Build-A-Bear Workshop Global Privacy Policy - effective May 30, 2018

Scope: This Privacy Policy applies to websites and retail stores operated by or on behalf of Build-A-Bear Workshop and its Affiliates worldwide.
Except for the Build-A-Bear “Play” website, which is intended for all ages, the Build-A-Bear websites, including but not limited to the “Shop” website, are not intended for children under 16 years of age and are for adults only. Build-A-Bear does not sell products for purchase by children. We sell children’s products for purchase by adults. If you are under 18, you may use our websites only with the involvement of a parent or guardian (except for the Build-A-Bear “Play” website, which can be used by people of all ages).

Personal Information:

  • We collect the information you provide to us, such as your name, your postal or email address.
  • We collect non-personal information such as browser type and web pages visited to help manage our websites and to improve your overall experience.
  • We use cookies and web beacons to manage our email programs and websites. We do NOT use these technologies to collect or to store personal information.
  • References to Personal Information shall be deemed to include personal data as defined in the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
  • Click here for more information.

Uses:

  • We use the information you provide to register Build-A-Bear Workshop products in our Find-A-Bear® ID system.
  • We use the information you provide to create certificates for Build-A-Bear Workshop products.
  • We use the information you provide to place orders or book parties on our websites.
  • If you tell us to, we will send you information about promotions and other marketing events via mail and email.
  • We do NOT share your information with unrelated third parties for their marketing purposes.
  • We use personal information consistent with the purpose you provided it to us.
  • Click here for more information.

Your Choices:

Important Information:

How to Contact Us:

In the US and Canada:
Privacy Officer
Build-A-Bear Workshop
1954 Innerbelt Business Center Drive
St. Louis, MO 63114-5760
privacy@buildabear.com
Telephone: 1-877-789-BEAR (2327)

In the European Union:
Privacy Officer
Build-A-Bear Workshop
2nd Floor, Aquasulis House
10 - 14 Bath Road
Slough, Berkshire SL1 3SA, United Kingdom
privacy@buildabear.co.uk
Telephone: +44 (0) 800 5420635

Build-A-Bear Workshop Global Privacy Policy - effective May 11, 2018

The Build-A-Bear Workshop family of companies respects your privacy, and we will do our best to earn and keep your trust. All Personal Information that you share with us is treated with the utmost care. Build-A-Bear Workshop has created this Privacy Policy in order to demonstrate our firm commitment to the privacy of all our guests from all over the world. This Privacy Policy identifies what Personal Information we collect when you visit our stores or use our websites or other online services, what choices you can make about your Personal Information, how we use this data, and how we protect your Personal Information, and applies to all Personal Information provided to us in our stores or through our websites or other online services.

Except for the Build-A-Bear “Play” website, which is intended for all ages, the Build-A-Bear websites, including but not limited to the “Shop” website, are not intended for children under 16 years of age and are for adults only. Build-A-Bear does not sell products for purchase by children. We sell children’s products for purchase by adults. If you are under 18, you may use our websites only with the involvement of a parent or guardian (except for the Build-A-Bear “Play” website, which can be used by people of all ages).

Build-A-Bear Workshop complies with the EU-U.S. Privacy Shield Principles, including the Supplemental Principles (collectively, the “Privacy Shield Principles”), as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Information transferred from the European Union (the “EU”) to the United States (the “U.S.”). Build-A-Bear Workshop has certified to the Department of Commerce that it adheres to the Privacy Shield Principles, including the Privacy Shield Principles of Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement, and Liability, as well as the Supplemental Principles. If there is any conflict between the terms in the Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit www.privacyshield.gov. A list of companies that are currently certified under the Privacy Shield is available at www.privacyshield.gov/list.

We may, but shall not be required to, also process Personal Information submitted relating to individuals in the EU via other compliance mechanisms, including data processing agreements based on the EU Standard Contractual Clauses. Our Privacy Shield compliance is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (“FTC”), and we are committed to responding promptly to inquiries and requests by the United States Department of Commerce for information relating to the Privacy Shield Principles.

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://ico.org.uk/concerns/eu-us-privacy-shield/.

