COOK Privacy Notice

COOK is committed to protecting your privacy. In order to provide our services to the customer and to provide a more personalised shopping experience, we need to collect certain information from you. This Privacy Notice explains when and why we collect personal information about you as well as the types of personal data we may collect when you interact with us in-store, online or over the phone. It also explains how we’ll look after your data and keep it safe. There's a lot to digest but we want you to be fully informed about your rights, and how COOK uses your data.

We hope what's below covers everything, but if you have any questions at all, do please drop us a line at It’s likely that we’ll need to update this Privacy Notice every now and again to make sure it's accurate. We’ll let you know of any major changes, but the most up-to-date version will always be here for you to check.

About COOK

COOK is used throughout this document to refer to all businesses trading under the 'COOK' brand. COOK Trading Ltd is the parent company. A number of separate companies trade under the 'COOK' brand under a franchise agreement. For simplicity throughout this notice, ‘we’ and ‘us’ means COOK and its franchisees. When you are using the COOK website or shopping in COOK shops, COOK Trading Ltd is the data controller.


Contents of Privacy Notice:

1. Explaining the legal bases we rely on

2. How we collect your personal data

3. The type of personal data we collect

4. How and why we use your personal data

5. Protection of your personal data

6. How long will we assume your consent for mailings?

7. Length of time we keep your personal data

8. Who we need to share your personal data with and why

9. Where your personal data may be processed

10. Your rights over your personal data

11. Contacting the Regulator

12. Questions?


1. Explaining the legal bases we rely on

The GDPR law on data protection sets out a number of different reasons a company may collect and process your personal data, including:


In specific situations, we can collect and process your data with your consent - e.g. when you tick a box online or sign up in store to receive email or postal communication from COOK. When collecting your personal data, we’ll always make clear to you which data is necessary in connection with a particular service and have given details on this below.

Contractual obligations

In some instances, we need your personal data to comply with our contractual obligations. For example, if you place an order with us, we need your address details to deliver your order and we also need to pass your details to a courier.

Legal compliance

We may be legally bound to collect and process your data. For example, if someone is involved in any criminal activity or fraud affecting COOK, we need to pass details to law enforcement.

Legitimate interest

We require your data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact your rights, freedom or interests. For example, we may use your purchase history and shopping preferences to offer more personalised offers or products.


2. How we collect your personal data

There are a number of ways in which we may collect information about you:

  • When you visit our website, create an account with us and use your account to buy products

  • When you purchase products in any of our shops or over the phone

  • When you redeem vouchers from COOK on the phone, in a shop or online

  • When you sign up to any of our loyalty programmes e.g. New Parents' Discount Scheme

  • When you call our customer care team or fill in a website contact form

  • When you enter a competition or prize draw or fill in a survey

  • When you comment about or review our products

  • When you fill in any forms in store e.g. an accident report form or community discount event application

  • When you engage with us on social media

  • When you have given a third party permission to share information they hold about you with us

  • When you visit one of our shops or kitchens which may have CCTV systems that may record your image


3. The type of personal data we collect

The personal data we may collect includes your name, billing/delivery address, email address, telephone number, notes from conversations we have with you, information from voucher redemptions, your IP address, which websites you came from when visiting ours, which of our web pages you visit, any search terms you entered on our website, information gathered by cookies in your web browser, any comments or product reviews, any information that you may have told us that suggests your preferences (e.g. you may have told us that you are vegetarian) and your social media username if you communicate with us. As some COOK shops have CCTV installed, your image may be captured when you visit a shop. Please note that when you set up an account with us, your password to log in is encrypted and when you place an order, we do not hold your card details, it is collected by SagePay, our third party payment processors who use secure online capture and processing methods. If you choose to save your credit card details these will be securely held with SagePay.


4. How and why we use your personal data

When you engage with us, we want to give you the best possible experience. By collecting data about you, it allows us to offer a great and tailored service.

We use your data so we can fulfill our contractual obligations to you (such as deliver your food) but also to offer you products and promotions that are more likely to be of interest to you. The data privacy law allows this as part of our contractual obligations and legitimate business interest in understanding our customers and providing the highest levels of service. We will hold your data in our systems for as long as is necessary for each relevant activity or as long as is set out in any contract we have with you.

If you ever wish to change how we use your data, you can do so. Please refer to the 'Your rights over your personal data' section that is below.

If you choose not to share your personal data with us, or refuse certain contact permissions, we might not be able to provide some services you’ve asked for.

Here are some ways that we'll use your personal data and why:


  • To process any orders you make in a shop or on our website. If we don't collect your personal data during checkout, we won't be able to process and deliver your order and comply with our legal obligations e.g. your details are passed to a courier company or one of our franchisees so that your order can be delivered. We will keep your details for a reasonable period afterwards in order to fulfill any contractual obligation such as a refund or exchange.

  • Our customer care team need to be able to respond to your queries, complaints or process a refund so we need your contact information in order to respond. We will keep a record of your information including notes on how we communicated with you and what was discussed. We do this on the basis of our contractual obligations to you, our legal obligations and our legitimate interests in providing you with remarkable customer service and it helps us improve this service to you.

