Privacy Policy

Costa Limited respects your data and your privacy is important to us. This is the Privacy Policy for the Costa Coffee for Business website. Costa Coffee for Business is the trading name used by Costa Limited to promote the purchase of Costa rewards and gift cards by business.

The Costa Coffee for Business Privacy Policy explains what personal data is collected by Costa Coffee for Business and how it is used. This notice also explains what rights you have over your personal data and how you can use those rights.

You have the right to object to some of the processing which Costa carries out. More information about your rights and how to exercise these is set out in the “Your rights” section of this notice.

Costa Limited’s registered office is Costa Limited, 3 Knaves Beech Business Centre, Davies Way, Loudwater, Bucks, HP10 9QR. This Costa for Business Privacy Notice is in addition to the Costa Limited Privacy Notice which covers contact with Customer Services, Costa Coffee Club and stores we own.

Summary of how we use your data and your rights

Information we collect from you

Information we receive from third parties

How we use information and the legal basis

Data sharing

International transfers

Cookies and similar technologies

Data retention

Your rights

Contact details

Which Costa entity is the controller?


Summary of how we use your data and your rights

We use your data to provide and improve our products and services, including for marketing, research, feedback and enquiries.

We will use your data to comply with laws and regulations. We may use your data to prevent and detect crime, such as fraud. 

You have the right to object to some of the processing Costa carries out. More information about your rights and how to exercise these is set out in the “Your rights” section of this notice. 

When you give consent, you are able to withdraw that consent at any time, for instance by emailing You can also email to exercise any other data rights, such as obtaining a copy of your data, correcting, deleting or restricting how we use your data.  Please see “Your rights” for more information.

You can unsubscribe from marketing communications at any time. To opt out of marketing, select “unsubscribe” in emails, or email    

Our Costa Coffee for Business website uses strictly necessary cookies and similar technologies to improve functionality and analytics cookies to gather business insights anonymously. You can reject and block cookies in your browser settings. Please see our Cookie Notice for more information.

If you access the location finder on our main Costa site ( and your browser settings allow this, your device will identify and alert you to the nearest Costa Store and Costa Express to your location.

Costa is part of the Coca Cola group of companies, for details of how personal data is shared with the Coca Cola group, please see the “Data Sharing” section below.


Information we collect from you

We collect information from businesses who contact us or use our services. This includes purchasing Gifts and EGifts, using our websites or corresponding with us. 

In particular:

  • We keep information of our business contacts such as contact details (including name, email, address and telephone number), comments, feedback, purchased made and marketing opinions.
  • We record and analyse web visits and details of your purchases.
  • If you engage with us online via our websites our cookies and similar technologies will capture your IP address, your location, and record how you use the site or app to help improve it and improve your user experience, where your browser settings or permission allows for this.
  • If you post information online about us or provide feedback, we may keep a record.
  • If you contact us directly and complain or give feedback, receive compensation, we will record details and all related information such as emails, letters and phone calls.
  • If you use a Costa Coffee Club card to collect loyalty points when you make purchases using your Gift card, please refer to the Privacy Notice for Costa Limited, which covers Costa Coffee Club.


Information we receive from third parties

We may receive your information from other people.  This can happen when:

  • Someone buys you a Gift or E-Gift. They give your name and email address, so we can send you the E-Gift. They may give your name to enable personalisation of a Gift card.
  • Our Costa for Business service partners give us business customer information to assist with service delivery and business improvements.


How we use information and the legal basis

We are allowed to use your data only if we have a proper reason to do so such as: 

  • To fulfil a contract we have with you;
  • When it is in our legitimate interest;
  • When you consent to it; or
  • To comply with the law.

A legitimate interest is when we have a business or commercial reason to use your data. This involves us making an assessment of when we can rely on our legitimate interests. For more information on this assessment please contact

We have set out below how and why we may use your personal information and the legal basis we rely on. This is also where we tell you what our legitimate interests are.

When you buy something from us we use your information to fulfil our contract with you.

We take information to communicate with you, check your identity, take payment, and provide products and services. 

To run our business and pursue our legitimate interests, we use your information.

Our legitimate interests include keeping our records up to date, fulfilling our legal, compliance and contractual duties, working out which of our products and services may interest you, improving our site and apps, and services, developing new products and services, and telling you about them and conducting market research. 

Further details of our legitimate interests:

To run and promote our business, we use your information:

  • To provide and improve our products and services, including Gift Cards and E-Gifts, and to respond to you if you contact us.
  • Where you leave a voicemail, to gather details and respond to your request.
  • When we monitor Costa websites, social media platforms such as Facebook and Twitter and online services including our mobile app and responses to email marketing. If you post comments online or in other media we may capture this information, contact you, and use it to improve our products and services.
  • To run promotions and track which offers seem of interest to you.
  • To understand you better as a customer by analysing your transactions and other information you provide to us or which we learn through your interactions with us.

To prevent, investigate and/or report crime including fraud, misrepresentation, including where we are required to do so by law we may:

  • Monitor your account and communications with us.
  • Use other organisations to check the validity of the credit or debit card details you use to pay (for further details see “Data sharing” below).

To comply with law, assess and uphold legal or contractual rights and claims, and for monitoring, auditing and training on compliance matters:

  • We keep records and pass your data to Costa Coffee Ltd and our insurers when necessary (for further details see Data sharing below).
  • We keep notes of communications, including incoming and outgoing calls and emails.
  • We may verify your identity.
  • If you visit us, we keep records to comply with health and safety legislation, including accounting for the number of individuals on our premises and logging accidents.

