Build-A-Bear Workshop Global Privacy Policy - effective 6 February, 2023

Preamble

Scope: This Privacy Policy applies to websites and retail stores operated by or on behalf of Build-A-Bear Workshop and its Affiliates (including, without limitation, Build-A-Bear Card Services LLC, Build-A-Bear Entertainment, LLC, Build-A-Bear Retail Management, Inc. and Build-A-Bear Workshop Franchise Holdings, Inc.) worldwide. This Privacy Policy does not apply to any Personal Information collected from or about any of our employees or our Affiliates’ employees that reside in the EU, UK, or California. Personal Information collected from any such employees will be protected by our employment policies and handbook.

Except for the Build-A-Bear “Play” website, which is intended for all ages, the Build-A-Bear websites, including but not limited to the “Shop” website, are not intended for children under 16 years of age in the European Economic Area (“EEA”) or under 13 years of age elsewhere and are for adults only. Build-A-Bear does not sell products for purchase by children. We sell children’s products for purchase by adults. If you are under 18, you may use our websites only with the involvement of a parent or guardian (except for the Build-A-Bear “Play” website, which can be used by people of all ages).

Personal Information:
  • We collect the information you provide to us, such as your name, your phone number, your postal or email address.
  • We collect non-personal information such as browser type and web pages visited to help manage our websites and to improve your overall experience.
  • We use cookies and web beacons to manage our email programs and websites. We do NOT use these technologies to collect or to store personal information.
  • References to Personal Information shall be deemed to include “personal data” as defined in the General Data Protection Regulation (EU) 2016/679, including as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (collectively, “GDPR”), “personal information” as defined in the California Consumer Privacy Act of 2018, including as amended by the California Privacy Rights Act of 2020 (collectively, “CCPA”), and “personal data” or a similar term as defined in other U.S. state privacy laws, including, without limitation, the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (from and after 1 July, 2023) (“ColoPA”), the Connecticut Act Concerning Personal Data Privacy and Online Monitoring (from and after 1 July, 2023) (“CT DPA”), and the Utah Consumer Privacy Act (from and after 31 December, 2023) (“UCPA”).
Uses:
  • We use the information you provide to register Build-A-Bear Workshop products in our Find-A-Bear® ID system.
  • We use the information you provide to create certificates for Build-A-Bear Workshop products.
  • We use the information you provide to place orders or book parties on our websites.
  • If you tell us to, we will send you information about promotions and other marketing events via mail and email.
  • We do NOT disclose your information to unrelated third parties for their marketing purposes.
  • We use personal information consistent with the purpose you provided it to us.
Your Choices:
Important Information:

How to Contact Us:

In the US and Canada:
Privacy Officer
Build-A-Bear Workshop
1954 Innerbelt Business Center Drive
St. Louis, MO 63114-5760
privacy@buildabear.com
Telephone: 1-877-789-BEAR (2327)

In the UK and European Union:
Privacy Officer
Build-A-Bear Workshop
2nd Floor, Aquasulis House
10 - 14 Bath Road
Slough, Berkshire SL1 3SA, United Kingdom
privacy@buildabear.co.uk
Telephone: +44 (0) 800 542 0635



The Build-A-Bear Workshop family of companies respects your privacy, and we will do our best to earn and keep your trust. All Personal Information that you share with us is treated with the utmost care. Build-A-Bear Workshop has created this Privacy Policy in order to demonstrate our firm commitment to the privacy of all our guests from all over the world. This Privacy Policy identifies what Personal Information we collect when you visit our stores or use our websites or other online services, what choices you can make about your Personal Information, how we use this data, and how we protect your Personal Information, and applies to all Personal Information provided to us in our stores or through our websites or other online services.

Except for the Build-A-Bear “Play” website, which is intended for all ages, the Build-A-Bear websites, including but not limited to the “Shop” website, are not intended for children under 16 years of age in the EEA or under 13 years of age elsewhere and are for adults only. Build-A-Bear does not sell products for purchase by children. We sell children’s products for purchase by adults. If you are under 18, you may use our websites only with the involvement of a parent or guardian (except for the Build-A-Bear “Play” website, which can be used by people of all ages).

Build-A-Bear Workshop complies with the EU-U.S. Privacy Shield Principles, including the Supplemental Principles (collectively, the “Privacy Shield Principles”), as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Information transferred from the European Union (the “EU”) and the United Kingdom (the “UK”) to the United States (the “U.S.”) in reliance on Privacy Shield. Build-A-Bear Workshop has certified to the Department of Commerce that it adheres to the Privacy Shield Principles, including the Privacy Shield Principles of Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement, and Liability, as well as the Supplemental Principles. If there is any conflict between the terms in the Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit www.privacyshield.gov. A list of companies that are currently certified under the Privacy Shield is available at www.privacyshield.gov/list.

In light of the judgment of the Court of Justice of the EU in Case C-311/18, we do not rely on the Privacy Shield Principles as a legal basis for transfers of Personal Information relating to individuals in the EU or the UK. Therefore, we also process Personal Information submitted relating to individuals in the EU and the UK via other compliance mechanisms to ensure appropriate safeguards for such Personal Information as described in Article 46 of the GDPR, including data processing agreements incorporating the EU Standard Contractual Clauses. Our Privacy Shield compliance is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (“FTC”), and we are committed to responding promptly to inquiries and requests by the United States Department of Commerce for information relating to the Privacy Shield Principles.

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://ico.org.uk/concerns/eu-us-privacy-shield/.


CONTENTS

What is Covered by This Policy?
Personal Information We Collect
How We Use Your Personal Information
Your Choices and Access to Your Personal Information
Children’s Privacy
Sharing Personal Information with Third Parties
Personal Information Security
Passive Data Collection - Cookies
Privacy Shield Dispute Resolution
Use of Human Resource Data Subject to Privacy Shield
Changes to This Privacy Policy
Country and State Specific Personal Information (including the GDPR and CCPA)
Contact Us

Policy Body

What is Covered by This Policy?

This Privacy Policy applies to websites and retail stores operated by or on behalf of Build-A-Bear Workshop and its Affiliates (as defined below) worldwide. The purpose of this Policy is to tell guests what information we collect, how it is used, where it is used, and how to contact Build-A-Bear Workshop with privacy inquiries. Some Build-A-Bear Workshop websites may contain links to websites not owned or operated by Build-A-Bear Workshop. Build-A-Bear Workshop is not responsible for the content, privacy policies, or practices of those websites. We recommend that you review the privacy policies of each site you visit.

