YO! Sushi Limited – Privacy Notice
Date of last revision: 1 September 2020
We ask that you read this privacy notice (“Notice”) carefully as it contains important information on who we are, how and why we collect, store, use and share personal information, your rights in relation to your personal information, and how to contact us.
1. Who we are
For the purposes of data protection law, the “controller” is YO! Sushi UK Ltd (“we”). We are a company incorporated in England and Wales under number 02994470 and with registered office address at Level 5, 2 More London Riverside, SE1 2AP.
We are responsible for, and control the processing of, your personal data.
Please note that some YO! Sushi restaurants are franchises that are owned and operated by third parties, called franchisees. Each franchise is an independent business and is responsible for the operation of its own store and responsible for ensuring its own compliance with data protection and other laws. This Notice does not apply to franchisees of YO! Sushi, or to websites or mobile apps operated by franchisees. Please refer to the privacy notices of such franchisees for information on how they collect, store, use and share personal information. Details of our franchised restaurants are available to view on our Website here.
If you would like to contact us in relation to this Notice, you may do so by:
- sending an email to email@example.com;
- submitting an enquiry using the Contact Us page on our website https://yosushi.com/(“Website”) and selecting the Data Protection category; or
- writing to us at Data Protection Team, YO! Sushi UK Limited, Level 5, 2 More London Riverside, SE1 2AP.
2. Information collected by us
We may collect personal information about you when you use our online services or visit one of our restaurants. For example, when you:
- purchase items at our restaurants;
- register to receive emails from us relating to our products, services, discounts, offers, competitions and/or events;
- connect to our Wi-Fi networks;
- contact us (for example with a question or to provide feedback).
The types of personal information we may collect include:
- your personal details such as name, gender, e-mail address, postal address, phone number, date of birth;
- information about your use of a discount or offer;
- information about a YO! Sushi Giftcard that you purchase, register, top-up and/or use;
- information about which YO! Sushi restaurants you have visited (for example, when you connect to a restaurant’s Wi-Fi network);
- your contact and marketing preferences;
- other personal information you provide to us.
3. Information collected from other sources
We may obtain information about you from third parties and other sources. For example, if you use a giftcard, we may receive information from the Givex platform we use concerning how much top-up was put on the card, and how much was spent on each transaction, among other information. We may also receive information from Telefonica concerning the YO! Sushi stores you have visited, plus any other information you have provided to them. We can also receive a redemption code from our logistics provider NCR, which links to you and your transaction history.
This is not an exhaustive list, but is shown by way of example as to how we may lawfully obtain information about you from third parties. Any information we do receive will be used lawfully.
4. How we use your personal information
We may use your personal information to:
- fulfil your requests or orders and process payments for our products and services;
- communicate with you about our products and services (including giftcards);
- administer your participation in contests, competitions, prize draws, offers, promotions or special events;
- send you marketing emails (where we are permitted to);
- deliver content (including advertising);
- respond to questions that you ask us, or complaints or concerns that you raise with us;
- personalise your experience on our Website and in-restaurant technologies, such as providing you with content in which you may be interested, and making navigation on our Website easier;
- perform data analytics, including consumer research, trend analysis, and financial analysis;
- operate, evaluate and improve our business, including the development of new products and services; determination of the effectiveness of our sales, marketing and advertising efforts; and analysis and improvement of our products, offers, promotions, and other technologies;
- protect against, identify and prevent fraud and other criminal activity, claims and other liabilities; and
- comply with our obligations under applicable law.
We may process your location information collected through automated means to:
- personalise the visitor experience in our restaurants, on our Website or on our marketing channels;
- deliver content (including advertising) tailored to our users' interests and the manner in which our users browse our Website or in-restaurant technologies;
- help diagnose technical and service problems;
- identify a device for fraud prevention purposes;
- gather demographic information about our users.
5. Lawful bases of processing
In order to process personal data, we must have a lawful reason (sometimes called a lawful basis). We always ensure that this is the case, and we set out our lawful bases below.
5.1. Contractual Necessity
If you are our customer or applying for a job, we will process your personal data for the following purposes, on the legal basis that it is necessary for us to provide our products and services to you:
- to identify you;
- to respond to your enquiries;
- to allow you to register an account;
- to provide our products and services;
- to carry out billing and administration activities, including refunds and providing and managing giftcards;
- to evaluate your job application and take any next steps, and to evaluate your suitability for roles where you have asked to be considered for future opportunities.
