor Bakery, Harris & Hoole, FCB, Coffee#1, 200 Degrees, Aroma, Neal Street Technologies, and Nero Coffee Roasting.
This Privacy Policy applies to The Nero Group Ltd, the parent company, and its subsidiaries. It governs how Caffè Nero Group collects, uses, and protects the personal data you provide when using our website (the “Site”), as well as any other personal information we may obtain about you (“Personal Information”). In this Policy, "we", "us" and "our", refer to The Nero Group Ltd, registered in the UK with registered office 9-15 Neal Street WC2H 9PW. Our company registration number is 06002065.
WE ARE REGISTERED AS A DATA CONTROLLER WITH THE UNITED KINGDOM INFORMATION COMMISSIONER'S OFFICE UNDER REGISTRATION NUMBER ZB128061. WE TREAT YOUR INFORMATION VERY CAREFULLY AND WE HAVE WRITTEN THIS DOCUMENT TO HELP YOU UNDERSTAND WHAT INFORMATION WE COLLECT, WHO HAS ACCESS TO IT AND FOR WHAT PURPOSES. IF YOU ARE IN THE PROCESS OF CREATING AN ACCOUNT WITH OR HAVE ALREADY DONE SO, YOU SHOULD READ THIS DOCUMENT IN CONNECTION WITH OUR AGREEMENT WITH YOU. THIS DOCUMENT IS NOT PART OF THE AGREEMENT AND IS NOT BINDING ON YOU (IT IS FOR INFORMATION ONLY).
Caffè Nero Group Ltd is committed to protecting the security and privacy of third parties (including its customers and all visitors to the Site. We comply with applicable data protection laws including the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR) 2003 (as amended) all similar or related legislation relating to the processing of Personal Information and/or privacy applicable in any jurisdiction and will take reasonable steps to ensure that your Personal Information is secure, and monitored with regard to access, both internally and externally.
We use cookies and similar technologies to enhance your experience and analyse site usage; you can manage your preferences or withdraw consent via our Cookie Policy
Legal Framework
The law on data protection sets out a number of different reasons for which a company may collect and process your personal data, including:
Consent. In specific situations, we can collect and process your data with your consent – for example when you opt in to receiving information or updates from us.
Contractual obligations. In certain circumstances, we need your personal data to comply with our contractual obligations.
Legal compliance. If the law requires us to, we may need to collect and process your data.
Legitimate interest. In specific situations, we require your data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business, and which does not materially impact your rights, freedom or interests – for example when you have shown interest in receiving information or updates from us.
In some limited circumstances, we may also need to collect and process special category personal data about you. We will only do so on the basis of your explicit consent or where there is specific legal basis for doing so.
Personal Information that we collect
When you engage with us—whether by email, telephone, visiting our premises, or making enquiries through our website—you may provide personal information such as your name, contact details, should you consider making a purchase, additional personal data such as payment details may be collected. Furthermore, when you use our website, we may automatically collect technical information including your IP address, browser type, and other usage data.
The personal data which we may collect depends upon the means by which you choose to engage with us and the information that you choose to provide. This may include the following:
Identifying information such as name, gender, date of birth.
Contact details including postal address, email address, and telephone numbers.
Financial information necessary for payment processing.
Employment-related information such as job title, employer details, CVs, and qualifications when applying for a role.
Social media usernames, where interaction occurs through these channels, to respond to inquiries or feedback.
Transactional data related to purchases or services provided.
Technical data collected automatically when using our Website, access internet in storeor applications, including IP address, browser type and version, operating system, geographic location, device information, and browsing behaviour.
Security-related data such as CCTV footage and Body Worn Camera recordings recorded on our premises.
Loyalty Programme Data
The Caffe Nero App is powered by Neals Street Technologies, through participation in our loyalty programme, we collect data including purchase history, rewards balances, and user preferences, and subject to the Neal Street Tech Privacy policy.
