Privacy Policy

This is the Privacy Policy for Chestnut Bakery and its affiliates (collectively referred to as “Chestnut Bakery.”, “we,” “us,” or “our”). By submitting any information to us in connection with our Services, you acknowledge and agree that we may process (that is, collect, access, use, disclose, and conduct other related activities) your Personal Information as described in this Privacy Policy.

Purpose of this privacy policy

Your privacy is important to us. We are committed to protecting your Personal Information and we want you to understand how we collect, process, use, disclose, and protect it. This privacy policy (“Privacy Policy”) is intended to inform you of the types Personal Information that we may collect from, or be provided about, you through our websites, including (collectively, the “Site”), branded mobile applications (the “Mobile App”), in-restaurant wireless internet service, or at the point of sale, and the rights you have. For the purposes of this Privacy Policy, the Site, Mobile App, in-store wireless internet service, and the point of sale are collectively referred to as the “Services.”

In this Privacy Policy, we use the terms Personal Information and Anonymous Information to describe the types of information that might be collected during your interactions with the Services. “Personal Information” means information that can be used to identify a particular individual or user of the Services, including, for example, your name, address, telephone number, email address, user name, and any other information about you that is associated with or linked to any of the foregoing information, such as your IP address or geographic location information. “Anonymous Information” means information that is not associated with or linked to your Personal Information and that cannot be used to identify an individual. We use Personal Information and Anonymous Information only as described in this Privacy Policy.

We collect and process the Personal Information of various categories of people who interact with us, who are mostly people who come to our restaurants, use and fill forms on our website, or order food via an online platform or app.

Our Services are not intended for children and we do not knowingly collect Personal Information relating to children. For more information, please refer to the “Children” section below.

This Privacy Policy applies to all Personal Information we obtain and process through the Services as explained in more detail in this notice. It is important that you read this Privacy Policy together with any other privacy notices that we may provide on specific occasions when we are collecting or otherwise processing Personal Information about you so that you know how and why we are using it. This Privacy Policy supplements those other notices and is not intended to override them.

Types of personal information we collect

The types of Personal Information that we will collect and use will depend on various circumstances, for example, your relationship with us, how you are interacting with us, and whether you are ordering through a third party service provider whose privacy policy may apply to that transaction. The information collected may include, for example:

  • identity information, such as your name, initials, gender, age, and the month, day, and occasionally year of your birth;
  • contact details, such as your email address, delivery address, billing address, mailing address, and phone number(s);
  • account user name and other account identifiers;
  • communication preferences and registration information;
  • transaction history, for example, the details of individual or aggregate orders, orders per location, last four digits of your credit card number, whether food was picked up or delivered, etc.;
  • browsing technical information, for example, IP address, login data, browser type and version, operating system, and other technology on the devices you use to access our website. For more information, please see the “Cookies and Automatic Data Collection: Do Not Track” section below;
  • device technical information, for example, the MAC address, geographic location information, and assigned IP of devices used to access in-store wireless internet; and,
  • any other Personal Information we may obtain through you interacting with us through the Services.


Except as described above, we do not collect, store, process, or receive credit card numbers from our Partners (as defined in the “How we Collect Personal Information” section below) or otherwise. This type of information may be collected by our Partners and subject to their privacy policies.

How we collect personal information

We obtain Personal Information in a variety of ways, sometimes through a platform that is owned, operated, or “powered by” third-party partners or service providers (collectively, our “Partners”). In connection with your interactions with us through the Services, we may collect Personal Information from you or from other sources. This information may be Personal Information that you directly provide to us, such as information that you provide when you visit the Services, or information that is passively or automatically collected from you, such as information collected from your browser or device. This information may either be Personal Information or Anonymous Information, depending on the collection source.

In some instances, Chestnut Bakery may also collect information from third party sources, upon whom we rely to provide the Services. We use both business partners and service providers, such as payment processors and analytics providers, to perform services on our behalf. Some of these Partners may have access to information about you that we may or may not otherwise have (for example, where you sign up directly with that provider) and may share some or all of that information with us. In response to public health guidance or mandates from government authorities, we may collect health information from our customers as we are required or deem appropriate to provide a safe space for you and our employees.

We use the following third-party services in order to provide the best user experience to you:

  • when you order online via the Site your identity and registration information will be processed by us, and your contact details will also be collected so we can communicate with you about your order if required.
  • when you order via one of our delivery Partners (for example, Deliveroo), a subset of your identity and contact information will be processed by us so we can fulfil your order. These services will maintain their own privacy policies.
  • when you use the Mobile App your identity, contact information, and registration information will be processed by us. 
  • when you use our in-store wireless internet service, we will ask to collect identity and contact information, as well as marketing preferences. Further to this, technical information about the device you use will also be captured to facilitate the service. In-store wireless internet service is provided by third-party partners and will be subject to Privacy Policies that are presented as part of the connection process.
  • when you post information on or through our website or send us emails or other communications. In addition, when you visit or use this website, we may automatically gather and store certain technical information about your usage. For more information, please see the “Cookies and Automatic Data Collection: Do Not Track (DNT)” section below.
  • we collect the online usernames of those who leave reviews of our food or stores on online platforms.
  • when you otherwise provide us with your Personal Information.