CONTENTS

What is Covered by This Policy?
Personal Information We Collect
How We Use Your Personal Information
Your Choices and Access to Your Personal Information
Children’s Privacy
Sharing Personal Information with Third Parties
Personal Information Security
Passive Data Collection - Cookies
Privacy Shield Dispute Resolution
Use of Human Resource Data Subject to Privacy Shield
Changes to This Privacy Policy
Country and State Specific Personal Information(including the GDPR)
Contact Us

What is Covered by This Policy?

This Privacy Policy applies to websites and retail stores operated by or on behalf of Build-A-Bear Workshop and its Affiliates (as defined below) worldwide. The purpose of this policy is to tell guests what information we collect, how it is used, where it is used, and how to contact Build A Bear Workshop with privacy inquiries. Some Build-A-Bear Workshop websites may contain links to websites not owned or operated by Build-A-Bear Workshop. Build-A-Bear Workshop is not responsible for the content, privacy policies, or practices of those websites. We recommend that you review the privacy policies of each site you visit.

Personal Information We Collect

Build-A-Bear Workshop collects information, including Personal Information, that you provide to us when you visit us in our retail locations or website. References to Personal Information shall be deemed to include personal data as defined in the GDPR. “Personal Information” that may be collected or processed by Build-A-Bear Workshop includes:
first and last names;
email address;
postal address;
date of birth and/or age;
sex/gender;
credit card information;
payment details;
product preference;
purchasing history;
IP address;
work experience, including job titles, company names and dates of employment;
education and education degree(s);
financial information, such as that which could be used to process invoices and payments; and
any other information that might be used to identify you by another person.

Build-A-Bear Workshop’s website may allow third-party companies, including ad networks, to serve advertisements, provide other advertising services and/or collect certain information when you visit our website.  These third-party companies may use non-Personal Information (e.g., click stream information, browser type, time and date, subject of advertisements clicked or scrolled over) during your visit to this website in order to provide advertisements about goods and services likely to be of greater interest to you.  Third-party companies may use non-cookie technologies to recognize your computer or device and/or to collect and record information about your web surfing activity including your activities on this website. These technologies may be used directly on this website. To learn more about Interest-Based Advertising or to opt-out of this type of advertising by those third parties that are members of self-regulatory programs such as the Network Advertising Initiative, please visit the NAI’s website (www.networkadvertising.org/choices) which will allow you to opt out of Interest-Based Advertising by one, or all, NAI members. 

Some web browsers may transmit “do not track” signals. Web browsers may incorporate or activate these features differently, making it unclear if users have consciously activated them. As a result, at this time we do not take steps to respond to such signals.

How We Use Your Personal Information

Build-A-Bear Workshop collects and uses your Personal Information to:

  • Conduct business with you
  • Improve your experience with us
  • Register your Build-A-Bear Workshop product in our Find-A-Bear® ID system
  • Book a party
  • Make an in store or online purchase
  • Create a wish list
  • Process, fulfill, and follow up on online purchases
  • Create and maintain accounts
  • Register for our Build-A-Bear Bonus Club® program
  • Handle guest service requests
  • Maintain our Loyalty Program
  • Send friends and families emails and e-cards on your behalf
  • Send surveys
  • Help you receive email and direct mail
  • Help you register for contests, sweepstakes, promotions, lotteries, loyalty programs and competitions
  • Help you send us testimonials, guest submissions, or other communications
  • Help you submit a book review
  • Permit you to apply for a job

We process Personal Information submitted by customers for the purpose of providing the above-referenced services (collectively, the “Services”) to customers. To fulfill these purposes, we may access Personal Information to provide the Services, to prevent or address service or technical problems, to respond to customer support matters, to follow the instructions of a customer who submitted the Personal Information, or in response to contractual requirements with our customers and service providers.

With respect to Personal Information covered by Privacy Shield, Build-A-Bear Workshop certifies that it collects Personal Information solely to the extent such Personal Information is relevant in providing the Services. For our record keeping purposes, we may retain certain Personal Information that you submit in conjunction with commercial transactions; however, we will retain such Personal Information only so long as it serves the purpose of providing the Services.

Your Choices and Access to Your Personal Information

Our email, website, and other interactive programs allow you to choose to receive or to stop receiving communications from us. You can choose to receive email and/or postal mail from a specific Build-A-Bear Workshop brand or to receive offers from other Build-A-Bear Workshop brands.

