Privacy policy

  1. Introduction

This Privacy Policy explains in detail the types of personal data we may collect about you when you interact with us. It also explains how we’ll store and handle that data and keep it safe.

We know that there’s a lot of information here but we want you to be fully informed about your rights, and how the Zorbas Group uses your data.

We hope the following sections will answer any questions you have but if not, please do get in touch with our Data Protection Officer using the details set out below.

Contact Details

Data Protection Officer

  1. Zorbas & Sons Ltd

51 Armenias Street, 2006 Strovolos, Nicosia

e-mail address: dpo@zorbas.com.cy

Tel: 22871700

You have the right to make a complaint at any time to the Office of the Commissioner of Data Protection (DPA), the competent authority in Cyprus for data protection issues (www.dataprotection.gov.cy).

Changes to the Privacy Policy and your duty to inform us of changes

This version was last updated in October 2019

It’s likely that we’ll need to update this Privacy Policy from time to time. We’ll notify you of any significant changes, but you’re welcome to come back and check it whenever you wish.

  1. Controller

When you are using the websites of Zorbas Bakery, Pralina Confectioneries, Pralina Experience, Zorbas Catering, Akai Restaurant and the my Bakery Club and my Sweet Experience programs and the my Bakery Club and my Sweet Experience applications, or are providing any information in relation to the my Bakery Club loyalty and my Sweet Experience programs, A. Zorbas & Sons Ltd is the data controller.

This privacy policy is issued on behalf of A. Zorbas & Sons Ltd – which will hereinafter be referred to as ‘the Group’. The Group includes the company A. Zorbas & Sons Ltd and Zorbas Catering and the following business names: Pralina Confectionaries, Pralina Experience, my Bakery Club loyalty, my Sweet Experience, my JOY, Coffee Berry, Mageirio, A. Zorbas & Sons Ltd is the data controller.

For simplicity throughout this policy, ‘we’ and ‘us’ means A. Zorbas & Sons Ltd and the business names.

 

  1. What personal data we collect about you

Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer the following personal data about you:

  • your name and surname, gender, date of birth, billing/delivery address, orders and receipts, email and telephone number. For your security, we’ll also keep an encrypted record of your login password.
  • Details of your interactions with us through our stores, online, through the telephone centeror by using one of our apps.

    For example, we collect the order forms you submit when you are shopping in our stores. In addition, we collect notes and may record our conversations with you, details of any complaints or comments you make, details of purchases you made, voucher redemptions and/or gifts in competitions we run web pages you visit and how and when you contact us.

  • Details of your shopping preferences and purchases.
  • Details of your visits to our websites or apps, and which site you came from to ours.
  • Personal details which help us to recommend products of interest.

    We’ll only ask for and use your personal data collected for recommending items of interest and to tailor your shopping experience with us. Of course, it’s always your choice whether you share such details with us.

  • Information on payments by card and/or cheques and/or other means.
  • Your comments and product reviews.
  • Your image may be recorded on CCTV when you visit a shop or car park of the Group.
  • Your car number plate may be recorded at some of our car parks.
  • To deliver the best possible web experience, we collect technical information about your internet connection and browser as well as the country and telephone code where your computer is located, the web pages viewed during your visit, the advertisements you clicked on, and any search terms you entered.
  • Information gathered by the use of cookies in your web browser: internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our websites and our apps.
    Your social media username, if you interact with us through those channels, to help us respond to your comments, questions or feedback.
  • Marketing and communication data including your preferences in receiving marketing from us and from third parties and communication preferences.
  • Your own photos when you participate in competitions and/or draws organized by the Group and/or when you are present at any event organized by the Group or third parties which are sent to our employees for the purpose of submitting an order.

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate data on how you use our websites, products and services to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.

If you fail to provide personal data

Where we need to collect personal data under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with products or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.