Personal Information that we receive from other sources
We may obtain personal information about you from third parties who have collected it with your consent. This can include data shared for purposes such as fraud prevention. Additionally, our employees may provide us with emergency contact details and information about their dependents or other individuals relevant to employee benefits arrangements. In all such cases, the third party is responsible for ensuring that you have provided the necessary consents for your personal information to be shared and used as described.
We may also receive information about you through your use of other websites or services operated by us. Furthermore, we collaborate with a variety of third-party partners—including business partners, subcontractors (in areas such as technical support, payment processing, and delivery), advertising networks, analytics providers, search information providers, customer insight companies, credit reference agencies, recruitment agencies, and job boards—and may receive personal data from these entities.
Where you apply for a job vacancy with us, we may conduct verification checks, including contacting referees, to confirm the accuracy of the information you have provided
What we do with your Personal Information
We collect and process personal data for various legitimate purposes, including but not limited to:
Responding to Feedback: To respond directly to any feedback or enquiries you provide.
Order Fulfilment: To process and deliver the products or services you purchase from us.
Surveys: To collect and analyse data such as usernames, contact details, date of birth, and purchasing behaviour, enabling us to enhance your experience and provide targeted promotions.
Marketing Communications: Where you have opted in, to send relevant updates, offers, job opportunities, and important service-related information via post, telephone, or email. You may opt out at any time.
Security: To operate CCTV surveillance in some stores.
Service Provision and Support: To supply the services you have requested, provide customer support, and improve our website and services.
Internal Business Processes: To support our staff and conduct internal operations efficiently.
Employment Applications: To process and verify your application where relevant.
Loyalty Programme Management: To operate the loyalty programme, manage accounts, and personalize rewards.
Website Customization and Analytics: To customize the Website based on your interests, track usage, and improve user experience.
How we share your Personal Information
We may share your personal data within the Nero Group to facilitate smooth operations, manage loyalty programmes, conduct marketing, and perform analysis. Trusted third-party processors—such as those handling payments and app functionalities—may access your data only under strict confidentiality and privacy obligations.
In certain circumstances, we may disclose your personal information to carefully selected third parties. This will only occur with your consent or where we have a lawful basis to do so. If you have previously granted permission but later change your mind, you may opt out by contacting us as outlined below.
By submitting your personal data, you acknowledge that these third parties may receive and process your information. We require all third parties to handle your data securely and in accordance with this Privacy Policy, and we take reasonable steps to enforce these standards.
Circumstances Requiring Disclosure
We may be required to disclose your personal data to comply with legal obligations, conduct internal investigations, enforce our Terms and Conditions or protect the rights, property, or safety of Caffè Nero group companies, our customers, employees, or other personnel. This may include sharing information with other organizations for fraud prevention, legal and insurance claims and credit risk management.
Purpose of Data Sharing
To enhance your customer experience, we combine data from various sources to offer personalized updates, offers, promotions, and, for loyalty members, relevant rewards. Additionally, we may use your personal data to:
Fulfil our contractual obligations, such as processing orders made via our websites, app.
Notify you of updates, special offers, discounts, events, competitions, and job vacancies that may interest you.
Provide information about products or services similar to those you have purchased or enquired about.
Administer prize draws or competitions entered.
Improve our systems, products, and services through research and marketing activities.
Respond to your queries and complaints, maintaining records for quality and transparency.
Ensure optimal presentation of content on our sites, apps, and other platforms.
Protect our company, customers, premises, assets, and staff from crime.
Comply with legal or contractual obligations, including sharing data with law enforcement or regulatory bodies.
Send communications required by law or necessary to inform you of changes to our services.
In dealing with legal and Insurance claims
Sharing with Group Companies and Third Parties
We may share your data with any member of our corporate group, as defined under UK law (section 1159 of the Companies Act 2006).
In specific situations, your data may be disclosed to third parties such as:
Prospective buyers in the event of a sale or transfer of business or assets.
Legal or regulatory authorities, or to enforce agreements and protect rights, property, or safety.