Build-A-Bear Workshop honors a “once out – always out” policy. Once you opt out, you are opted out of that type of communication and that brand until we are explicitly told in writing to opt you back in. You may opt out of email programs at any time by following the opt-out instructions provided in the email you receive. You also have the right to opt out of us using your Personal Information for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by you.

You have the right to access, amend, or delete any Personal Information we hold about you, be removed from Build-A-Bear Workshop programs you enrolled in, stop receiving postal mail and other communications, and prevent any further use of your Personal Information by Build-A-Bear Workshop, by contacting us; click here to select your country and be linked to the correct address or email address to use to contact us. Build-A-Bear Workshop will respond to reasonable requests in an appropriate timeframe as determined by the respective authority. We will respond to requests within one month.

Build-A-Bear Workshop will also contact individuals whose Personal Information is within the scope of the Privacy Shield Principles to obtain prior affirmative express consent if sensitive (referred to as special categories of personal data under the GDPR) Personal Information (i.e., Personal Information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data or Personal Information specifying the sex life or sexual orientation of the individual) is to be collected or disclosed to a third party, or if such sensitive Personal Information is to be used for a purpose other than those for which it was originally collected or subsequently authorized by such individual. We will treat as sensitive any Personal Information received from a third party where the third party identifies and treats it as sensitive.

Children’s Privacy

Build-A-Bear Workshop is committed to protecting children’s privacy on the Internet. No one under age 16 may provide any Personal Information to or on the websites. Build-A-Bear Workshop does not knowingly collect Personal Information from children under 16. If you are under 16, do not use or provide any information on our websites or retail stores, make any purchases through our websites, use any of the interactive or public comment features of our websites or retail stores or provide any information about yourself or others to us, including your/others name, address, telephone number, email address, or any screen name or user name you/others may use. If we learn we have collected or received Personal Information from a child under 16 without verification of parental consent, we will delete that information. If you believe we might have any information from a child under 16, please contact us at privacy@buildabear.com or privacy@buildabear.co.uk.

What Personal Information is collected online from children under 16 and how is it used?

Build-A-Bear Workshop does not knowingly collect, use, or disclose Personal Information (including online contact information) of children under the age of 16. We may collect information about visits to our websites without a user actively submitting such information. For information about such passive data collection, click here.

Is my child’s Personal Information required for participation in online activities?

No.

Is my child’s Personal Information required to receive certificates in the store?

Yes. Personal Information is required to create a certificate at the Name Me® station in the store.

Is my child’s Personal Information shared with unrelated third parties?

No.

What Personal Information did my child share while attending a party?

Parental supervision is always recommended; however, parents often do not attend a party with their child. Children attending a party may create a certificate at the Name Me® station. A certificate can be created with just the animal’s name and the child’s first name, gender and year of birth.

Sharing Personal Information with Third Parties

We employ other companies (“Agents”) and people to perform tasks on our behalf and need to share, and may internationally transfer, your information with them to provide products or services to you; for example, ExactTarget (SalesForce). Other types of Agents with which we may share Personal Information include organizations providing services to support Build-A-Bear Workshop functions, such as our mail and email processing companies, payment processing companies, and market research firms. We also transfer Personal Information to Agents for email marketing purposes. If Build-A-Bear Workshop transfers Personal Information subject to the Privacy Shield Principles to a third party, the recipient will have the same level of protection as required of the Build-A-Bear Workshop under the Privacy Shield. All such service providers are bound by contract to refrain from using the Personal Information we collect from you for any purpose other than providing the service to Build-A-Bear Workshop. Build-A-Bear Workshop is liable under the Privacy Shield Principles for its Agents to process transferred Personal Information in a manner consistent with the Principles.

We may also disclose information (including Personal Information) collected from guests outside of the U.S. to affiliated companies or Affiliates in the U.S. and elsewhere. For purposes of this Privacy Policy, “Affiliates” means any person or entity which directly or indirectly controls, is controlled by or is under common control with Build-A-Bear Workshop, Inc., whether by ownership or otherwise. Any Personal Information relating to you that we provide to our Affiliates will be treated by those Affiliates in accordance with the terms of this Privacy Policy and, as applicable, the Privacy Shield Principles. We train our employees and those of our Affiliates about the importance of privacy and how to handle and manage customer Personal Information appropriately and securely. We may share your information (including Personal Information) with franchisees of Build-A-Bear Workshop, but only where we indicate to you at time of Personal Information collection that such Personal Information will be provided to a franchisee, or if we otherwise obtain your permission.

