Privacy Policy

Welcome to the Bob & Berts Privacy Policy.

Bob & Berts Group Limited (“Bob & Berts”, “we”, “us”, or “our”) respects your privacy and is committed to protecting your personal data. This policy explains how we collect, use, and share personal data when you interact with us, whether in-store, online, or through third-party platforms, including gift card services provided via Toggl. It applies to all operations in Northern Ireland, England, and Scotland.

1. Important Information and Who We Are

Bob & Berts is a brand operated by a number of separate legal entities across Northern Ireland, England, and Scotland. Each branch is operated by its own company, which acts as the Data Controller for the personal data it collects and uses in connection with its operations (for example, customer transactions in-store or employee records for staff working at that branch).

Bob & Berts Group Limited is also a Data Controller for certain centralised systems and services, such as our website, online ordering, loyalty programmes, brand-wide marketing, and central HR/payroll systems. In some cases, the relevant branch company and Bob & Berts Group Limited act as Joint Data Controllers, meaning we jointly determine how and why your personal data is used.

If you are unsure which Bob & Berts company is the Data Controller for your personal data, please contact us using the details below and we will confirm this for you.

Contact details for Data Protection queries:
Bob & Berts Group Limited
Registered office: Keith Dinsmore Accountants, 15 Duke Street, Ballymena, BT43 6BL
Email: headoffice@bobandberts.com
Postal address: 37-39 Ballymoney Street, Ballymena, BT43 6AN
Telephone: 028 2585 7199

We are not legally required to appoint a Data Protection Officer under UK GDPR, however, we have appointed a Data Privacy Manager to oversee compliance.

2. The Data We Collect About You

We may collect, use, store, and transfer different kinds of personal data about you, including:

• Identity Data: name, date of birth, gender, customer ID.
• Contact Data: address, email, telephone number.
• Financial Data: payment card details, bank account details (for payroll or refunds).
• Transaction Data: purchases, order history, gift card usage.
• Technical Data: IP address, browser type, operating system, device identifiers.
• Profile Data: preferences, feedback, survey responses.
• Usage Data: website browsing patterns, system access logs.
• Marketing & Communications Data: marketing preferences, communication preferences.

3. Third Party Platforms and Service Providers

We use trusted third-party platforms to provide services to our customers and employees. These systems may collect personal data directly from you and share it with Bob & Berts. In all cases, we ensure that personal data is handled securely and in accordance with UK GDPR and the Data Protection Act 2018.

The main platforms we use are:

• Vita Mojo – for online ordering, click-and-collect, delivery, and loyalty programmes.
• Toggle – for gift card purchases, balances, and redemptions.
• Fourth – for employee records, payroll, scheduling, absence management, and training records.
• Talos – for recruitment management, including applications from job boards such as Indeed.
• Mapal – for learning, training and compliance management after onboarding.

Where personal data is entered into these systems, Bob & Berts (and the relevant branch company) will normally act as a Data Controller. In some cases, the third-party platform may also act as a Joint Data Controller (for example, where it collects and uses your personal data for its own purposes), or as a Data Processor (where it processes your data solely on our instructions).

Each of these providers has its own privacy policy which explains in more detail how they handle your personal data. We encourage you to read these policies:

• Vita Mojo: https://www.vitamojo.com/privacy-policy/
• Toggle: https://www.usetoggle.com/privacy-policy
• Fourth: https://uk.fourth.com/legal/privacy-policy
• Mapal: https://mapal-os.com/en/privacy-policy
• Talos: https://talos360.co.uk/policy/

When these providers act as Data Controllers, they are independently responsible for their compliance with UK GDPR.

The types of personal data processed in these systems include:

• Identity Data: name, date of birth, gender, customer ID, employee ID.
• Contact Data: address, email, telephone number.
• Financial Data: payment details (processed securely by our payment provider), bank details (for payroll).
• Transaction Data: order history, loyalty points, gift card usage, shift patterns, training records.

We retain transaction and employee records from these systems only for as long as necessary to fulfil the purposes set out in this policy and to meet legal, accounting, or reporting requirements.

The way in which these providers handle your personal data when acting as Data Controllers will be set out in their own privacy policies, which may include different retention periods and legal bases for processing.

4. How We Use Your Personal Data

We will only use your personal data for the purposes for which it was collected, or as required by law. This includes:

• Registering you as a customer.
• Processing and delivering orders.
• Managing our relationship with you.
• Administering loyalty or promotional schemes.
• Recommending products or services.
• Ensuring security and fraud prevention.
• Complying with legal obligations.

5. How We Share Your Personal Data

We may share your personal data within the Bob & Berts group or with trusted third-party service providers, such as payment processors, IT support, and marketing partners. Any sharing of personal data is carried out securely and in compliance with applicable data protection laws across Northern Ireland, England, and Scotland.

6. International Transfers

We do not transfer your personal data outside the UK. If this changes, we will implement appropriate safeguards as required by UK GDPR.

7. Your Legal Rights

You have rights under data protection laws in relation to your personal data, including:

• Right to access.
• Right to rectification.
• Right to erasure.
• Right to restrict processing.
• Right to data portability.
• Right to object.
• Right to withdraw consent.
• Right to lodge a complaint with the Information Commissioner’s Office (ICO). In Northern Ireland, the ICO can be contacted via their regional office or through the UK ICO website at ico.org.uk

8. Data Security

We have implemented appropriate technical and organisational measures to protect your personal data from unauthorised access, alteration, disclosure, or destruction.

9. Cookies and Tracking Technologies

If you use our website, we may collect information about your browsing behaviour through cookies and similar technologies. We use this data to improve our website functionality, analyse traffic, and tailor marketing. You can manage or disable cookies through your browser settings. For more details, please refer to our Cookie Policy, available on our website.

10. Data Retention

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

In general:

• Customer transaction records: retained for 6 years from the date of transaction (to comply with legal and accounting requirements).
• Employee records: retained for 6 years after the end of employment (to comply with employment law and potential legal claims).
• Marketing contact information: retained until you opt-out or withdraw consent, after which it will be securely deleted.
• CCTV footage: retained for up to 30 days unless required for investigation of an incident or legal proceedings.
• Website analytics data: retained for up to 26 months in aggregated, non-identifiable form.

In some circumstances you can ask us to delete your data sooner – see the “Your Legal Rights” section.