ZOE Privacy Policy (Amazon purchases)
Zoe wants you to understand how we use and protect your personal data. This privacy policy explains how we do so, in connection with our Website, our Daily30 supplement or any other products we offer in the European Union (Products), or if you otherwise interact with us (including when you sign up to receive our email updates). For more information on whether and when this privacy policy applies to you, see the ‘Who does this apply to’ section.
We keep our privacy policy under regular review and may update it from time to time – please check the most recent version of our privacy policy for the most up-to-date information.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if the information we hold about you changes (for example, if you change your email address but would like to continue to receive emails from us).
1. Who is the controller of your data?
ZOE is made up of two different legal entities:
Zoe Limited, a company incorporated in the United Kingdom (registered address: 483 Green Lanes, London, N13 4BS)
ZOE US Inc, a company incorporated in Delaware (address: 65 Shawmut Road, Unit 6, Canton MA 02021)
Zoe Limited is the controller of personal data, responsible for processing your data. The other ZOE entity may act as a processor from time to time, as would be usual within a group of companies. As between Zoe Limited and ZOE US Inc, there is a Data Sharing Agreement in place which includes the model clauses approved for this purpose. Please contact us if you would like more information on this.
To contact us, please see the ‘How can you exercise your rights or otherwise contact us’ section.
2. Who does this privacy policy apply to?
This privacy policy will apply to you if you are accessing our website/ordering our Products from the European Union and are one of the following:
ZOE Website Users – If you visit or use our Website (even before purchasing our Products)
Amazon Purchase Customers – If you have purchased Daily30 or any other physical product from us, via Amazon
Mailing List Subscribers – If you have given us your email address or phone number to sign up to our Science and Nutrition updates, news and offers. You are only a Mailing List Subscriber if you have opted-in (or, where we’re permitted to use soft opt-in, you have not opted out) on our Website, and have not unsubscribed.
This privacy policy does not cover the practices of third parties we don’t control or personal data collected in the context of job applications or employment with us. Neither does it cover our use of your data if you are based in a different country and have purchased other services from us, or if you have participated in any of our research studies. See our Privacy Policy here if so.
3. What data do we collect?
Personal data is any information about an individual from which that person can be identified. It includes information referred to as ‘personally identifiable information’ or ‘personal information’ which are terms used by other privacy or data protection laws.
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
| Type of personal data | What does this include? |
|---|---|
| Contact Data | Title, first name, last name, gender/pronouns, delivery address, email address and telephone numbers. Amazon may provide this information to us, if you purchase our Products via Amazon. You may provide this information directly to us, for example if you sign up to communications. If you interact with us through social media, this may include your social media user name. |
| Customer Support Information | Details of customer service calls automatically collected if you contact us via telephone (including talk time, location, agent who answered the call, recordings of calls); any information about queries and complaints you otherwise provide us; customer support query records from our customer service platforms. |
| Testimonials and Feedback | Any testimonials, reviews and feedback on our Products you provide to us, either in Product feedback questionnaires or interviews, Trustpilot, or otherwise. This information will be linked to your Contact Data and includes this. This could include sensitive information, such as information relating to your health, should you choose to include it. |
| Device and Technical Data | Internet protocol (IP) address, browser type and version, time zone setting and location, operating system and platform, other technology on the devices you use to access our Website. This is collected automatically when you interact with our Website, communications or online adverts, sometimes via cookies or similar technologies (some of which are from third parties) (see our Cookie Policy). |
| Customer Payment Data | Payment card details you provide Amazon, if you purchase our Products from them. Amazon does not disclose your card number to us. Amazon will use your information in accordance with its own privacy policy. |
| Usage/Analytics Data | Information about how you engage with us. This includes how you use the Website, which might include length of visit, page views, website navigation paths, timing, frequency and pattern of your Website use, and any other information about how you use our Website. This is collected automatically when you interact with our Website, communications or online adverts, sometimes via cookies or similar technologies (some of which are from third parties) (see our Cookie Policy). |
Personal data about children
We do not knowingly collect or solicit Personal Data about children under 18 years of age. If you are a child under the age of 18, please do not attempt to purchase our Products or send us any personal data.
If we learn we have collected personal data from a child under 18 years of age, we will delete that information as quickly as possible. If you believe that a child under 18 years of age may have provided personal data to us, please contact us at dpo@joinzoe.com.
