Online Privacy Notice: What Visitors Should Know About Data Collection and Use

Overview of the Online Privacy Notice

This article summarizes key points from an Online Privacy Notice that applies to personal data collected on two related websites (referred to as the “Site”). The Notice explains what types of personal data may be collected, how that data may be used, and the circumstances in which it may be shared. It also outlines certain rights that individuals may have and provides ways to contact the organization about privacy practices.

The Notice also emphasizes that visitors are subject to limitations and that the Sites are governed by Conditions of Use. In practice, that means privacy terms sit alongside other rules that govern how the Sites can be used.

Who is responsible for processing personal data?

The Notice explains that the “data controller” is the organization responsible for processing personal information collected through the Site. The identity of the data controller depends on a visitor’s location. The Notice lists different data controllers for different territories, including entities associated with Portugal and the United States.

It also notes two important operational situations:

• In some territories, third-party franchisees run the Sites and act as the data controllers. The Notice indicates that details of franchisees and their sites are provided in a table at the end of the Notice, and that individuals should consult the franchisees’ privacy notices and contact them directly.

• In some territories, while one entity runs the Sites and is the data controller for the Site, a third party operates a local market venue (“Operator”). In that case, the Operator is described as the data controller for certain activities relating to that market. These third parties are also specified in a table at the end of the Notice, and individuals are directed to consult those parties’ privacy notices and contact them directly.

This structure matters because the responsible party for handling personal data requests may differ depending on where a visitor is located and which service or venue is involved.

Personal data you may provide directly

The Notice states that the Sites may collect personal data that a visitor chooses to provide. Examples include a first and last name, physical address, email address, and telephone number. The Notice describes this as information provided through the Site in contexts where a visitor submits details, such as when engaging with forms or making requests.

The Notice also explains that each form on the Site can vary in the information required and collected. In many cases, an asterisk (*) indicates required information. Visitors may choose to provide additional information in fields that are not required.

If a visitor no longer wishes to receive direct marketing communications, the Notice provides two options: using the unsubscribe link in the footer of emails or emailing the privacy address provided in the Notice.

Wi‑Fi access at a market location

The Notice includes a specific example related to Wi‑Fi access at a market location. When a person logs on to Wi‑Fi, they may be asked to provide an email address to access the service. The Notice says that this email address may be used to send details of events and information that may be of interest. It also states that this may be done with consent or based on legitimate interest where allowed under applicable laws.

Information collected automatically: cookies, tokens, and similar tools

In addition to information a visitor provides, the Notice describes information that may be collected by automated means using technologies such as cookies, non-cookie-based tokens, web server logs, tracking pixels, and web beacons.

Cookies are described as files that websites send to a computer or other internet-connected device to identify a browser uniquely or store information or settings in the browser. The Notice indicates that a browser may allow a user to learn when certain cookies are received and how to restrict or disable them. However, it also notes a practical limitation: without cookies, a visitor may not be able to use all Site features and may not be able to purchase products that use a “shopping cart.”

Non-cookie-based tokens are described as encoded URL-based identifiers that can track email click-through activity or time-sensitive password reset keys. The Notice adds that these can work even when cookies are disabled or a session has not been initiated.

What web server logs and related tools may capture

The Notice explains that web servers may log technical and usage information. Examples include operating system type, browser type, domain, other system settings, the language used by a system, and the country and time zone where a device is located. Logs may also record the referring web page address and the IP address of the device used to connect to the internet.

In terms of on-site behavior, the Notice says logs may include information about interaction with the Sites, such as which pages are visited. It also describes the use of “web beacons” (small files that link web pages to particular web servers and their cookies) to control which web servers collect information by automated means.

The Notice further states that information from a browser, such as browsing history, may be collected and used in conjunction with data gathered from forms and emails to help understand and respond to user needs.

Anonymised vs. non-anonymised information

The Notice distinguishes between completely anonymised information and personal data. It states that where information gathered is completely anonymised, it will not constitute personal data. Where personal data is not anonymous, the Notice describes the legal basis for processing as legitimate interest in continually evaluating personal data to operate and improve the business and ensure products and services are relevant to the market, where that interest is not overridden by a person’s interests, rights, and freedoms.

Social media functions and widgets

The Site is described as including social media functions such as widgets associated with Google, Twitter, and Facebook. The Notice says these widgets may collect information about which pages a visitor views on the Site and the IP address of the device used to connect to the internet. The widgets may also set a cookie to ensure the features function properly.

These social media functions and widgets may be hosted by a third party or directly on the Site. The Notice states that interactions with these functions are governed by the privacy policies of the companies providing them, and it strongly suggests reviewing those privacy policies if using the features.