  1. How is your personal data collected

We use different methods to collect data from and about you including through:

  • Direct interactions. You may give us personal data about you by filling in application forms, applying for our products and services, or by corresponding with us by post, phone, email or otherwise. This includes, inter alia, personal data you provide when you:
  • apply for our products or services;
  • purchase products or services from us;
  • create and use an account on our website or on my Bakery Club and my Sweet Experience applications;
  • join one or our loyalty schemes (e.g. my Bakery Club and my Sweet Experience);
  • a contract you have entered into with the Group is executed;
  • request marketing information or messages to be sent to you;
  • enter a competition, prize draw, promotion, prize program or fill in a survey or questionnaire or free prizes are provided by us to you;
  • contact us to give us some feedback and/or comments and/or recommendations or to submit queries or complaints;
  • comment on and/or review our products and services;
  • engage with us on social media;
  • download and use one of our apps;
  • book any kind of appointment with us;
  • fill in any forms. For example, if an accident happens in store, you may be asked to provide your personal data;
  • submit any report or complaint or claim. For example, if you have made any complaint or comment or recommendation in relation to our products or services, you may be requested to provide your personal data;
  • when you use our shops which usually have CCTV systems operated for the security of both customers and the Group. These systems may record your image during your visit;
  • when you apply for sponsorship and/or assistance by our Group or offer your services in an activity of the Group on a voluntary basis;
  • complete the questionnaire through the websites myzorbas.com.cy and mypralina.com.cy;
  • enter into an agreement with us for the provision of your services or products to us;
  • are present at an event organized by the Group.
  • Automated technologies or interactions. As you interact with our websites, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. Please see our cookie policy which is published on our websites for further details.
  • Third parties or publicly available sources. We may receive personal data about you from various third parties (and public sources).
  • Technical Data from the following parties:

(a)  analytics providers such as Google based outside the EU];

  • Contact, Financial and Transaction Data from providers of technical, payment and delivery services based in or outside the EU;
  • Information and/or photographs of natural persons when a third person submits an order for our products and/or services. For example a third person may give us a photograph of yourself for the purpose of placing it on a birthday cake, or may give us your information for delivery of our products.
  • Information by persons which submit complaints and/or reports and/or claims on your behalf, for example lawyers,
  • Associates of ours with whom we have entered into service agreements.
  1. How we use your personal data

We will use your personal data for the following purposes:

  • Management and/or execution of your orders and providing products and services to you;
  • Business relationship: managing and administering our relationship with you personally, your company or organisation including keeping information records about business contacts, services, billing and payments;
  • Operating and administering our relationship with you perating and managing our website and services provided to you, communicating and interacting with you and notifying you of any changes to our website or services;
  • Managing your loyalty accounts (e.g. my Bakery Club and my Sweet Experience);
  • Management and/or investigation of complaints, reports and claims of ours by the Group;
  • Communication: sending marketing communications (including by email, SMS, post, through our apps, social media, online advertising) relating to our products and services, sending invitations for events organized by the Group;
  • Advertising and promoting our products and services, invitations to events an competitions organized by the Group;
  • Site security: to provide security to our offices and other premises and management and investigation of accidents reported to have happened on the Group’ premises
  • Ensuring necessary hygiene standards on the Group premises;
  • Online security: protecting our information assets and technology platforms from unauthorised access or usage and to monitor for malware and other security threats;
  • Monitoring your online browsing and in-store behavior and your use of the loyalty cards to help us better understand you as a customer and provide you with personalized offers and services;
  • Financial management: managing and administering the payment of our invoices and the fulfilment of your financial obligations towards us;
  • Managing suppliers: who deliver services to us, including processing payments, accounting auditing billing and collection;
  • Managing IT systems and provision of security: managing and administering our IT systems and ensuring that we have adequate security measures in place and preventing internet fraud;
  • Statistical analysis and/or sample checks by the Group;
  • Management of claims for compensation in the event of accidents on our premises;
  • Legal proceedings: establishing, exercising and defending legal rights/claims and/or settling of claims;
  1. Our reasons for using your personal data

