Burger-In Oy (hereinafter “Hesburger”) collects personal data from Bonus Club members (hereinafter “You” or the “Customer” or “Customers”). Hesburger is committed to processing personal data in accordance with the legislation on the protection of personal data.

As Hesburger is constantly developing its services, it may be necessary to change and update this Privacy Policy. Changes may also be based on amendments to data protection legislation. We will announce any updates made to the Privacy Policy. We recommend checking the Privacy Policy on a regular basis. This page presents the most recent version.

Why Do We Use Customer Data?

The personal details and transaction information of Customers are used to provide and develop the Bonus Club service, including the Hesburger application. This service involves the specification and allocation of Bonus credits, Bonus Club levels and Bonus benefits based on the Customer’s bonus purchases. Such processing has a legal basis, requiring the Customer’s consent for us to be able to perform our side of the Bonus Club agreement.

Using the transaction information and demographic data, we also perform statistical customer profiling and analysis. This is based on our legitimate interest to improve and grow our business.

The Customer’s e-mail address, telephone number and local address and the notifications in the Hesburger application may be used to send the Customer offers or updates about products and services either we or the Hesburger chain restaurants provide, but only if the Customer consents to this.

If the Customer accepts receiving direct marketing, we will carefully select from our messages those that are the most relevant to the given Customer. This is done automatically by evaluating the Customer’s transaction history and one or more demographic attributes, such as age or place of residence. This is called profiling.

We use customer data for profiling and direct marketing due to our legitimate interest in the growth and development of our services, as well as our desire to make our communication to Customers as relevant as possible.

What Are the Data Sources?

Hesburger collects data directly from the Customer upon the submission of a Bonus Club application or a subsequent update of the said data on the Bonus Club page of the Hesburger website or through the Hesburger application.

Hesburger obtains details on the Customer’s purchases and Bonus Club card use from the point-of-sale systems at Hesburger restaurants and through the Hesburger application.

What Type of Data Is Processed?

The customer’s personal details

These include the Customer's first and last name, street address, postal code, place of residence, phone number, e-mail address, date of birth and information on any parallel member. Members under 15 years of age are required to submit the name and e-mail address of a parent or guardian, as well as the consent of this parent or guardian for the processing of the child’s personal data.

The user ID and password of each Customer registered on the Hesburger website are saved along with information on the Customer’s consent to direct marketing via e-mail, post or mobile phone. In order to offer employee benefits, data specifying whether the Customer is a Hesburger employee is saved in the register.

Transaction information

This includes information on purchases entitling the Customer to Bonus points, any unused Bonus points, the Customer's Bonus Club level and the date when the level was attained.

Information related to the Hesburger application

Information available through the Hesburger application (e.g. application registration date and time, payment card addition and deletion time and device information from the Customer’s phone, such as device ID and IP address) is saved. Most of the information related to application use is saved only temporarily.

The Customer accepts that access to some of the application content requires the processing of the Customer’s location data. Hesburger may process this data to the extent required for providing the service. After that, the location data is deleted without being transferred to any third party. Location data access can be turned on and off.

Who Has Access to Customer Data?

Personal data will be transferred to the following parties to the extent required for providing our services:

1) Parties that belong to the Hesburger Group:

  • AS Hesburger, RigaBurger SIA, Hes-Pro Vilnius: for marketing purposes. These companies provide country-specific marketing in the Baltic countries;
  • Salmela-Yhtiöt Oy: for the technical maintenance and administrative services of the Bonus Club, including the maintenance and development of the Hesburger application;
  • AS Hesburger: for maintenance and administrative services;
  • Hesburger restaurant companies (franchisees): for operational purposes, such as enabling Bonus Club purchases, providing customer service and answering customer feedback;

2) External parties:

  • Companies that provide Hesburger application maintenance and development;
  • Companies that provide marketing services, such as direct marketing campaigns to Customers by e-mail or post;
  • Hesburger restaurant companies (franchisees), which do not belong to the Hesburger Group: for operational purposes, such as enabling Bonus Club purchases, providing customer service and answering customer feedback;
  • Stripe Payments Europe Limited, Ireland, which collects customer credit card information: for the purpose of managing payment transactions carried out through the Hesburger application. Further information concerning the privacy of data processed by Stripe is available in the Stripe Privacy Policy (stripe.com/fi/privacy);
  • Public authorities, such as law enforcement authorities: for data requests based on local law;
  • Insurance companies: for processing claims.

The full names and locations of Hesburger restaurant companies can be found on the Hesburger website.

If employee data is transferred outside the European Union (EU) or European Economic Area (EEA), we will ensure that the data is given adequate protection, for example, by agreeing on statutory data protection measures in accordance with data protection legislation, such as by means of Standard Contractual Clauses (SCC) approved by the European Commission and/or based on the EU-US Privacy Shield framework.

The following recipients may process personal data outside the EU/EEA: SendGrid Inc. (distribution of marketing emails: Customer name and email address).

Data Security

Hesburger uses technical and organisational measures to protect personal data against unauthorised access, transfer, deletion or other processing that may compromise data security. The data is saved electronically and it can be accessed, altered or processed only by means of a multilevel encryption scheme. Only authorised persons responsible for the maintenance and management of the system are allowed access to the data. The data is protected against external access and all access to it is monitored.

How Long Do We Save Customer Data?

Customer data is saved as long as the Customer is a Bonus Club member. The data will be deleted within one month after the membership ends. If the Bonus account has not been used for two years, the Customer’s membership is terminated and the personal data related to that membership is deleted.

The Customer’s Rights

The Customer can exercise the rights specified below by sending an e-mail or letter to Hesburger.

Right of access

The Customer has the right to check their data in the Bonus Club records. To do so, the Customer can log in on the Bonus Club web page or to the Hesburger application.

Right to request error rectification

The Customer has the right to request the rectification of any inaccurate data. The Customer may correct such inaccuracies either by logging in on the Bonus Club web page or through the Hesburger application. If the error cannot be corrected on the web page or through the application, the Customer should contact Hesburger.

Right to request data deletion

The Customer has the right to request the deletion of their personal data from the Bonus Club records (i.e. the right to be forgotten). If the Customer wishes to continue their Bonus Club membership, not all of the data can be deleted, however. Hesburger will delete the requested data without undue delay unless there is a legitimate reason not to grant the request.

Right to restrict processing

The Customer has the right to restrict the processing of their personal data. If the Customer requests a restriction, Hesburger will no longer process the Customer’s personal data unless there are legitimate reasons to do so. A restriction may limit or prevent the Customer’s access to the Bonus Club services, however.

At any time, the Customer has the right to object to all direct marketing associated with the Bonus Club, including profiling for direct marketing purposes. To change the direct marketing settings, the Customer can log in at the Bonus Club website or to the Hesburger application. All Bonus Club marketing e-mails also include the option of unsubscribing.

Right to transfer data between systems

The Customer has the right to obtain their personal data in an organised and generally accepted format to enable its submission to some other personal data registry.

Right to lodge a complaint

If the Customer believes that their privacy rights have been breached, they may lodge a complaint with an authority of the EU country of their habitual residence. A list of national data protection authorities along with their contact details is available here:

Who Manages Customer Data and Provides Related Customer Service?

Burger-In Oy
Business ID: 2031967-6
Linnankatu 34
20100 Turku, Finland