Information obtained from third parties

Where permitted by law, the Notice states that personal data may be acquired from third parties. Examples include personal data shared between affiliated entities and business partners, publicly available profile information (such as preferences and interests) on third-party social media sites, and marketing lists acquired from third-party marketing agencies.

In a separate section, the Notice reiterates that information collected from third parties will generally consist of publicly available profile information, such as preferences and interests, for example from public social media posts.

How personal data may be used

The Notice describes several purposes for using personal data. Personal data provided by a visitor may be used to respond to inquiries, contact a visitor about a request, ask a question, provide announcements about products and future events, conduct surveys, and contact a visitor for other reasons related to offering and improving services. The Notice frames the legal basis for these activities as a legitimate business interest in providing services, where that interest is not overridden by a person’s interests, rights, and freedoms.

If a visitor makes a purchase on the Site, the Notice states that personal data is collected because it is necessary to enter into a contract.

The Notice also states that personal data may be used to protect against and prevent fraud, claims, and other liabilities, and to comply with or enforce applicable legal requirements, industry standards, and policies and terms. It explains that personal data is used for these purposes when necessary to protect, exercise, or defend legal rights, or when required by law.

Using automatically collected data to operate and improve the Site

The Notice explains that personal data collected automatically through cookies, tokens, web beacons, and other automated means may be used for customizing and enhancing visits to the Site, facilitating Site use, collecting statistics about visits, and understanding how visitors browse. It also notes these data can be used to diagnose technical and service problems, administer the Site, and identify visitors.

The Notice specifically references clickstream data, describing its use to determine how much time visitors spend on pages, how they navigate through the Site, and how the Site may be tailored to meet visitor needs. The legal basis is described as legitimate interest in operating and improving the Site, where that interest is not overridden by a person’s interests, rights, and freedoms.

Google services, analytics, and consent choices

The Notice states that the website/app uses one or more Google services and may gather and store information, including information about visit or usage behavior. It indicates that a visitor may click to grant or deny consent to Google and third-party tags for specified purposes in a Google consent section.

The Notice also states that third-party web analytics services may be used, such as Google Analytics. It explains that providers administering those services may use cookies and web beacons to analyze how users use the Site. The information collected (including IP address) is available to those providers, and they use it to evaluate Site use.

The Notice includes references to tools for opting out of Google Analytics and for controlling the collection and use of web viewing data for interest-based advertising through certain participating companies. It also points readers to a Cookie Policy for more information about cookies used on the Site and for controlling cookie settings on the Site.

Contentpass: an optional ad-free and tracking-free access option

The Notice describes an optional service called “contentpass,” which provides ad-free and tracking-free access to the website. It states that this service is provided by Content Pass GmbH and that if a visitor subscribes, the contract is directly with contentpass.

To show the contentpass option when a visitor visits the site, the Notice states that contentpass is asked to process the visitor’s IP address at the start of the visit. It specifies that this is the only information shared with contentpass for this purpose and that the site operator remains responsible for this IP address processing.

If a visitor signs up for contentpass, the Notice states that contentpass is the data controller for the data needed to register, manage, and deliver the subscription. The Notice also describes the legal basis for processing the IP address in this context as legitimate interest in offering an ad-free and tracking-free version of the site and meeting legal obligations related to obtaining valid consent where required.

LiveRamp and pseudonymous identifiers for advertising

The Notice states that when a visitor uses the website and enters an email address (for example, to log in or sign up for a newsletter), certain information may be shared with LiveRamp and its group companies. The shared information may include an email address in hashed, pseudonymous form, an IP address, or information about a browser or operating system. The Notice describes certain parties as acting as “joint controllers” where applicable and as defined in the GDPR.

According to the Notice, LiveRamp uses this information to create an online identification code that may be stored in a first-party cookie for use in online, in-app, and cross-channel advertising. The Notice says this may be shared with advertising companies to enable interest-based and targeted advertising. It also states that the code does not contain directly identifiable personal data and will not be used by LiveRamp to re-identify an individual.

The Notice indicates that individuals have the right to withdraw consent or opt out of the processing of personal data at any time through the opt-out mechanism described there.

When personal data may be shared

The Notice states that personal data is not sold or otherwise disclosed except as described. It outlines several categories of recipients and circumstances where sharing may occur:

• Affiliates within the same group of companies (the Notice references a table listing other group companies and where they are located).

• Service providers performing services on behalf of the organization, such as payment service providers, analytics providers, hosting providers, and advisers. The Notice states that service providers have legally binding agreements requiring them to use or disclose personal data only as necessary to perform services or comply with legal requirements.

• Disclosures required or permitted by law or legal process, including court orders or requests from law enforcement agencies.

• Disclosures believed necessary or appropriate to prevent physical harm or financial loss.

• Disclosures connected to investigations of suspected or actual fraudulent or other illegal activity.

