Customer Privacy Notice and Cookies and App Consent Policy

Ocado Retail Limited (“Ocado Retail”, we, us or our) is committed to protecting your privacy and the personal data entrusted to us in line with data protection laws and regulation applicable to the United Kingdom, including the UK General Data Protection Regulation (GDPR), Data Protection Act 2018 (DPA) and EU GDPR.

To reassure you that we take our obligations to protect your personal data seriously, this Privacy Notice and Cookie Policy sets out the ways in which we process, share, retain and protect your information, alongside your rights as the data subject, and how you can raise a complaint if you feel we have not treated your personal data responsibly.

This Privacy Notice and Cookie Policy applies if you use or access any of our products and services, including but not limited to: shopping on any of the Ocado Retail websites (, or apps; using voice-controlled services (such as Amazon’s Alexa or Apple’s Siri); or communicating with us by phone or in writing including telephone, email, SMS, post, push notification, or via third party digital platforms (including websites or social media platforms).

Terms and definitions within this Notice:

“Controller” is defined as the organisation making the decision as to how the information is processed and for what purpose.

“Customer” refers to an individual who has registered or shopped on an Ocado Retail website (,

“Joint Controller” is defined as two or more controllers who collectively decide how the information is processed and for what purpose.

Marketing is defined as the promotion and/or selling of goods and services via methods such as: advertising, events, prize draws, competitions, gifts, vouchers, coupons, surveys, special offers and promotions. This is not an exhaustive list and may change over time.

“” is the website and application operated by Ocado Retail to supply Ocado own label, branded and Marks & Spencer products to customers.

“” is the website and application operated by Ocado Retail to provide a same day delivery service to customers operating within certain areas in west London.

“Personal data” is any information that alone, or in combination with other information, can directly/indirectly identify a living individual. This also consists of “special categories of information” which, due to its personal nature, requires further protection when processed.

“Processing” means any action undertaken on the personal data, by manual or automated means, including but not limited to collecting, recording, organising, storing, changing, accessing, using and disclosing.

“Processor” is the organisation undertaking the processing on behalf of the controller.

“Profiling” is the activity of processing personal data via automated means to analyse and make predictions about the individual.

“Specially selected partners” are third parties who have entered into a partnership with Ocado Retail aiming to jointly promote each other’s products and services. These partners have been selected based on their relevance to Ocado Retail and our customers.

Web advertising means digital marketing that is intentionally sent or displayed to you on third-party online platforms or websites (such as ads you may see on social media, Google or Bing) which we believe would be relevant to you based on your interests. It does not include marketing that we have not intentionally targeted to you specifically (such as banner ads that are randomly shown to any visitor of a third-party online platform or website) or any personalisation or recommendations we show on our websites, apps and services.

Ocado Retail Limited and/or Ocado Retail:

Apollo Court
2 Bishop Square
Hatfield Business Park
AL10 9EX

Personal data is any information relating to a living individual who can be identified directly or indirectly, often by name, customer number, location, an online identifier or other factors specific to their identity.

Personal data may include “special category data” such as personal data relating to racial or ethnic origin, political opinions, religious beliefs, membership of a trade union, physical or mental health, and criminal records and allegations. Whilst the primary purpose of our processing of your personal data does not include special categories of personal data, where any special categories of personal data are processed, we will at all times ensure we have a valid lawful basis for processing.

Information disclosed to us, by you, in the course of communications with us will be retained automatically as part of your correspondence and may as a result include special categories of personal data. Further protection and safeguards are placed upon sensitive information we process.

When we collect personal data from you we will indicate whether it is mandatory or voluntary — this is done on our websites and applications by using asterisks to mark mandatory fields.

Types of data we may process on you includes but is not limited to:

  • Personal details
    Name, address, email address, telephone number;
  • Order details
    Delivery address(es), order and delivery times, contact information, complaint / enquiry information, delivery photographs;
  • Payment details
    We never store your payment details in full, we only store an encrypted token that represents your payment card;
  • Account details
    Identification, purchase history and trends, account activity, log in details; and
  • Online aActivity dDetails
    Details of your operating system, browser software, IP (Internet Protocol) address and Uniform Resource Locator (URL), including the date and time of your visit.
  • Supplier details
    Name, contact details, business information and/or payment details of suppliers may be stored on our systems, or on third party systems, for the purpose of providing a service, access and fulfilling contractual obligations

We gather information from you through, for example, the use of our websites, apps, products or services. This includes tailoring the information we share with you to ensure that it is relevant, useful, timely and non-intrusive.

The information we process may be done so for a number of purposes and these are detailed, non exhaustively, under the lawful basis of processing section below.