This Privacy Policy does not apply to any Personal Information collected from or about any of our employees or our Affiliates’ employees that reside in the EU, UK, or California. Personal Information collected from any such employees will be protected by our employment policies and handbook.

Personal Information We Collect

Build-A-Bear Workshop collects information, including Personal Information, that you provide to us when you visit us in our retail locations or website. References to Personal Information shall be deemed to include personal data as defined in the GDPR, personal information as defined in the CCPA, and “personal data” or a similar term as defined in other U.S. state privacy laws, including, without limitation, VCDPA, ColoPA (from and after 1 July, 2023), CT DPA (from and after 1 July, 2023), and UCPA (from and after 31 December, 2023).

“Personal Information” that may be collected or processed by Build-A-Bear Workshop includes:

  • first and last names;
  • email address;
  • postal address;
  • phone number;
  • date of birth and/or age;
  • sex/gender;
  • voiceprint if you purchase and record one of our Record Your Voice soundchips;
  • credit card information;
  • payment details;
  • product preference;
  • purchasing and/or browsing history;
  • IP address;
  • Device ID;
  • work experience, including job titles, company names and dates of employment;
  • education and education degree(s);
  • financial information, such as that which could be used to process invoices and payments; and
  • any other information that might be used to identify you by another person.

Build-A-Bear Workshop’s website may allow third-party companies, including ad networks, to serve advertisements, provide other advertising services and/or collect certain information when you visit our website. These third-party companies may use non-Personal Information (e.g., click stream information, browser type, time and date, subject of advertisements clicked or scrolled over) during your visit to this website in order to provide advertisements about goods and services likely to be of greater interest to you and for Build-A-Bear Workshop’s business purposes, including but not limited to research and analytics, product promotions, and website management. Third-party companies may use non-cookie technologies to recognise your computer or device and/or to collect and record information about your web surfing activity including your activities on this website. This information includes, but is not limited to, the pages you viewed, how long you spent on each page, and how you interact with particular webpages via input devices. These technologies may be used directly on this website. To learn more about Interest-Based Advertising or to opt-out of this type of advertising by those third parties that are members of self-regulatory programs such as the Network Advertising Initiative, please visit the NAI’s website (www.networkadvertising.org/choices) which will allow you to opt out of Interest-Based Advertising by one, or all, NAI members.

Some web browsers may transmit “do not track” signals. Web browsers may incorporate or activate these features differently, making it unclear if users have consciously activated them. As a result, at this time we do not take steps to respond to such signals.

You may also have the right to opt-out of Interest-Based Advertising under applicable laws. For more information, see Country and State Specific Personal Information.

How We Use Your Personal Information

We may use or disclose the Personal Information we collect for one or more of the following business purposes:

  • To conduct business with you;
  • To improve your experience with us;
  • To register your Build-A-Bear Workshop product in our Find-A-Bear® ID system;
  • To book a party;
  • To make an in store or online purchase;
  • To create a wish list;
  • To process, fulfill, and follow up on online purchases;
  • To create and maintain accounts;
  • To register for our Build-A-Bear Bonus Club program;
  • To handle guest service requests;
  • To maintain our Loyalty Program;
  • To send friends and families emails and e-cards on your behalf;
  • To send surveys;
  • To help you receive email, direct mail, or SMS text messages;
  • To help you register for contests, sweepstakes, promotions, lotteries, loyalty programs and competitions;
  • To suggest products and services which may be of interest to you;
  • To help you send us testimonials, guest submissions, or other communications;
  • To permit you to apply for a job;
  • To administer employee evaluations, payroll, compensation surveys, benefits, and our Employee Discount Program;
  • To prevent or address service or technical problems;
  • To respond to customer support matters;
  • To follow the instructions of a customer who submitted Personal Information;
  • In response to contractual requirements with our customers and service providers;
  • In connection with, or during negotiations of, any merger, sale of company assets, product lines or divisions, or any financing or acquisition;
  • To prevent damage or harm to us, our services, or any person or property; or
  • If we believe that disclosure is required by law (including to meet national security or law enforcement requirements), or in response to a lawful request by public authorities.

We process Personal Information submitted by customers for the purpose of providing the above-referenced services (collectively, the “Services”) to customers. To fulfill these purposes, we may access Personal Information to provide the Services, to prevent or address service or technical problems, to respond to customer support matters, to follow the instructions of a customer who submitted the Personal Information, or in response to contractual requirements with our customers and service providers.

As required by applicable law or the Privacy Shield, Build-A-Bear Workshop certifies that it collects Personal Information solely to the extent such Personal Information is relevant in providing the Services. For our record keeping purposes, we may retain certain Personal Information that you submit in conjunction with commercial transactions; however, we will retain such Personal Information only so long as it serves the purpose of providing the Services.

Your Choices and Access to Your Personal Information

Our email, website, and other interactive programs allow you to choose to receive or to stop receiving communications from us. You can choose to receive email and/or postal mail from a specific Build-A-Bear Workshop brand or to receive offers from other Build-A-Bear Workshop brands.

Build-A-Bear Workshop honors a “once out – always out” policy. Once you opt out, you are opted out of that type of communication and that brand until we are explicitly told in writing to opt you back in. You may opt out of email programs at any time by following the opt-out instructions provided in the email you receive. You also have the right to opt out of us using your Personal Information for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorised by you.

As provided by applicable law, you may have the right to access, amend, or delete any Personal Information we hold about you, be removed from Build-A-Bear Workshop programs you enrolled in, stop receiving postal mail and other communications, and prevent any further use of your Personal Information by Build-A-Bear Workshop, by contacting us; click here to select your country and be linked to the correct address or email address to use to contact us. Build-A-Bear Workshop will respond to reasonable requests in an appropriate timeframe as determined by the respective authority. In most cases, we will respond to requests within one month; provided, however, if the request is complex, we may extend our response time in accordance with applicable law.

Build-A-Bear Workshop will also contact individuals whose Personal Information is within the scope of the Privacy Shield Principles to obtain prior affirmative express consent if sensitive (referred to as special categories of personal data under the GDPR) Personal Information (i.e., Personal Information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data or Personal Information specifying the sex life or sexual orientation of the individual) is to be collected or disclosed to a third party, or if such sensitive Personal Information is to be used for a purpose other than those for which it was originally collected or subsequently authorised by such individual. We will treat as sensitive any Personal Information received from a third party where the third party identifies and treats it as sensitive. In the last 12 months, we have not collected any sensitive Personal Information of guests or other consumers.