Business partners, suppliers, and service providers engaged to perform contractual services with us or on our behalf.
IT service providers supporting and maintaining our websites and business systems.
Marketing, research, advertising, and data insight companies helping us refine our marketing strategies and keep your data accurate.
These third parties are provided only with the information necessary to perform their services and are contractually obligated to use your data solely for those purposes.
User rights and data deletion
We are committed to respecting your privacy and ensuring that you have control over your personal data. Under applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR), you have certain rights regarding the personal information we hold about you. These rights include:
1. Right to Access
You have the right to request access to the personal data we hold about you. This allows you to obtain a copy of your data and information about how it is being processed.
2. Right to Rectification
If any personal data we hold about you is inaccurate, incomplete, or outdated, you have the right to request correction or updating of your data.
3. Right to Erasure (“Right to be Forgotten”)
You may request the deletion or removal of your personal data where:
• The data is no longer necessary for the purposes for which it was collected or processed.
• You withdraw consent and there is no other legal ground for processing your data.
• You object to the processing and there are no overriding legitimate grounds for continuing processing.
• The personal data has been unlawfully processed.
• The personal data must be erased to comply with a legal obligation.
Please note that in some cases, we may be required to retain certain personal data to comply with legal obligations or for legitimate business purposes, such as fraud prevention or to enforce contractual terms.
4. Right to Restrict Processing
You have the right to request that we limit how we use your personal data in certain circumstances, for example, if you contest the accuracy of the data or object to its processing.
5. Right to Data Portability
Where applicable, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to request that we transfer this data to another controller.
6. Right to Object
You may object to our processing of your personal data on grounds relating to your particular situation, including where we process your data for direct marketing purposes. If you object, we will no longer process your data unless we can demonstrate compelling legitimate grounds for the processing.
7. Rights Related to Automated Decision-Making and Profiling
You have the right not to be subject to decisions based solely on automated processing, including profiling, which significantly affect you. We may use “knock-out” questions and limited automated decision-making as part of our recruitment processes. These questions are designed to quickly determine whether certain minimum criteria are met (for example, legal eligibility or required qualifications). Responses to knock-out questions may result in an automated decision that disqualifies an applicant without further human review. We process this information solely for the purpose of evaluating eligibility, in accordance with applicable data protection laws
Exercising Your Rights
To exercise any of your rights or make any requests regarding your personal data, please contact us at: enquiries@caffenero.com
We will respond to your request in accordance with applicable data protection laws, usually within one month. In some cases, we may require additional information to verify your identity before processing your request.
Data Processors and Joint Controllers
When we engage third-party service providers (data processors) to process your personal data on our behalf—such as payment processors, IT support, marketing agencies, and analytics providers—we require them to handle your information in accordance with this Privacy Policy and applicable data protection laws.
These data processors process your personal data solely for the purposes defined by us and under strict contractual obligations, including:
Ensuring the confidentiality and security of your personal data.
Using your data only for the services they are engaged to provide.
Complying with our instructions regarding the handling of your data.
When your personal data is no longer necessary for the purposes for which it was shared with third-party processors, or upon termination of the contract with those processors, we require them to securely delete, anonymize, or return your personal data to us, in accordance with our data retention policies and applicable laws.
We take reasonable steps to verify that our data processors comply with this deletionrequirements to prevent any unauthorized retention or use of your personal information beyond the agreed scope.
If you exercise your right to erasure (data deletion), we will instruct our data processors to delete your personal data as soon as reasonably practicable, except where retention is required by law or for legitimate business purposes as permitted by applicable regulations.
Where applicable, we will inform you of which joint controller holds responsibility for your data deletion request and provide relevant contact details if you wish to pursue your request with the other controllers directly.
Data Security and Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including to meet any legal, accounting, or reporting requirements.
When your data is no longer needed, we will securely delete or anonymize it in accordance with our data retention policies and industry best practices.
Below you can see the most common processing, legal basis and retention periods for personal data within the Caffe Nero Group.