The lawful basis we rely upon to process your personal data may differ for each processing activity. Dependent upon the purpose for processing as detailed below, and the business area processing your data, one of the following lawful basis of processing may apply:

  • Article 6 (1) (a) GDPR Consent:
    • Telephone marketing to numbers registered on the Telephone Preference Service List;
    • Automated phone marketing;
    • SMS reminders concerning deliveries and services;
    • Direct mail marketing to Customers on the Mail Preference Services List;
    • Electronic marketing of third party products and services;
    • Sending push notifications, where your device requests an affirmed action;
    • Reposting images you have tagged Ocado Retail in on your own social media;
    • Contacting Marks & Spencer on your behalf in regards to an enquiry or complaint relating to a Marks & Spencer product or service;
    • For use of cookies where consent is required;
    • Sharing or publishing of personal data where required; and
    • To process any personal data for other purposes where your consent has been freely given, specific and informed.
  • Article 6 (1) (b) GDPR Performance of a contract:
    • Registering you as a customer;
    • Providing a service and processing your orders and returns;
    • Arranging deliveries and collections;
    • Processing payments and transactions;
    • To respond to complaints, rights requests and enquiries;
    • To provide online account management, subscription and related services;
    • To fulfil any agreed terms and conditions such as for use of our website, our app or entering a competition; and
    • Contacting or registering suppliers for the purposes of accessing, using and keeping suppliers up to date on data insights and related services, and further processing required to meet the terms and conditions of membership to any services.
    • To meet any other contractual obligation.
    • Processing third party information for the purposes of providing a service, administering access and fulfilling contractual obligations
  • Article 6 (1) (c) GDPR Legal Obligation:
    • To allow us to comply with any requirements imposed on us by law or court order, including disclosure to law or tax enforcement agencies or authorities, or pursuant to legal proceedings;
    • To maintain records to meet legal, audit, regulatory and tax requirements;
    • To help us defend legal claims, or to exercise legal rights;
    • To contact affected Customers and process personal data in connection with product recalls, other similar product quality issues and product liability purposes;
    • To comply with our legal obligations in connection with the sale of age restricted products;
    • Prevention and detection of fraud, crime and anti-money laundering;
    • Suppression lists and managing communication opt-out requests;
    • To meet government legal guidance, such as track and trace for Covid 19; and
    • To meet any other legal or regulatory obligation.
  • Article 6 (1) (f) GDPR Legitimate interests: These include:
    • Training, communications and awareness, including for use of internal employee engagement.
    • Audit, quality control, performance management and monitoring;
    • Market research, management information, data aggregation and product performance, either for own purposes, or for the purposes of collaboration partners, or assisting the wider retail industry;
    • Understanding and publishing trends, customer behaviours and other data insights, and/or to improve usefulness and content of our websites, apps, products and services, and/or to promote products and services either for own or third party purposes;
    • To develop, communicate and deliver the most relevant products and services (including loyalty or benefit schemes to the advantage of the customer) and gain a wider understanding of our Customers;
    • To monitor the use of our websites and apps, and to ensure data security, data loss prevention and improve its facilities;
    • To process feedback, and customer engagement and determine the effectiveness and performance of our products and services;
    • To communicate with and provide a service to customers via a chatbot
    • Reviewing, deleting and publishing reviews made directly or via third parties;
    • To transfer, migrate or move data for the purposes of developing and maintaining IT infrastructure and services.
    • To personalise, target and improve your experience of our products and services;
    • Direct marketing of our own products and services;
    • Data shares for the purposes of marketing or promotional activities;
    • To share hashtag data and other Personal Data with influencers and other collaboration partners such as the Guardian, Disney, Nigella, ITV and Channel 4 for trend analysis and other contracted promotional services;
    • Tracking activity on our websites, apps and third party platforms (such as Social Media) to provide a more personalised online experience;
    • Linking with social media and digital platform sites and services, for example, for advertising purposes;
    • Data shares for the purposes of buying media content and benefiting from data insights gained through use of data clean rooms;
    • Operating and improving our products, services, websites, mobile applications and other digital assets as well as developing new products and services; and
    • Processing for competitions, promotions and other marketing purposes.
    • Providing guidance and advice in relation to your food profile and item selections
    • Recording of telephone calls to the customer hub to provide assistance to you and performance manage employees

We may process Personal Data where necessary under Article 6 (1) (d) GDPR where necessary in order to protect the vital interests of a data subject or of another natural person.

We share and publish promotional and PR articles online which sometimes include insights and statistics gathered from analysing, for example, our customers’ shopping and browsing behaviour (such as products purchased and pages visited). Any insights and statistics we publish will always be presented in an aggregated and anonymised form.

Any insights and statistics we publish or share with third parties, whether for any financial gain, or not, will always be presented in an aggregated and anonymised form. For example, the data that may be provided to our suppliers to assist them in their sales performance and forecasting will never include personal identifiable information.

We do not tend to ask for, or process, “special category data” about visitors to our websites/apps or our customers or suppliers for our primary purposes of providing our products and services. However, we may process information regarding a disability or vulnerability to facilitate us in providing our service in an appropriate way and to make such reasonable adjustments as may be required.