In addition to disclosures to third party providers and Affiliates as described above, we may disclose or transfer Personal Information in connection with, or during negotiations of, any merger, sale of company assets, product lines or divisions, or any financing or acquisition. We may also disclose Personal Information to prevent damage or harm to us, our Services, or any person or property, or if we believe that disclosure is required by law (including to meet national security or law enforcement requirements), or in response to a lawful request by public authorities. Except as described in this Privacy Policy, we will not otherwise disclose Personal Information to third parties unless you have been provided with an opportunity to opt in to such disclosure.

Build-A-Bear Workshop does not release the Personal Information it collects from you to any unrelated third parties so that they may send you commercial promotions or offers for products or services. We do, however, share anonymous, aggregate information concerning the demographic makeup of our customers to unrelated third parties, and share Personal Information as described below.

Except as described in this Privacy Policy, we will not otherwise disclose Personal Information to any third parties unless you have been provided with an opportunity to opt in to such disclosure and, in the case of Personal Information collected from children, the appropriate verifiable consent is obtained.

If an individual wishes to opt out or limit the use and disclosure of their Personal Information to a third party or a use that is incompatible with the purpose for Personal Information was originally collected or authorized, the individual may send such request to privacy@buildabear.com.

When Build-A-Bear Workshop transfers Personal Information to countries other than the country where it was provided, we do so in compliance with applicable data protection laws, including, as applicable, the Privacy Shield Principles. All Personal Information is transmitted to World Bearquarters in St. Louis, Missouri daily. Copies of the Personal Information at the point of origin are deleted on a regular basis. We may transfer Personal Information from guests outside the U.S. to Affiliates located either in the U.S. or otherwise; provided that transfers to the U.S. from the EU will comply with the Privacy Shield Principles in all respects.

Personal Information Security

Build-A-Bear Workshop maintains appropriate technical and organizational security measures designed to help protect against unauthorized or unlawful processing, loss, destruction, damage, misuse, and alteration of Personal Information collected by Build-A-Bear Workshop, which include:

  • physical and logical access controls, including firewall, limited access, and SSL encryption technology, that limit who can access Personal Information based on business/processing need;
  • privacy policies for Personal Information and for employee Personal Information (a copy of which may be requested at privacy@buildabear.com);
  • annual employee training on our privacy policies;
  • employees who are bound by confidentiality obligations;
  • the appointment of a Privacy Officer to handle all Personal Information incidences or issues, including, without limitation, the handling of individual requests related to his/her Personal Information processed by Build-A-Bear Workshop; and
  • Build-A-Bear Workshop‘s General Information Security Policy and Incident Response Policy that contain incident response plans for escalation and resolution of data breach incidents.


All Personal Information collected via our websites is stored on secured servers located at our Build-A-Bear Workshop World Bearquarters in St. Louis, Missouri.

 

Passive Data Collection – Cookies and Web Beacons

Our Build-A-Bear Workshop website may also collect Personal Information passively, through the use of cookies. A cookie is a small text file that writes to your hard drive. The cookie file contains your computer’s IP address and a user ID. The user ID links any orders you have placed on our site to your Personal Information. A user ID has no personally identifiable information attached to it unless you place an order on our site. Our website uses cookies to enhance the guests’ experience and help us improve our services. For example, we may use cookies to keep track of your basket or shopping cart while you are shopping on our site or to track your activity. Build-A-Bear Workshop uses web beacons in emails to track traffic from the email to specific pages on our websites. You may be able to adjust your browser so that your computer either does not accept cookies, or notifies you when a website tries to deposit a cookie into your computer. Our cookies do not contain confidential Personal Information such as your home address, telephone number, or credit card information. We do not exchange cookies with any third parties.

