Costa Express Privacy Notice

We respect your data and your privacy is important to us. Costa Express Limited is the Costa entity for businesses who operate Costa Express machines and the Costa coffee self-vending machines.

This Privacy Notice explains what personal data we collect and how it is used. This notice also explains what rights you have over your personal data and how you can use those rights.

You have the right to object to some of the processing which Costa Express carries out. More information about your rights and how to exercise these is set out in the “Your rights” section of this notice.

Costa Express Limited’s registered office is 3 Knaves Beech, Loudwater, High Wycombe, Buckinghamshire, HP10 9QR.

  1. Summary of how we use your data and your rights
  2. Information we collect from you
  3. Information we receive from third parties
  4. How we use information and the legal basis
  5. Data sharing
  6. International transfers
  7. Cookies and similar technologies
  8. Data retention
  9. Your rights
  10. Contact details
  11. Which Costa entity is the controller?

1. Summary of how we use your data and your rights

We use your data to provide and improve our products and services, including for marketing, research, feedback and enquiries, and for safety and security purposes.

We will use your data to comply with laws and regulations. We may use your data to prevent and detect crime, such as fraud.

You have the right to object to some of the processing Costa Express carries out. More information about your rights and how to exercise these is set out in the “Your rights” section of this notice.

When you give consent, you are able to withdraw that consent at any time, for instance by emailing [email protected]. You can also email [email protected] to exercise any other data rights, such as obtaining a copy of your data, correcting, deleting or restricting how we use your data.  Please see “Your rights” for more information.

Our Costa Express website uses cookies to improve functionality, recognise you and to customise your experience. You can reject and block cookies in your browser settings.  Please see our Cookie Notice for more information.


If you are using the Costa Limited websites, checking Costa Express machine locations online, visiting Costa owned stores, or contacting Costa Customer Services please see the Privacy Notice and Cookie Notice for Costa Limited for more information.

Costa Express is part of the Whitbread group of companies.  For details of the group see “Data sharing”. Data is shared within the Whitbread group when Whitbread Group plc and Costa Limited provide support, advisory, IT, and other services to Costa Express.


2. Information we collect from you

We collect information when you contact us or we contact you about Costa Express, including when you apply for a Costa Express machine, if you have a site visit from us, if we call you or you call us.

In particular:

  • We keep information you give us directly about you and your business, such as contact details (including name, email, address and telephone number), comments and opinion, level of interest in Costa Express machines, and financial, sales and payments information about your business.

  • We record and analyse interactions with you including in person visits, calls, forms you complete, web visits.

  • We keep details of your Costa Express business account, including Costa Express machines leased to you.

  • If there is an incident, we may need to log information about it; however, Costa Express only keeps pseudonymised information. (Incidents reported into Costa from consumers are directed to Costa Customer Services, which is run by Costa Limited.)

  • If you engage with Costa Express online via our website our cookies will capture your IP address and record how you use the site or app to help improve it and improve your user experience, where your browser settings or permission allows for this.

  • If you visit us we may record your details, including your car registration number.


3. Information we receive from third parties

We may receive your information from other people. This can happen when:

  • You work for a business which has leased a Costa Express machine and they give us your contact details for us to organise your training on the Costa Express machine.

  • You work for a service partner who provides a deployment and collection service for Costa Express machines and your employer provides your contact details to us so that we can automatically contact you about this service.

  • You complete a contact form through another organisation, such as a trade show.

  • Your details are on the Experian business database and you allow Experian to share them with other businesses.

  • Our Costa Express machines automatically send us information related to machine maintenance and operation including a machine identifier which relates to your Costa Express business account.

  • Information from the Costa Express machine is kept as part of your Costa Express account information.


4. How we use information and the legal basis

We are allowed to use your data only if we have a proper reason to do so such as:

  • To fulfil a contract we have with you;

  • When it is in our legitimate interest;

  • When you consent to it; or

  • To comply with the law.