Should we identify suspected criminal activity such as fraudulent claims, transactions or the use of stolen payment card details we will document the suspected criminal activity and may take appropriate action, including refusing to accept orders, make payments or give refunds. We may also report the incident to the relevant bank or payment card issuer, the police or other appropriate authorities.

Should we process information defined as “special category” the following lawful basis for processing may be relied upon:

  • Article 9 (2) (a) GDPR Explicit Consent:
    Your permission has been granted and documented directly to us.
  • Article 9 (2) (f) GDPR Establishing, exercising or defending a legal claim:
    Such as litigation against a business, supplier or fraudulent person.
  • Article 9 (2) (g) Reasons of substantial public interest (with a basis in law).
  • Article 9 (2) (h) Health or social care (with a basis in law).
  • Article 9 (2) (i) Public health (with a basis in law).
  • Article 9 (2) (j) Archiving, research and statistics (with a basis in law).

Where we rely on conditions (h), (i) or (j) above, we commit to meeting associated conditions in UK law, set out in Part 1 of Schedule 1 of the DPA 2018.

Where we rely on the substantial public interest condition in Article 9 (2) (g) above, we commit to meeting one of 23 specific substantial public interest conditions set out in Part 2 of Schedule 1 of the DPA 2018.

We may also process criminal conviction data under:

  • Schedule 1, Part 3, Paragraph 33 DPA 2018 Legal claims:
    In connection with legal, or potential legal proceedings, obtaining legal advice or establishing, defending and /or exercising legal rights.

We may collect and process your personal data for humanitarian purposes, such as the monitoring of epidemics and their escalated spread (Recital 46) and in compliance with those purposes as defined by the appropriate authority/government under the lawful basis of “public interests” in order to protect our customers and employees.

Where child data is processed, for example within a marketing campaign or activity, processing of child data will only be undertaken with the appropriate consent, where required.

Health data may need to be processed, for example when querying or processing regards to allergies, and the processing of health data will only be undertaken with the appropriate consent where required. Food profiles are food preferences and are not intended to capture health data.

Biometric data may be processed for the purpose of uniquely identifying a natural person, for example, to access our apps. The processing of biometric data will only be undertaken with the appropriate consent, where required.

Information about you may also be provided to us indirectly by:

  • Consumer profiling experts, such as Experian
    These organisations provide demographic or other profiling data, to help us better understand how consumers’ lifestyles or shopping behaviours may be affected by factors such as their age, or the area in which they live.
  • Personal Assistant services
    For example, Amazon’s Alexa or Apple’s Siri provide us with details of the voice requests you have made in connection with your account so we can fulfil the orders you place with us, understand your shopping experience, and improve the related services that we offer.
  • Customer review websites, such as Trustpilot
    Information relating to feedback and reviews, which may contain your name or username is provided to assist Ocado Retail in improving our services.
  • ‘Trusted Sources’:
    • Credit / Default Agencies;
    • Financial Institutions;
    • Third-party services or suppliers who may have sought your consent;
    • Collaboration partners and affiliates directly or via platform agencies, such as Marks and Spencer, the Guardian, MOB Kitchen, Channel 4, ITV and SKY;
    • Media buying platforms who may have sought your consent;
    • Social media and other third party online platforms/services such as Facebook; Ambassadors or Influencers; and
    • to and visa versa.

Ocado Retail may share personal data or engage with third parties, for example, to meet legal obligations, fulfil contractual terms, or promote our products and services. Whenever we use or disclose your information, we put in place measures to keep it secure, and make sure it is protected as far as is reasonably possible. Third parties may include:

  • Other companies within Ocado Retail;
  • Payment card processors and service providers for the purpose of debit//credit card transactions;
  • Customer analytics and data insights companies;
  • Marketing and advertising agencies;
  • Social media platforms and digital platforms and users, such as influencers and ambassadors;
  • Post, courier, drivers or other delivery services;
  • Surveyors and researchers;
  • Web and app designers;
  • Tax, customs and excise authorities;
  • Regulators, courts and government agencies;
  • Public agencies, fraud and crime prevention and screening bodies/authorities;
  • Third parties assisting in the Fulfilment of competition terms and conditions;
  • Collaboration partners such as the Guardian, MOB Kitchen ITV and Channel 4;
  • Media buying and data clean room agencies;
  • IT, information security and facility providers; and
  • Shareholders or key stakeholders, such as Ocado Holdings Limited and Marks and Spencer Holdings Limited and their group companies.

Any insights and statistics we publish or share with third parties, whether for financial gain or not, will always be presented in an aggregated and anonymised form. For example, the data that may be provided to our suppliers to assist them in their sales performance and forecasting will never include personal identifiable information.