• Disclosures in the event of a sale or transfer of all or a portion of the business or assets, including reorganizations, dissolutions, or liquidations.

International transfers of personal data

The Notice states that personal data may be transferred to recipients in countries other than the country in which it was originally collected, and that those countries may not have the same data protection laws. It says that when personal data is transferred to recipients in other countries (including the U.S.), it will be protected as described in the Notice.

For individuals located in the European Economic Area (EEA) or Switzerland, the Notice states that applicable legal requirements will be followed to provide adequate protection for transfers of personal data outside the EEA and Switzerland. It also notes that individuals may request a copy of the safeguards in place by contacting the organization as described in the “How To Contact Us” section.

How long personal data may be retained

The Notice states that the retention period depends on the purpose for which personal data was collected. In all cases, personal data is kept for as long as necessary to fulfill the purposes for which it was collected. After that, the Notice states that personal data will be deleted unless it must be retained to meet legal requirements or to comply with legal obligations (including, for example, tax and accounting purposes).

Rights for individuals in the EEA and Switzerland

The Notice states that if a person is located in the EEA or Switzerland, they may have certain rights in relation to personal data held about them. It also notes that individuals may contact the organization by email (or as described in the contact section) to exercise those rights, and that individuals have the right to lodge a complaint with the data protection supervisory authority in their country.

Additional information for California residents

The Notice includes a section describing additional disclosures for California residents under the California Consumer Privacy Act (CCPA). It states that the CCPA provides additional rights to know, delete, and opt out, and requires businesses collecting or disclosing personal information to provide notices and means to exercise those rights. The Notice also explains that certain terms under the CCPA may be broader than their common meaning.

The Notice lists categories of personal information collected in the past 12 months as described by the CCPA and explains that information may be obtained directly from individuals (such as from forms completed or products and services purchased) or indirectly (such as by observing actions on the website). It also states that personal information is used for one or more business purposes described in the Notice.

The Notice states that personal information may be disclosed to certain third parties for a business purpose and that when such disclosure occurs, a contract is used that describes the purpose and requires confidentiality and limited use.

It also states that while personal information is not generally sold as the term is traditionally understood, certain advertising technology activities (such as programmatic advertising) may be considered a sale under the CCPA. For the preceding 12 months, it lists categories of personal information that may have been sold in that context and says an option is provided to request that personal information not be sold via a “Do Not Sell My Information” link.

The Notice states that the personal information of minors known to be under 16 is not sold without affirmative authorization.

For California residents, the Notice describes how to exercise rights by submitting a request through a specified request link or by email. It explains that the request should specify which right is being exercised and the scope of the request, and that proof of California residency and identity is required. The Notice describes identity verification steps and notes that requests may be denied under certain circumstances, including where disclosure would create security risks. It also outlines response timing, the 12-month lookback period for disclosures, and a non-discrimination commitment for exercising CCPA rights. The Notice adds that certain access and data portability rights are not provided for B2B personal information or employment-related personal information collected from California-based employees, job applicants, contractors, or similar individuals.

The Notice also references California’s “Shine the Light” law and provides instructions for submitting such a request, including what to include and how requests must be labeled.

Additional information for Nevada residents

The Notice states that Nevada residents have the right to opt out of the sale of certain personal data to third parties who intend to license or sell that personal data. It explains that this right can be exercised by emailing the provided privacy address with a specific subject line and including a name and the email address associated with the account.

Updates to the Notice

The Notice states that it may be updated periodically and without prior notice to reflect changes in personal data practices or relevant laws. It also indicates that an updated version will be posted and that the Notice will show when it was most recently updated.

How to contact the organization about privacy

The Notice provides contact options for questions or comments about the Notice or issues relating to how personal data is collected, used, or disclosed, or to request updates to information or preferences. It provides an email address for contact and includes postal addresses for customer care in the United Kingdom for both the publication and the market entity. It also provides a postal address for contacting the Data Protection Officer for each entity.

For European citizens, the Notice states that a nominated representative has been appointed and can be contacted via the same privacy email address.

Key takeaways for everyday site use

• Personal data may be collected when a visitor provides it through forms, inquiries, purchases, or Wi‑Fi access at a market location.

• Technical and behavioral data may be collected automatically through cookies, tokens, web beacons, tracking pixels, and server logs, including IP address and page interactions.

• Third-party services may be involved for analytics and advertising-related functions, and social media widgets may collect certain information governed by their own privacy policies.

• Individuals in certain regions (including the EEA/Switzerland, California, and Nevada) may have specific rights and opt-out options described in the Notice.

• The Notice provides mechanisms to unsubscribe from marketing emails and to submit privacy-related requests via email and other specified channels.

Overall, the Notice presents a framework for how personal data may be handled across the Sites, including collection methods, typical operational uses, sharing practices, and region-specific rights and processes.