Children’s Privacy

Build-A-Bear Workshop is committed to protecting children’s privacy on the Internet. No one under 16 years of age in the EEA or under 13 years of age elsewhere may provide any Personal Information to or on the websites. Build-A-Bear Workshop does not knowingly collect Personal Information from children under 16 years of age in the EEA or under 13 years of age elsewhere. If you are under 16 in the EEA or under 13 elsewhere, do not use or provide any information on our websites or retail stores, make any purchases through our websites, use any of the interactive or public comment features of our websites or retail stores or provide any information about yourself or others to us, including your/others name, address, telephone number, email address, or any screen name or user name you/others may use. If we learn we have collected or received Personal Information from a child under 16 years of age in the EEA or under 13 years of age elsewhere without verification of parental consent, we will delete that information. If you believe we might have any information from a child under 16 in the EEA or under 13 elsewhere, please contact us at privacy@buildabear.com or privacy@buildabear.co.uk.

What Personal Information is collected online from children and how is it used?

Build-A-Bear Workshop does not knowingly collect, use, or disclose Personal Information (including online contact information) of children under 16 years of age in the EEA or under 13 years of age elsewhere. We may collect information about visits to our websites without a user actively submitting such information. For information about such passive data collection, click here.

Is my child’s Personal Information required for participation in online activities?

No.

Is my child’s Personal Information required to receive certificates in the store?

Yes. Personal Information is required to create a certificate at the Name Me® station in the store.

Is my child’s Personal Information shared with unrelated third parties?

No.

What Personal Information did my child share while attending a party?

Parental supervision is always recommended; however, parents often do not attend a party with their child. Children attending a party may create a certificate at the Name Me® station. A certificate can be created with just the animal’s name and the child’s first name, gender and year of birth.

Sharing Personal Information with Third Parties

We employ other companies (“Agents”) and people to perform tasks on our behalf and need to disclose, and may internationally transfer, your information to them to provide products or services to you; for example, Salesforce, Google, Facebook and other advertising partners. Other types of Agents to whom we may disclose Personal Information include organisations providing services to support Build-A-Bear Workshop functions, such as our mail and email processing companies, payment processing companies, and market research firms. We also transfer Personal Information to Agents for email marketing purposes. If Build-A-Bear Workshop transfers Personal Information subject to the Privacy Shield Principles to a third party, the recipient will have the same level of protection as required of the Build-A-Bear Workshop under the Privacy Shield. All such service providers are bound by contract to refrain from using the Personal Information we collect from you for any purpose other than providing the service to Build-A-Bear Workshop. Build-A-Bear Workshop is liable under the Privacy Shield Principles for its Agents to process transferred Personal Information in a manner consistent with the Principles.

We may also disclose information (including Personal Information) collected from guests outside of the U.S. to affiliated companies or Affiliates in the U.S. and elsewhere. For purposes of this Privacy Policy, “Affiliates” means any person or entity which directly or indirectly controls, is controlled by or is under common control with Build-A-Bear Workshop, Inc., whether by ownership or otherwise. Any Personal Information relating to you that we provide to our Affiliates will be treated by those Affiliates in accordance with the terms of this Privacy Policy and, as applicable, the Privacy Shield Principles and other compliance mechanisms to ensure appropriate safeguards for such Personal Information as described in Article 46 of the GDPR, including data processing agreements incorporating the EU Standard Contractual Clauses.

We train our employees and those of our Affiliates about the importance of privacy and how to handle and manage customer Personal Information appropriately and securely. We may disclose your information (including Personal Information) to franchisees of Build-A-Bear Workshop, but only where we indicate to you at time of Personal Information collection that such Personal Information will be provided to a franchisee, or if we otherwise obtain your permission.

In addition to disclosures to third party providers and Affiliates as described above, we may disclose or transfer Personal Information in connection with, or during negotiations of, any merger, sale of company assets, product lines or divisions, or any financing or acquisition. We may also disclose Personal Information to prevent damage or harm to us, our Services, or any person or property, or if we believe that disclosure is required by law (including to meet national security or law enforcement requirements), or in response to a lawful request by public authorities. Except as described in this Privacy Policy, we will not otherwise disclose Personal Information to third parties unless you have been provided with an opportunity to opt in to such disclosure.

Build-A-Bear Workshop does not release the Personal Information it collects from you to any unrelated third parties so that they may send you commercial promotions or offers for their products or services. Build-A-Bear Workshop does not engage in the sale of your personal information. We do, however, disclose anonymous, aggregate information concerning the demographic makeup of our customers to unrelated third parties, and share Personal Information for purposes of cross-context behavioral advertising or targeted advertising, as contemplated under applicable law, such as the CCPA, VCDPA, ColoPA, CT DPA, and UCPA, as described below.

Except as described in this Privacy Policy, we will not otherwise disclose or sell Personal Information to any third parties unless you have been provided with an opportunity to opt in to such disclosure and, in the case of Personal Information collected from children, the appropriate verifiable consent is obtained.

If an individual wishes to opt out or limit the use and disclosure of their Personal Information to a third party or a use that is incompatible with the purpose for which Personal Information was originally collected or authorised, the individual may send such request to privacy@buildabear.com or opt out using one of the methods described in the Country and State Specific Personal Information section below.

When Build-A-Bear Workshop transfers Personal Information to countries other than the country where it was provided, we do so in compliance with applicable data protection laws, including, as applicable, the Privacy Shield Principles. In light of the judgment of the Court of Justice of the EU in Case C-311/18, we do not rely on the Privacy Shield Principles as a legal basis for transfers of Personal Information relating to individuals in the EU or the UK. Therefore, we transfer Personal Information relating to individuals in the EU and the UK via other compliance mechanisms to ensure appropriate safeguards for such Personal Information as described in Article 46 of the GDPR, including data processing agreements incorporating the EU Standard Contractual Clauses. All Personal Information is transmitted to World Bearquarters in St. Louis, Missouri daily. Copies of the Personal Information at the point of origin are deleted on a regular basis. We may transfer Personal Information from guests outside the U.S. to Affiliates located either in the U.S. or otherwise; provided that transfers to the U.S. from the EU will comply with the Privacy Shield Principles and such other compliance mechanisms in all respects.