Privacy Shield Dispute Resolution

In compliance with the Privacy Shield Principles, Build-A-Bear Workshop commits to resolve complaints about our collection or use of your Personal Information. EU individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Build-A-Bear Workshop’s Privacy Officer, , who will, in accordance with Build-A-Bear Workshop’s Incident Response Policy and its Data Protection Retention Policy, as applicable, escalate it as necessary, at:

Privacy Officer
Build-A-Bear Workshop UK Limited
2nd Floor, Aquasulis House
10 - 14 Bath Road
Slough, Berkshire SL1 3SA, United Kingdom
Email: privacy@buildabear.co.uk
Telephone: +44 (0) 800 5420635

Suspected and confirmed Personal Information security incidents will be investigated by the Privacy Officer and/or other personnel as necessitated by the scope of the incident. Such investigation will include, but will not be limited to, determining the source of the breach, identifying the types of data affected, determining whether notifications must be made and instituting any remedial measures that may be necessary to avoid similar incidents in the future.

Build-A-Bear Workshop has further committed to refer unresolved Privacy Shield complaints to The Information Commissioner’s Office of the United Kingdom (the “ICO”), the Data Protection Supervisory Authority for the United Kingdom. If you do not receive timely acknowledgment of your complaint from us, or if we have not resolved your complaint, please contact or visit https://ico.org.uk/concerns/eu-us-privacy-shield/ for more information or to file a complaint. The services of the ICO are provided at no cost to you. Under certain limited circumstances, EU individuals may invoke binding Privacy Shield arbitration as a last resort if all other forms of dispute resolution have been unsuccessful. To learn more about this method of resolution and its availability to you, please visit https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint.

The FTC has committed to reviewing on a priority basis referrals alleging non-compliance of the Privacy Shield Principles received from independent dispute resolution bodies, among others. If the FTC concludes that it has reason to believe Section 5 of the Privacy Shield Principles has been violated, it may resolve the matter by seeking an administrative cease and desist order prohibiting the challenged practices or by filing a complaint in a federal district court, which if successful could result in a federal court order to same effect.

Use of Human Resource Personal Information Subject to Privacy Shield

Where a member of the Build-A-Bear Workshop group in the EU transfers Personal Information about its employees (past or present) collected in the context of the employment relationship, to a parent, affiliate, or unaffiliated service provider in the U.S. participating in the Privacy Shield, the transfer enjoys the benefits of the Privacy Shield. In such cases, Build-A-Bear Workshop will comply with the Privacy Shield Principles, make reasonable efforts to accommodate employee privacy preferences, and will not use employees’ exercise of their rights under Privacy Shield to restrict employment opportunities or take punitive action against employees.

Build-A-Bear Workshop collects Personal Information from its employees to administer employee evaluations, payroll, compensation surveys, benefits, and its Employee Discount Program. Build-A-Bear Workshop will comply with all relevant laws, and, as applicable, the Privacy Shield Principles, in the collection and use of employee-related Personal Information. To the extent and for the period necessary to avoid prejudicing the ability of Build-A-Bear Workshop in making promotions, appointments, or other similar employment decisions, we may not offer employees the notice and choice options described in the Privacy Shield Principles. Similarly, for occasional employment-related operational needs, such as the booking of a flight, hotel room, or insurance coverage, transfers of Personal Information of a small number of employees may take place with limited access or the entering into a contract with the third-party transferee, provided that we otherwise comply with the Privacy Shield Principles. Access must also be limited in the context of employee security investigations or grievance proceedings or in connection with employee succession planning and corporate re-organizations.

Where employees in the EU make complaints about violations of their Personal Information protection rights and are not satisfied with the results of our internal review, complaint, and appeal procedures, they will be directed to the state or national data protection or labor authority in the jurisdiction where the employees work. Build-A-Bear Workshop commits to cooperate with competent EU Data Protection Authorities in the investigation and resolution of Privacy Shield complaints with regard to human resources Personal Information transferred from a European country to the U.S. Build-A-Bear Workshop will comply with any advice given by the Data Protection Authorities where such authorities take the view that we need to take specific action to comply with the Privacy Shield Principles.

Changes to This Privacy Policy

We may amend this Privacy Policy at any time. If we make any changes in the way we collect, use, and/or share your Personal Information, we will notify you by sending you an email at the last email address that you provided us, or by prominently posting notice of the changes on the web sites covered by this Privacy Policy.

