Skip to content
Back to home page

Heineken Corporate Privacy Policy

We respect your privacy and are committed to protecting your personal data. Amongst other things, this privacy policy covers our processing of personal data when you visit this website (i.e. www.heineken.co.uk) and tells you about your privacy rights and how the law protects you.

This privacy policy is provided in a layered format so you can click through to the specific areas set out below.

Heineken UK Limited ("we", "us", or "our") is part of the Heineken group and we are the controller of your personal data. Personal data is any information about an individual from which that person can be identified. If you have any questions about this privacy policy or our processing activities, we can be contacted as follows:


  • Mail: 6 St. Andrew Square, Edinburgh, EH2 2BD, marked for the attention of the Privacy Officer;

         or

 

It is important that you read this privacy policy together with our cookie policy and any terms of use that apply to the services or website which are presented to you. This privacy policy supplements the other policies and is not intended to override them.

  • What is covered by this privacy policy?

This privacy policy describes how we look after your personal data collected when you engage with us including when you (i) visit our corporate website and our Star Retailer website; (ii) apply to become/become a customer of ours; (iii) act as a personal guarantor for one of our customers; (iv) purchase our products or services; (v) register your interest in or join the Star Retailer Scheme; (v) contact us via email or telephone with an enquiry or complaint; (vi) take part in a customer competition or activation; (vii) visit one of our sites and are captured on our CCTV; and/or (viii) attend one of our events or an event that we sponsor ("Engagement"). 

  • What is not covered by this privacy policy?

If you are a customer who submits orders through eazle, please review the privacy policy available on the eazle website, which describes how we look after any personal data collected through that website. 

If you are a consumer and we are processing your personal data for marketing purposes or because you have taken part in a consumer competition or activation or you’ve visited a venue in which we sponsor the Wi-Fi services, please review our Heineken and Star Pubs Consumer Privacy Policy.

We collect different categories of information which we have grouped together as follows:

Identity Data – name, username, title, date of birth, wholesaler account number or similar identifier;
Contact Data – billing address, delivery address, email address and telephone number;
Financial and Transactional Data - credit history, bank account and card payment details, and details about payments as well as products and services purchased from us;
Image Data – images captured by CCTV at one of our sites;
Call Recording Data – data captured when you contact us by telephone;
Profile Data – preferences, feedback, survey responses and interests;
Technical and Usage Data – information about how you use our products and website(s) (including your IP address and details about the devices you use to access our website(s)). Please review the cookie policy on the relevant website for further information on this;
Marketing and Communications Data – preferences in receiving customer (B2B) marketing and communications from us and information in terms of engagement with email communications;
Location Data – GPS-based location information from your use of our website via your smartphone(s), tablet(s) or other devices;
Photo and Video Data – photos and/or video footage of you captured when you attend any events hosted or sponsored by us (your attention will be drawn to any photography or filming that is taking place, and your consent will be obtained where required); and
Inferred Data – which is inferred or derived from the data we collect, for example inferences about your interests based on your Identity Data, Technical and Usage Data, Profile Data or Location Data.

 

We also collect, use and share Anonymised Data such as statistical or demographic data which is not reasonably likely to reveal your identity (directly or indirectly). For example, we may receive aggregated usage data detailing the percentage of users accessing a specific website or visiting venues where we supply our products. If we combine or connect Anonymised Data with other data so that it can directly or indirectly identify you, the combined data is 'personal data' which will be used in accordance with this privacy policy.

We do not knowingly:
Process any Special Categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sexual orientation, political opinions, trade union membership, information about your health or genetics and biometric data). Nor do we process any information about criminal convictions and offences; or
Collect personal data relating to children. We have age verification processes on our website to ensure we do not market our products or brands to anyone under the age of 18.

You have various rights regarding our use of your data, see section 10 for more detail.

 

We collect the above categories of personal data about you for the following purposes (more specifically described in Annex 1):

To onboard you as a customer or member of the Star Retailer Scheme;
To communicate with you;
To administer our business and perform contracts with you;
To maintain and optimise our website;
To improve our products and services;
To enable you to partake in a customer promotion and for prize fulfilment purposes;
To share photo and/or video footage captured at public or private events in external publications, on social media, with marketing agencies and/or internally;
To market to you;
To conduct market research;
For analytical purposes;
To protect our business, comply with our contractual or regulatory obligations and prevent or detect crime;
To satisfy our legal and regulatory obligations and co-operate with regulators and government bodies; and
To defend and exercise our legal rights, including in relation to managing actual and potential claims.

 

Under data protection laws, we must have a  lawful basis under which we process your personal data. You can find detailed information on the 6 available lawful bases on the Information Commissioner's Office website (https://www.ico.org.uk).   We will only use your personal data for the purposes set out in section 4, unless we reasonably consider that we have another appropriate reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the lawful basis which allows us to do so. 

