privacy policy
YO! Sushi UK Limited – Privacy Notice
Date of last revision: September 2023
Introduction
This privacy notice (“Notice”) contains important information on who we are, on how and why we collect, store, use and share personal data, and on your rights in relation to your personal data.
It is important that you read this Notice, together with any other privacy policy or fair-processing policy that we may provide on specific occasions, so that you are fully aware of how and why we use your personal data. This Notice supplements our other notices and policies and does not override them.
This Notice and our website, https://yosushi.com/ (“Website”), are not intended for use by children and we do not knowingly collect personal data in relation to children.
1. Who are we?
We are YO! Sushi UK Ltd (referred to from now as “we” and via similar words, such as “our”). We are a company incorporated in England and Wales under company number 02994470, and with our registered office address at 69 Wilson St, London EC2A 2BB.
.
We are one business in a group of companies. Therefore, the words “we” (and similar) shall include a reference to a group company, where relevant.
Under data protection law, we are known as a “data controller”. This means we are responsible for the way in which we collect and process your personal data and must meet our legal obligations in relation to it.
2. How can you get in touch?
If you would like to contact us in relation to this Notice or your personal data, you may do so by:
- sending an email to privacy@yosushi.com
- submitting an enquiry at https://yosushi.com/contact-us by selecting “Data Protection” from the drop-down menu of topics
3. Our key data principles
We live by the following principles:
- We do not collect more personal data than we need
- When we collect it, we do not use personal data more widely than is necessary
- We safeguard your personal data
4. What is “personal data”?
Any information that relates to an identified, or identifiable, living person is personal data.
You are identifiable if it is reasonably likely that your identity could be inferred from that data alone or from that data in combination with other information.
5. When do we collect personal data?
We collect personal data at the following times:
Direct interaction with you. For example, when you:
- make a booking
- visit and purchase items or services at or from our restaurants
- register to receive emails or newsletters from us (relating to our products, services, discounts, offers, competitions or events)
- take part in competitions or contact us via social media or other means
- connect to our Wi-Fi networks
- buy and/or use a YO! Gift Card
- use a YO! digital loyalty card
- contact us (for example, with a question or to provide feedback)
Note on CCTV: for your safety, and for that of our other customers and our staff, we have CCTV at our restaurants. This is used proportionately, and naturally we do not make recordings in private places such as our washroom facilities. The CCTV data is deleted without undue delay, and we limit access to the data to a small number of people who have a legitimate reason to have such access.
From third parties. For example, when you:
- interact with one of our partners (for example, our YO! Gift Card partner, Toggle, or our YO! digital loyalty card partner, Vita Mojo)
- mention us in publicly available sources such as non-private Facebook, Twitter and Instagram posts
- are one of our business partners and we receive information, for example, when you are copied on an email. (Note: while this Notice will primarily be of interest to consumers, it is equally relevant to individuals working at our suppliers and at other businesses with which we have a relationship.)
From automated technologies. As you use the Website, we automatically collect Technical Data (see definition in section 6 below) about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies. Please see our Cookies Policy for further details.
6. What types of personal data do we collect?
It will depend on circumstances, but the types of personal data we may collect include:
- Identity Data - such as your name, title, date of birth, and gender (and when you visit our premises, your image on CCTV)
- Contact Data - such as your billing address, delivery address, email address, mobile number, current location (when you use the location function on our Website to find a store), and the ID number of any YO! Gift Card or YO! digital loyalty card that you own
- Financial Data - namely your payment card details
- Transaction Data - namely details about payments you make to us (and any refunds given), products and services you have purchased from us, rewards you have collected and used and the outstanding balance on a YO! Gift Card and/or YO! digital loyalty card
- Technical Data - including your internet protocol (IP) address, browser type and version, time-zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access the Website
- Profile Data - including your purchases or orders, any feedback and survey responses that you provide, and in some cases biographical information that you provide
- Usage Data - including information about how you use our website, products and services
- Marketing Data - including your opt-in/opt-out preferences in relation to electronic marketing
We also collect Aggregated Data, which is large-scale statistical data. We use it for matters such as understanding what percentage of Website users look at a particular page. Aggregated Data is not personal data, as it will not reveal your identity. However, if we combine Aggregated Data with your personal data, so that you can be identified, we will treat the combined data as personal data and use it in accordance with this Notice.