Data that is not personal data
Personal data does not include data that can no longer be linked with identifiable individuals, for example by aggregation of data about multiple individuals. We may create aggregated, de-identified or anonymized data from the Personal Data we collect, including by removing information that makes the data personally identifiable to a particular user. Where we de-identify personal data, we commit to maintain and use the deidentified information in deidentified form and not attempt to reidentify it.
We may use such anonymous data for our lawful business purposes, including to analyze, build and improve our Products/services and other future products and services, and promote our business, provided that the data remains anonymous. We do not delete anonymous data on any particular timetable. You may assume that we could keep it indefinitely.
4. What do we use your personal data for (including the lawful bases we rely on)?
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
Legitimate interests. Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. The legitimate interests we rely on include:
Developing and improving our Products, Website and other services
Obtaining professional legal advice, gathering information/evidence and resolving issues with customers
Providing good customer service
Managing our IT security, network and infrastructure
Managing our business operations effectively
Marketing our brand, Product and other services to grow engagement and sales
Understanding our customer behavior and customer views to improve our Products, services and associated strategies
Legal obligation. Where we need to comply with a legal obligation.
Contract. Where we need to perform the contract we are about to enter into or have entered into with you, such as supplying you with Products you have ordered from Amazon.
If you fail to provide personal data
Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, we can’t deliver our Products to you if we don’t know your delivery address). We will notify you if this is the case.
Purposes for using your data
We have set out below a description of all the ways we may use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
| Why are we processing the data? | Who does this apply to? | What types of data are we processing for this purpose? | What is our GDPR lawful basis (UK/EU residents)? |
|---|---|---|---|
| To supply you with physical goods (e.g. when you order our Products on Amazon) | Amazon Purchase Customers | Contact Data; Account Data | Article 6: Performance of contract |
| To provide you with customer support and quality assurance, and to manage our relationship with you, including sending you order updates, changes to our terms and conditions, receiving feedback, handling complaints, and providing support on our Products (including via our chatbot) | Amazon Purchase Customers | Contact Data; Account Data; Customer Support and Feedback Information | Article 6: Contract; Legitimate interests; Legal obligation (transactional emails) |
| To carry out marketing and promotional activities (see the ‘Marketing and Communications’ section below), including: (1) Direct marketing (including sending you ongoing science and nutrition updates, news and offers, inviting you to join our webinars, abandoned cart reminders, and maintaining our suppression list); (2) Marketing through our social media channels; (3) Marketing to referrals; (4) Reach out to you to ask if we can use your Testimonials and Reviews | Mailing List Subscribers; Amazon Purchase Customers | Contact Data; Account Data; Device and Technical Data; details of purchases made; Usage/Analytics Data; Testimonials and Reviews | Article 6: Legitimate interests (if we’re legally required to, we will obtain your opt-in consent, but this is not our lawful basis - see 'Marketing and Communications' section) |
| To carry out analytics and use feedback to develop and improve our Products, services, marketing, customer service, relationships and experiences | ZOE Website Users; Mailing List Subscribers | Contact Data; Account Data; Device and Technical Data; Usage/Analytics Data; Customer Support Information; Testimonials and Reviews | Article 6: Legitimate interests |
| To build, manage, maintain and improve our technology infrastructure, including our Website (including providing functionality, analyzing performance, troubleshooting and fixing errors and improving usability/effectiveness, managing security) | ZOE Website Users | Device and Technical Data | Article 6: Legitimate interests |
| To manage our business and finance operations and administration (including auditing; internal communications between employees in the UK and US; preventing fraud; managing investors and driving the success of the company; accurate reporting and administration) | ZOE Website Users; Amazon Purchase Customers; Mailing List Subscribers | All data | Article 6: Legitimate interests; legal obligation |
| To investigate complaints/incidents with our Products and resolve legal disputes/claims | Amazon Purchase Customers | All data | Article 6: Legitimate interests |
| To ensure we are complying with data protection laws and responding to your requests (including on Cookies and data subject requests) | All users/customers (Services or Products); Study Participants | Contact Data; Device and Technical Data; any data requested via access request | Article 6: Legal obligation |
5. How do we use cookies and similar technologies?
Our Website uses cookies and similar technologies such as pixel tags, web beacons, clear GIFs and JavaScript (collectively, “Cookies”) to enable our servers to recognize your web browser, tell us how and when you visit and use our Website, analyze trends, learn about our user base and operate and improve our services. Cookies are small pieces of data – usually text files – placed on your computer, tablet, phone or similar device when you use that device to access our Website. We may also supplement the information we collect from you with information received from third parties, including third parties that have placed their own Cookies on your device(s). These third parties may also receive some information about you, and use this information for their own purposes.