  • We keep your personal data to maintain, update and safeguard your account and to protect our business and your account from fraud or other illegal activities. We'll also monitor your browsing activity in order to identify and resolve any problems and protect the integrity of our websites. We’ll do all of this as part of our legitimate interest.

  • For example, by checking your password when you login and using automated monitoring of IP addresses to identify possible fraudulent log-ins from unexpected locations.

  • When you place an order with us, your card details are collected by our third party payment processors SagePay who use secure online capture and processing methods. This helps to protect you from fraud. We do this on the basis of our contractual and legitimate business interests.

  • In some locations we use CCTV to protect our customers, premises, assets and staff from crime. We do this on the basis of our legitimate business interests.

  • If we discover any criminal activity or alleged criminal activity through our use of CCTV, fraud monitoring and suspicious transaction monitoring, we will process this data for the purposes of preventing or detecting unlawful acts. We aim to protect the individuals we interact with from criminal activities.

  • With your consent, we will use your personal data, preferences and details of your transactions to keep you informed about relevant products and tailored special offers, discounts, promotions, competitions and events by email and post. As ever, you can always opt out of hearing from us through these channels at any time.

  • To comply with our legal obligations, we will send you communications required by law or which are legally necessary e.g. significant updates to this Privacy Notice, product recall notices and legally required information relating to your orders. These messages are to inform you about changes to the service we provide you and will not include any promotional content and so do not require prior consent when sent by email or phone.

  • If you enter a competition or prize draw run by us we will use your information to contact you in the event of you winning based on your agreement to the terms and conditions of the competition at the time of entry. The personal data relating to your competition entry will be anonymised after 3 months, unless you are drawn as a winner in which case the terms and conditions of the competition may require a longer period of retention for marketing purposes.

  • Our monthly prize draw for £500 for our mailing list subscribers is for our new subscribers to email or postal who sign up in-store or online and for current subscribers who shop in-store and online. On signing up you are agreeing for us to use your personal data in accordance with the terms and conditions of the competition, the most recent version can be found here.

  • Introduce a friend - we may capture your email address for the purposes of issuing you with an introductory voucher to use COOK. Your email address will only be stored for the duration that the voucher is valid and can be removed from our systems on request at any time.

  • To display the most interesting content to you on our website we’ll use data we hold about your product purchases and so on. We do so on the basis of your consent for our website to place cookies or similar technology on your device. e.g, we might display a list of items you’ve recently looked at, or offer you recommendations based on your purchase history and any other data you’ve shared with us.

  • We use your data to develop, test and improve our systems and products. We’ll do this on the basis of our legitimate business interests. e.g. customer research to improve our product range, survey feedback etc.

  • To comply with our contractual or legal obligations to share data with law enforcement.

  • To help us form a great understanding of you as a COOK customer and what you like, we combine your personal data gathered across COOK as described above, for example your shopping history online and instore, so that we can offer promotions and products that are relevant to your interests or local to you and where we have your consent, send you more relevant, personalised communications by post and email in relation to updates, offers, services and products. We’ll do this on the basis of our legitimate business interest.


5. Protection of your personal data

    The security of your personal data is very important to us and we take a lot of care to handle and store it as best we can and in line with new legislation as we know it is important to you as well as us.

    Here are some ways we secure your data:

  • The security of your personal data is very important to us and we take a lot of care to handle and store it as best we can and in line with new legislation as we know it is important to you as well as us.

  • Here are some ways we secure your data:

  • We use encrypted https links between our web server and your browser which means that all data passed between you and us cannot be intercepted.

  • We do not store your card details ourselves, but instead utilise SagePay, who are a PCI compliant payment processing provider for all orders placed online and over the phone.

  • All personal data is stored and encrypted in Microsoft's Data Centres in the United Kingdom.

  • We monitor and check our data security systems for possible vulnerabilities and attacks, and we carry out penetration testing to identify ways to further strengthen security.


6. How long will we assume your consent for mailings?

After your initial consent to sign up to our mailings, we assume you still want to hear from us if you're engaging with COOK by opening our emails, visiting the website, placing an order from us or re-registering in-store. If you haven't done any of these things for a period of three years, we'll get in touch to reconfirm that you still want to hear from us. If we can't re-establish contact with you, we will opt you out of further communication.

If you've given us consent to receive postal communications, we often only send out menus and vouchers to our most active customers so we would encourage you to regularly re-register in-store to re-confirm that you still want to hear from us.


7. Length of time we keep your personal data

We only keep your data for as long as is necessary for the purpose it was collected. After that period, your data is deleted or anonymised and for example aggregated with other data to be used for business planning and analysis.

For instance, if you placed an order with us, we keep your details for 7 years and after that it is anonymised.

If we don't see you in-store or online for a period of seven years, we will automatically anonymise your account details.

If you have been issued with a voucher through our 'Introduce a Friend' scheme we'll record the voucher code against your email address until the code expires, at which point if you have not ordered or visited in store your data will be anonymised.