In the event Ocado Retail sells, merges or transfers our business, brands or assets, your information, if associated, may be passed to the acquirer and, as such, will be subject to the acquirer’s own Privacy Policy. The information, however, will remain subject to the obligations as outlined in this Privacy Notice and Cookie Policy.

Social media, digital platforms and collaboration partners

Ocado Retail may share your Personal Data (largely hashed mobile numbers and email addresses and IP addresses) with certain social media and digital platforms including but not limited to Facebook, Instagram TikTok, Nextdoor, YouTube, Snapchat, Twitter, Pinterest, Verizon and DV360 (Google), to allow us to build our campaigns through their platforms.

Ocado Retail may share you personal data with these platforms for the purposes of:

  • Identifying you on a social media or digital platform so that we can advertise products we think would be of interest to you, based on the information we hold about you and your social media profile;
  • Understanding the performance and return of our marketing activities on a social media platform, and to optimise the efficiency of marketing activity;
  • Helping a social media platform serve non Ocado Retail customers targeted marketing about our products and services on the social media platform, based on whether their profile matches those of our Customers; and
  • Aiming to prevent you being targeted for the promotion of our products and services on your social media account, and where possible on social media and digital platforms, if you have opted out of Ocado Retail marketing.

We also process Personal Data for the purposes of collaboration partnerships. We aim to utilise agencies' platforms which allow us to utilise “clean data rooms” to ensure collaborative partners never have access to your Personal Data.

In most circumstances Ocado Retail and the social media, digital platform or collaboration partners are Joint Data Controllers for this Processing and both parties have entered into a written agreement that sets out their respective responsibilities for carrying out the Processing in a GDPR compliant manner. This includes a requirement for Ocado Retail to provide our Customers with details of the Processing we carry out (as detailed above) and an acknowledgment that the social media and digital platforms will be responsible for enabling Data Subjects' GDPR rights for any Personal Data it stores after the joint Processing.

You have the right to opt out of data shares or processing with social media, digital platforms and collaboration partners. To exercise your right to object you can email

Marketing preferences and any valid right to object to data shares with social media, digital platforms and collaboration partners are at all times respected.

For further information about how a social media or digital platform processes your personal data, including the legal basis they rely upon, and the ways you can exercise your rights over the data they hold about you please visit their privacy notice that can be found on their website/s or within their application/s.

We work with third party partners who help us to identify any social media posts in which we have been tagged. If your tagged post includes an image we would like to reuse then we may post a comment asking if you would be happy to give your consent for us to potentially reuse it, we will only ever reuse or retweet content you have posted about us on social media if we have both asked for, and received, your consent. You can withdraw your consent at any time by emailing

If you make a comment about Ocado’s services on one of our social media posts then we may add our own comments in response. If you have provided negative feedback then we may post a comment encouraging you to message us directly to discuss further.

Marks and Spencer

Ocado Retail has entered into a partnership with Marks and Spencer to provide their products via our delivery service. We provide information relating to our customers to a contracted and independent third party who combines our data securely with that of Marks and Spencer, to produce an output to identify whether we share mutual customers, allowing us to enhance our marketing; operate a smooth, mutually beneficial relationship; and better understand our customers. No personal data such as names or contact details are directly shared with Marks and Spencer for this purpose.

Should you have a query or complaint regarding a Marks and Spencer product or service, we kindly ask that you contact them directly. However, should you require our assistance we ask that you provide us with written permission for us to pass your information to Marks and Spencers in order to deal with this.

We know how important it is to protect and manage your personal data and we take the security of your personal data seriously, by implementing technical and organisational measures to protect its integrity and privacy.

Our security measures

Our websites use Secure Sockets Layer (SSL) encryption technology to protect the transfer of your information to and from our websites ( and Our web page URLs will start with https and a padlock will be displayed in front of the URL bar to show that we always encrypt the information that you send us.

We maintain and enforce physical, electronic, and procedural safeguards in connection with the collection, storage and disclosure of your personal data. However, whilst we take appropriate technical and organisational measures to ensure the protection of your personal data, we cannot guarantee the security of all personal data that you transfer over the internet to us in every circumstance, for example, if we suffer a sophisticated cyber-attack.

Our security procedures mean that we may occasionally request proof of identity before we disclose personal data to you, including in relation to a request by you for the data we hold on you (a subject access request).

Keeping your payment details secure

We are committed to ensuring the protection of your payment card details and are compliant with the Payment Card Industry’s Data Security Standard (PCI-DSS). Payments made via our sites are processed and managed by specialist payment card companies which are not part of Ocado Retail. We only store and display the first six and last four digits of your payment card number, the card type and the card expiry date. The full payment card number is never stored on any of our systems and is only stored and processed by a payment card processing company approved by us.

We keep an encrypted authentication token to represent your card and this token is transmitted to the relevant payment card processing company during the order processing.

We use 3D Secure to provide additional fraud protection and to protect your payment card from unauthorised use. During the checkout process, you may be asked by 3D Secure to provide your Verified by Visa or Mastercard Secure Code password.

