Understanding an Online Privacy Notice on Food and Market Websites: What Visitors Should Know

Editorial staff, Monday, 26 Jan 2026, 07:01
Online privacy notices explain how websites may collect, use, and share information—along with the choices visitors can have.

Food and market websites are often visited with a simple goal in mind: finding a place to eat, checking what’s on offer, planning a visit, or making a purchase. Yet behind the recipes, market guides, and dining recommendations, many sites rely on data to function smoothly, measure performance, and communicate with visitors. An Online Privacy Notice is the document that lays out these practices in an organized way—what information may be collected, how it may be used, who may receive it, and what options you may have.

This article explains the key elements described in an Online Privacy Notice that applies to personal data collected on two related sites and also addresses in-person Wi‑Fi access at a market location. The aim is to translate what is stated in the notice into plain language, without adding claims beyond what the notice itself describes.

Why an Online Privacy Notice matters for food and market browsing

Even when you are only reading a page, browsing a list of vendors, or checking an event calendar, a website may still process information about your visit. The notice describes that data collection and processing can support core operations (like delivering pages and enabling shopping-cart purchases), safety and fraud prevention, analytics, and communications such as newsletters or event updates.

The notice also emphasizes that visitors are subject to important limitations and are asked to review the Conditions of Use, which govern the visit to the site. In practice, this means privacy information is only one part of the overall framework that applies when you use the website.

Who controls your data can depend on where you are

A central concept in the notice is the “data controller,” meaning the organization responsible for processing personal information collected through the site. The notice states that the identity of the data controller depends on your location and lists multiple entities that can act as data controllers, associated with different territories.

It also describes two situations that can change who controls data:

  • Third-party franchisees in some territories: In certain territories, third-party franchisees run the sites and are the data controllers. The notice says details of franchisees and their sites are available in a table at the end of the notice and advises visitors to consult the relevant franchisee privacy notice(s) and contact them directly for more information.

  • Third-party operators for some market locations: In some territories, one organization runs the site and is the data controller for the site, but a third party operates the market in that territory (an “Operator”). The notice describes that third party as the data controller for certain activities relating to the applicable market location. These parties are also specified in a table at the end of the notice, with guidance to consult their privacy notice(s) and contact them directly.

The practical takeaway is that “who to contact” and “which rules apply” may vary depending on the territory and whether a franchisee or operator is involved.

Personal data you may provide directly

The notice states that personal data may be collected when you choose to provide it through the site. Examples include:

  • First and last name

  • Physical address

  • E-mail address

  • Telephone number

It also explains that each form can vary in what it requires and collects, and that an asterisk (*) typically indicates required information. Visitors may also choose to provide additional information in fields that are not required.

If you no longer wish to receive direct marketing communications, the notice provides two options: using the unsubscribe link in the footer of every email or emailing the provided privacy address.

Information that may be collected automatically

In addition to information you actively submit, the notice describes information that may be collected by automated means. It lists several technologies and data sources used for this purpose, including cookies, non-cookie-based tokens, web server logs, tracking pixels, and web beacons.

Cookies: what they are and why they can affect site features

Cookies are described as files that websites send to your computer or other internet-connected device to identify your browser uniquely or to store information or settings in your browser. The notice explains that your browser may tell you when you receive certain types of cookies and how to restrict or disable them.

It also includes a practical warning: without cookies, you may not be able to use all site features and may not be able to purchase products that use a “shopping cart.” For visitors, this means cookie settings can affect functionality, not only advertising or analytics.

Non-cookie-based tokens

The notice describes non-cookie-based tokens as encoded URL-based identifiers that can track e-mail click-through activity or act as time-sensitive password reset keys. It states these can work when cookies are disabled or when a session has not been initiated.

Web server logs and interaction data

According to the notice, web servers may log technical and contextual information such as:

  • Operating system type and browser type

  • Domain and system settings

  • System language

  • The country and time zone where your device is located

  • The referring page address

  • The IP address used to connect to the internet

  • Information about interactions with the site, such as which pages you visit

The notice also states that information from your browser, such as browsing history, may be collected and used together with data gathered from forms and emails to help understand and respond to your needs.

Web beacons and tracking pixels

To control which web servers collect information, the notice says the site may place tags called web beacons—small files that link web pages to particular web servers and their cookies. Tracking pixels and web beacons are included among the automated technologies described.

Anonymous vs. personal data, and the role of “legitimate interest”

The notice states that where information gathered is completely anonymised, it will not constitute personal data. Where personal data is not anonymous, the notice describes a legal basis for processing as legitimate interest—specifically, the interest in continually evaluating personal data while operating and improving the business, ensuring products and services are relevant to the market, and doing so in a way not overridden by your interests, rights, and freedoms.

It also notes that some processing may be necessary to protect, exercise, or defend legal rights, or to comply with laws that apply.