Data Type | Legal Basis | Retention Period |
When you contact CS | Legal Obligation Legitimate interest | Up to 6 Years Up to 3 Years |
CCTV Recordings | Legitimate interest | 2 - 6 Weeks |
Transactional Data | Legal Obligation | Up to 6 Years |
Online Shop Purchases | Legal Obligation | Up to 6 years |
Customer data for Direct Marketing | Consent | Consent withdrawn or account inactive |
Customer database for Customer Insight | Legitimate interest | 28 days from when the purposes for which it was collected ends |
When you Sign in to the Wi-Fi | Legitimate interest | 28 days from when the purposes for which it was collected ends |
Please be aware that deleting your personal data may affect our ability to provide certain products or services to you, or to comply with legal obligations.
If you unsubscribe from marketing, we maintain a record of the request indefinitely to ensure we do not contact you again.
If you request deletion of your data, we retain a record of the deletion request so we can demonstrate compliance to guidelines set under GDPR.
Transferring Personal Information outside of the EEA
The Personal Information you provide to us is primarily stored and processed on our servers located within the European Economic Area (EEA).
However, to deliver our services effectively, it may sometimes be necessary to transfer your Personal Information outside the UK and, where relevant, the EEA to our staff, third-party service providers, suppliers, or group companies. This includes individuals involved in support services and other business operations who may be based outside the EEA.
We are committed to ensuring your Personal Information is handled securely and in compliance with applicable Data Protection Legislation when processed or accessed from locations outside the EEA. Accordingly, such transfers will only occur under one or more of the following conditions:
Adequacy Decision: The recipient country has been recognized by the European Commission as providing an adequate level of data protection, ensuring that your data rights and protections remain consistent.
Appropriate Safeguards: Where the recipient country is not subject to an adequacy decision, we enter into legally binding agreements such as Standard Contractual Clauses (SCCs) approved by the European Commission. These clauses impose contractual obligations on the recipient to safeguard your Personal Information in accordance with data protection laws. Additional technical and organizational measures may also be implemented to ensure data security.
Explicit Consent: In certain cases, where you have expressly consented, we may transfer your data outside the EEA, for example, if you request services from one of our partners located abroad. You can withdraw this consent at any time by contacting us.
Complaints
Should you have any queries or complaints in relation to how we use your Personal Information, please contact using the details set out as described below. Should you wish to take any complaints or queries further, you have the right to contact the Information Commissioner's Office regarding such issues.
Our Site may, from time to time, contain links to and from third party websites. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these websites or their related policies. Please check these policies before you submit any Personal Information via these websites.
Scope and Changes to this Policy
This Privacy Notice is directed at our guests, customers, job applicants, and any external individuals with whom we engage. In relation to personal data our current and former employees are covered by separate internal documentation and operational practices, including individual employee contracts and company rules, policies, processes and procedures.
Caffè Nero may amend this Policy at any time without notice. By continuing to use the Website and making use of our services you agree to the updated Policy. If you do not agree to any changes that we make, you should not use or access (or continue to use or access) the Site and/or our services. Any changes to this Policy will be posted on the Site.
Our contact information and opting out
You can opt out of receiving various communications from us by contacting us through our contact us page
Caffè Nero Group Ltd complies with GDPR and other relevant privacy laws. Users can exercise their rights, submit requests, or lodge concerns by contacting Caffè Nero Group Ltd through the following channels:
Email: enquiries@caffenero.com
Phone: +44 (0)20 7520 5150
Web: Contact Us Form (https://www.caffenero.com/uk/help/contact-us/)
For unresolved complaints, users have the right to contact the Information Commissioner’s Office (ICO): ICO Contact Details: Information Commissioner’s Office Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF Helpline: 0303 123 1113 Website: www.ico.org.uk
If you have any questions please feel free to contact us by email at Alternatively, you may call our team on +44 (0)20 7520 5150 , Monday to Friday: 9am to 5pm