We do not ordinarily collect any Special Categories of personal data about you (this is the legal term describing details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences. If we ever do collect it – for example, if you make an accident report and provide health data to us – we will treat it lawfully. We may ask about allergies at a restaurant so that we can help safeguard customers, but we do not record such information in a way that would identify you.
Note: do you have to provide personal data?
In general, no – although in some situations we may be unable to provide a service if you do not. If we need to collect personal data by law, or to perform a contract with you, and you do not provide it, we may be unable to proceed. An example of this would be where we need your delivery address or card details.
7. How do we use your personal data?
We use your personal data to perform contracts with you, when our legitimate interests allow us to, and to comply with the law.
Whenever we use your personal data, we need what is known as a “lawful basis”. These are prescribed by law and are limited in number. Please see the glossary below for more about lawful bases. Sometimes we may have more than one lawful basis for the same processing activity.
A summary of our use of your personal data, and the lawful bases on which we rely, is as follows:
Activity | Types of personal data | Lawful basis (or bases) | ||||
Providing you with products and services | Identity Contact | Performing a contract with you | ||||
Taking a pre-authorisation from your card when you make a booking, to cover “no-shows” | Identity Contact Financial | Performing a contract with you Legitimate interests | ||||
Processing payments and refunds | Identity Contact Financial Transaction | Performing a contract with you Legitimate interests | ||||
Registering, and processing information about, your YO! Gift Card | Identity Contact Financial Transaction | Performing a contract with you Legitimate interests | ||||
| Identity Contact Financial Transaction |
| ||||
Communicating with you about this Notice | Identity Contact | Legal obligation Legitimate interests | ||||
Administering your involvement in competitions and special offers | Identity Contact Profile Usage | Performing a contract with you Legitimate interests | ||||
Asking and enabling you to leave a review or complete a survey | Identity Contact Profile Marketing | Performing a contract with you Legitimate interests Legal obligation | ||||
Sending marketing emails or SMS | Identity Contact | Consent | ||||
Responding to your questions or complaints | Identity Contact Financial Transaction Profile | Performing a contract with you Legitimate interests | ||||
Personalising your Website and in-restaurant experience | Identity Contact Profile Usage Marketing Technical | Legitimate interests | ||||
Operating, evaluating and improving our business and the Website | Technical Usage | Legitimate interests | ||||
Protecting against fraud and other criminal activity | Identity Contact Financial Transaction Technical Profile Usage | Legitimate interests Legal obligation | ||||
Complying with our legal obligations (for example, to HMRC and to comply with requests not to send electronic marketing) | Identity Contact Transaction Marketing | Legal obligation Legitimate interests | ||||
Participating in legal action | Identity Contact Financial Transaction Profile Usage Marketing | Legitimate interests Legal obligation | ||||
Evaluating your job application | Identity Contact Profile | Legitimate interests Legal obligation |
Consent
Whenever the law requires, we will ensure that we have your unambiguous consent before undertaking certain processing. The most common exampke of this type of situation relates to the sending of direct e-marketing communications to you via email or SMS.
You have the right to withdraw consent to such e-marketing at any time. This will not affect the lawfulness of marketing that took place prior to the time when we action your withdrawal of consent.
8. How do we share your personal data?
Business partners
Like most businesses, we rely on partners to provide some of the services that we offer to you. Our current partners include the following:
| Partner name | Role | Data collected |
| Vita Mojo | Electronic point-of-sale system, enabling us to sell to you Provider of the YO! digital loyalty card | Name Customer ID Restaurant visited Date of visit Email address Gift card ID Stamps and rewards collected (including dates) Stamps and rewards used (including dates) |
| Wireless Social | Wifi provider | Name Email address WiFi user ID Restaurant visited |
| Toggle | Provider of the YO! Gift Card | Name Email address Gift card number Balance on the card |
| Yumpingo | Feedback tool for customers | Restaurant reviewed Date and time of visit Substance of your review |
| Oracle Cloud | Storage of details | Opt-in for newsletter Feedback form from Website |
| Design My Night | Booking platform | Name Email address Mobile number Date of birth Details of booking |
Other companies in our group
Your personal data may, where necessary, be collected, stored or used by other companies within our group. An up-to-date list of group companies is available from us at privacy@yosushi.com.
CCTV
We share CCTV data with our partner responsible for the maintenance and storage of the information (and where appropriate, with law-enforcement agencies)
Franchisees
Some of our kiosks and other businesses are run by franchisees. A franchisee is a separate business that has a licence to sell produce under one of our brands. A franchisee has the “look and feel” of our business, but it is not part of our group.