If you provide us with your consent to processing either in connection with your use of our website, through a Social Media Platform or a Relevant Third Party, you can withdraw it at any time and we will stop the processing activities that were based on consent as a lawful basis. Please note we may still process the data if we have another lawful basis for processing (in most instances, this will be for a more limited purpose e.g. back-up storage or to record a withdrawal). 

Where we need to collect personal data due to a legal or regulatory obligation, or for performance of a contract, and you do not provide that data when requested, we may not be able to continue our Engagement with you or perform the contract we have or are trying to enter into with you (for example, to provide you with products or allow you to participate in competitions). We will notify you of this at the time. 

Further information on the relevant purposes and linked lawful basis are set out in Annex 1.

We may share your personal data with the parties set out below: 

  • Internal third parties - other companies in the Heineken group based within the EEA and the UK, (but not for any marketing purposes without your consent).
  • External third parties – which include:
    o communications platform providers (i.e. vendors we use to send and manage email and SMS communications including Salesforce and Airship);
    o marketing and advertising companies and media agencies for marketing and research purposes, and to provide promotion services, data on-boarding services, research and marketing strategy services; 
    o prize fulfilment agencies;
    o IT and system administration service providers (including data storage providers and data management platform providers);
    o service providers such as solicitors, accountants, insurance claims managers, facility management providers and insurance companies;
    o credit reference agencies (“CRA”) - where you submit an application to become one of our customers, we will supply your personal information to a CRA, and they will give us information about you, such as your financial history, for the purposes of carrying out identity and credit checks against you. Please note that CRAs may also share your information with other interested parties for credit reporting purposes. The identities of CRAs and details of the ways in which they may use your personal information are explained in more detail on the Experian website;
    o regulators, local authorities and government bodies, including the Police and HMRC, to comply with any legal or regulatory requirements or formal/informal investigations;
    o courts, parties to litigation and professional advisers where we reasonably deem it necessary in connection with the establishment, exercise or defence of legal claims; and 
    o a purchaser or parties interested in purchasing any part of our business (and professional advisors supporting on the transaction).

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. Where the third parties act as processors on our behalf, we only permit them to process your personal data for specified purposes and in line with our instructions.

 

Third parties we share data with may be based outside the UK. Whenever we transfer your personal data out of the UK, we take steps to ensure that we comply with our legal and regulatory obligations in relation to personal information and that the same level of protection is afforded to it as in the UK. We do this in two ways: 

  • we will transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the UK Information Commissioner's Office (for example, all countries in the EEA are deemed “adequate”); or
  • we will use specific contracts approved by the UK Information Commissioner's Office. 
 

We have put in place reasonable security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know - they are subject to a duty of confidentiality. Unfortunately, no transmission of information over the internet can be completely secure, and the security of information depends in part on the security of the computer you use to communicate with us and the security you use to protect account information and passwords. Please, take care to protect this information.

Our website and the Wi-Fi services include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third party websites, plug-ins or applications and are not responsible for their privacy policies. We encourage you to read the privacy policy of every website you visit and third party service/application that you use. 

 
We will only retain your personal data to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, tax, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider any legal requirements, the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means. Criteria used to determine retention periods for specific data collected are detailed further in Annex 1.

Under data protection laws, you have various rights which are set out below. You can also find more detailed information on the Information Commissioner's Office website (https://www.ico.org.uk). The rights available to you depend on our reason for processing your personal data. You are not required to pay any charge for exercising your rights, although we may charge a reasonable fee if your request is unfounded, repetitive or excessive. We have one month to respond to you (unless you have made a number of requests or your request is complex, in which case we may take up to an extra two months to respond). Please note that, where we ask you for proof of identification, the one-month time limit does not begin until we have received this. If we require any clarification and/or further information on the scope of the request, the one-month deadline is paused until we receive that information. 

a) Right of access. You have the right to ask us for copies of your personal data. This right always applies. There are some exemptions, which means you may not always receive all the information we process. 

b) Right to rectification. You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.  

c) Right to erasure. You have the right to ask us to erase your personal data in certain circumstances. 

d) Right to restriction of processing. You have the right to ask us to restrict the processing of your information in certain circumstances. 

e) Right to object to processing. You have the right to object to processing of your personal data where we are relying on a legitimate interest or conducting direct marketing.

f) Right to withdraw consent. Where we are relying on consent to process your personal data, you may withdraw it at any time. This will not affect the lawfulness of any processing carried out before you withdraw your consent. 

g) Right to data portability. This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent. 

 

You have the right to make a complaint to us at any time. Please use the contact details at the start of this privacy policy.