A legitimate interest is when we have a business or commercial reason to use your data. This involves us making an assessment of when we can rely on our legitimate interests. For more information on this assessment please contact [email protected].

We have set out below how and why we may use your personal information and the legal basis we rely on. This is also where we tell you what our legitimate interests are.


When you indicate your interest in a Costa Express machine, apply for an Express business account, or have an Express business account, we use your information to enter into or fulfil our contract with you.


We take information to communicate with you, check your identity, take payment, and provide products and services, including maintaining the machine and organising the training for it.

To run our business and pursue our legitimate interests, we use your information.

Our legitimate interests include keeping records, keeping our records up to date, fulfilling our legal, compliance and other contractual duties, contacting you about a business account which you own, work for or help maintain (including machine maintenance), improving our site, apps and services, developing new products and services and telling you about them, and conducting market research.

Further details of our legitimate interests:

To run and promote our business, we use your information:

  • To provide and improve our products and services and to respond to you if you contact us.

  • To contact you where you indicate an interest in Costa Express or if you are included in a database of potential business customers.

  • To understand you better and evaluate your interest in Costa Express and other information you provide to us or which we learn through your interactions with us.

  • To maintain your business account and Costa Express machines.

  • To record call centre communications, including incoming and outgoing calls and emails, for staff training, quality improvement purposes and establishing facts.

  • When we monitor Costa websites.

  • To analyse information received from Costa Express machines so we can link the information from them to your business account.

  • To contact you to arrange for you to deliver or collect a machine, if you are engaged by your employer for this service.

To prevent, investigate and/or report fraud, terrorism, misrepresentation, security incidents or crime, including where we are required to do so by law we may:

  • Monitor Costa Express business accounts, record calls, emails, information from Costa Express machines and any other interaction with you.

  • Use other organisations to check the validity of the credit or debit card details you use to pay (for further details see “Data sharing” below) or the suitability of any credit or payment terms offered to your business.

To comply with law, assess and uphold legal or contractual rights and claims, and for monitoring, auditing and training on compliance matters:

  • We keep records and pass your data to Whitbread Group plc and our insurers when necessary (for further details see “Data sharing” below).

  • We monitor and record call centre communications, including incoming and outgoing calls and emails.

  • We may verify your identity.

  • We keep records to comply with health and safety legislation, including accounting for the number of individuals on our premises and logging accidents.

  • We may contact you to arrange training if you are responsible for a Costa Express machine.

  • We may contact you to arrange delivery and collection of Costa Express machines where your employer gives us your details for this purpose.

We may, if you give us consent:

  • Use cookies on the website and app, including analytic cookies.  For more details see our Cookie Notice.

  • Use data for other purposes where we explain that purpose when we ask for your consent.

When you give consent, you are able to withdraw that consent at any time by contacting us, for instance by emailing [email protected]. If you do so we can only continue to use your data if another legal basis applies, such as when we’re required to do something by law.

Nevertheless, you have an absolute right to opt-out of direct marketing, including profiling for direct marketing purposes, at any time.  You can opt out of marketing by emailing [email protected].

When the law requires us to process your data we will do so. This can include:

  • Legal, compliance, regulatory and investigative purposes, including for government agencies and law enforcement.

  • When you exercise your rights under data protection legislation, including when you ask to subscribe or unsubscribe from our marketing communications.


5. Data sharing

Costa Express Limited is part of the Whitbread group of companies. Details of the Whitbread group can be found on our corporate website at www.whitbread.co.uk. The group includes Whitbread Group plc and Costa Express Limited.


Costa Limited shares data within the Whitbread group when Whitbread Group plc provide us with support, advisory, IT, and other services.

For some activities Costa uses third party service providers, for instance for our machine deployment and collection.  When these service providers ask for information to fulfil their service obligations we may share information with them, such as the correct contact details to organise machine collection.