Each franchisee is responsible for compliance with privacy laws, and we place strict burdens on franchisees to ensure that they do so. Occasionally, there may be an exchange of personal data with a franchisee where it is necessary: for example, if you have raised a query with us about a matter that relates to a franchised kiosk, we would be required to discuss that issue with the franchisee, which would involve the use of your personal data for this purpose.
Law-enforcement agencies
We may be required to share personal data with a law-enforcement agency (or similar regulatory body) in connection with an investigation.
HM Revenue & Customs
We are required by law to maintain certain data for a period of years to enable proper assessment of taxation and similar matters.
Professional advisers
We may, where necessary, share your personal data with our lawyers, accountants or other professional advisers where we consider it necessary.
9. How long will your personal data be kept?
We retain your personal data for no longer than is reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data (and whether we can achieve those purposes through other means), and the applicable legal, regulatory, tax, accounting and other requirements.
10. Marketing
We may store your contact details, and carry out marketing profiling activities, for direct electronic marketing purposes. If you have given your consent, we may contact you about our products or services that may be of interest to you.
If you prefer not to receive any direct electronic marketing communications from us, you can opt out at any time by sending an email to hello@yosushi.com. We will also give you the option to opt out each time we send a marketing communication by electronic means.
Opting out will not affect our ability to use your personal data for the other purposes set out in this Notice, and it will not affect the lawfulness of electronic marketing carried out prior to the time when we actioned your opt-out request.
11. International transfers
We are a global organisation and may transfer your personal data to another location if we consider it reasonably necessary for the purposes set out in this Notice.
Where we do so, we will sure that transfers:
- are made to countries that have been deemed to provide an adequate level of protection to personal data; or
- are carried out under approved standard contractual clauses that enable the transfer.
12. Keeping your personal data secure
We have appropriate security measures in place to prevent personal data from being accidentally lost or used or accessed in an unauthorised way.
All our employees and contractors who have access to your personal data are required to adhere to this Notice and our internal privacy policy, and we have in place contractual safeguards with our third-party data processors to ensure that your personal data is processed only as instructed by us.
We take all reasonable steps to keep your data safe and secure and to ensure the data is accessed only by those who have a legitimate interest to do so. Once we have received your personal data, we will use strict procedures and security features to try to prevent unauthorised access.
13. Your information rights
You have certain rights in relation to your personal data. Please see the “Your Legal Rights” section of the glossary below for more information.
We may first need to verify your identity (and, in certain cases, verify that you have authority to make the request on another person’s behalf).
In general, we try to deal with genuine requests within one month. Occasionally it may take longer, in which case we will let you know in advance.
You do not have to pay a fee to exercise these rights. However, if your request is excessive, repetitive or unfounded, we may charge a reasonable fee or refuse to comply with your request.
14. Cookies
Our website uses cookies. For more information on which cookies we use and how we use them, please see our Cookie Policy.
15. Third-Party links
This Website may include links to websites, plug-ins and applications that are owned by someone other than us. Clicking on those links may allow the owner to collect or share your personal data. We have no control over other sites, are we not responsible for their privacy statements. We encourage you to read the privacy policy of every website you visit.
16. Changes to this Notice
We may change this Notice from time to time. Please check this Notice on our Website regularly to ensure you are aware of the most recent version.
17. How to complain
In the first instance, we hope you raise any issues with us directly – in almost all situations, matters can be resolved very simply. To do this, please use the details set out in section 2 above.
Should you find it necessary, you have a right to raise a concern with the UK’s information regulator, the Information Commissioner’s Office: https://ico.org.uk/.
GLOSSARY
LAWFUL BASIS
Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
Comply with a legal obligation means processing your personal data where it is necessary for compliance with a legal obligation that we are subject to.
YOUR LEGAL RIGHTS:
You have the right to:
Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected (although we may need to verify the accuracy of the new data you provide to us).
Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for legal reasons, which will be notified to you, if applicable, at the time.
Object to processing of your personal data where we are relying on a legitimate interest and this adversely affects your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to continue to process your information.
Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
- If you want us to establish the data's accuracy
- Where our use of the data is unlawful, but you do not want us to erase it
- Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims
- You have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it
Request the transfer of your personal data to you or to a third party. We will provide you, or a third party you have chosen, with your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information that you initially provided consent for us to use or where we used the information to perform a contract with you
Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent
END OF PRIVACY NOTICE