Protecting your privacy

This privacy notice describes how Riverford Organic Farmers Ltd (“We”) collect and use the personal information of our customers and prospective customers in accordance with the General Data Protection Regulation (GDPR) and other relevant legislation.

To give you the best possible organic experience we need to gather data. We want to be transparent about why we need the personal details we request when you engage with us and how we will use them.

We will protect the privacy and security of your personal information and will always take all reasonable steps within our power to keep your information safe.

Please read this policy carefully, along with our Terms and Conditions and any other documents referred to within this notice to understand how we collect, why we use, and how we store your personal information.

By providing us with your personal information, you consent to the collection and use of any information you provide in accordance with this privacy policy.

Data protection principles

We comply with the principles of data protection law. This says that the personal information we hold about you must be:

  1. Used lawfully, fairly and in a transparent way.
  2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
  3. Relevant to the purposes we have told you about and limited only to those purposes.
  4. Accurate and kept up to date.
  5. Kept only as long as necessary for the purposes we have told you about.
  6. Kept securely.

For the purpose of the General Data Protection Regulation (GDPR) the data controller is Riverford Organic Farmers Ltd of Wash Barn, Buckfastleigh, Devon, TQ11 0JU. As we are a franchise business, in some areas, our business partners may process data on our behalf in order to fulfil your orders.

What personal data we may collect about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). There are "special categories" of more sensitive personal data which require a higher level of protection.

We collect information every time you interact with us. The information we may collect from these interactions may include, but is not limited to:

  1. Information you give to us

    • By filling in forms on our site (riverford.co.uk) or sites we control including our restaurants
    • By using our mobile app
    • By filling in forms at shows, events or one of our restaurants
    • By corresponding with us by phone, email, in person or otherwise
    • By subscribing to our service
    • By placing orders on our site
    • By entering competitions, promotions or surveys
    • By responding to one of our mailings

    The information we collect may include: Your name, address, email address, telephone number, payment information, login information (customers), shopping preferences including products, dietary (vegetarian, vegan) and Veg Alerts.

  2. Information we collect when you interact with our site or app

    • By filling in forms on our site (riverford.co.uk) or sites we control including our restaurants
    • By using our mobile app
    • By filling in forms at shows, events or one of our restaurants
    • By corresponding with us by phone, email, in person or otherwise
    • By subscribing to our service
    • By placing orders on our site
    • By entering competitions, promotions or surveys
    • By responding to one of our mailings
    • When you participate in social media functions (e.g. comment, share or review stories, products or blogs)
    • When you report a problem with our site or app

    The information we collect may include: Your internet protocol (IP) address, browser type and version details, time zone settings, browser plug-in types and version, your operating system and platform, the pages you visit, for how long and the actions you perform, page response times, your browser cookies (see how we use cookies), your shopping preferences and other areas of interest to you.

    Our mobile apps may access your Android Advertising Identifier or Apple Advertising Identifier (IDFA). However, this is only a consequence of the Software Development Kits we may use, and this data is never stored by us or passed on to any third party.

  3. Information we receive from other sources

    • If you consent to hear from Riverford on other sites
    • If you subscribe to our service via one of our franchisees
    • If we require information to execute a contract
    • When you visit one of our sites or restaurants we may collect CCTV footage for security purposes only

    The information we collect may include: Your name, address, email address, telephone number, payment information, login information (customers), payment card verification and CCTV footage.

Legal basis we rely on to collect information

The law on data protection sets out a number of different reasons for which a company may collect and process your personal data, including:

  1. To fulfil a service: We use your information to execute contracts or services that you have entered into. This includes communications relating to your order, deliveries and payments via phone, email and SMS (for example to let you know if a delivery is delayed or payment has failed). In order to process and fulfil your order, we may need to share your information with our franchisees (eg delivery address) and payment processors (eg to collect payment).
  2. When you consent: We may use your personal information and order history to tell you about relevant products, events, competitions and news. For example, when you sign up to a newsletter or tell us you want to hear from us by completing your preferences. You can ask us to stop sending you marketing messages by contacting us at any time. If you change your mind you can update your choices at any time by logging into your account or contacting us.
  3. If we have legitimate interest: The GDPR defines legitimate interest as a reasonable business or commercial interest for processing your personal information. For example, sending a direct mail when a product you previously ordered is back in season, improving the service we provide or to follow our ethical and environmental ethos.

How we use your information

We want to help you Live Life on the Veg and get the most out of organic and ethical living. By understanding our customers, trends and behaviours, we can provide a better and more relevant service.