Protecting your password

It is important to keep your password secure to prevent fraudulent use of your account. Never disclose your password to anyone else, and especially to anyone who requests it from you by telephone or email; we’ll never do this (more information below). You should avoid using the same password for other websites, because if their systems are hacked, the hackers will also be able to access your account.

Avoid using common terms for your password such as "password" or "123456"; hackers know the most popular passwords and will try to access accounts using these. Instead, try to use a combination of letters and numbers that means something to you so it’s easy to remember but difficult to guess.

Personal security and identity fraud

Using public WiFi networks can be risky, and hackers may try to capture your online transactions and personal data. You should only connect to networks that you trust. If you use a shared computer, make sure that you log out once you have finished using a website or application.

Criminals and fraudsters may attempt to steal your personal data using a technique known as ’phishing’. This is where criminals send bogus emails that appear to be from Ocado Retail but are actually fake. These emails often deceive people into giving away their personal data (such as usernames and passwords) under the guise of updating security details, and contain a link to false websites asking you to input your account details.

We will never ask you to provide your personal data via email. If you receive an email like this that claims to be from us and contains a link to an external website, or a request for you to enter any personal data, treat it as suspicious and do not enter any personal data, even if the page appears legitimate. If you suspect that your account details are subject to such fraudulent activities, please let us know by calling our Contact Centre.

We retain your personal data only for as long as is necessary to support the purposes laid out in the "Lawful basis of processing" section, for our business interests and/or to comply with our legal, regulatory and contractual obligations.

If you wish to understand specific retention schedules please contact:

Closing your Ocado Retail account(s)

Please note that all of your Ocado Retail accounts are linked, so if you wish to close one account, this will result in all of your Ocado Retail ( and accounts being closed. Alternatively, your accounts can remain active and we can ensure that you are removed from all relevant marketing communications from any given account. For further information, please contact our Contact Centre. Should you wish to re-register at a later date you will be required to use a new email address.

Our operations are based in the UK and the Personal Data that we collect from you is processed, stored, and used within the UK, and other countries such as in the European Economic Area (EEA) and third party territories including the US.

For any transfer of Personal Data outside the UK or EEA,namely to third party territories and known as a “restricted transfer”, we aim to apply a similar level of protection by following requirements set out in data protection legislation.

We may make a restricted transfer if the receiver is located in a third country or territory or is an international organisation, covered by UK “adequacy regulations”.

UK “adequacy regulations” set out in law that the legal framework in that country, territory, sector or international organisation has been assessed as providing ‘adequate’ protection for individuals’ rights and freedoms for their personal data.

If there are no UK ‘adequacy regulations’ about the country, territory or sector for the restricted transfer, the transfer is subject to meeting ‘appropriate safeguards’.

Appropriate safeguards as detailed in the UK GDPR, are to ensure both us and the receiver of the restricted transfer are legally required to protect your rights and freedoms in respect of your Personal Data.

We undertake transfer risk assessments on all restricted transfers which take into account the protections contained in that appropriate safeguard, and the legal framework of the destination country (including laws governing public authority access to the data).

Restricted transfers are only made if we have entered into a contract with the receiver incorporating standard data protection clauses, such as EU SCC accompanied by a UK Addendum or an IDTA as recognised or issued in accordance with the UK data protection regime.

We also have the ability to rely on the derogation under Article 49 of the GDPR (when the transfer relates to the performance of a contract and for your benefit), and where you provide permission for the transfer to go ahead.

You can exercise certain rights in regards to the data we hold on you:

  • The right to receive a copy of the information we hold about you
  • The right to have inaccurate information corrected or incomplete information completed
  • The right to have your information erased
  • The right to have the processing of your information restricted
  • The right to withdraw your consent or object to processing reliant upon legitimate interests
  • The right to have your information transferred to another organisation or yourself in a machine readable format
  • The right to request human intervention in regards to automated decision making

The applicability of these rights is dependent upon our purpose and the lawful basis of processing relied upon. There may be reasons why the above rights may be limited in some circumstances. For example, we can refuse to provide information if fulfilling your request would reveal personal data about another person, or if you ask us to delete information which we are required to retain by law, have compelling legitimate interests to keep, or need to access in order to fulfil our legal obligations. In such situations, we would only use your information for these purposes and not use or share your information in other ways. We will always protect your privacy and retain any personal data in accordance with the section entitled ’Data Retention’.

How to exercise your rights and timescales

You can exercise your rights either verbally or in writing. However, if you submit a request verbally we recommend that you follow this up in writing to provide a clear correspondence trail.

We have an obligation to respond within one month of receiving your request. However, we also have the ability to extend the response time by two months should we determine the request is complex and requires additional time and resources to respond. If this is the case you will be informed of the extended response date, alongside an explanation, within the original one-month time frame.