We will process your personal data for the following reasons:

  • Processing is necessary in connection with a contract which we have entered into with you; For example, if you order an item from us for home delivery, we’ll collect your address details to deliver your purchase, and pass them to our courier.
  • Processing is necessary for to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact your rights, freedom or interests. Our legitimate interests are listed in the next section. For example, we will use your purchase history to send you or make available personalised offers. We also combine the shopping history of many customers to identify trends and ensure we can keep up with demand, or develop new products/services;
  • You have given us your consent for the processing of your personal data (for example when you tick a box to receive email newsletters). We shall rely on consent as a legal basis for processing your personal data in relation to communicating with you with respect to the republication of your publications on social media, the announcement and informing you in relation to new products and/or competitions. You may withdraw your consent at any time by contacting our Data Privacy Officer using the contact information provided at the beginning of this policy.
  • This is necessary to comply with legal or regulatory obligations to which we are subject to: For example, we can pass on details of people involved in fraud or other criminal activity affecting the Group to law enforcement.

We have legitimate business interest in:

  • Providing and promoting our products, services and events;
  • Managing our business and relationship with you or your company or organisation;
  • Understanding and responding to inquiries and client feedback;
  • Ensuring the quality or our products and services;
  • Improving our services and offers; 
  • Improving our customer service and developing our relationship with our customers;
  • Receiving information from companies in the Group of companies for shared clients;
  • Enforcing our terms of engagement and website and other terms and conditions;
  • Ensuring our IT and communication systems and premises are secure;
  • Checking the income and expenses of the Group;
  • Protecting our legal rights against third parties;
  • Ensuring invoices are paid.
  1. How and why do we use your personal data?

We want to give you the best possible customer experience. One way to achieve that is to get the richest picture we can of who you are by combining the data we have about you.

We then use this to offer you promotions, products and services that are most likely to interest you. In the case of loyalty scheme members, we’ll also offer you relevant rewards.

The data privacy law allows this as part of our legitimate interest in understanding our customers and providing the highest levels of service.

Of course, if you wish to change how we use your data, you’ll find details in the ‘What are my rights over my personal data’ section below.

Remember, if you choose not to share your personal data with us, or refuse certain contact permissions, we might not be able to provide some products and services you’ve asked for.

Here’s how we’ll use your personal data and why:

  • To process any orders that you make by using our websites, apps, over the phone, by email or in store. If we don’t collect your personal data during checkout, we won’t be able to process your order and comply with our obligations under the contract with you.

For example, your details may need to be passed to a third party to supply or deliver the product or service that you ordered and we may keep your details for a reasonable period afterwards.

  • To respond to your queries, refund requests and complaints. Handling the information you sent enables us to respond. We may also keep a record of these to have in the event of any future communication with us and to demonstrate how we communicated with you throughout. We do this on the basis of our contractual obligations to you, our legal obligations and our legitimate interests in providing you with the best service and understanding how we can improve our service based on your experience.
  • To protect our business and your account from fraud and other illegal activities. This includes using your personal data to maintain, update and safeguard your account. We’ll also monitor your browsing activity with us to quickly identify and resolve any problems and protect the integrity of our websites. We’ll do all of this as part of our legitimate interest.

For example, by checking your password when you login and using automated monitoring of IP addresses to identify possible fraudulent logins from unexpected locations.

  • To protect our customers, premises, assets and Group from crime, we operate CCTV systems in our stores and car parks which record images for security. We do this on the basis of our legitimate business interests.
  • To process payments and to prevent fraudulent transactions. We do this on the basis of our legitimate business interests. This also helps to protect our customers from fraud.
  • To ensure our premises maintain the necessary hygiene standards.
  • If we discover any criminal activity or alleged criminal activity through our use of CCTV, fraud monitoring and suspicious transaction monitoring, we will process this data for the purposes of preventing or detecting unlawful acts. We aim to protect the individuals we interact with from criminal activities.
  • With your consent, we will use your personal data, preferences and details of your transactions to keep you informed by email, web, text, telephone and through our stores about relevant products and services including tailored special offers, discounts, promotions, events, competitions and so on.

