Burger-In Oy (hereinafter “We” or “Hesburger”) collects personal data from Bonus Club members (hereinafter “You” or “Customer(s)”) Hesburger is committed to processing personal data in accordance with the legislation on the protection of personal data.

As Hesburger is constantly developing its services, it may be necessary to change and update this Privacy Policy. Changes to the Privacy Policy may also be necessary when applicable legislation is amended. We will announce any updates made to the Privacy Policy. The content of this Privacy Policy should be checked on a regular basis. This page presents the currently valid version of the policy.

Why do we use Customer data?

The purposes of processing Customer data in the Hesburger Bonus Club register are as follows:

  • Providing, developing and monitoring services related to the Bonus Club
  • Customer service and customer relationship management
  • Specification and allocation of Bonus credits and Bonus Club loyalty program levels
  • Offering use of the Hesburger application to registered users and developing the application
  • Managing pre-orders and purchases made on the Hesburger application and carrying out payment transactions
  • Analysis, grouping and development of clientships
  • Marketing

The Customer’s e-mail address, telephone number and local address and the notifications in the Hesburger application may be used to send the Customer offers or updates about new products and services either we or the Hesburger chain restaurants provide, but only if the Customer consents to this. The same applies to benefits and offers communicated possibly over other digital channels.

We will carefully select from our messages those that are the most relevant to the given Customer. This is done automatically by evaluating, for example, your prior transaction history and one or more demographic attributes, such as age or place of residence. No automatic decision-making or profiling under the General Data Protection Regulation (GDPR) that might have legal ramifications for the Customer shall be made on the basis of register data.

Data processing principles

The legal basis for processing your personal data is, depending on the purpose and personal data:

  • Compliance with statutory obligations
  • Customer consent

What are the data sources?

Hesburger collects data directly from the Customer when the Customer submits a Bonus Club membership application or makes any updates to their data on the Bonus Club page of the Hesburger website or on the Hesburger application.

Hesburger obtains details on Bonus Club card use and the Customer’s purchases from the point-of-sale systems at Hesburger restaurants and on the Hesburger application.

Hesburger receives information from companies belonging to the same group of corporations or same economic consortium or from franchise operators on employees working in the Hesburger chain in order to offer employee benefits. 

What type of data is processed?

Customer personal data and contact details

These include the Customer’s first and last name, street address, postal code, place of residence, phone number, email address, date of birth, Bonus Club member number, information on any parallel memberships in a Bonus Club account, and the name and email address of a parent or guardian of a Bonus Club member under 15 years of age (minor) as well as the consent of this parent or guardian for the processing of the minor’s personal data. The user ID and password of each Customer registered on the Hesburger website are stored in the register along with information on any consent given by the Customer to direct marketing via e-mail, post or mobile phone. In order to offer employee benefits, data specifying whether the Customer is a Hesburger chain employee is saved in the register. 

Transaction information

This includes information on purchases entitling the Customer to earn Bonus points, any unused Bonus points, the Customer's Bonus Club level and the date when the level was attained.

Information related to the Hesburger application

Information on registration for the Hesburger application and related to use of the application (e.g. application registration date and time, payment card addition and deletion time and device information from the Customer’s phone, such as device ID and IP address) are stored in the register. Most of the information related to application use is saved only temporarily. 

The Customer accepts that the use of some application content requires the processing of their location data. Hesburger may process the Customer's location data to the extent required for providing the service. Following its use, the location data is deleted and will not be transferred to any third party. The use of location data can be turned on and off.

With regard to the Hesburger Gift, namely a gift card which can be sent using the application, the gift recipient’s phone number and any image material saved as a background image for the gift card are also registered.

Who has access to Customer data?

Personal data shall be transferred to the following parties to the extent required for providing our services:

1) Parties that belong to the Hesburger Group:

  • AS Hesburger, RigaBurger SIA and Hes-Pro Vilnius: for marketing purposes. These companies provide country-specific marketing in the Baltic countries;
  • Salmela-Yhtiöt Oy: for the technical maintenance and administrative services of the Bonus Club, including the maintenance and development of the Hesburger application;
  • AS Hesburger:  for maintenance and administrative services;
  • Hesburger restaurant companies (franchisees): for maintaining Bonus Club operations, such as enabling Bonus Club purchases, providing customer service and responding to customer feedback

2) External parties

  • Companies that provide IT services
  • Companies that provide marketing services, such as marketing campaigns to Customers by e-mail or through other digital channels;
  • Hesburger restaurant companies (franchisees), which do not belong to the Hesburger Group: for maintaining Bonus Club operations, such as enabling Bonus Club purchases, providing customer service and responding to customer feedback;
  • Stripe Payments Europe Limited, Ireland, which collects customer credit card information: for the purpose of managing payment transactions made on the Hesburger application. Further information concerning the privacy of data processed by Stripe is available in the Stripe Privacy Policy (stripe.com/fi/privacy);
  • Public authorities, such as law enforcement authorities: for data requests in accordance with local legislation;
  • Insurance companies: for the processing of damage claims.