The quickest and easiest way to make a data subject right request is to contact us directly by emailing

To exercise a data subject right you can further email us at this includes but is not limited to the following requests:

  • To provide you with more information if required, on how we process your personal data
  • To request access to personal data where you have the right to access a copy of the personal data we hold about you. We utilise an online portal to provide data to you, in a machine-readable format. Personal data is information that relates to an identified or identifiable individual. Personal data must relate to you. Therefore, not all data is personal data, we are however happy to provide you with information held and feasible to retrieve with regards to your engagement and any account with us, that is not exempt from disclosure.
  • To inform us personal data we hold on you is incorrect or incomplete, so we can help you update it. In most instances you can update your personal data online within your account.
  • To withdraw consent at any time where we have asked for it, but this will not affect any processing that has already taken place. For processing for marketing purposes refer to the section entitled ?Marketing Preferences?.
  • To object to certain processing activities which use your personal data, in particular where the processing is based on legitimate interests as outlined in the section entitled ?Lawful Basis of Processing?. For processing for marketing purposes refer to the section entitled ?Marketing Preferences?.
  • To ask us to delete, remove, or stop using your personal data if there is no need for us to keep it. You can also ask us to restrict the use of your personal data in certain circumstances. These rights are known as the ?right to object,? the ’right to erasure’ and the ’right to restrict processing’. Should you request your data be deleted outside of our retention period, you will need to use a different email address, if you decide to re-register as a customer with us, as your old email address will no longer be valid. You may be unable to continue using our services if you require us to stop using your personal data, since this information is necessary for us to accurately fulfil and provide our services.

Identity Verification

We will only process a data subject rights requests where we are satisfied that ID verification has been successful, and you are the one asking for your personal data to be processed. We will not process personal data where we are in doubt of the identity of the requestor. You may be asked to prove your identity when making a subject rights request.

Requests made by third parties

In line with our privacy practices and to protect your rights and freedoms, we are unable to process a data subject rights request made by a third party (such as Rightly) where; there is doubt that the third party has the appropriate authority to act on your behalf; and where we are not satisfied adequate evidence has been provided in support of identity verification. We would always aim to ensure that a third party has the appropriate consent or authority to act on your behalf, and most significantly that you are fully aware that the third party has made contact specifically with us (Ocado Retail Limited), regarding exercising your data subject rights.

Before we can process a data subject rights request made by a third party on your behalf, we require as a minimum from the third party:

  1. a copy of an identity document for you; and
  2. evidence of your address; and
  3. a physically signed authority by you; or a verbal authority provided directly to us from you and noted on your account; and if provided electronically the authority is to come directly from your email address that matches our records.

We will not access or process your personal data without being confident we are acting on your specific instructions.

If required, identification will be requested within the one-month time frame and only limited to what is necessary for confirmation, such as a copy of your driving licence, passport or utility bill. Once the ID has been confirmed we will then process your request.

If your request cannot be processed, due to legal obligations or the non-applicability of rights, we will inform you of this, along with the reasons as to why your request cannot be carried out. Should we refuse to comply with a request we will inform you of this within the one-month time frame and provide an explanation outlining our justification, our internal complaints procedure and your right to complain to a supervisory authority and to enforce your rights through a judicial remedy.

We market and promote and offers, gifts and other marketing promotions about our products and services, and those of our specially selected partners, via a range of communication channels in line with the Privacy and Electronic Communications Regulation (PECR), the Data Protection Act 2018 and UK GDPR.

We rely upon our legitimate interests to market our products and services via:

  • Live telephone calls to numbers not listed on the Telephone Preference Service
  • Direct mail marketing to individuals not listed on the Mail Preference Service
  • Email, SMS and other electronic mail to individuals whose information has been obtained via the use of soft opt-in

For both and, we also rely on legitimate interests as a means to market to all of our customers, regardless of the service you used (either and/or

We rely on consent to market our products and services via:

  • Live marketing calls to numbers listed on the Telephone Preference Service (with consent)
  • Direct mail marketing to individuals listed on the Mail Preference Service (with consent)
  • Automated phone calls
  • Push notifications as controlled from your device

We also rely on consent where we may market to you about our specially selected partners via electronic mail, SMS and push notifications. Consent is further obtained, where required, to utilise cookies for marketing purposes.

We will only ever send you marketing we believe is beneficial and specifically relevant to you, or where you have given your consent. You can change your marketing preferences at any time for what you receive from us, and how your receive it by:

  • Using the marketing preferences found by going to “Account Settings” and then selecting “Marketing Communications” on the relevant Ocado Retail website ( or
  • Clicking on the unsubscribe link contained in marketing emails
  • Utilising opt out functionality on SMS
  • Emailing us at for any personal data shares for marketing purposes where valid
  • The option to receive push notifications are managed by you through the App and/or your device.
  • For changes to your cookie preferences see our Cookie Policy below.