We use third party providers for the following services:

  • Costa Express machine deployment and collection

  • Insurance

  • IT development, support, maintenance and hosting, including the provision of applications and website hosting

  • Payments processing and banking services to enable you to pay by credit or debit card or by direct debit

If our business is to be integrated with another business or sold, your details would be shared with our advisers and any prospective purchaser’s advisers.  Your information will be passed to the new owners and you would be notified.

Personal data may be shared with government authorities and/or law enforcement officials for the prevention or detection of crime, if required by law or if required for a legal or contractual claim.


6. International transfers

Sometimes we may need to send or store your data outside of the European Economic Area (the EU plus Iceland, Liechtenstein and Norway) (‘EEA’). For example, to follow your instructions, comply with a legal duty or to work with or receive services from our service providers who we use to help run your accounts and our services.

If we do transfer information outside of the EEA, we will make sure that it is protected by using one of these safeguards:

  • Transfer it to a non-EEA country with privacy laws that give the same protection as the EEA. Some countries have been deemed adequate by the EU.

  • Put in place a contract with the recipient that means they must protect it to the same standards as the EEA or use other mechanisms and measures to achieve adequate protection. We also may use the Standard Contractual Clauses published by the EU.

  • Transfer it to organisations that are part of Privacy Shield. This is a framework that sets privacy standards for data sent between the US and EU countries. It makes sure those standards are similar to what is used within the EEA.

  • Binding corporate rules. These are internal rules adopted by group companies to allow international transfers of personal data to entities within the same corporate group located in countries which do not provide an adequate level of protection.

For our service provider in India, who has restricted access to some data to provide us with IT support and maintenance services, we rely on contractual measures.  For further details on the mechanisms used please contact [email protected].


7. Cookies and similar technologies

Our website, apps and marketing emails use cookies and similar technology. Full information is in our Cookie Notice which includes information on how to adjust your browser settings to accept or reject cookies.


8. Data retention

We keep your data to enable us to fulfil our contract with you or to provide services, whilst you are an active user of our site, where required by law or to protect legal rights. We keep our business account records for ongoing analysis. Payment information is kept in line with tax law and audit requirements.

If you unsubscribe from marketing communications we keep a record of this request indefinitely to ensure we do not send you direct marketing again.

We may keep your data for longer if we cannot delete it for legal, regulatory or technical reasons.


9. Your rights

You have rights over your personal data.

You can:

  • ask for a copy of your information;

  • ask for information to be corrected;

  • ask for information to be erased or deleted;

  • ask for us to limit or restrict processing;

  • object to us processing your data, in particular, where we use the data for direct marketing, including profiling for direct marketing purposes.  The right to object does not apply if we must process the data to meet a contractual or legal requirement;

  • ask us to send you a copy in a structured digital format or ask for us to send it to another party.

Some rights, however, may be limited. We may be obliged by law or regulation to keep information.  We must respect other people’s privacy as well, which means we may need to redact or remove information where it includes personal data about someone else, even if it is connected to your data.  On occasion there may be a compelling legitimate interest to keep processing data.

If you want a copy of your data, to object to how we use your data, or to ask us to delete it or restrict how we use it, please see ‘Contact details’ below. To process a request from you, we may need to confirm your identity to ensure we’re accessing the right data.

You have a right to complain to an EU data protection authority.  This can be where you live, work or where the matter occurred. In the UK, the authority is the Information Commissioner’s Office (the “ICO”).


10. Contact details

To exercise any of your rights or to withdraw consent you can email: [email protected].

For any queries relating to data protection please contact [email protected] or write to them at Privacy Officer, Porz Avenue, Whitbread Court, Dunstable, Beds LU5 5XE.

If we make any changes or updates to this notice we will communicate these.


11. Which Costa entity is the controller?

The controller for your information is Costa Express Limited, 3 Knaves Beech, Loudwater, High Wycombe, Buckinghamshire, HP10 9QR.