Personal Information Security

Build-A-Bear Workshop maintains appropriate technical and organisational security measures designed to help protect against unauthorised or unlawful processing, loss, destruction, damage, misuse, and alteration of Personal Information collected by Build-A-Bear Workshop, which include:

  • physical and logical access controls, including firewall, limited access, and SSL encryption technology, that limit who can access Personal Information based on business/processing need;
  • privacy policies for Personal Information and for employee Personal Information (a copy of which may be requested at privacy@buildabear.com);
  • annual employee training on our privacy policies;
  • employees who are bound by confidentiality obligations;
  • the appointment of a Privacy Officer to handle all Personal Information incidences or issues, including, without limitation, the handling of individual requests related to his/her Personal Information processed by Build-A-Bear Workshop; and
  • Build-A-Bear Workshop’s General Information Security Policy and Incident Response Policy that contain incident response plans for escalation and resolution of data breach incidents.

All Personal Information collected via our websites is stored on secured servers located at our Build-A-Bear Workshop World Bearquarters in St. Louis, Missouri.

Passive Data Collection – Cookies and Web Beacons

Our Build-A-Bear Workshop website may also collect Personal Information passively, through the use of cookies. A cookie is a small text file that writes to your hard drive. The cookie file contains your computer’s IP address and a user ID. The user ID links any orders you have placed on our site to your Personal Information. A user ID has no personally identifiable information attached to it unless you place an order on our site. Our website uses cookies to enhance the guests’ experience and help us improve our Services. For example, we may use cookies to keep track of your basket or shopping cart while you are shopping on our site or to track your activity. Build-A-Bear Workshop uses web beacons in emails to track traffic from the email to specific pages on our websites. You may be able to adjust your browser so that your computer either does not accept cookies, or notifies you when a website tries to deposit a cookie into your computer. Our cookies do not contain confidential Personal Information such as your home address, telephone number, or credit card information. We do not exchange cookies with any third parties.

Build-A-Bear Workshop Cookie Declaration:

This website uses cookies. We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners, who may combine it with other information that you’ve provided to them or that they’ve collected from your use of their services. Cookies are small text files that can be used by websites to make a user’s experience more efficient. Applicable law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies we need a lawful basis for processing, which may include your permission. This site uses different types of cookies. Some cookies are placed by third party services that appear on our pages. By agreeing to the use of cookies on our website, you are directing us to disclose your personal information and data to our third party service providers for these purposes.

Specifically, the information that we collect through the cookies on our site is as follows:

  • Page Information, which is retained by Build-A-Bear for up to a year:
    • URL – the URL of the page you are viewing and
    • Title – the title of the page you are viewing.
  • Browser Information, which is retained by Build-A-Bear for up to a year:
    • Browser name – the type of browser you are using;
    • Viewport or Viewing pane – the size of the browser window you are using;
    • Screen resolution – the resolution of your screen;
    • Java enabled – whether or not you have Java enabled; and
    • Flash version – what version of Flash you are using.
  • User Information, which is retained by Build-A-Bear for up to a year:
    • Location – this is derived from the IP address where the hit originated (please note that the IP address itself is not available or retained by Build-A-Bear); and
    • Language – derived from the language settings of your browser.
    • We are committed to safeguarding your privacy and ensuring that your personal information is protected. Any Personal Information collected through the cookies on our Site will be protected by Build-A-Bear pursuant to this Privacy Policy.

      It is always possible for you to visit our website without disclosing your Personal Information. This requires that you have disabled cookies. You can opt out of the processing of such information via the Cookie Consent Banner displayed at the bottom of the relevant site or through your browser settings. Please note, however, that without cookies you may not be able to use all of the features of our site or Services.

      If you have any questions about the cookies on our website or any of the information, including, without limitation, Personal Information, gathered by the cookies, please contact Build-A-Bear‘s Data Protection Officer, whose contact information is below:

      In the US and Canada:
      Data Protection Officer
      Build-A-Bear Workshop
      1954 Innerbelt Business Center Drive
      St. Louis, MO 63114-5760
      privacy@buildabear.com
      Telephone: 1-877-789-BEAR (2327)

      In the EU and United Kingdom:
      Data Protection Officer
      Build-A-Bear Workshop
      2nd Floor, Aquasulis House
      10 - 14 Bath Road
      Slough, Berkshire SL1 3SA, United Kingdom
      privacy@buildabear.co.uk
      Telephone: +44 (0) 800 542 0635

      We are committed and required to respond to any of your inquiries on this issue within one month of receiving the complaint.

      Privacy Shield Dispute Resolution

      In compliance with the Privacy Shield Principles, Build-A-Bear Workshop commits to resolve complaints about our collection or use of your Personal Information. EU or UK individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Build-A-Bear Workshop’s Privacy Officer, who will, in accordance with Build-A-Bear Workshop’s Incident Response Policy and its Data Protection Retention Policy, as applicable, escalate it as necessary, at:

      Privacy Officer
      Build-A-Bear Workshop UK Limited
      2nd Floor, Aquasulis House
      10 - 14 Bath Road
      Slough, Berkshire SL1 3SA, United Kingdom
      Email: privacy@buildabear.co.uk
      Telephone: +44 (0) 870 224 5130

      Suspected and confirmed Personal Information security incidents will be investigated by the Privacy Officer and/or other personnel as necessitated by the scope of the incident. Such investigation will include, but will not be limited to, determining the source of the breach, identifying the types of data affected, determining whether notifications must be made and instituting any remedial measures that may be necessary to avoid similar incidents in the future.

      Build-A-Bear Workshop has further committed to refer unresolved Privacy Shield complaints to The Information Commissioner’s Office of the United Kingdom (the “ICO”), the Data Protection Supervisory Authority for the United Kingdom. If you do not receive timely acknowledgment of your complaint from us, or if we have not resolved your complaint, please contact or visit https://ico.org.uk/concerns/eu-us-privacy-shield/ for more information or to file a complaint. The services of the ICO are provided at no cost to you. Under certain limited circumstances, EU or UK individuals may invoke binding Privacy Shield arbitration as a last resort if all other forms of dispute resolution have been unsuccessful. To learn more about this method of resolution and its availability to you, please visit https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint.

      The FTC has committed to reviewing, on a priority basis, referrals alleging non-compliance of the Privacy Shield Principles received from independent dispute resolution bodies, among others. If the FTC concludes that it has reason to believe Section 5 of the Privacy Shield Principles has been violated, it may resolve the matter by seeking an administrative cease and desist order prohibiting the challenged practices or by filing a complaint in a federal district court, which if successful could result in a federal court order to the same effect.