8. Who we need to share your personal data with and why

At times we need to share your personal data with trusted third parties e.g. COOK franchisees, delivery couriers, IT companies, mailing houses, credit card processing services and so on. We only provide what they need and they cannot use your data for anything other than the purposes that they have your data for. Your data is deleted or rendered anonymous if we stop working with them.

We want your customer journey with COOK (from ordering to fulfilment of your order, or to signing up to our mailing list in a shop and receiving your menu) to be as smooth as possible. We use the following companies who will process your personal data as part of their contracts or terms and conditions with us:

  • Web and Customer Analytics - for monitoring the volume, details and actions of visitors to our website, emails and social media interactions where opted in

  • Social Media Platforms - for personalising ads into your news feeds (which you can opt out of on their platform)

  • Cloud Hosting Providers - we use cloud-based systems to host our website, customer and order database

  • A print management company who helps us send postal mailings out to you if you are signed up

  • Website monitoring company for improving our customer experience

  • Courier (delivery) companies for our national home delivery service

  • Email and text messaging marketing software

  • Online reviews company

  • Postcode and routing software - where we map your postcode to plan our home delivery van's route

  • Live chat system

  • COOK Franchisees - who process personal data in order to fulfill Click & Collect or Home Delivery orders 

Please note that from time to time, we need to change the specific company we use to provide a particular service. We will commit to you that if we add a new type of third party we will let you know, but if a specific supplier of a list service changes (e.g. the courier company) then we will update this list of suppliers but we will not inform you of that change where it is a like-for-like service.


Sharing your data with third parties for their own purposes:

We will never sell or trade your contact details with any third parties, unless you have given us your consent to do so e.g. if you enter a holiday competition and tick a box agreeing that the travel company can send you promotional information directly.

There are some instances where we may have to share your information based on our legal obligations, for instance:

• Fraudulent activity in our shops or online systems

• If the police/government ask us to disclose information we may be required to share your personal data with them, however we would assess this sort of request very carefully

• For fraud management, we may share information about fraudulent or potentially fraudulent activity in our premises or systems. This may include sharing data about individuals with law enforcement bodies

For further information please email

9. Where your personal data may be processed

Sometimes we will need to share your personal data with third parties and suppliers outside the European Economic Area (EEA), such as Australia or the USA.

Protecting your data outside the EEA

The EEA includes all EU Member countries as well as Iceland, Liechtenstein and Norway. We may transfer personal data that we collect from you to third-party data processors in countries that are outside the EEA.

For example, this might be required in order to fulfil your order, process your payment details or provide support services.


We will only send data to third-party data processors outside of the EEA or who also use sub-processors outside of the EEA if there is sufficient contractual provisions and protective measures in place. (Note: this replaces the previous statement about being compliant with the EU-US Privacy Shield specification until such time that a replacement international agreement is in place).


Any transfer of your personal data will follow applicable laws and we will treat the information under the guiding principles of this Privacy Notice.



10. Your rights over your personal data

You have a choice as to whether or not you receive marketing information from us and you can withdraw your consent from specific communication channels at any time.


How can you stop the use of your personal data for direct marketing?

There are several ways you can stop direct marketing communications from us:

    • Click the ‘unsubscribe’ link in any email communication that we send you. We will then stop any further emails

    • If you have an account, log in into your account on our website at, visit the ‘My Account’ area and change your preferences

    • Contact our Customer Care team at

Please note that you may continue to receive communications for a short period after changing your preferences while our systems are fully updated. We estimate no longer than 2 weeks for email and 8 weeks for postal communications.


Requesting access and making changes to your personal data

You also have the right to access and rectify mistakes in the data we hold about you at any time.

These requests will be handled on a case by case basis and we estimate will be processed in no longer than 1 month depending on our legitimate business interests, legal and contractual obligations. If we refuse your request we will explain to you the reason for our refusal.

You can also make any changes to your personal information by updating your online account at, or by contacting our Customer Care team on

In order to keep your information confidential, we will ask you to verify your identity before proceeding with any requests. If there is a third party acting on your behalf, we will check that they have your permission to act.


Legitimate Business Interests

In cases where we are processing your personal data on the basis of our legitimate interest, you can ask us to stop for reasons connected to your individual situation. We must then do so unless we believe we have a legitimate overriding reason to continue processing your personal data.


11. Contacting the Regulator

If you are at all unhappy about the handling of your data, you can send a complaint to the Information Commissioner’s Office by calling 0303 123 1113 or go online to

If you are based outside the UK, you have the right to lodge your complaint with the relevant data protection regulator in your country of residence.


12. Questions?

We hope this Privacy Notice has been helpful in setting out the way we handle your personal data and your rights to control it.

If you have any questions that haven’t been covered, email us at, or write to us at Care Team, The COOK Kitchen, Eurolink Way, Sittingbourne, Kent ME10 3HH.

10% OFF

Sign up to our newsletter and we'll email you a voucher code for 10% off your first online order