5.2. Legitimate Interests
We process your personal information for our legitimate business purposes, which include the following:
- to conduct and manage our business;
- to enable us to carry out our services;
- to ensure our website and systems are secure (for example, by conducting security penetration tests on our website to ensure our security tools are effective);
- to personalise your web experience – for example, by tailoring our products, offers and services to you;
- to analyse, improve and update our services for the benefit of our customers;
- to deal with complaints;
- to detect and prevent fraud;
- to let you know about our products, services, promotions or events that we consider may be of interest to you: we carry out this processing on the legal basis that we have a legitimate interest in marketing our products and services, and only to the extent that we are permitted to do so by applicable direct marketing laws. Please see clause 8 below for further information about our marketing activities and regarding your right to opt out.
Whenever we process your personal data for these purposes, we ensure that your interests, rights and freedoms are carefully considered.
5.3. Compliance with laws
We may process your personal data in order to comply with applicable laws (for example, if we are required to co-operate with an investigation pursuant to a court order).
You may submit a query to a restaurant located outside the European Economic Area (“EEA”). In such cases we will share the information you provide with that overseas restaurant based on your explicit consent to do so. Please note that countries based outside the EEA may not have data protection laws that protect you to the same standard as European data protection laws.
Otherwise, we generally do not rely on consent as a legal basis for processing your personal data other than in relation to sending direct marketing communications to you via email where we are not otherwise entitled to do so. You have the right to withdraw consent to marketing at any time. This will not affect the lawfulness of processing that took place prior to the withdrawal of consent.
We will always be clear whenever we intend to process on the basis of consent, and we will process lawfully and only for the purpose for which consent was given.
6. Sharing your personal information
We may provide your personal information to the following recipients for the purposes set out in this Notice:
- other companies within our group;
- our employees, consultants, agents and service providers, in each case where it is relevant to do so;
- law enforcement agencies in connection with any investigation to help prevent unlawful activity.
In addition, you may choose to post information about, or interact with, us on social media platforms, for example Facebook, Twitter and Instagram.
7. How long will your personal information be kept?
We carefully consider the personal data that we store, applying reasonable criteria, and we will not keep your information in a form which identifies you for longer than is necessary for the purposes set out in this Notice.
We may store your contact details, and carry out marketing profiling activities, for direct marketing purposes. If you have given your consent, or if we are otherwise permitted to do so, we may contact you about our products or services that may be of interest to you. If you prefer not to receive any direct marketing communications from us, you can opt out at any time by sending an email to firstname.lastname@example.org. We will also give you the option to opt out each time we send a marketing communication by electronic means.
9. Transferring your information outside the EEA
Although we are based in England, we are a global organisation and may transfer your personal information to a location (for example to a secure server) outside the European Economic Area, if we consider it necessary or desirable for the purposes set out in this Notice. Countries based outside the EEA may not have data protection laws that protect you to the same standard as European data protection laws. Therefore, in such cases, to safeguard your privacy rights, transfers:
- will be carried out based on your explicit consent, for example where you submit a query to a restaurant located outside the EEA (as mentioned in clause 5.4); or
- will be made to recipients to which a European Commission adequacy decision applies (this is a decision from the Commission confirming that adequate safeguards are in place for the protection of personal data); or
- will be carried out under standard contractual clauses that have been approved by the European Commission as providing appropriate safeguards for international personal data transfers, copies of which are available to view on the Commission’s website(https://ec.europa.eu/info/index_en).
10. Keeping your personal information secure
We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way.
11. Your information rights
We draw your attention to your following rights under data protection law:
- the right to be informed about the collection and use of your personal data;
- the right of access to your personal data, and to request a copy of the information that we hold about you and supplementary details about that information;
- the right to have inaccurate personal data that we process about you rectified;
- the right (in certain circumstances) to have personal data that we process about you blocked, erased or destroyed;
- the right to object:
- to processing of personal information concerning you for direct marketing;
- to decisions being taken by automated means which produce legal effects concerning you or that similarly significantly affect you;
- in certain other situations, to our continued processing of your personal information;
- the right of portability of your data in certain circumstances;
- rights in relation to automated decision-making.
These rights are subject to certain limitations that exist in law. Further information about your information rights is available on the ICO’s website: https://ico.org.uk/. If you wish to know more detail as to how we observe the rights above, please contact us.
13. Changes to this Notice
We may change this Notice from time to time. Please check this Notice on our Website regularly to ensure you are aware of the most recent version.
14. How to complain
If you have a complaint about the way we handle your personal data, please contact us at the address in clause 1 of this Notice. In addition, should you find it necessary, you have a right to raise a concern with the information regulator, the Information Commissioner’s Office: https://ico.org.uk/.