      Use of Human Resource Personal Information Subject to Privacy Shield

      Where a member of the Build-A-Bear Workshop group in the EU or UK transfers Personal Information about its employees (past or present) collected in the context of the employment relationship, to a parent, affiliate, or unaffiliated service provider in the U.S. participating in the Privacy Shield, the transfer enjoys the benefits of the Privacy Shield. In such cases, Build-A-Bear Workshop will comply with the Privacy Shield Principles, make reasonable efforts to accommodate employee privacy preferences, and will not use employees’ exercise of their rights under Privacy Shield to restrict employment opportunities or take punitive action against employees. In light of the judgment of the Court of Justice of the EU in Case C-311/18, Build-A-Bear Workshop does not rely on the Privacy Shield Principles as a legal basis for transfers of Personal Information relating to individuals in the EU or the UK. Therefore, Build-A-Bear Workshop transfers Personal Information about its employees (past or present) collected in the context of the employment relationship relating to individuals in the EU and the UK via other compliance mechanisms to ensure appropriate safeguards for such Personal Information as described in Article 46 of the GDPR, including data processing agreements incorporating the EU Standard Contractual Clauses.

      Build-A-Bear Workshop collects Personal Information from its employees to administer employee evaluations, payroll, compensation surveys, benefits, and its Employee Discount Program. Build-A-Bear Workshop will comply with all relevant laws, and, as applicable, the Privacy Shield Principles and other compliance mechanisms to ensure appropriate safeguards for such Personal Information as described in Article 46 of the GDPR, including data processing agreements incorporating the EU Standard Contractual Clauses, in the collection and use of employee-related Personal Information. To the extent and for the period necessary to avoid prejudicing the ability of Build-A-Bear Workshop in making promotions, appointments, or other similar employment decisions, we may not offer employees the notice and choice options described in the Privacy Shield Principles. Similarly, for occasional employment-related operational needs, such as the booking of a flight, hotel room, or insurance coverage, transfers of Personal Information of a small number of employees may take place with limited access or the entering into a contract with the third-party transferee, provided that we otherwise comply with the Privacy Shield Principles or such other compliance mechanisms, as applicable. Access must also be limited in the context of employee security investigations or grievance proceedings or in connection with employee succession planning and corporate re-organisations.

      Where employees in the EU or UK make complaints about violations of their Personal Information protection rights and are not satisfied with the results of our internal review, complaint, and appeal procedures, they will be directed to the state or national data protection or labor authority in the jurisdiction where the employees work. Build-A-Bear Workshop commits to cooperate with competent EU or UK Data Protection Authorities in the investigation and resolution of Privacy Shield complaints with regard to human resources Personal Information transferred from an EU country or the UK to the U.S. Build-A-Bear Workshop will comply with any advice given by the Data Protection Authorities where such authorities take the view that we need to take specific action to comply with the Privacy Shield Principles.

      Build-A-Bear Workshop has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) with regard to unresolved Privacy Shield complaints concerning data transferred from the EU.

      Changes to This Privacy Policy

      We may amend this Privacy Policy at any time. If we make any changes in the way we collect, use, and/or share your Personal Information, we will notify you by sending you an email at the last email address that you provided us, or by prominently posting notice of the changes on the web sites covered by this Privacy Policy.

      Contact Us

      If you have questions or concerns regarding your privacy, please contact Build-A-Bear Workshop directly. Please feel free to use your native language when sending your questions or comments.

      In the US and Canada:
      Privacy Officer
      Build-A-Bear Workshop, Inc.
      1954 Innerbelt Business Center Drive
      St. Louis, MO 63114-5760
      Email: privacy@buildabear.com
      Telephone: 1-877-789-BEAR (2327)

      In the EU and United Kingdom:
      Privacy Officer
      Build-A-Bear Workshop UK Limited
      2nd Floor, Aquasulis House
      10 - 14 Bath Road
      Slough, Berkshire SL1 3SA, United Kingdom
      Email: privacy@buildabear.co.uk
      Telephone: +44 (0) 800 542 0635

      If you are a resident of the EU or the UK and you believe we maintain your Personal Information within the scope of this Privacy Shield certification, you may direct any questions or complaints to our United Kingdom email and postal addresses above. We are committed and required to respond to any of your inquiries on this issue within one month of receiving the complaint.

      Country and State Specific Information
      Canada

      Build-A-Bear Workshop complies with Canadian Federal and Provincial privacy laws and regulations including the Personal Information Protection and Electronic Documents Act.

      Build-A-Bear Workshop, Inc. will only use your Personal Information for the purposes intended and as detailed in the Privacy Policy unless we have obtained your consent to use it for other purposes.

      United Kingdom

      Your Personal Information is protected in the United Kingdom by the GDPR, the UK Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003/2426, together with any additional applicable data protection and privacy laws in force from time to time, in the UK. Under these laws, we will only process your Personal Information in a lawful, fair and transparent manner and your Personal Information will only be collected for specified and legitimate purposes. We will secure your Personal Information to prevent unauthorised access by third parties.

      Data controller details
      The data controller in relation to the processing of Personal Information that you provide to us is Build-A-Bear Workshop UK Limited. Our address is 10-14 Bath Road, Slough, Berkshire, United Kingdom, SL1 3SA, United Kingdom. The easiest ways to contact us are by email at privacy@buildabear.co.uk or by telephone at +44 (0) 870 224 5130. All Personal Information collection and processing in the United Kingdom by Build-A-Bear Workshop will be undertaken by Build-A-Bear Workshop UK Limited in accordance with the terms of this privacy policy.

      Processing information
      The information set out in this Privacy Policy is provided to individuals whose Personal Information we process, in compliance with our obligations under Articles 13 and 14 of the GDPR.

      To make this information clear, we have divided the data we receive into the following groups, each of which refers to: the particular category of information we collect and retain; the purpose and legal basis of processing; and to whom we will (if applicable) disclose the information:

      International transfers
      Details of third parties to whom transfers of Personal Information may be made are set out above (click here for more information).

      We will not transfer Personal Information relating to you to a country which is outside the UK unless: (1) the country or recipient is covered by an adequacy decision of the ICO under GDPR Article 45; (2) appropriate safeguards have been put in place which meet the requirements of GDPR Article 46 (for example using the ICO’s international data transfer addendum to the European Commission’s Standard Contractual Clauses for transfers of Personal Information outside the UK); or (3) one of the derogations for specific situations under GDPR Article 49 is applicable to the transfer. These include (in summary) the transfer is necessary to perform, or to form, a contract to which we are a party; the transfer is necessary for the establishment, exercise or defense of legal claims; you have provided your explicit consent to the transfer; or the transfer is of a limited nature, and is necessary for the purpose of our compelling legitimate interests.