To unsubscribe from postal marketing and telephone marketing please complete this online form

To unsubscribe from postal and telephone marketing please email or utilise the form on found here

You can choose to consent to receive PUSH notifications within your device settings. Consenting to PUSH notifications includes marketing communications. We are under no legal obligations to provide you with service PUSH notifications, and if you choose to not consent to PUSH notifications, you will have to rely on text or email updates for service reminders.

If you decide to opt out or unsubscribe from marketing communications it could take up to 72 hours to process the update through our systems, legally we are entitled to one month to process a data subject right request, however we most often action much sooner. Whatever you choose, you may still receive non-marketing related messages and other important service information. We may also ask you to confirm or update your marketing preferences if there are changes in law, regulation, or business strategy or structure where lawful to do so.

Objecting to one channel of marketing or Ocado Retail brand (such as and may not automatically opt you out of other marketing channels or brands. To check you are opted out of all marketing channels and brands, you can email:

Ocado Retail brand websites or services may provide links to third-party applications, products, services, or websites for your convenience and information. If you access those links, you will leave the Ocado Retail brand website. Ocado Retail brand does not control those third-party websites or their privacy practices, which may differ from our own. We do not endorse or make any representations about third-party websites. The personal data you choose to provide to or that is collected by these third parties are not covered by this policy. We encourage you to review the privacy policy of any website you interact with before allowing the collection and use of your personal data.

We may also provide social media links that enable you to share data with your social networks and to interact withOcado Retail on various social media sites. Your use of these links may result in the collection or sharing of data about you, depending on the feature. We encourage you to review the privacy policies and settings on the social media sites with which you interact to make sure you understand the data that may be collected, used, and shared by those sites.

If you are not satisfied with our use of your personal data or our response to any request made by you in relation to your personal data, you have a right to make a complaint to the Information Commissioner at:

Information Commissioner?s Office
Wycliffe House
Water Lane

Tel: 0303 123 1113 (local rate) or 01625 545745 (national rate)


The ICO currently recommends you contact them within 3 months of your last contact with us and advises you to contact them once the company’s complaints process has been exhausted.

When you visit an Ocado Retail website ( or or use one of our related apps, we apply our own and third-party cookies and similar technologies (for example, pixels, SDKs and tracking URLs) to identify your device, personalise and improve your customer experience and, where appropriate, serve you relevant advertisements.

This Cookie and App Consent Policy provides information regarding our use of cookies and similar technologies on our websites ( or, the SDKs on our apps and the choices you have in regards to either of these.

What are Cookies?

Cookies (or similar such as SDKs) are small files that are placed on your computer, mobile phone, tablet or other device when visiting a website or application. Cookies and SDKs assist in the performance and end user experience by remembering preferences and choices, identifying traffic and remembering your selections, such as the items you place in your basket.

We have two main categories of cookies: essential and non-essential.

Essential cookies (Strictly necessary)

Summary: These cookies let you log in, access your Account Settings and use all services. These also include essential functional and performance cookies/SDKs. These can’t be disabled as they are strictly necessary for the functioning and acceptable user performance of our websites/apps.

These cookies are essential in order to enable you to move around our website and app and use its features, including accessing secure areas. Without these cookies, any services on our website or app you wish to access cannot be provided. These essential functional cookies are needed for services to be provided whereas essential performance cookies allow us to monitor the performance of necessary activity - for example, information security purposes.

Strictly necessary cookies are necessary for the website or app to function. You can set your browser to block or alert you about these cookies, however this is likely to affect your user experience as certain parts of the site or app will not be able to function. These cookies do not store any personally identifiable information.

Non-essential cookies

Performance and Analytics cookies
Summary: These collect, analyse and report information on the performance of our websites/apps. With them, we can fix any errors or make improvements on any not-so-easy-to-navigate pages. In addition to this we use third-party web analytics software on our websites/apps to help us understand how well our website and promotional content are performing. These cookies are only processed with your consent.

We set cookies that help us assess the performance of our online and TV advertising campaigns. For example, these cookies will record whether a customer visited the website/app or made a purchase after viewing one of our adverts. These can include third party cookies set by online advertising platforms including but not limited to Facebook, Bing and Pinterest.

Analytics cookies
Analytics cookies collect information about how you and other visitors use our websites or apps. This can be anything from which pages you go to most often or if you get error messages from web pages. We use data from these cookies to help test designs and to ensure a consistent look and feel is maintained on your visit to our websites or apps. In addition to this we use third-party web analytics software on our websites and apps (such as Google Analytics) to help us understand, for example, how well our website is performing.

Functional cookies
Summary: These cookies allow this website/app to remember your preferences and settings to make your experience quicker and easier every time you return to shop (e.g. your username, text size, font style and much more). These cookies are only processed with your consent.