You also have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues:

 

Information Commissioner’s Office

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk


We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance using the details at the start of this privacy policy.

This version was last updated in May 2025. 

Purpose/Activity

Type of data

Lawful basis for processing including basis of legitimate interest


Retention period

To communicate with you and improve our products and services, which includes:

  • managing our relationship with you;
  • investigating and responding to enquiries or complaints;
  • recording customer calls to our Customer Care and Consumer Care teams for quality and training purposes
  • making suggestions to you about various products and services that may be of interest to you;
  • sending you emails, newsletters or alerts;
  • asking you to complete surveys about how we can improve the products or services we offer you;
  • asking you for information on how we can improve our websites or our Engagements with you; and
  • ·notifying you about changes to our terms or privacy policy.

Note: See Annex 2 for more information on our marketing and profiling activities.

  • Identity

  • Contact

  • Call Recording

  • Profile

  • Technical and Usage
  • Marketing and Communications

Performance of a contract with you.

Necessary for our legitimate interests (for running, managing and protecting our business).

To perform our legal obligations.

Where required by privacy laws, consent.

 

Where you have contacted us in connection with an enquiry or complaint, we will retain your data for 3 years after the enquiry or complaint has been resolved.

 

Recorded calls will be retained for 400 days from the time of the relevant call.

 

Survey feedback will be retained until it has fulfilled its intended purpose (Note: please see section 9 to learn more about the things we consider when determining how long we will retain your personal data).

 

If you no longer wish to receive marketing communications from us, you can unsubscribe at any time. We will remove your email address once you have opted-out, unless this is also used and retained for other purposes listed in this privacy policy. 



To administer our business and perform contracts with you – this includes:

  • managing payments, fees and charges and delivering the requested product / service;
  • assessing and accepting customers, suppliers and other business partners who wish to do business with us, as well as entering into appropriate agreements with said customers, suppliers and business partners;
  • completing customer account opening procedures;
  • processing your application to join and registering you as a member of our Star Retailer scheme; and

using the information that you have provided for the purposes of verifying your identity and carrying out anti money laundering and credit checks against you (Note: this may include use of a credit reference agency or other third parties).

  • Identity

  • Contact

  • Financial and Transactional

Necessary for our legitimate interest (to ensure we are doing business with creditworthy and legitimate entities, which requires analysis of certain individuals connected with such entities).

 

Performance of a Contract with you.

 

To perform our legal obligations.

 

 

After the duration of your contract with us has expired, our online sales records will be retained by us for 7 years or longer if required for tax or corporate bookkeeping purposes.

 

The information you provided for the purposes of verifying your identity and carrying out anti money laundering and credit checks against you is retained for 3 years after termination of the relationship.

 

Our retention period for data in connection with contracts and performance of the business is 6 years after termination of the relationship.

 

We retain personal data processed in connection with our Star Retailer Scheme for 12 months after membership to the scheme ends.

To maintain, improve and optimise our website and to keep it relevant - this includes data analytics and solving performance issues, including troubleshooting, testing, system maintenance, support and reporting and hosting of data in order to improve the availability and functionality of our website.

  • Identity
  • Contact
  • Profile
  • Technical and Usage

Necessary for our legitimate interests to maintain the relevance of our brand, products and reputation run our business, operate administration and IT services, protect network security and to prevent fraud).

 

Necessary to comply with a legal obligation.

We retain information relating to the performance of our website for 2 years.

 

The cookie policy on the relevant website you are viewing provides more information on specific cookie retention periods.

To deter crime and ensure the personal safety and security of visitors and staff through the use of CCTV at our sites.
  • Identity
 Necessary for our legitimate interests (to protect the safety and security of visitors and staff at our sites and assist in criminal investigations).


Video footage will be retained for a limited time before it is automatically deleted.  The retention of CCTV is determined by the need to investigate health and safety incidents or criminal incidents, including in connection with any legal proceedings or requests from law enforcement authorities, loss adjusters and insurers. 

 


To maintain, improve and optimise our website and to keep it relevant - this includes data analytics and solving performance issues, including troubleshooting, testing, system maintenance, support and reporting and hosting of data in order to improve the availability and functionality of our website.

 

 
  • Identity

  • Contact

  • Profile

  • Technical and Usage
 

Necessary for our legitimate interests to maintain the relevance of our brand, products and reputation run our business, operate administration and IT services, protect network security and to prevent fraud).

 

Necessary to comply with a legal obligation.

 

 

We retain information relating to the performance of our website for 2 years.

 

The cookie policy on the relevant website you are viewing provides more information on specific cookie retention periods.

To enable you to partake in promotions and for prize fulfilment purposes including:

  • Prize with purchase promotions;
  • Loyalty and reward schemes; and
  • Sweepstakes, scratch-card and raffle style promotions.