      Retention of Personal Information
      Different types of Personal Information may need to be retained for different periods of time depending on the purposes for which the data is processed and the legal and regulatory retention requirements in relation to certain categories of data. In determining the appropriate retention period consideration is given to the following factors:

      • the purposes for which the Personal Information is processed;
      • the legal basis for processing that Personal Information;
      • legal requirements for retention (particularly employment and health and safety law); and
      • regulatory requirements.

      In particular, except where otherwise required by applicable law or a request to delete or erase Personal Information, Build-A-Bear retains certain specific categories of Personal Information in accordance with the periods set out in the Data Retention Schedule to this Policy (click here for more information).

      In addition, Build-A-Bear may retain anonymised Personal Information (data that is no longer in a form identifying or making identifiable the individual to which the Personal Information originally related).

      Your rights in respect of your Personal Information
      You have certain rights under the GDPR, including the right to (upon written request) access a copy of your Personal Information that we are processing. From 25 May, 2018, in accordance with the GDPR you will have the following rights:

      • right to access: the right to request certain information about, access to and copies of the Personal Information about you that we are holding (please note that you are entitled to request one copy of the personal information that we hold about you at no cost, but for any further copies, we reserve the right to charge a reasonable fee based on administration costs) and this will be provided to you within one month of your request; and
      • right to rectification: the right to have your Personal Information rectified if it is inaccurate or incomplete.
      In certain circumstances, you will also have the following rights:
      • right to erasure/“right to be forgotten”: the right to withdraw your consent to our processing of your Personal Information (if the legal basis for processing is based on your consent) and the right to request that we delete or erase your Personal Information from our systems (however, this will not apply if we are required to hold on to the Personal Information for compliance with any legal obligation or if we require the information to establish or defend any legal claim);
      • right to restriction of use of your Personal Information: the right to stop us from using your Personal Information or limit the way in which we can use it;
      • right to object: the right to object to our use of your Personal Information including where we use it for our legitimate interests or for marketing purposes; and
      • right to data portability: the right to request that we return any Personal Information that you have provided in a structured, commonly used and machine-readable format, or that we send it directly to another company, where technically feasible.

      As set out above, you are entitled to withdraw your consent to the processing of your Personal Information but please note that if you do withdraw your consent, we may not be able to carry out our contractual obligations to you or provide you with access to all or certain parts of our Services.

      To exercise your Right to Access or your Right to Erasure, you may click here and enter the email address for which you want to exercise these rights. For all other requests or queries, please email, write, or call the Privacy Officer as indicated in the Contact Us section of this Privacy Policy.

      Complaints
      If you consider our use of your Personal Information to be unlawful, you have the right to lodge a complaint with the ICO. Please see further information on their website: www.ico.org.uk. Build-A-Bear Workshop and Build-A-Bear Workshop UK Limited are committed to working with you to obtain a fair resolution of any complaint or concern about privacy.

      Automatic decision making
      We do not make decisions in relation to your Personal Information that are based solely on automated data processing (including profiling).

      United States

      Build-A-Bear Workshop complies with the U.S. Federal and State privacy laws, including the Children’s Online Privacy Protection Act.

      California – CCPA Notice of Collection

      This section applies solely to visitors, users, and others who reside in the State of California (“consumers” or “you”), excluding any of our employees or our Affiliates’ employees that reside in the State of California, which are covered by our employment policies and handbook. We adopt this notice to comply with the CCPA and any terms defined in the CCPA have the same meaning when used in this notice.

      Information We Collect
      Build-A-Bear Workshop collects information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household (for purposes of this CCPA Notice, “personal information”). In particular, Build-A-Bear Workshop has collected the following categories of personal information from its consumers within the last twelve (12) months:

      Uses for Site Guests
      | Category | Examples | Collected |
      |---|---|---|
      | A. Identifiers. | A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, and account name. | YES |
      | B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). | A name, signature, address, telephone number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories. | YES |
      | C. Protected classification characteristics under California or federal law. | Age (40 years or older), race, color, ancestry, national origin, citizenship, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), veteran or military status. | YES |
      | D. Commercial information. | Products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | YES |
      | E. Biometric information. | Voiceprints, in the case of consumers who purchase our Record Your Voice Chip. | YES |
      | F. Internet or other similar network activity. | Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement. | YES |
      | G. Geolocation data. | Physical location or movements. | YES |
      | H. Sensory data. | Audio information, specifically voiceprints, in the case of consumers who purchase our Record Your Voice Chip. | YES |
      | I. Professional or employment-related information. | Current or past job history or performance evaluations. | YES |
      | J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. | NO |
      | K. Inferences drawn from other personal information. | Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | YES |

      For purposes of this CCPA Notice, personal information does not include:

      • Publicly available information from government records.
      • Lawfully obtained, truthful information that is a matter of public concern.
      • Deidentified or aggregated consumer information.
      • Information excluded from the CCPA’s scope, like:
        • health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data; or
        • personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.

      Build-A-Bear Workshop obtains the categories of personal information listed above from the following categories of sources:

      • Directly from you when you visit us in our retail locations or website. For example, from forms you complete or products and services you purchase.
      • Indirectly from you. For example, from observing your actions on our website.
      • From a third-party fraud assessment tool when you place an order via one of our websites.

      Retention of Personal Information
      Different types of personal information may need to be retained for different periods of time depending on the purposes for which the data is processed and the legal and regulatory retention requirements in relation to certain categories of personal information. In determining the appropriate retention period consideration is given to the following factors:

      • the purposes for which the personal information is processed;
      • the legal basis for processing that personal information;
      • legal requirements for retention (particularly employment and health and safety law); and
      • regulatory requirements.

      In particular, except where otherwise required by applicable law or a request to delete personal information, Build-A-Bear retains the above categories of personal information in accordance with the periods set out in the Data Retention Schedule to this Policy (click here for more information).

      In addition, Build-A-Bear may retain anonymised personal information (data that is no longer in a form identifying or making identifiable the individual to which the personal information originally related).

      Use of Personal Information
      We may use or disclose the personal information we collect for one or more of the business purposes set forth above under “How We Use Your Personal Information.” Build-A-Bear Workshop will not collect additional categories of personal information or use the personal information we collected for additional purposes without providing you notice.

      Disclosing Personal Information for a Business Purpose
      Build-A-Bear Workshop may disclose your personal information to a third party for a business purpose, including to help ensure the security and integrity of our Services, identify and repair errors that impair functionality of our Services, and performing services on behalf of us, such as providing customer services, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing advertising and marketing services (other than for cross-context behavioral advertising) and other similar services. When we disclose personal information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract.