Social media widgets on the site

The site includes social media functions such as widgets from Google, Twitter, and Facebook. The notice states these widgets may collect information about which pages you visit and the IP address of the device you use to connect to the internet. Widgets may also set a cookie to ensure the features function properly.

These social media functions and widgets may be hosted by a third party or directly on the site. The notice states that your interactions with these functions are governed by the privacy policies of the companies that provide them and suggests reviewing those policies if you use the features.

Data that may be acquired from third parties

Where permitted by law, the notice states personal data may be acquired from third parties. Examples include personal data shared between affiliated entities and business partners, publicly available profile information (such as preferences and interests) on third-party social media sites, and marketing lists acquired from third-party marketing agencies.

The notice also notes that personal data may be collected in other contexts and that you will be notified at the time if that occurs.

In-person Wi‑Fi at a market location

The notice includes a specific example related to in-person visits: when you log on to Wi‑Fi at a market location, you may be asked to provide your email address to access the service. The notice states that this email address may be used to send details of events and information that may be of interest to you. It indicates this may be done with your consent or based on legitimate interest where allowed under applicable laws.

How personal data may be used

The notice describes multiple purposes for using personal data. It also notes that the website/app uses one or more Google services and may gather and store information including, but not limited to, visit or usage behavior, and that visitors may be able to grant or deny consent to Google and its third-party tags for specified purposes.

Examples of uses listed in the notice include:

  • Responding to inquiries, including contacting you about your request, asking a question, and providing announcements about products and future events

  • Conducting surveys and contacting you for other reasons related to offering and improving services

  • Processing purchases made on the site, where collection is described as necessary to enter into a contract

  • Protecting against and preventing fraud, claims, and other liabilities, and complying with or enforcing legal requirements, industry standards, and policies and terms

  • Customizing and enhancing visits to the site, facilitating site use, collecting statistics about visits, and understanding browsing behavior

  • Diagnosing technical and service problems, administering the site, and identifying visitors to the site

  • Using clickstream data to understand time spent on pages, navigation patterns, and how the site may be tailored to visitor needs

Analytics and opt-out tools mentioned in the notice

The notice states that third-party web analytics services are used, including Google Analytics. It explains that service providers administering these services may use cookies and web beacons to analyze how users use the site, and that the information collected (including IP address) is available to those service providers, which use it to evaluate site usage.

It also references an opt-out link for Google Analytics and an industry opt-out page for controlling collection and use of web viewing data for interest-based advertising and other applicable uses by some or all participating companies. Readers are also directed to a Cookie Policy for more information about cookies used and how to control cookie settings on the site.

Advertising technology and the LiveRamp scenario described

The notice describes a scenario involving LiveRamp. When you use the website and enter your email address (for example, to log in or sign up for a newsletter), the notice states that information collected from you—such as your email (in hashed, pseudonymous form), IP address, or information about your browser or operating system—may be shared with LiveRamp and its group companies, with certain parties acting as “joint controllers” as applicable under the GDPR.

According to the notice, LiveRamp uses this information to create an online identification code that may be stored in a first-party cookie for use in online, in-app, and cross-channel advertising. The notice states this code may be shared with advertising companies to enable interest-based and targeted advertising. It also states that the code does not contain directly identifiable personal data and will not be used by LiveRamp to re-identify you. The notice references LiveRamp’s privacy policy and provides an opt-out link.

An optional ad-free, tracking-free subscription option

The notice describes an optional service called contentpass that provides ad-free and tracking-free access to the website. It states that the service is provided by Content Pass GmbH, and that if you subscribe, your contract is directly with contentpass.

To show the contentpass option when you visit the site, the notice states that contentpass is asked to process your IP address at the start of your visit. It specifies that this is the only information shared with contentpass for that purpose, and that the site remains responsible for this IP address processing.

If you sign up, contentpass is described as the data controller for all data needed to register, manage, and deliver the subscription, with a reference to contentpass’s privacy policy for details. The notice states that the legal basis for processing the IP address for this purpose is legitimate interest in offering an ad-free and tracking-free version of the site and helping meet a legal obligation to obtain valid consent where required.

When personal data may be shared, and with whom

The notice states that personal data is not sold or otherwise disclosed except as described. It outlines categories of recipients and circumstances where sharing may occur:

  • Group companies: Personal data may be shared with other companies in the same group, with a table listing details including countries.

  • Service providers: Personal data may be shared with service providers performing services on behalf of the site, such as payment service providers, analytics providers, hosting providers, and advisers. The notice states service providers are bound by legally binding agreements requiring them to use or disclose personal data only as necessary to perform services or comply with legal requirements.

  • Legal and safety reasons: Personal data may be disclosed if required or permitted by law or legal process (such as a court order or request from law enforcement), when disclosure is believed necessary to prevent physical harm or financial loss, in connection with investigations of suspected or actual fraud or illegal activity, and in connection with sale or transfer of all or part of the business or assets (including reorganization, dissolution, or liquidation).