In addition to the categories of information described above, Chestnut Bakery may also collect aggregated information or other Anonymous Information that does not directly identify you.

We encourage you to review the privacy policies for each third-party service provider or Partner so that you are informed about the information they may collect and use about you.

Cookies and Automatic Data Collection; Do Not Track (DNT)

As described above, we may use automatic data collection technology to collect certain information about your devices and browsing patterns. We use cookies on the Site that automatically collect information about you. “Cookies” are a small data file that are stored on your computer’s hard drive by your browser while you are using the Site. We use these cookies to improve our website functionality and the overall experience of our customers, as described in greater detail below. The information gathered and stored is utilized anonymously and does not contain anything that can identify users personally.

We use both session cookies (which expire once you close your browser window) and persistent cookies (which stay on your computer until they expire or until you delete them) to provide you with more personal and interactive experiences on the Site. Persistent cookies can be removed by following the help directions for your internet browser. If you choose to disable all or most cookies, some areas of the Site may not function properly.

For the Chrome web browser, please visit this page from Google:

For the Internet Explorer web browser, please visit this page fromMicrosoft:

For the Firefox web browser, please visit this page from Mozilla:

For the Safari web browser, please visit this page from Apple:

For any other web browser, please visit your web browser’s official web pages.

You can learn more about cookies here:


Network Advertising Initiative: 

In addition to cookies, Chestnut Bakery uses “pixels” to enable certain cookies or advertisements on the Site and to track the number of times a link or advertisement is served on a webpage. A pixel is a tiny, 1×1 image that is loaded when you visit our Site, but instead of calling up an image, it causes a cookie or application to be downloaded. Pixels can be used to track user activities, track the number of times a user has viewed a particular link or advertisement, track and optimize website traffic, display advertisements, keep track of advertising commissions, and otherwise collect data for online marketing and website analysis. As with cookies, our Site utilizes both session pixels and persistent pixels.

We also use cookies and tracking/marketing pixels for four general purposes: (1) to ensure the functionality, optimization, and ease of use of our Site; (2) to ensure and maintain the security of our Site; (3) to collect anonymous, statistical data regarding how visitors interact with the Site; and, (4) for marketing purposes.

The cookies that we use for functionality and security purposes are considered necessary cookies, without which the Site would not function properly. These cookies allow some of the basic functions of our Site to work properly, such as remembering your preferences as you navigate the Site. In addition, these cookies help us secure the Site by preventing cross-site request forgery attacks and by throttling excessive request rates.

We also use cookies to collect statistical information regarding how visitors interact with our Site and to track repeat visits to our Site. While these cookies collect information regarding how you use our Site in order to help us understand site flow and improve the Site, all such statistical data is anonymous and does not personally identify you.

Finally, we use both cookies and pixels on our Site for marketing purposes, including: to check whether your browser supports the use of cookies, to deliver general advertisements from third party advertisers, to present targeted advertisements to particular Site visitors, to track the particular advertisements that have been displayed to you, to track your browser activity across devices and marketing channels, to track the actions you take after viewing an advertisement in order to measure the efficacy of the advertisement, and to display particular advertisements in order to re-engage visitors that are likely to convert to customers based on those visitors’ online behavior across websites.

We also use Google Analytics on our Site to collect usage data, to analyze how users use the Site, and to provide advertisements to you on other websites. This information is anonymous and does not include personal information. Please visit the following website for information about how you can opt out of having Google Analytics collect data from you when you are using the Site: 

Any automatically collected information is statistical, aggregated, or Anonymous Information and does not include personal information.

Please note that our Site is not configured to accept and respond to web browser Do Not Track (DNT) signals. As such, if you would like to exercise your privacy rights, we encourage you to do so by submitting a request using the methods described below.

Use of your personal information

We will only use your Personal Information for the purposes for which it has been provided to us. Generally, we will process your Personal Information in order to:

  • fulfill your order;
  • identify sales trends and monitor store performance;
  • administer our rewards program, which is made available through the Mobile App and only available in the United Kingdom;
  • present the Site to you;
  • provide you with Chestnut Bakery related information, promotions, offers, products, or services that you request from us or that you have consented to receive;
  • promote Chestnut Bakery via email direct marketing if you have shared your email when interacting with the Services and have agreed to receive marketing messages, which you may opt out of at any time;
  • fulfil any purpose for which you provide Personal Information;
  • provide customer support;
  • notify you about changes to our Site, our Terms and Conditions, or this Privacy Policy and to send you security alerts, confirmations, and other administrative messages;
  • respond to law enforcement requests and as required by applicable laws, rules, court order, or governmental regulations;
  • fulfill any other purposes with your explicit consent.