If you wish to change how we use your data, you’ll find details in the ‘What are my rights?’ section below. Remember, if you choose not to share your personal data with us, or refuse certain contact permissions, we might not be able to provide some services you’ve asked for.

What we use your data for and the legal basis which applies

  1. Service

    • To process your orders and services requested from us
    • To respond to your queries, complaints or refund requests
    • To keep a record of your relationship with us and your information up to date
    • To process payments
    • To remind you of your order cut-off deadline to enable you to place, amend or cancel an order
    • To let you know when you have an unconfirmed order in your basket.
    • To let you know about changes to your order or deliveries
    • To let you know about changes to our service (eg delisting products)
    • To check if you’d like to keep your account open after a period of no orders.
    • To contact you by phone if we notice unusual activity in your account such as a significantly larger order than your regular order
  2. Consent

    • To invite you to events and cookery classes and process your bookings
    • To tell you the contents of next week’s boxes so that you can plan your weekly grocery shop
    • To tell you about relevant new products and services you may be interested in based on your buying history
    • To tell you when a product you have purchased in the past is back in season
    • To administer competitions and promotions
    • To keep you informed about the ethical and environmental work you are supporting (eg being fair to farmers)
  3. Legitimate interest

    • To protect our website and our customers (eg to investigate phishing or fraudulent activity)
    • To exclude you from online advertising and avoid unnecessary spend on marketing
    • To develop and improve our systems (eg pages you visit to investigate any problems you encounter with our site)
    • To send you requests for feedback via surveys to help improve our service
    • To build a picture of who our current customers are and what they like, to inform our business decisions (eg to identify food trends or locate potential new customers in different areas of the UK)
    • To ensure the content on our site or app is presented effectively for your device and is secure
    • To measure and understand advertising effectiveness through research and analysis
    • To automatically customise the contents of our website, emails or other channels based on the data we hold about you (for example showing you strawberries if you previously purchased them)
    • To contact you if we notice unusual activity in your account such as a significantly larger order than your regular order
    • To contact you if you cancel all orders to understand your reasons for leaving Riverford
    • To contact you periodically if you choose to keep your account open but without placing an order, for up to 36 months. All calls are screened against the TPS (Telephone Preference Service)

Note that if you purchase a gift for someone from Riverford, we will need their personal details (for example name and address) in order to process the order and delivery. However, we will never contact them for any purpose other than to process your gift.

Who we share your information with

Sometimes we may share your data with trusted third parties for the legal bases defined above (service, legitimate interest and consent).

An additional basis of ‘legal compliance’ applies here. We have a duty to pass on information to law enforcement agencies, if we become aware of people involved in fraud, non-payment or other criminal activity.

We may also be legally bound to share your data in the future if Riverford is subject to sale or asset transfer.

Who we share your data with, how we protect it and your rights.

  1. Our business partners and franchisees in order to fulfil our contract with you. Data is accessed from centrally maintained systems. No personal information is sent across the open internet.

  2. We use an external email platform provided by MAPP to fulfil our service and marketing communication needs. MAPP adheres to the GDPR when processing data for customers operating within the EU.

    Use of a third party email provider is necessary and legitimate for us to execute the service you sign up for with Riverford. MAPP provide the following statement about how your data is protected:

    Mapp applies effective security safeguards to protect your Personal Information and therefore complies with and is partly certified against ISO 27001. ISO 27001 is the international standard for information security management and defines the requirements for the introduction, operation, monitoring, and continual improvement of an effective information security management system (ISMS). It systematically ensures that an organization implements and maintains commercially reasonable and industry standard technical and organizational safeguards to preserve the security of (Personal) Information.

  3. We use Trustpilot to gather independent online reviews. Your name and email address may be sent to Trustpilot. This method ensures that Trustpilot delete your information after 30 days.

    In accordance with the GDPR, Trustpilot automatically delete your personal details after 30 days. If you leave a review, Trustpilot becomes the controller of that information under the terms of their own privacy policy.

  4. Online advertisers and platforms (such as Google, Twitter, LinkedIn and Facebook) to show you relevant information about our products. The processing is completed using pseudonymised (subjected to a technical process which replaces your data with codes, so it is unidentifiable to anyone without additional information) email addresses to protect your privacy. This transfer is a bulk process so neither Riverford nor the third party has sight of any individual’s data.

    Read more about how ads are displayed on each platform and how to control your data:

  5. Online advertisers and platforms to exclude current customers from seeing advertising (to save money). The processing is completed using pseudonymised (subjected to a technical process which replaces your data with codes, so it is unidentifiable to anyone without additional.

    As an ethical business that uses profits to invest back into protecting the environment, it is our legitimate interest to take all reasonable steps to avoid unnecessary cost.