We may, if you give us consent

  • Send you electronic marketing if you have asked for information about our services.
  • Use cookies or similar technologies on the website, including analytic cookies. For more details on our use of such technologies, click here to see our Cookie Notice.
  • If you use the store locator on the main Costa site and enable location services it will notify you of the nearest Costa or Costa Express.
  • Use data for other purposes where we explain that purpose when we ask for your consent.

When you give consent, you are able to withdraw that consent at any time by contacting us, for instance by emailing  If you do so we can only continue to use your data if another legal basis applies, such as when we’re required to do something by law. 

Nevertheless, you have an absolute right to opt-out of direct marketing, including profiling for direct marketing purposes, at any time. You can opt out of marketing by emailing

When the law requires us to process your data we will do so.  This can include:

  • Legal, compliance, regulatory and investigative purposes, including for government agencies and law enforcement.
  • When you exercise your rights under data protection legislation, including when you ask to subscribe or unsubscribe from our marketing communications.


Data sharing

Costa is part of the Coca-Cola group of companies which includes Costa Express Limited. Coca-Cola group companies may process your personal data in the course of assisting us with customer information services,

For some activities Costa uses third party service providers for the following services:

  • Sending promotional offers
  • Customer feedback surveys
  • Gift cards (including E-Gifts)
  • Insurance
  • IT development, support, maintenance and hosting, including the provision of applications and website hosting
  • Payments’ processing to enable you to pay by credit or debit card
  • CCTV system provision and maintenance

If our business is to be integrated with another business or sold, your details would be shared with our advisers and any prospective purchaser’s advisers.  Your information will be passed to the new owners and you would be notified.

Personal data may be shared with government authorities and/or law enforcement officials for the prevention or detection of crime, if required by law or if required for a legal or contractual claim.

International transfers

Sometimes we may need to send or store your data outside of the European Economic Area (the EU plus Iceland, Lichtenstein and Norway) (‘EEA’).  For example, to follow your instructions, comply with a legal duty or to work with or receive services from our service providers who we use to help run your accounts and our services.

If we do transfer information outside of the EEA, we will make sure that it is protected by using one of these safeguards:

  • Transfer it to a non-EEA country with privacy laws that give the same protection as the EEA. Some countries have been deemed adequate by the EU.
  • Put in place a contract with the recipient that means they must protect it to the same standards as the EEA or use other mechanisms and measures to achieve adequate protection. We also may use the Standard Contractual Clauses published by the EU.
  • Binding corporate rules. These are internal rules adopted by group companies to allow international transfers of personal data to entities within the same corporate group located in countries which do not provide an adequate level of protection.


Cookies and similar technologies

Our website uses cookies and similar technology. Full information is in our Cookie Notice. This includes information on how to adjust your browser settings to accept or reject cookies.

Data retention

We keep your data to enable us to fulfil our contract with you or to provide services, whilst you are an active user of our site, deemed to be a current or potential business customer and, where required by law or to protect legal rights.

We always look to keep your data for the minimum time in line with data protection principles and our processes.  For example, we keep:

  • Information on business customers who have purchased Costa Gift Cards and EGifts.
  • Records of payment information in line with tax law and audit requirements.
  • Information to maintain records according to rules that apply to us.
  • Written information about recipients of Gift cards and EGifts only when strictly necessary and then for only 24 hours after the Gift card or EGift is sent. For instance, we only receive recipient information if a business customer requests that we send out the Gift cards or EGifts directly to their intended recipients, or if a business customer requests personalisation, and then that information is destroyed within 24 hours of sending out the Gift or EGift on behalf of the business customer.
  • Any call recordings are deleted after one month.

If you unsubscribe from marketing communications we keep a record of this request indefinitely to ensure we do not send you personally direct marketing again.

We may keep your data for longer if we cannot delete it for legal, regulatory or technical reasons.


Your rights

You have rights over your personal data. 

You can:

  • ask for a copy of your information;
  • ask for information to be corrected;
  • ask for information to be erased or deleted;
  • ask for us to limit or restrict processing;
  • object to us processing your data, in particular where we use the data for direct marketing, including profiling for direct marketing purposes. The right to object does not apply if we must process the data to meet a contractual or legal requirement;
  • ask us to send you a copy in a structured digital format or ask for us to send it to another party.

Some rights, however, may be limited. We may be obliged by law or regulation to keep information.  We must respect other people’s privacy as well, which means we may need to redact or remove information where it includes personal data about someone else, even if it is connected to your data.  On occasion there may be a compelling legitimate interest to keep processing data.

If you want a copy of your data, to object to how we use your data, or ask us to delete it or restrict how we use it or, please see ‘Contact details’ below.  To process a request from you, we may need to confirm your identity to ensure we’re accessing the right data.

You have a right to complain to an EU data protection authority.  This can be where you live, work or where the matter occurred. In the UK, the authority is the Information Commissioner’s Office (the “ICO”).


Contact details

To exercise any of your rights or to withdraw consent you can email:

To discuss or change your Costa Business account details contact your business account manager or

For any queries relating to data protection please contact or by writing to them at Privacy Officer, Costa Limited, 3 Knaves Beech Business Centre, Davies Way, Loudwater, Bucks, HP10 9QR.

We may change or update this notice from time to time. We will communicate these as appropriate – for example, by updating our website or, where legally required, by actively telling you about the changes.


Which Costa entity is the controller?

The controller for your information is Costa Limited, 3 Knaves Beech Business Centre, Davies Way, Loudwater, Bucks, HP10 9QR. Costa Limited runs Costa Business accounts within Great Britain.

Costa for Business uses carefully selected service providers to assist with processing of Gift cards and EGifts.

To improve and personalise your visit, 1st and 3rd party cookies are used. See Cookies for more info. "I Decline" continues with necessary cookies, "I Accept" accepts all.