We may also use your Personal Information for any other purpose as disclosed at the time of collection, or when we have otherwise obtained consent.

We will not perform any automated decision-making processes involving the information that we collect.

If you provide feedback on any of our products or services, we may use such feedback for any purposes, provided that we will not associate such feedback with your Personal Information. We will collect any information contained in your feedback and will treat the Personal Information in such communication in accordance with this Privacy Policy.

Direct Marketing and Other Communications

We may periodically engage in direct marketing if you have opted-in to receive it. You will be able to opt out at any time by following the instructions included in every email sent to you via the “Unsubscribe” link contained in the email footer.

You may not opt out of non-promotional communications from us, including confirmation messages regarding successful order requests. Please note, regardless of your communication preferences, we may continue to communicate with you regarding changes to our Terms and Conditions or Privacy Policy, data breaches, or other significant information related to your Personal Information for as long as it is retained by us.

Changing the purpose for which we use your personal information

We will not collect additional categories of Personal Information or use the Personal Information that we have collected for materially different, unrelated, or incompatible purposes without providing you notice.

We will only use your Personal Information for the purposes for which it has been provided to us, unless we reasonably consider that we need to use it for another reason that is compatible with the original purpose and GDPR-compliant.

How we share and disclose personal information

We may need to share your Personal Information with other organizations from time to time, but to the extent required by applicable law, rule, or governmental regulation, we will maintain responsibility for what they do with your Personal Information and how it is processed. We require all third parties to respect the security of your Personal Information and to treat it in accordance with the law. We do not allow our third-party service providers to use your Personal Information for their own purposes and we only permit them to process your Personal Information for specified purposes and in accordance with our instructions. For example, we may share your information:

  • with service providers who process Personal Information for us, including those providing IT and system administration services and hosting;
  • to meet legal requirements and to comply with any court order, law, or legal process, including to respond to any government or regulatory request or valid discovery requests or subpoenas and to enforce and protect our rights, including to enforce this Privacy Policy, our Terms and Conditions, and other agreements between you and us;
  • if we believe disclosure is necessary or appropriate to protect the rights, property, or safety of Chestnut Bakery, our employees, our customers, or others;
  • to provide information to our representatives and advisors, including our attorneys and accountants, to help us comply with legal, accounting, and security requirements; and,
  • to organizations with which, or people with whom, we may be involved in the provision of any services to you in support of our business, for example email marketing platforms, customer relationship management systems, or store management platforms.

We may also share your Personal Information for any other purpose as disclosed at the time of collection, or when we have otherwise obtained consent.

Please note that this Privacy Policy is not intended to limit our ability to share or disclose Anonymous Information or aggregated, pseudonymized, or deidentified information.

How we protect your personal information

We have put in place appropriate technological and organizational security measures to help prevent your Personal Information from being accidentally lost, used, altered, accessed, or disclosed in an unauthorized way. In addition, we limit access to your Personal Information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your Personal Information on our instructions and subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected Personal Information breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

The safety and security of your information also depends on you. If you choose, or are provided with, a user name, password, or any other piece of information as part of our security procedures, you must treat such information as confidential, and you must not disclose it to any other person or entity. You also acknowledge that your account is personal to you and agree not to provide any other person with access to the Services, or any portion thereof, using your user name, password, or other security information. You agree to notify us immediately of any unauthorized access to or use of your user name or password or any other breach of security. You also agree to ensure that you exit from your account at the end of each session. You should use particular caution when accessing your account from a public or shared computer or device so that others are not able to view or record your password or other personal information. You are entirely responsible for maintaining the confidentiality of the information you hold for your user name, password, or other information related to your account. You may be held liable for losses incurred by us as a result of your failing to keep your login information secure and confidential.

Unfortunately, the transmission of information via the internet is not completely secure. Although we do our best to protect your Personal Information when it is received by us, we cannot guarantee the security of your Personal Information transmitted to our Services. Any transmission of Personal Information is at your own risk. We are not responsible for any circumvention of any privacy settings or security measured related to the Services.

How long personal information is kept

We will only keep your Personal Information for as long as necessary to fulfil the purposes for which we collected it or to enable us to comply with our legal obligations or enforce our legal rights.

Generally, the length of time we keep your Personal Information will depend on the type of Personal Information and the purpose for which we are processing it. To determine the appropriate retention period, we consider the amount, nature, and sensitivity of the Personal Information, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process the Personal Information and whether we can achieve those purposes through other means, and the applicable legal requirements.