Most browsers have a 'Do Not Track' or ‘Global Privacy Control’ feature that lets you tell websites you don't want to have your online activities tracked. If you choose to activate these, our Marketing Cookies will be deactivated. Please note that if you do this, we don’t know who you are within our systems, and your opt-out will apply only to information collected through Cookies on the specific browser from which you opt-out. If you delete or reset your Cookies, or use a different browser or device, you will need to reconfigure your settings.
For more information about our use of Cookies, please see our Cookie Policy. To manage your cookie consents, click ‘Cookie preferences’ at the bottom of our website.
6. How do we manage marketing and communications (including your right to opt-out)?
Amazon does not share your contact details with us for marketing purposes, so this only applies to you if you are a Mailing List Subscriber.
We may email or SMS you from time to time about our Products, services, offers, promotions, rewards, and events offered by us, provide news and information that we think will be of interest to you (such as our ongoing science and nutrition emails), or invite you to provide feedback on our Products.
We use your Contact Data to send you these communications. We may also use your Contact Data, Device and Technical Data or Usage/Analytics Data to form a view on what we think may be of interest to you so that the communications we send are most relevant to you.
Third Party Advertising
Amazon does not share your information with us for marketing purposes, so this only applies to you if you are a ZOE Website User or a Mailing List Subscriber.
We may work with third parties such as Meta (Facebook and Instagram), TikTok and Google Ads to show you adverts for our Products and optimize our marketing campaigns (Advertising Partners).
To facilitate this, we may share Contact Data, Device and Technical Data and Usage/Analytics Data. However, your name, email, and phone will be hashed. Hashed means using a code instead of your actual details – the Advertising Partner will not be able to convert these codes back to your original data, but if you have separately given them this information (e.g. if you have a Facebook account), they will be able to match the two sets of hashed data. This data is either collected and shared automatically using Cookies (see the ‘Cookies and similar technologies’ section above), or at our prompt via other tools.
We only share your data for these purposes if your marketing Cookies are ‘on’ when you visit our Website or you’re opted-in to receive marketing communications from us.
This information may be used for the following purposes:
To measure the effectiveness of our marketing campaigns – the Advertising Partners match the data with your actions if you have seen one of our ads (e.g. if you have visited our Website after seeing an ad). This helps us analyze which ads or campaigns are most effective and informs our marketing strategy.
To help us identify the right audience for our ads – the Advertising Partners analyze the data, identify common characteristics, and then target ads to users with similar characteristics. This helps us show ads to people who are more likely to be interested in our brand and Products.
To show you ads and offers personalized and relevant to you – if you have separately given your data to the Advertising Partner, it may combine this with the data we share with it to identify you and show you ads that are relevant to you.
For the purposes of the GDPR, we are separate or joint controllers with the Advertising Partners of at least some of this information (both the third party and we determine the purposes and means of the processing of your data - either jointly or separately). This is because the Advertising Partners make use of some of this information for their own purposes.
For further information on how the Advertising Partners use personal data, including the legal bases they rely on and the ways to exercise your rights against them, please see their respective privacy policies. We also have an agreement with these third parties setting which of us is responsible for particular obligations under GDPR. Please contact us if you would like to see this or if you would like more information.
Opt-out and marketing preferences
You can always opt out of receiving emails by unsubscribing via the “unsubscribe” link contained in the email. You can opt out of push notifications by changing the settings on your device or in your Account. Opting out of these emails or notifications will not end the transmission of service-related emails that are necessary to your use of our service.
You can opt out of receiving marketing SMS by replying "STOP" to any SMS notification you receive from ZOE. This will stop ALL SMS notifications (including service-related notifications).
If you unsubscribe, we will need to keep just enough information on file to make sure we respect your preferences in the future.
You can opt out of your personal data being used for marketing purposes by some Advertising Partners by adjusting your preferences in the settings in your account with them. You can also opt out of our sharing of your data for those purposes by contacting us, or opting out of marketing Cookies and unsubscribing from marketing emails.