  6. We use Facebook’s services to identify people similar to our current customers. This is the most cost-effective way for us to show Facebook users matching that profile messages about Riverford and gain new customers. The processing is completed using pseudonymised (subjected to a technical process which replaces your data with codes, so it is unidentifiable to anyone without additional information) email addresses to protect your privacy. This transfer is a bulk process so neither Riverford nor the third party has sight of any individual’s data.

    As an ethical business that uses profits to invest back into protecting the environment, it is our legitimate interest to take all reasonable steps to acquire new customers whilst avoiding unnecessary cost.

  7. We use Experian’s services to identify areas of the UK where we may find people similar to our current customers. This enables us to plan and optimise franchise and delivery areas to reduce cost and minimise impact on the environment. Information is shared via Experian’s secure document upload service. Experian protects your information over the internet by using a secure web server, which allows web browser programs to interact with Experian’s web server via an encrypted session.

  8. Selected business partners you consent to hear from (for example when we run joint competitions with companies matching our ethics). If you enter a joint competition and tick a box agreeing that our partner can send you promotional information directly, we will share your information via the legal basis of consent which will be gained each time you enter a competition.

    The third party will have their own Privacy Policy.

We only provide third parties with the information they need to perform the exact services we specify in our contract with them and we never sell your data to third parties. We work closely with them to ensure that your privacy is respected and protected at all times. If at any time we stop using third party services, any information held by them will either be deleted or rendered anonymous.

Where we keep your information

The data that we collect from you is stored within the European Economic Area ("EEA"). We take all reasonable steps necessary to ensure that your data is treated securely and in accordance with this privacy policy. Where we share your data with third parties, that information may be held outside of the EU but remains under the jurisdiction and strict principles of the GDPR.

All information you provide to us is stored on our secure servers, except payment card information. To maintain the highest level of security, we never store or have visibility of your card details. We use a method called client-side encryption to take your card details. This means that your card details are encrypted on your device before they are sent to Riverford. This encrypted data is sent to our payment provider (WorldPay) ensuring that we are never able to see your card details.

Our payment provider gives us a ‘token’ which can only be used to take payment from your card to a Riverford bank account. If this token were stolen, it would be of no value to anyone else; it can only be used by Riverford to take a payment from your card.

All transactions and communication between your browser and our website are encrypted using the Transport Layer Security (TLS) protocol which is standard in modern web browsers. Where you have chosen a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. Do not share your password with anyone and change it regularly.

From time to time, our website may contain links to third party websites. If you follow a link to any of these websites, please note that they will have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

How long we keep your data for

We will hold your personal information on our system for as long as is necessary for the processing of our contractual obligations with you or when you give consent for us to keep your account open.

We keep your account open for a period of 37 months after your last order or last delivery. During this time, we will continue communicating with you as outlined by this policy unless you actively close your account or update your preferences.

At 36 months after your last order, we will email you to check if you’d like to keep your account open and continue hearing from us. If you do not respond, we will remove your details from our active database and you will no longer receive any communication from us. If your account is closed either as part of our retention or as a request under Article 17 of the General Data Protection Regulation your personal information will be held securely on a deactivated basis for the remainder of our legal obligations to meet government financial and audit regulations for a maximum of 7 years unless there is an extended legal basis to retain for longer. Should you wish to become a Riverford customer in the future, you will be prompted to set up a new account.

Your rights and how to activate your rights

  • To ask us not to process your data for marketing purposes

  • To ask us to erase all of the personal information we hold about you (Right to Erasure also known as the right to be forgotten) (Article 17 GDPR)

    • Email datasecurity@riverford.co.uk
    • Write to Riverford Data Security & Compliance Officer, Riverford Organic Farmers Limited, Buckfastleigh, Devon, TQ11 0JU

    The GDPR requires us to act upon the request within one month of receipt.

  • To request access to all of the information we hold about you (Article 15 GDPR)

    • Email datasecurity@riverford.co.uk
    • Write to Riverford Data Security & Compliance Officer, Riverford Organic Farmers Limited, Buckfastleigh, Devon, TQ11 0JU

    The GDPR requires us to act upon the request within one month of receipt.

  • To ask us not to process your data for the purpose of our legitimate interest. We will action your request unless we believe the legitimate interest overrides your circumstances

Changes to this policy

This policy was last updated on 17th September 2020.

Any changes we may make to our privacy policy in the future will be posted on this page and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes to our privacy policy.

Got a question?

If you have any questions that haven’t been covered, please contact our Data Protection and Compliance Officer who will be pleased to help you:

If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office.