Privacy Policy

Effective date: 20/08/2025 • Version: 1.0


This Privacy Policy explains how Golden Crust Enterprises Ltd ("Golden Crust", "we", "us") collects, uses, shares and protects your personal data when you use our website, planned mobile app, WhatsApp/SMS/email marketing, in-store services, and related tools (together, the "Services").
We are a UK-based company. We comply with the UK GDPR and the Privacy and Electronic Communications Regulations (PECR).

1) Who we are & how to contact us


Controller: Golden Crust Enterprises Ltd
Registered office: 160 Eureka Park Upper Pemberton, Kennington, Ashford, England, TN25 4AZ
Company number: 15076823
Email: privacy@goldencrust.co.uk
Data Protection Lead: N/A

You can contact us at the details above for any privacy questions or to exercise your rights.

2) Scope



This policy covers:

• Our website and any microsites we operate.
• Our planned mobile/loyalty app.
• WhatsApp Business, SMS, email and in-app push messaging we send to you.
• Point-of-sale redemption of offers/coupons and customer service.
• CCTV on our premises (see §12).

3) What data we collect



We collect the following categories of personal data:

• Identity & contact: name, mobile number, email (if provided), preferred language.
• Marketing preferences & consent logs: channel (WhatsApp/SMS/email), timestamps, source (e.g., QR poster), opt-in/opt-out history.
• Transaction & redemption data: purchase history at our tills, coupon/code issued, code status (issued/redeemed/expired), store/time, staff ID processing the redemption.
• Birthday (optional): day and month only for birthday offers.
• Device & usage data (website/app): cookie IDs, analytics events, IP address, browser type, pages viewed, referral source.
• Support content: messages you send us (e.g., WhatsApp chats) and our replies.
• CCTV footage (see §12).

We do not collect special category data and we do not knowingly collect data of children under 16 for marketing. If you believe a child has signed up, contact us and we will remove their data.

4) How we collect your data



• Directly from you: when you scan our QR and send JOIN on WhatsApp, submit a web form, redeem a coupon, or contact support.
• Automated: via cookies/SDKs in our website/app (see §11).
• From our systems: from our point-of-sale and inventory systems to issue/validate single-use offers and for aggregated reporting.

5) Why we use your data (purposes & legal bases)



| Purpose | Examples | Legal basis |
| --- | --- | --- |
| Provide our Services | Account creation (if any), send welcome message, issue and validate single-use coupons | Contract or legitimate interests (to operate our services) |
| Marketing messages | WhatsApp/SMS/email offers, birthday messages, reminders | Consent (you can withdraw anytime) |
| Service communications | Operational notices about redemptions, changes to terms, safety recalls | Legitimate interests or legal obligation |
| Security & fraud prevention | Rate limiting redemptions, anti-abuse checks, store incident review | Legitimate interests |
| Analytics & improvement | Measuring campaign performance, website/app analytics | Consent for non-essential cookies/SDKs; legitimate interests for aggregate, privacy-safe metrics |
| Legal & compliance | Tax/VAT records, PECR/GDPR compliance | Legal obligation |

You may opt out of marketing at any time: reply STOP on WhatsApp/SMS or use the unsubscribe link in email. Service messages that are not marketing may still be sent where necessary.

6) WhatsApp, SMS and email specifics



• WhatsApp Business: When you initiate chat (e.g., by sending JOIN after scanning our QR), you create a 24-hour service window. For future marketing updates, we use approved WhatsApp templates and your prior consent. You can opt out by replying STOP or by using WhatsApp’s block tools.
• SMS: We use a UK virtual number or approved sender ID. Reply STOP (or CANCEL) to unsubscribe; we keep a suppression list to honour your choice.
• Email: Each email includes a one-click unsubscribe link.

For welcome/birthday offers we issue single-use codes tied to your phone number or account to prevent sharing. Codes have an expiry date and can be redeemed once.

7) Sharing your data (processors & partners)



We do not sell your personal data. We share limited data with trusted providers who help us run our Services, for example:

• Messaging platforms: WhatsApp (Meta), and/or our messaging provider (e.g., Twilio/Vonage/MessageBird) to deliver messages.
• Analytics & website tools: privacy-centric analytics and tag managers.
• Point-of-sale & coupon validation: systems we use to issue/validate single-use codes.
• IT/security & hosting: cloud hosting, backups, DDoS protection.

Each acts under a written data processing agreement and only on our instructions.

8) International transfers



Some providers may process data outside the UK (e.g., EEA/US). Where this occurs, we rely on adequacy decisions, the UK International Data Transfer Agreement (IDTA) or SCCs plus additional safeguards, as required by law.

9) Data retention



We keep data only as long as needed for the purposes above:

• Marketing contacts & preference logs: while you remain active and for up to 24 months after last interaction; consent evidence retained up to 6 years to demonstrate compliance.
• Coupon/transaction records: normally 6 years for accounting/audit.
• Website analytics: as per cookie/tool settings (typically 26 months or less).
• CCTV: usually 30 days, unless kept longer to investigate an incident (see §12).

We anonymise or securely delete data when no longer needed.

10) Your rights



You have the right to access, rectify, erase, restrict or object to processing, and to data portability. Where we rely on consent, you may withdraw it at any time (this does not affect the lawfulness of processing before withdrawal). You also have the right to complain to the Information Commissioner’s Office (ICO) at ico.org.uk, but please contact us first so we can help.

11) Cookies & similar technologies



We use cookies/SDKs to: (i) make our site/app work; (ii) remember preferences; (iii) measure performance. Non-essential cookies run only with your consent. You can change your choices at any time in our Cookie Banner/Settings. See our Cookie Policy for details.

12) CCTV on premises



We use CCTV in and around our stores for security, safety, and loss prevention.

• Legal basis: legitimate interests (protecting staff, customers, and property).
• Signage: clear notices are displayed at entry points.
• Retention: typically 30 days unless required longer for an incident.
• Access: footage may be shared with law enforcement when legally required.

13) Protecting your data



We use appropriate technical and organisational measures: encryption in transit; access controls; role-based permissions; staff training; suppression lists for opt-outs; and regular audits. No system is 100% secure; if we detect a breach likely to risk your rights, we will notify you and regulators as required by law.

14) Third-party links



Our Services may link to third-party sites or services (e.g., mapping, social). Those sites have their own privacy policies; please review them.

15) Changes to this policy



We may update this policy from time to time. The latest version will always be available on our website and will show the effective date. If changes are material, we will notify you via our Services (e.g., a message or banner).

16) Quick ways to control your data



• WhatsApp/SMS: reply STOP to unsubscribe.
• Email: click Unsubscribe in any email.
• All channels: email privacy@goldencrust.co.uk to request access/erasure or to change preferences.

Optional annex — Summary for staff (not public)

• Always include an opt-out (STOP/unsubscribe) in messages.
• Issue one single-use code per phone; validate before serving.
• Never collect year of birth for marketing.
• Log consent source + timestamp.
• If a customer asks about their data, direct them to privacy@goldencrust.co.uk.