    Of course, you are free to opt out of hearing from us by any of these channels at any time.

  • To send you relevant, personalised communications by post in relation to updates, offers, events and competitions, services and products. We’ll do this on the basis of our legitimate business interest.

    You are free to opt out of hearing from us by post at any time.

  • To send you communications required by law or which are necessary to inform you about our changes to the services we provide you. For example, updates to this Privacy Policy, product recall notices, and legally required information relating to your orders. These service messages will not include any promotional content and do not require prior consent when sent by email or text message. If we do not use your personal data for these purposes, we would be unable to comply with our legal obligations.
  • To display the most interesting content to you on our websites or apps, we’ll use data we hold about your favourite brands or products and so on. We do so on the basis of your consent to receive app notifications and / or for our website to place cookies or similar technology on your device.

For example, we might display a list of items you’ve recently looked at, or offer you recommendations based on your purchase history and any other data you’ve shared with us.

  • To administer any of our prize draws or competitions which you enter, based on your consent given at the time of entering.
  • To develop, test and improve the systems, services and products we provide to you. We’ll do this on the basis of our legitimate business interests.

For example, we’ll record your browser’s Session ID to help us understand more when you leave us online feedback about any problems you’re having.

  • To comply with our contractual or legal obligations to share data with law enforcement.

For example, when a court order is submitted to share data with law enforcement agencies or a court of law.

  • To send you survey, questionnaire and feedback requests to help improve our services. These messages will not include any promotional content and do not require prior consent when sent by email or text message. We have a legitimate interest to do so as this helps us to make products or services which better meet your demands and taste.

    Of course, you are free to opt out of receiving these requests from us at any time by updating your preferences in your online account

  • To build a rich picture of who you are and what you like, and keep our business decisions up to date, we’ll combine data captured from across the Group, third parties and data from publicly-available lists as we have described in the section What Sort of Personal Data do we collect? We’ll do this on the basis of our legitimate business interest.

For example, by combining this data, this will help us personalise your experience and decide which inspiration or content to share with you. We also use anonymised data from customer purchase histories to identify trends in different areas of the country. This may then guide which products we display in particular stores.

  • For my Bakery Club and my Sweet Experience loyalty schemes, to decide which information to show you, with the help of computer algorithms. We do so on the basis of your consent when you become a loyalty scheme member of my Bakery Club or my Sweet Experience.

For example, if you consent through our apps, we may use your shopping preferences to offer you tailored rewards.

  • To protect our legal interests and rights.
  • For managing claims by you in the event of an accident on our premises.

For example, in the event of a claim being submitted by you in relation to an accident or damage to you or your property by the Group, information in relation to your physical and mental health will be used so as to inform the competent insurance company which will evaluate your claim.

Sometimes, we’ll need to share your details with a third party who is providing a service (such as call centers or delivery couriers). We do so to maintain our customer relationship with you. Without sharing your personal data, we’d be unable to fulfil your request.

  1. Combining your data for personalised direct marketing−

We want to bring you offers and inform you of actions and/or promotions that are most relevant to your interests at particular times. To help us form a better, overall understanding of you as a customer, we combine your personal data gathered across the Group as described above, for example your shopping history at both Zorbas bakeries and Pralina Confectioneries and Pralina Experience. For this purpose, we also combine the data that we collect directly from you with data that we obtain from third parties to whom you have given your consent to pass that data onto us.

  1. How we protect your personal data

We know how much data security matters to all our customers. With this in mind we will treat your data with the utmost care and take all appropriate steps to protect it.