      We disclose your personal information for a business purpose with the following categories of third parties:

      • Service providers
      • Data aggregators

      Disclosures of Personal Information for a Business Purpose
      In the preceding twelve (12) months, Company has disclosed the following categories of personal information for a business purpose:

      • Category A: Identifiers.
      • Category B: California Customer Records personal information categories.
      • Category C: Protected classification characteristics under California or federal law.
      • Category D: Commercial information.
      • Category F: Internet or other similar network activity.
      • Category G: Geolocation data.
      • Category I: Professional or employment-related information.
      • Category K: Inferences drawn from other personal information.

      Sharing Personal Information for Cross-Context Behavioral Advertising
      Build-A-Bear Workshop may share your personal information with a third party for cross-context behavioral advertising, which is the targeting of advertising to you based on your personal information obtained from your activity across businesses, distinctly-branded websites, applications, or services, other than those with which you intentionally interact. We share personal information with third parties for cross-context behavioral advertising for our commercial purposes and to provide you with advertising targeted to your interests and preferences.

      We do not have actual knowledge that we share the personal information of consumers under 16 years of age for cross-context behavioral advertising. We will not share the personal information of consumers we actually know are less than 16 years of age, unless we receive affirmative authorization from either the consumer who is between 13 and 16 years of age, or the parent or guardian of a consumer less than 13 years of age. Consumers who opt-in to personal information sharing may opt-out of future sales or sharing at any time.

      We share your personal information for cross-context behavioral advertising with the following categories of third parties:

      • Advertising and marketing companies.
      • Lead generators.
      • Analytics providers.
      • Social media platforms.

      In the preceding twelve (12) months, Build-A-Bear Workshop has shared the following categories of personal information for cross-context behavioral advertising:

      • Category A: Identifiers.
      • Category B: California Customer Records personal information categories.
      • Category D: Commercial information.
      • Category F: Internet or other similar network activity.
      • Category K: Inferences drawn from other personal information.

      Pursuant to the CCPA, you have the right to direct us to not share your personal information for cross-context behavioral advertising. To exercise this right to opt-out, you (or your authorised agent) may submit a request to us by visiting the following link:

      Do Not Share My Personal Information

      You may also exercise the right to opt-out using an opt-out preference signal in a format commonly used and recognised by businesses, such as through an HTTP header field. When we receive an opt-out preference signal, we will treat it as a valid request to opt-out of the sharing for that browser or device sending the signal, and, if known, for the consumer.

      Once you make an opt-out request, we will wait at least twelve (12) months before asking you to reauthorise sharing your personal information for cross-context behavioral advertising. However, you may change your mind and opt back in to sharing of your personal information at any time by:

      Opt-In to Sharing Personal Information

      You do not need to create an account with us to exercise your opt-out rights. We will only use personal information provided in an opt-out request to review and comply with the request.

      No Personal Information Sales
      We do not sell (as defined in the CCPA) any personal information that we collect or use. We do not have actual knowledge that we sell the personal information of consumers under 16 years of age.

      Sensitive Personal Information
      Build-A-Bear Workshop does not collect any sensitive personal information (as defined in the CCPA) of consumers. We have not sold (as defined in the CCPA) any sensitive personal information of consumers or shared any sensitive personal information of consumers for cross-context behavioral advertising in the last twelve (12) months.

      Non-Discrimination
      We will not discriminate against you for exercising any of your rights under the CCPA. Unless permitted by the CCPA, we will not:

      • Deny you goods or services.
      • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
      • Provide you a different level or quality of goods or services.
      • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

      However, we may, from time-to-time, offer you certain financial incentives permitted by the CCPA that can result in different prices, rates, or quality levels. Any CCPA-permitted financial incentive we offer will reasonably relate to the value to us of your personal information and contain written terms that describe the program’s material aspects. Participation in a financial incentive program requires your prior opt-in consent to join the Build-A-Bear Bonus Club, which you may revoke at any time pursuant to the terms and conditions of the Build-A-Bear Bonus Club. Click here for Bonus Club terms and conditions.

      Other California Privacy Rights
      Beginning 1 January 2005, under California’s “Shine the Light” law, California residents who provide Personal Information for uses identified above are entitled to request and obtain from us once a calendar year information about the customer Personal Information we shared, if any, with other businesses for their own direct marketing uses. If applicable, this information would include the categories of Personal Information and the names and addresses of those businesses with which we shared Personal Information for the immediately prior calendar year (e.g., requests made in 2016 will receive information regarding 2015 sharing activities).

      California, Colorado, Connecticut, Utah, and Virginia

      The CCPA, VCDPA, ColoPA (from and after 1 July, 2023), CT DPA (from and after 1 July, 2023), and UCPA (from and after 31 December, 2023) provide residents of their respective states with specific rights regarding their Personal Information. This section describes these rights and explains how residents of those states can exercise those rights.

      Access to Specific Information and Data Portability Rights
      Pursuant to applicable law, you may have the right to request that Build-A-Bear disclose certain information to you about our collection and use of your Personal Information. Once we receive and verify your request (see Exercising Access, Data Portability, Correction, and Deletion Rights below for more information), we will disclose to you, as applicable:

      1. The categories of Personal Information we collected about you.
      2. The categories of sources for the Personal Information we collected about you.
      3. Our business or commercial purpose for collecting or sharing that Personal Information.
      4. The categories of third parties to whom we disclose that Personal Information.
      5. The specific pieces of Personal Information we collected about you (also called a data portability request).
      6. If we sold or disclosed your Personal Information for a business purpose, two separate lists disclosing:
        1. the Personal Information categories that we sold and for each category identified, the categories of third parties to whom we sold that particular category of Personal Information; and
        2. the Personal Information categories that we disclosed for a business purpose and for each category identified, the categories of third parties to whom we disclosed that particular category of Personal Information.

      Correction Request Rights
      You may have the right to request that we correct inaccurate Personal Information about you. Once we receive and verify your request (please see Exercising Access, Data Portability, Correction, and Deletion Rights below for more information), we will use commercially reasonable efforts to correct the information to comply with your request. This right is not afforded to residents of Utah.

      Deletion Request Rights
      Pursuant to applicable law, you may have the right to request that Build-A-Bear Workshop delete any of your Personal Information that we collected from you and retained, subject to certain exceptions. Once we receive and verify your request (see Exercising Access, Data Portability, Correction, and Deletion Rights below for more information), we will delete (and direct our service providers to delete) your Personal Information from our records, unless an exception applies. In responding to your request, we will inform you whether or not we have complied with the request, and, if we have not complied, provide you with an explanation as to why.