Country and State Specific Information

Canada

Build-A-Bear Workshop complies with Canadian Federal and Provincial privacy laws and regulations including the Personal Information Protection and Electronic Documents Act.
Build-A-Bear Workshop, Inc. will only use your Personal Information for the purposes intended and as detailed in the Privacy Policy unless we have obtained your consent to use it for other purposes.

United Kingdom

Your Personal Information is protected in the United Kingdom by the Data Protection Act 1998 (the “Act”) up until 24 May 2018 and by the GDPR from May 25, 2018. Under the Act and the GDPR we will only process your Personal Information in a lawful, fair and transparent manner and your Personal Information will only be collected for specified and legitimate purposes. We will secure your Personal Information to prevent unauthorized access by third parties.

Data controller details

The data controller in relation to the processing of Personal Information that you provide to us is Build-A-Bear Workshop UK Limited. Our address is 10-14 Bath Road, Slough, Berkshire, United Kingdom, SL1 3SA, United Kingdom. The easiest ways to contact us are by email at privacy@buildabear.co.uk or by telephone at +44 (0) 800 5420635. All Personal Information collection and processing in the United Kingdom by Build-A-Bear Workshop will be undertaken by Build-A-Bear Workshop UK Limited in accordance with the terms of this privacy policy.

Processing information

The information set out in this privacy policy is provided to individuals whose Personal Information we process, in compliance with our obligations under Articles 13 and 14 of the GDPR.

To make this information clear, we have divided the data we receive into the following groups, where each of which refers to: the particular category of information we collect and retain; the purpose and legal basis of processing and to whom we will (if applicable) disclose the information:

 

International transfers

Details of third parties to whom transfers of Personal Information may be made are set out above (click here for more information).

We will not transfer Personal Information relating to you to a country which is outside the European Economic Area (“EEA”) unless: (1) the country or recipient is covered by an adequacy decision of the European Commission under GDPR Article 45; (2) appropriate safeguards have been put in place which meet the requirements of GDPR Article 46 (for example using the European Commission’s Standard Model Clauses for transfers of Personal Information outside the EEA); or (3) one of the derogations for specific situations under GDPR Article 49 is applicable to the transfer. These include (in summary) the transfer is necessary to perform, or to form, a contract to which we are a party; the transfer is necessary for the establishment, exercise or defense of legal claims; you have provided your explicit consent to the transfer; or the transfer is of a limited nature, and is necessary for the purpose of our compelling legitimate interests.

Retention of Personal Information

Different types of Personal Information may need to be retained for different periods of time depending on the purposes for which the data is processed and the legal and regulatory retention requirements in relation to certain categories of data. In determining the appropriate retention period consideration is given to the following factors:

  • the purposes for which the Personal Information is processed;
  • the legal basis for processing that Personal Information;
  • legal requirements for retention (particularly employment and health and safety law); and
  • regulatory requirements.

 

In particular, except where otherwise required by applicable law or a request to delete or erase Personal Information, Build-A-Bear retains certain specific categories of Personal Information in accordance with the periods set out in the Data Retention Schedule to this Policy (click here for more information).

In addition, Build-A-Bear may retain anonymized Personal Information (data that is no longer in a form identifying or making identifiable the individual to which the Personal Information originally related).

Your rights in respect of your Personal Information

You have certain rights under the GDPR, including the right to (upon written request) access a copy of your Personal Information that we are processing. From May 25, 2018, in accordance with the GDPR you will have the following rights:

  • right to access: the right to request certain information about, access to and copies of the Personal Information about you that we are holding (please note that you are entitled to request one copy of the personal information that we hold about you at no cost, but for any further copies, we reserve the right to charge a reasonable fee based on administration costs) and this will be provided to you within one month of your request; and
  • right to rectification: the right to have your Personal Information rectified if it is inaccurate or incomplete.
  • In certain circumstances, you will also have the following rights:
  • right to erasure/“right to be forgotten”: the right to withdraw your consent to our processing of your Personal Information (if the legal basis for processing is based on your consent) and the right to request that we delete or erase your Personal Information from our systems (however, this will not apply if we are required to hold on to the Personal Information for compliance with any legal obligation or if we require the information to establish or defend any legal claim);
  • right to restriction of use of your Personal Information: the right to stop us from using your Personal Information or limit the way in which we can use it;
  • right to object: the right to object to our use of your Personal Information including where we use it for our legitimate interests or for marketing purposes; and
  • right to data portability: the right to request that we return any Personal Information that you have provided in a structured, commonly used and machine-readable format, or that we send it directly to another company, where technically feasible.