We secure access to all transactional areas of our websites and apps using ‘https’ technology.

Access to your personal data is password-protected, and sensitive data such as payment card information) is secured to ensure it is protected.

We regularly monitor our system for possible vulnerabilities and attacks, and we carry out penetration testing to identify ways to further strengthen security.

  1. For how long we will keep your personal data

Whenever we collect or process your personal data, we’ll only keep it for as long as is necessary for the purpose for which it was collected.

At the end of that retention period, your data will either be deleted completely or anonymised, for example by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis and business planning.

Some examples of customer data retention periods:

Orders
When you place an order, we’ll keep the personal data you give us for 2-3 months, except where such data is required to be kept for a longer period for the purpose of protecting and defending the legal rights of the Group.  

Inactive accounts
If you’ve not used your account for more than 12 (twelve) months, it will be flagged as inactive and we’ll contact you to ask whether you want to keep it open. Unless you reply to say ‘yes’, we’ll close the account and delete or anonymise the personal data associated with it. 

Photos

It is possible that we may receive photos of you when you participate in a competition and/or draws organized by the Group and/or when you are present at an event organized by the Group or third parties which are sent to our employees for the purpose of submitting an order.

The specific personal data shall be kept only for as long as it is necessary for the purpose for which they were collected. 

Complaints and reports.

When you make a complaint or report, we shall keep the personal data which you give us until the full investigation and settlement of the matter, except where such data is required to be kept  for a longer period for the purpose of defending the legal rights of the Group.

Information from closed circuit surveillance systems.

The pictures and material recorded by the closed circuit surveillance systems in the stores and/or the premises of the Group are automatically deleted upon the expiration of 10-15 days from their recording, except in cases where the material is necessary for the purpose of investigating events and/or offences. In such cases the material is kept until the completion of the investigation.

It is possible that we may keep your personal data for as long as it is necessary so as to comply with any legal, tax, accounting and other obligations of the Group. It is further possible that we may keep your personal data in the event of a complaint or if we have good reason to believe that the data may be useful in a court dispute or other court process.    

  1. With whom we share your personal data

We sometimes share your personal data with trusted third parties. 

For example, operation of call centre, delivery couriers, to handle complaints, to help us personalise our offers to you, to carry out investigations and so on. 

Here’s the policy we apply to those organisations to keep your data safe and protect your privacy: 

  • We provide only the information they need to perform their specific services.
  • They may only use your data for the exact purposes we specify in our contract with them.
  • We work closely with them to ensure that your privacy is respected and protected at all times.
  • If we stop using their services, any of your data held by them will either be deleted or rendered anonymous.

Examples of the kind of third parties we work with are:

  • IT companies who support our website, our apps and other business systems.
  • Companies providing server and information storage services.
  • Operational companies such as delivery couriers and operation of call centres.
  • Direct marketing companies who help us manage our electronic communications with you.
  • Research companies for carrying out research.
  • Google/Facebook to show you products that might interest you while you’re browsing the internet. This is based on either your marketing consent or your acceptance of cookies on our websites. See our Cookies Policy for details.
  • Data insight companies to ensure your details are up to date and accurate. 
  • Data base management companies for the purpose of maintaining archives in relation to the client base of the My Bakery Club and My Sweet Experience programs.

Sharing your data with third parties for their own purposes:

We will only do this in very specific circumstances, for example:

  • With your consent, given at the time you supply your personal data, we may pass that data to a third party for their direct marketing purposes.
  • For fraud management, we may share information about fraudulent or potentially fraudulent activity in our premises or systems. This may include sharing data about individuals with law enforcement bodies.
  • We may also be required to disclose your personal data to the police or other enforcement, regulatory or Government body, upon a valid request to do so. These requests are assessed on a case-by-case basis and take the privacy of our customers into consideration.
  • We may, from time to time, expand, reduce or sell the Group and this may involve the transfer of divisions or the whole business to new owners. If this happens, your personal data will, where relevant, be transferred to the new owner or controlling party, under the terms of this Privacy Policy.
  1. Where your personal data may be processed

Sometimes we will need to share your personal data with third parties and suppliers outside the European Economic Area (EEA).