The full names and locations of Hesburger restaurant companies can be found on the Hesburger website.

Transfer of data outside the European Union and transfer protection measures

As Hesburger uses subcontractors to process personal data, data is also processed outside the European Union (EU) or European Economic Area (EEA). If employee data is transferred outside the EU or EEA, we ensure that the data is given adequate protection, for example, by agreeing on statutory data protection measures in accordance with data protection legislation, such as by means of Standard Contractual Clauses (SCC) approved by the European Commission.

Data security

Hesburger employs technical and organisational measures to protect personal data against unauthorised access, transfer, deletion or other processing that may compromise data security. The register is kept in electronic form. Use of the register, altering data and processing can be done only using multilevel user identification by means of an encrypted application. Only appointed persons responsible for maintaining and managing the system are allowed to use the register. Register data is protected against external access and use of the register is monitored.

How long do we save the Customer data?

Personal data is saved as long as it is necessary. By default, information is stored for as long as the Customer is a Bonus Club member. The data shall be deleted within one month after the membership ends, with the exception of data Hesburger is statutorily required to store for a longer period of time.

If the Bonus account has not been used for two years, the Customer’s membership shall be terminated and the personal data related to that membership shall be deleted.

With regard to the Hesburger Gift, the phone number of the gift recipient shall be deleted if the recipient is not and will not become a Bonus Club member, which is a requirement for redeeming the Hesburger Gift.

Joint controllership with Facebook

When Hesburger maintains social networking pages on Facebook, Hesburger and Facebook Ireland Limited are joint controllers of the user data for the Hesburger pages. Facebook processes personal data in accordance with the privacy policy of its own, available at www.facebook.com/privacy/. Facebook is primarily responsible for compliance with data protection legislation and the fulfilment of data security and the rights of those registered with its services. Hesburger processes data based on legitimate interest.

Through Facebook, Hesburger gains access to a registered Facebook user’s public data, such as data about the user name and profile picture. We process this data only for purposes of our own, such as telling you about new products and services and for marketing, receiving customer feedback, purchasing advertising from Facebook, and measuring the reach of advertisements.

The Customer’s rights

The Customer may exercise the rights specified below by contacting Hesburger by mail or email.

Right of access

The customer has the right to check their own data in the Bonus Club register. To do so, the Customer can log in to the Bonus Club website or Hesburger application.

Right to request error rectification

The Customer has the right to request that incorrect or incomplete data be corrected. The Customer may correct inaccurate or incomplete data by logging in to the Bonus Club website or Hesburger application. If the error cannot be corrected on the website or application, the Customer should contact Hesburger.

Right to erasure

The customer has the right to request that their personal data be deleted from the Bonus Club register ("Right to be forgotten"). However, if the Customer wishes to remain a Bonus Club member, not all data can be deleted. At the Customer's request, Hesburger shall make every effort to delete the data without undue delay, except in cases where there are legal reasons for denying the deletion of data.

Right to restrict and oppose processing

The Customer has the right to restrict and oppose the processing of their personal data. When the Customer has submitted a request, Hesburger may no longer process the Customer's personal data, unless there is a legal reason for doing so. Restricting the processing of personal data may limit or prevent the Customer’s access to the Bonus Club services. 

The Customer has the right, at any time, to object to all direct marketing associated with the Bonus Club, including profiling for direct marketing purposes. The Customer can change the direct marketing settings by logging in to the Bonus Club website or to the Hesburger application. All Bonus Club marketing e-mails also include the option of unsubscribing.

Right to transfer data from one system to another

The Customer has the right to receive their personal data in a structured and commonly used form, in which the customer is able to transfer the data to the controller of another personal data register.

Right to file a complaint

If you feel that your privacy has been violated, you may file a complaint with the applicable authority in the EU member state where you reside. Detailed information on National Data Protection Authorities can be found here:


Who is the controller of your personal data and where can you contact them?

Burger-In Oy
Business ID: FI20319676
Linnankatu 34
20100 Turku

Update version 07.07.2022