  • Identity
  • Contact






Performance of a contract with you.






6 months following prize fulfilment (in certain cases the retention period may be longer due to the nature of the prize e.g. flight tickets – in such cases the personal data will be deleted when it is no longer required).


To share photo and/or video footage captured at public or private events in external publications, on social media, with marketing agencies and/or internally.

  • Photo and Video Data
 

Necessary for our legitimate interest (to promote and grow our business).

Where required by privacy laws, consent.

Until an opt-out / objection is received or consent is withdrawn as applicable. 

To conduct market research, we may reach out to specific customers and request an insight into developing new products or ways to improve our current products or services – we will use this information to ensure our marketing is relevant.

 

Note: See Annex 2 for more information on our marketing and profiling activities.

  • Identity
  • Profile

  • Technical and Usage

Necessary for our legitimate interests (to maintain the relevance of our brand and reputation and to grow our business by ensuring we understand the market in which we operate).

Contractual necessity, where you are asked to sign up to terms as part of the market research product.

We will retain your data until an opt-out / objection is received.

The cookie policy on the relevant website you are viewing provides more information on specific cookie retention periods.

To conduct data analytics to improve our marketing strategies, customer relationships and experiences, so that we can issue relevant marketing content and offers and analyse email engagement. This includes:

 

  • identifying what subjects are of most interest to you;
  • using tracking technologies to understand how you respond to our emails (for example, whether you open the email, click-through links and/or unsubscribe); and
  • assessing the success of our marketing campaigns and communications.

 

Note: See Annex 2 for more information on our marketing and profiling activities.

· Identity

· Profile

· Marketing and Communications

· Technical and Usage

· Inferred

· Location

Necessary for our legitimate interests (to promote and grow our business).

Where required by privacy laws, consent.

Data will be processed until an opt-out / objection is received or consent is withdrawn as applicable.

 

The cookie policy on the relevant website you are viewing provides more information on specific cookie retention periods.

To protect our business through compliance with contractual or regulatory obligations, prevention / detection of crime and satisfaction of our legal obligations / defence of our legal rights, including:

  • recording calls placed with our Customer Care and Consumer Care teams;
  • complying with requests (including informal investigations) or demands of regulators and other bodies having jurisdiction over us;
  • investigating security incidents on our website; detecting and preventing spam, fraudulent activity, network exploits and abuse on our websites; and
  • securing our website against fraud.

· Identity

· Contact

· Technical and Usage

Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise).

Necessary to comply with a legal obligation.

Where you have contacted us in connection with an enquiry or complaint, we will retain your data for 3 years after the enquiry or complaint has been resolved.

The cookie policy on the relevant website you are viewing provides more information on specific cookie retention periods.


Marketing (Customer / B2B)

We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising. 

We will only send direct electronic marketing (e.g. via emails or mobile messaging) where:

  • you are a Heineken customer or a Star Pubs lessee and you have not opted-out of receiving marketing relating to our brands and any third party products that we make available, as well as information on our comprehensive support package; or
  • in relation to emails or other communications containing offers and discounts from carefully selected suppliers who are part of our Heineken or Star Pubs Buying Clubs, we have your consent; or

  • you have solicited certain information (for example to receive one-off correspondence regarding products or services of ours). 

 

You can ask us to stop sending you direct marketing messages at any time by using the unsubscribe link in any marketing email that we send to you or by contacting us at unsubscribe@heineken.co.uk. Where you opt out of receiving these marketing messages, we will no longer conduct direct electronic marketing unless you opt-in again at a later point. Please note that where we have another lawful basis for processing, we will continue to process personal data for other purposes – for example, we may process information provided to us in connection with an Engagement on the basis of contract necessity.

 

Profiling

We may use your Identity Data, Contact Data, Profile Data, Technical and Usage Data, Marketing and Communications Data and Location Data, to form a view on what we think you may want or what may be of interest to you and to understand your purchasing trends. 
A specific example is that when you receive an email from us, we may receive certain information about how you interact with that email. The information we collect includes the number of times you have opened the email; if you have clicked links in the email; whether you have unsubscribed or marked the email as spam; or whether the email has bounced. This ensures you do not receive irrelevant or unwanted emails, as well as allowing us to use our resources efficiently. 

These profiling activities inform how we decide which brands, products, services and offers may be relevant to you. By building a profile on you, we can send you tailored communications and make personalised recommendations, inform you of special offers we think you will be interested in and customise promotions & special offers that are most relevant to you.

Please note that whilst we carry out the profiling activities described here, we do not carry out any automated decision-making processes which could have a legal or significant impact on you.

Note: If you are a consumer and we are processing your personal data for marketing purposes, please refer to our Heineken and Star Pubs Consumer Privacy Policy