At the end of the retention period, we will either delete your Personal Information from our systems completely, or anonymize it so it can be used without identifying you and without the ability to be re-associated with you in the future, such as by aggregating the information.

You can contact us if you would like further information about our retention policy or to request we delete your personal information by using the information in the “Contact Us” section below.

Links to third party websites and social media

The Services may offer social sharing features and other integrated tools, such as the Facebook, Twitter and Pinterest buttons (e.g., “Like,” “Tweet” and “Pin It”), which let you share actions you take on the Services with other media. Your use of these features may enable the sharing of information outside of Chestnut Bakery and, potentially, with the public. If you click on a link to a third-party website or use a third-party service (including, without limitation, those listed above), you will leave the Services and go to the website or service you selected.

Because we cannot control the activities of third parties, we cannot accept responsibility for any use of your personal information by such third parties except as required by applicable law, rule, or governmental regulation. If you visit a third-party website that is linked to on the services or in any other Chestnut Bakery communication, you should consult that website’s privacy policy before providing any personal or other information. We also encourage you to review the privacy policies of any other service provider from whom you request services.

Our provision of a link to any other website or location is for your convenience and does not signify our endorsement of such other website or location or its contents. We have no control over, do not review, and cannot be responsible for, these outside websites or their privacy practices. Please be aware that the terms of our Privacy Policy do not apply to these outside websites. 


The Services is not intended for and we do not knowingly request or gather personal information from users who are under the age of 13. If personal information is gathered from a child under the age of 13 and we learn that the personal information is the information of a child under the age of 13, we will make the effort to delete the information. If you, as a parent or guardian of the child, believe that we might have personal information from a child under the age of 13 or the applicable minimum age in your jurisdiction, please contact us at, and we will delete the personal information from our records within a reasonable period of time. Please note that you may have to reach out to our Partners separately to delete the personal information from their records.

British and EU/EEA Privacy Rights

We will only use your Personal Information in compliance with the law. Most commonly, where:

  • consent has been obtained. For example, we rely on consent when sending special offers on your birthday. You have the right to withdraw your consent at any time and can find out more about your right to withdraw your consent in our “Your Rights and Choices” section.
  • it is necessary for our legitimate interests (or those of a third party), and those interests do not override your interests or fundamental rights. You can find out about your right to object to our processing of your Personal Information when we rely on our legitimate interests in our “Your Rights and Choices” section.
  • we need to perform a contract we are about to enter into or have entered into with you. For example, if you place an order with us or a delivery partner, we need to process your Personal Information in order to fulfil that contract.
  • we need to comply with a legal or regulatory obligation. For example, we may be required to share your Personal Information with any legal or regulatory authority to which we are subject.

If we need to use your Personal Information for an unrelated purpose, we will notify you and we will explain the legal basis that allows us to do so.

The Personal Information we hold about you needs to be accurate and up-to-date in order to comply with applicable privacy and data protection laws. Please contact us at to let us know of any changes to your Personal Information so that we can correct our records.

Personal Information Rights

In addition to the rights outlined in the “Your Rights and Choices” section, EU, EEA, and British citizens have the below additional rights:

  • Object to processing of your Personal Information where we are relying on our legitimate interests (or those of a third party) and there is something about your particular situation which makes you want to object to our processing on this ground as you feel it impacts on your fundamental rights and freedoms. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms. You also have the right to object where we are processing your Personal Information for direct marketing purposes.
  • Request restriction of processing of your Personal Information. This enables you to ask us to suspend the processing of your Personal Information in any of the following scenarios: (a) if you want us to establish the accuracy of the Personal Information retained about you; (b) where our use of your Personal Information is unlawful but you do not want us to erase it; (c) where you need us to hold the Personal Information even if we no longer require it as you need it to establish, exercise, or defend legal claims; or, (d) you have objected to our use of your Personal Information but we need to verify whether we have overriding legitimate grounds to use it.
  • Request the transfer of your Personal Information to you or to a third party. We will provide to you, or a third party you have chosen, your Personal Information in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

If you wish to exercise any of the rights set out above, please contact us at


Please contact us in the first instance if you have a concern about how we are dealing with your Personal Information, though EU and British citizens in the UK are entitled to complain at any time to the Information Commissioner’s Office (ICO) at

Changes to this Privacy Policy

This Privacy Policy may change from time to time so please check it periodically. Any significant changes will be posted on our website, and we may also send notice of any such updates via email if you have provided your email address to us.

Contact us

If you have any questions about this Privacy Policy, how we collect or process your Personal Information, or would like to submit a request to exercise your legal rights, please contact us using the details below. 

Email address: 

Postal address: 11 Dover Street, Mayfair, London, United Kingdom, W1S 4LH