International transfers and safeguards

The notice states that personal data may be transferred to recipients in countries other than the country where it was originally collected, and that those countries may not have the same data protection laws. When transfers occur (including to the U.S.), the notice states the data will be protected as described in the notice.

For individuals located in the EEA or Switzerland, the notice states that applicable legal requirements for adequate protection for transfers outside the EEA and Switzerland will be followed. It also notes that you may request a copy of the safeguards in place by contacting the organization as described in the “How To Contact Us” section.

How long information may be kept

Retention depends on the purpose for which personal data was collected. In general, the notice states personal data is kept as long as necessary to fulfill the purposes for which it was collected, then deleted unless there is a legal requirement to retain it or it must be retained to comply with legal obligations (including tax and accounting purposes). The notice also states that, subject to applicable legal requirements, personal data is typically retained according to the practices described in the notice.

Rights and choices can vary by region

The notice makes clear that rights and options vary by location, and it includes several region-specific sections.

EEA and Switzerland: If you are located in the EEA or Switzerland, the notice states you may have rights in relation to personal data held about you. It indicates you can contact the organization by email or as described in the “How to Contact Us” section to exercise those rights. It also states you have the right to lodge a complaint with the data protection supervisory authority in your country.

California privacy rights described in the notice

The notice includes a dedicated section for California residents under the California Consumer Privacy Act (CCPA). It states that the CCPA provides additional rights to know, delete, and opt out, and requires businesses to provide notices and means to exercise those rights.

It lists categories of personal information collected in the past 12 months as described by the CCPA and explains that information may be obtained directly from you (such as from forms you complete or products and services you purchase) or indirectly (such as by observing actions on the website). It also states that personal information may be disclosed to certain third parties for a business purpose, with contracts requiring confidentiality and limiting use to performing the contract.

The notice states it does not generally sell personal information as the term is traditionally understood. However, it adds that to the extent advertising technology activities (including programmatic advertising) are considered a sale under the CCPA, categories of personal information may have been sold in the preceding 12 months to business partners such as programmatic advertisers and data aggregators.

It states an option appears when you click “Do Not Sell My Information,” which restricts data from being sold. It also states the personal information of minors known to be under 16 is not sold without affirmative authorization.

For California residents, the notice describes the right to request deletion and the right to know certain information about data practices in the preceding 12 months. To exercise these rights, the notice provides a request link and an email address, and it explains that you must specify which right you are exercising and provide proof of California residency and identity. It outlines identity verification steps, response timelines (endeavoring to respond within 45 days, with possible extension), and circumstances under which requests may be denied.

It also states that certain sensitive information will not be disclosed even if collected (such as Social Security number, driver’s license number, certain financial account numbers, and account passwords or security questions and answers).

The notice further describes the right to opt out of the sale of personal information and indicates requests can be made via “Do Not Sell My Information” or by email. It notes requests may be submitted through a designated agent with appropriate documentation. Finally, it states that visitors will not be discriminated against for exercising CCPA rights, while also noting that certain financial incentives (such as discounts or deals for newsletter sign-up) may be offered under the CCPA with terms and opt-in consent, which can be revoked.

California’s “Shine the Light” law is also addressed, describing a process for requesting details about certain information sharing for direct marketing purposes, including what to include in the request and where to send it.

Nevada opt-out rights mentioned

The notice states that Nevada residents have the right to opt out of the sale of certain personal data to third parties who intend to license or sell that personal data. It provides instructions to exercise this right by email with a specific subject line and required identifying details.

Updates and how to contact the organization

The notice states it may be updated periodically and without prior notice to reflect changes in personal data practices or relevant laws. Updated versions will be posted, and the notice indicates it will show when it was most recently updated.

For questions, comments, or requests related to how personal data is collected, used, or disclosed—or to update information or preferences—the notice provides contact options by email and postal mail addresses for customer care and data protection officer contacts. It also notes that for European citizens, a nominated representative appointed for EU personal data can be contacted via the same privacy email address.

What visitors can reasonably expect

Reading a privacy notice can feel abstract, so it helps to summarize the practical expectations described:

  • Expect a mix of information you provide (such as contact details) and information collected automatically (such as IP address, device details, and browsing interactions) to be processed to run and improve the site.

  • If you connect to on-site Wi‑Fi, you may be asked for an email address, and it may be used to send event details and other information of interest, depending on consent or legitimate interest where allowed.

  • Advertising and analytics tools may be used, including Google Analytics, and the notice provides opt-out resources and points to cookie controls.

  • If you want fewer ads and less tracking, an optional subscription service is described as providing ad-free and tracking-free access, with specific data handling roles explained.

  • Your rights and options can vary by location, with specific sections addressing EEA/Switzerland rights and California and Nevada privacy rights.

Ultimately, the notice positions privacy as a set of choices and obligations that can change based on region, technology settings (like cookies), and how you interact with the site—whether you are simply browsing, signing up for emails, making a purchase, or using Wi‑Fi at a market location.