These cookies allow our website/app to remember choices you make (such as your username, language, or the region you are in) and provide enhanced personal features. These cookies can also be used to remember settings such as changes you have made to text size, fonts, and other parts of the web page that you can customise.

Targeting cookies
Summary: These cookies are used to show you more relevant adverts and are usually placed by third parties with our permission.These cookies are only processed with your consent, and may involve the processing of offline personal data, in order to be able to understand what targeted advertisements will be of interest to you. If these are disabled, you’ll still see our adverts, they just won’t be as relevant to you.

These cookies are used to deliver adverts more relevant to you and your interests, including the ads we display on our websites and apps, and on third party advertising platforms such as Facebook. They are also used to limit the number of times you see an advertisement, where you see the advert, and may help measure the effectiveness of a marketing campaign. They are usually placed by third parties (such as advertising networks or platforms) with the website operator's (our) permission. Targeting cookies are only processed with a user’s consent.

They remember that you have visited a website and this information is shared with the advertiser or processor that helps us deliver the advertising. Some targeting cookies include having to process offline or account information to fulfil the purpose of the cookie, meaning in order to provide you with advertisements relevant to you, personal data we hold about you may need to be processed so we can best understand your interests and what adverts would be of the most value for you to see.

If you do not consent to targeting cookies, you will still see adverts, however, these will not be targeted and so may not be relevant to you.

We have enabled Google Analytics Data Collection for Advertising Features, including Remarketing and Advertising Reporting Features. These features enable us to make use of data from users who have chosen to allow Google to associate their web and app browsing history with their Google account in order to personalise the ads we may show in Google Search and Display Advertising. This helps us provide more relevant messaging to our users. This also provides us with demographic and interest information at an aggregate level that helps us to understand our users better.

We have enabled ID synchronisation cookies with The Trade Desk. Cookie syncronisation enables The Trade Desk to sync cookie IDs, which allows advertisers to be able to find visitors to this site on other web properties for targeted advertising purposes. You may see this cookie as

In order to assess the performance of advertising campaigns we may use a cookie to share information, for example with SKY when arriving on our landing page through use of a SKY QR code. This cookie may collect digital identifiers such as IP addresses and User IDs which help us record whether you visited the website or made a purchase after viewing the relevant advert. By consenting to Targeting cookies you will agree to us placing and sharing such cookies.

Social media extensions
These technologies allow you to share what you've been doing on our websites on social media, such as Facebook and Twitter. For example, by clicking the 'Facebook Like' icons that may appear on our product pages. Although we enable these tools to be displayed on our websites so that you may interact with them, if you choose to do so, they are not within our control.

If you post, comment, indicate interest, or share personal data, including photographs, to any public forum, social network, blog, or other such forum, please be aware that any personal data you submit can be read, viewed, collected, or used by other users of these forums, and could be used to contact you, send you unsolicited messages, or for purposes that neither you nor Ocado Retail have control over. Ocado Retail is not responsible for the personal data you choose to submit in this manner. Please refer to the relevant third party privacy policies for how these functionalities work.

App (SDKs) Consent

When utilising Ocado retail applications (Ocado.Com and we and our partners utilise technology similar to the cookies used on our websites as explained above. These components are called software development kits (SDKs) and perform various activities such as facilitating the use of our app and allowing us to understand our users’ behaviour to improve performance. SDKs may also be used to personalise experiences and deliver more targeted marketing. SDKs can process personal identifiers like device ID and location, whilst some SDKs may be able to track other personal identifiable information such as usernames and email addresses.

Managing Cookies and SDKs
As with cookies we are lawfully required to obtain an app user’s consent for use of certain SDKs. We do so through the same consent management platform that allows you to manage your cookie preferences on our websites.

Within the consent preference centres you can choose which non-essential components are set on our websites and apps. Essential components are always set to active. You may need to ensure your preferences are selected for each device and/or website or application you visit.

You can update your app consent preferences at any time within the app by selecting “App Consent under Account Settings”. You will need to ensure you have the latest version of the app downloaded to your device to access your “App Consent” preference centre.

You can update your website cookie preferences anytime at:

You can find out more about how we categorise our cookies and SDKs, a description of the categories and which components require consent within the consent management platform, or by emailing us at

To find out more about cookies please visit: or see which contains further information about behavioural advertising and online privacy.

To opt out of Google Analytics for Display Advertising and customize Google Display Network ads please go to

Should you require any assistance to further understand what cookies are utilised on our website and similarly, what SDKs are utilised on our apps, you can email

We may review and amend the contents of this Privacy Notice and Cookie and App Consent Policy from time to time therefore we recommend you check it regularly.

If you have questions regarding the contents of this Policy, or wish to exercise any of your rights described within, you can contact our Data Protection Officer by email or by post:


Post: Data Protection Officer, Ocado Retail Limited, Apollo Court, 2 Bishop Square, Hatfield Business Park, Hatfield, Herts, AL10 9EX.