 

As set out above, you are entitled to withdraw your consent to the processing of your Personal Information but please note that if you do withdraw your consent, we may not be able to carry out our contractual obligations to you or provide you with access to all or certain parts of our services.

To exercise your Right to Access or your Right to Erasure, you may click here and enter the email address for which you want to exercise these rights. For all other requests or queries, please email, write, or call the Privacy Officer as indicated below in the Contact Us section of this document.

Complaints

If you consider our use of your Personal Information to be unlawful, you have the right to lodge a complaint with the ICO. Please see further information on their website: www.ico.org.uk. Build-A-Bear Workshop and Build-A-Bear Workshop UK Limited are committed to working with you to obtain a fair resolution of any complaint or concern about privacy.

Automatic decision making

We do not make decisions in relation to your Personal Information that are based solely on automated data processing (including profiling).

United States

Build-A-Bear Workshop complies with the U.S. Federal and State privacy laws, including the Children’s Online Privacy Protection Act.

California

Beginning January 1, 2005, under California’s “Shine the Light” law, California residents who provide Personal Information for uses identified above are entitled to request and obtain from us once a calendar year information about the customer Personal Information we shared, if any, with other businesses for their own direct marketing uses. If applicable, this information would include the categories of Personal Information and the names and addresses of those businesses with which we shared Personal Information for the immediately prior calendar year (e.g., requests made in 2016 will receive information regarding 2015 sharing activities).

Europe

From May 25, 2018, Build-A-Bear Workshop’s practices are compliant with the GDPR in Europe.

Contact Us

If you have questions or concerns regarding your privacy, please contact Build-A-Bear Workshop directly. Please feel free to use your native language when sending your questions or comments.

In the US and Canada:

Privacy Officer
Build-A-Bear Workshop, Inc.
1954 Innerbelt Business Center Drive
St. Louis, MO 63114-5760
Email: privacy@buildabear.com
Telephone: 1-877-789-BEAR (2327)

In the United Kingdom:

Privacy Officer
Build-A-Bear Workshop UK Limited
2nd Floor, Aquasulis House
10 - 14 Bath Road
Slough, Berkshire SL1 3SA, United Kingdom
Email: privacy@buildabear.co.uk
Telephone: +44 (0) 800 5420635

If you are a resident of a European country participating in the Privacy Shield and you believe we maintain your Personal Information within the scope of this Privacy Shield certification, you may direct any questions or complaints to our United Kingdom email and postal addresses above. We are committed and required to respond to any of your inquiries on this issue within forty-five (45) days of receiving the complaint.

USES OF PERSONAL INFORMATION

Customers and visitors to our site

What we collect: We may use your information for the following purposes, based on the following legal grounds: Recipients:
  • first and last names;
  • email address;
  • postal address;
  • date of birth and/or age;
  • sex/gender;
  • credit card information;
  • payment details;
  • product preference;
  • purchasing history;
  • IP address;
  • If it is necessary for the performance of our contract or for the purposes of entering into a contract: for the purpose of negotiating and entering into contractual agreements with you, in the course of providing our Services or to enable you to make an in store or online purchase.
  • If it is in our legitimate business interests to do so: for internal record keeping for administration purposes, for the purpose of communications in relation to establishing a customer relationship, obtaining evidence of identity of our customers, for insight purposes (e.g. to analyse market trends and demographics, and develop the service which we offer to you or other individuals in the future).
  • Compliance with a legal obligation: in order to prevent fraud or money laundering or to comply with any other legal or regulatory requirements.
  • If we obtain your consent: in order to:
  • conduct business with you
  • improve your experience with us
  • register your Build-A-Bear Workshop product in our Find-A-Bear® ID system
  • book a party
  • create a wish list
  • process, fulfill, and follow up on online purchases
  • create and maintain accounts
  • register for our Build-A-Bear Bonus Club program
  • handle guest service requests
  • maintain our Loyalty Program
  • send friends and families emails and e-cards on your behalf
  • send surveys
  • help you receive email and direct mail
  • help you register for contests, sweepstakes, promotions, lotteries, loyalty programs and competitions
  • help you send us testimonials, guest submissions, or other communications
  • help you submit a book review.
1. We may share information about you within the Build-A-Bear group, as more fully described above. (click here for more information).
2. Please note that personal information we are holding about you may be shared with and processed by:
2.1. regulators or other third parties for the purposes of monitoring and/or enforcing our compliance with any legal and regulatory obligations, including statutory or regulatory reporting or the detection or prevention of unlawful acts;
2.2. credit reference and fraud prevention agencies;
2.3. any third party in the context of actual or threatened legal proceedings, provided we can do so lawfully (for example in response to a court order);
2.4. other parties and/or their professional advisers involved in a matter where required as part of the conduct of the Services;
2.5. our own professional advisers and auditors for the purpose of seeking professional advice or to meet our audit responsibilities;
2.6. our service providers and agents (including their subcontractors) or third parties which process information on our behalf (e.g. internet service and platform providers, our bank, payment processing providers and those organisations we engage to help us send communications to you) so that they may help us to provide you with the applications, products, services and information you have requested or which we believe may be of interest to you;
2.7. third parties as part of the arrangements for any event for which you have expressed an interest in attending; and
2.8. another organisation to whom we may transfer our agreement with you or if we sell or buy (or negotiate to sell or buy) our business or any of our assets (provided that adequate protections and safeguards are in place).