Protecting your data outside the EEA

The EEA includes all EU Member countries as well as Iceland, Liechtenstein and Norway.

We may transfer personal data that we collect from you to third-party data processors in countries which are outside the EEA, such as the USA.

If we do this, we have procedures in place to ensure your data receives the same protection as if it were being processed inside the EEA. For example, our contracts with third parties stipulate the standards they must follow at all times. If you wish for more information about these contracts please contact our Data Protection Officer.

Any transfer of your personal data will follow applicable laws and we will treat the information under the guiding principles of this Privacy Policy.

  1. What are your rights over your personal data?

An overview of your different rights

You have the right to request:

  • Access to the personal data we hold about you, free of charge in most cases.
  • The correction of your personal data when incorrect, out of date or incomplete.
  • The deletion of the data we hold about you, in specific circumstances. For example, when you withdraw consent, or object and we have no legitimate overriding interest, or once the purpose for which we hold the data has come to an end. 
  • A computer file in a common format (e.g. CSV or similar) containing the personal data that you have previously provided to us and the right to have your information transferred to another entity where this is technically possible.
  • Restriction of the use of your personal data, in specific circumstances, generally whilst we are deciding on an objection you have made. 
  • That we stop processing your personal data, in specific circumstances. For example, when you have withdrawn consent, or object for reasons related to your individual circumstances.
  • That we stop using your personal data for direct marketing (either through specific channels, or all channels).
  • That we stop any consent-based processing of your personal data after you withdraw that consent.
  • Review by a Group of any decision made based solely on automatic processing of your data (i.e. where no human has yet reviewed the outcome and criteria for the decision).

You can contact us to request to exercise these rights at any time by contacting our Data Protection Officer.

If we choose not to action your request, we will explain the reasons for our refusal. 

Your right to withdraw consent

Whenever you have given us your consent to use your personal data, you have the right to change your mind at any time and withdraw that consent.

Where we rely on our legitimate interest

In cases where we are processing your personal data on the basis of our legitimate interest, you can ask us to stop for reasons connected to your individual situation. 

We must then do so unless we believe we have a legitimate overriding reason to continue processing your personal data.

Direct marketing

You have the right to stop the use of your personal data for direct marketing activity through all channels, or selected channels. We must always comply with your request.

Checking your identity

To protect the confidentiality of your information, we will ask you to verify your identity before proceeding with any request you make under this Privacy Policy. 

If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to act.

  1. How can you stop the use of your personal data for direct marketing?−

There are several ways you can stop direct marketing communications from us:

  • Click the ‘unsubscribe’ link in any email communication that we send you. We will then stop any further emails from that particular division.
  • In our apps, you can manage your preferences and opt out from one or all of the different push notifications by selecting or deselecting the relevant options in the ‘Settings’ section.
  • Write to us at: Data Protection Officer, A. Zorbas & Sons Ltd., 51 Armenias Street, 2006 Strovolos, Nicosia.
  • E-mail address: dpo@zorbas.com.cy
  • Call us at 80000600 or 22871700.

Please note that you may continue to receive communications for a short period after changing your preferences while our systems are fully updated.

  1. Contacting the Regulator

If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with the Office of the Commissioner of Personal Data.

You can contact them by calling 22818456 or go online to http://www.dataprotection.gov.cy

  1. If you have any questions on the Privacy Policy

We hope this Privacy Policy has been helpful in setting out the way we handle your personal data and your rights to control it.

If you have any questions that haven’t been covered, please contact our Data Protection Officer who will be pleased to help you:

Data Protection Officer
A. Zorbas & Sons Ltd

51 Armenias Street,

2006 Strovolos, Nicosia