There are also a number of organizations that allow you to opt out of advertising more generally, for example: http://www.aboutads.info/choices and http://www.youronlinechoices.eu/.
Please note that opting out of data sharing for advertising purposes may not stop you from seeing ads, but it may make them less relevant to your interests. Similarly, if you are not opted-in to cookies on our Website, nor signed up to our mailing list, you may still see our ads (but we did not use your information to direct them at you).
7. How might we disclose your personal data?
In addition to disclosing data to our group company in the US (ZOE US Inc) we may disclose your personal data to the parties set out below for the purposes set out in this privacy policy (or if the law otherwise allows it), who act on our behalf (as ‘processors’ of your data):
Suppliers and service providers including hosting and other technology and communication providers, analytics providers, CRM, system administration services, security and fraud prevention consultants, support and customer service vendors and payment processors and other payment option providers.
Delivery and fulfillment providers we use to send you our Products.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow these third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
We may also disclose your personal data to the following parties who act as ‘controllers’ of your data (they determine the purposes/means of the processing):
If you are a ZOE Website User or Mailing List Subscriber and where you have consented to marketing Cookies or for us to use your email for marketing purposes: Advertising Partners, such as Meta (see ‘Marketing and Communications’ section above).
User research partners who help us with user research on our Products.
HM Revenue and Customs, regulators and other authorities who require reporting of processing activities in certain circumstances.
Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.
Auditors and professional advisers including lawyers, bankers, auditors and insurers. (In all cases these will be advisors under a professional duty of confidence.)
8. How do we keep your data secure?
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
9. How long do we keep your personal data for?
We will only retain your personal data for as long as reasonably necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
For example:
We keep information we use to supply you with our Products for a period of 6 years after your last purchase from us. This is necessary for us to be able to resolve any legal disputes that may arise.
We routinely delete our web server logs after 90 days, unless we are aware of any serious problem that requires investigation (for example fraud or a hostile attack on our systems), in which case we may preserve any information necessary for that investigation for as long as it is needed. Once the investigation is concluded, we will delete the data.
10. What are your legal rights?
Under certain circumstances, you have rights under data protection laws in relation to your personal data. Note that in limited situations, we may not be able to comply with your request for specific legal reasons. If that is the case, we will still respond to notify you of such a decision.
The rights in this section apply to you regardless of where you are resident. However, you may have additional rights, depending on where you are resident. These additional rights are set out in the Addendums below. Please read the applicable Addendum in addition to this Privacy Policy.
No fee usually required
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
What we may need from you
Only you or a person legally authorized to act on your behalf may make a verifiable request relating to your personal data. We may need to request specific information from you to help us confirm your identity (or, if using someone to request on your behalf, your written permission to do so), and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. Please provide us with sufficient detail to allow us to understand, evaluate and respond to your request. If we do not have this, we may contact you to ask you for further information in relation to your request to speed up our response.
We will only use Personal Data provided in a request to verify your identity and complete your request. You do not need an account to submit a request.
Time limit for responding
We try to respond to all legitimate/verifiable requests within one month. Occasionally it could take us longer if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Your rights
You have the right to:
Request access to your personal data (commonly known as a data subject access request). You can request information about what personal data we process about you (including the purposes for collecting it, how and to whom we have disclosed it), to access this personal data and to receive a copy of it.
Request correction of the personal data that we hold about you, if you believe that your personal data is inaccurate.
Request erasure of your personal data.
Object to processing of your personal data. For example, if we process it for direct marketing.
Request restriction of processing of your personal data, in some circumstances. For example, you have the right to request the restriction of your personal data if you contest the accuracy of your personal data and we need some time to verify such accuracy.
Request the transfer of your personal data to you or to a third party.
11. How can you exercise your rights or otherwise contact us?
You can contact us or submit a request as follows:
To access or erase your data: use our form at https://privacy.zoe.com/zoe.
To exercise any of your other rights, or to ask for more information about this privacy policy or our use of your data: email us at dpo@joinzoe.com.
For more general enquiries: please contact us at hello@joinzoe.com.
For data protection matters in the EU, you can also contact our EU representative: GDPREP.ORG, Suite 10357, 5 Fitzwilliam Square, Dublin 2, Ireland, D02 R744, info@gdprep.org