 

 

Suppliers and supplier personnel

 

 

What we collect: We may use your information for the following purposes, based on the following legal grounds: Recipients:
  • first and last names;
  • email address;
  • telephone numbers;
  • payment details
  • identification
  • If it is necessary for the performance of our contract or for the purposes of entering into a contract: for the purpose of negotiating and entering into contractual agreements with you, in the course of receiving services from you, for the purposes of making payments to you.
  • If it is in our legitimate business interests to do so: for internal record keeping for administration purposes, for the purpose of communications in relation to establishing a working relationship.
  • Compliance with a legal obligation: in order to prevent fraud or money laundering or to comply with any other legal or regulatory requirements.
3. We may share information about you within the Build-A-Bear group, as more fully described above. (click here for more information).
4. Please note that personal information we are holding about you may be shared with and processed by:
4.1. our customers, in the course of providing services to them;
4.2. regulators or other third parties for the purposes of monitoring and/or enforcing our compliance with any legal and regulatory obligations, including statutory or regulatory reporting or the detection or prevention of unlawful acts;
4.3. credit reference and fraud prevention agencies;
4.4. any third party in the context of actual or threatened legal proceedings, provided we can do so lawfully (for example in response to a court order);
4.5. our own professional advisers and auditors for the purpose of seeking professional advice or to meet our audit responsibilities;
4.6. our service providers and agents (including their subcontractors) or third parties which process information on our behalf (e.g. internet service and platform providers, our bank, payment processing providers; and
4.7. another organisation to whom we may transfer our agreement with you or if we sell or buy (or negotiate to sell or buy) our business or any of our assets (provided that adequate protections and safeguards are in place).

PERSONAL INFORMATION RETENTION PERIODS

Category Information description (includes but not limited to) Retention Period (in absence of a deletion request, other request from a data subject or legal requirement)
Guest Data (Non-Bonus Club Member Data) Names;
Addresses;
Transaction Information;
Payment details;
E-mail Addresses;
Telephone Numbers;
Purchasing history;
IP address;
6 years
Bonus Club Member Data Names;
Addresses;
Transaction Information;
Payment details;
E-mail Addresses;
Telephone Numbers;
Product preference;
Purchasing history;
IP address;
DOB’s;
Gender;
For as long as a bonus club account is active, and for 1 year after cancellation of account.
Supplier Data Names;
Addresses;
Transaction Information;
Payment details;
E-mail Addresses;
Telephone Numbers;
6 years after services have been provided
Supplier Contracts Contracts for supplier services;
Related sub-contracts;
12 + 1 years after services have ceased
Insurance Data Personal Information involving insurance claims;
Insurance policies;
Insurance related correspondence, outcomes and notices;
12 + 1 years
Health and Safety Assessments
Policy Statements
Records of consultations with safety representatives
Permanently

Click here to learn about cookies on Build-A-Bear.com and Build-A-Bear.co.uk.