      A service provider may not be required to comply with a deletion request submitted directly to the service provider.

      We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:

      • Complete the transaction for which we collected the Personal Data, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
      • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
      • Help to ensure security and integrity to the extent the use of your Personal Information is reasonably necessary and proportionate for those purposes.
      • Debug products to identify and repair errors that impair existing intended functionality.
      • Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.).
      • Exercise free speech, ensure the right of another consumer to exercise his/her free speech rights, or exercise another right provided for by law.
      • Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
      • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
      • Comply with a legal obligation.

      Sharing/Targeted Advertising Opt-Out and Opt-In Rights
      Build-A-Bear Workshop may share your Personal Information with a third party for cross-context behavioral advertising (under the CCPA) or process your Personal Information for targeted advertising (under the VCDPA, ColoPA (from and after 1 July, 2023), CT DPA (from and after 1 July, 2023), and UCPA (from and after 31 December, 2023)). Pursuant to applicable law, you may have the right to direct us to not share your Personal Information for cross-context behavioral advertising or process your Personal Information for targeted advertising.

      To exercise this right to opt-out, you (or your authorised agent) may submit a request to us by visiting the following link:

      Do Not Share My Personal Information

      You may also exercise the right to opt-out using an opt-out preference signal in a format commonly used and recognised by businesses, such as through an HTTP header field. When we receive an opt-out preference signal, we will treat it as a valid request to opt-out of the sharing for that browser or device sending the signal, and, if known, for the individual.

      Once you make an opt-out request, we will wait at least twelve (12) months before asking you to reauthorise sharing your Personal Information for cross-context behavioral advertising or processing your Personal Information for targeted advertising. However, you may change your mind and opt back in to sharing of your Personal Information or processing of your Personal Information for targeted advertising at any time by:

      Opt-In to Sharing Personal Information

      You do not need to create an account with us to exercise your opt-out rights. We will only use Personal Information provided in an opt-out request to review and comply with the request.

      Exercising Access, Data Portability, and Deletion Rights
      To exercise the access, data portability, correction, and deletion rights described above, please submit a verifiable request to us by one of the following methods:

      • Calling us at 1-877-789-BEAR (2327)
      • Visiting the request page on our website here
      • Visiting a California, Colorado, Connecticut, Utah, or Virginia store location, as applicable

      When you use a request method above, we will request certain information for verification purposes, such as your name, address, and e-mail address. We will use this information to verify this is a permitted request, such as by matching your name and address with information in our records. Depending on the type of request, we may require a certain number of data points to allow for verification.

      Only you, or a person properly authorised to act on your behalf, may make a verifiable request related to your Personal Information. You may also make a verifiable request on behalf of your minor child.

      An authorised agent may make a request on your behalf using the request methods designated above. Additionally, if you use an authorised agent to submit a consumer request, we may require the authorised agent to provide proof that you gave the agent signed permission to submit the request. We may also require you to verify your own identity directly with us or directly confirm with us that you provided the authorised agent permission to submit the request.

      You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

      • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorised agent of such person.
      • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

      We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you.

      Making a verifiable consumer request does not require you to create an account with us.

      We will only use Personal Information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

      If we deny your request, you may have the right to appeal our decision. Further, if you appeal and your appeal is denied, you may have the right to complain to your state’s attorney general. You may appeal our decision by contacting us at privacy@buildabear.com.

      For instructions on exercising opt-out and opt-in rights, see Sharing/Targeted Advertising Opt-Out and Opt-In Rights above.

      Response Timing and Format
      In accordance with applicable law, we endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to 90 days total), we will inform you of the reason and extension period in writing.

      We will deliver our written response by mail or electronically, at your option.

      The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your Personal Information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

      We do not charge a fee to process or respond to your requests unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

      Europe

      From 25 May, 2018, Build-A-Bear Workshop’s practices are compliant with the GDPR in Europe.

      Uses of Personal Information

      Customers and visitors to our site
      Uses for Site Guests
      What we collect:
      • first and last names;
      • email address;
      • postal address;
      • date of birth and/or age;
      • phone number;
      • sex/gender;
      • credit card information;
      • payment details;
      • product preference;
      • purchasing history;
      • IP address;
      • Device ID;

      We may use your information for the following purposes, based on the following legal grounds:
      • If it is necessary for the performance of our contract or for the purposes of entering into a contract: for the purpose of negotiating and entering into contractual agreements with you, in the course of providing our Services or to enable you to make an in store or online purchase.
      • If it is in our legitimate business interests to do so: for internal record keeping for administration purposes, for the purpose of communications in relation to establishing a customer relationship, including to suggest products and services which may be of interest to you, obtaining evidence of identity of our customers, for insight purposes (e.g. to analyse market trends and demographics, and develop the service which we offer to you or other individuals in the future) or for online age verification purposes.
      • Compliance with a legal obligation: in order to prevent fraud or money laundering or to comply with any other legal or regulatory requirements.
      • If we obtain your consent: in order to:
        • conduct business with you
        • improve your experience with us
        • register your Build-A-Bear Workshop product in our Find-A-Bear® ID system
        • book a party
        • create a wish list
        • process, fulfill, and follow up on online purchases
        • create and maintain accounts
        • register for our Build-A-Bear Bonus Club program
        • handle guest service requests
        • maintain our Loyalty Program
        • send friends and families emails and e-cards on your behalf
        • send surveys
        • help you receive email and direct mail
        • help you receive text messages
        • help you register for contests, sweepstakes, promotions, lotteries, loyalty programs and competitions
        • help you send us testimonials, guest submissions, or other communications
        • help you submit a book review.

      Recipients:
      1. We may share information about you within the Build-A-Bear group, as more fully described above. (click here for more information).
      2. Please note that personal information we are holding about you may be shared with and processed by:
        2.1. regulators or other third parties for the purposes of monitoring and/or enforcing our compliance with any legal and regulatory obligations, including statutory or regulatory reporting or the detection or prevention of unlawful acts;
        2.2. credit reference and fraud prevention agencies;
        2.3. any third party in the context of actual or threatened legal proceedings, provided we can do so lawfully (for example in response to a court order);
        2.4. other parties and/or their professional advisers involved in a matter where required as part of the conduct of the Services;
        2.5. our own professional advisers and auditors for the purpose of seeking professional advice or to meet our audit responsibilities;
        2.6. our service providers and agents (including their subcontractors) or third parties which process information on our behalf (e.g. internet service and platform providers, our bank, payment processing providers and those organisations we engage to help us send communications to you) so that they may help us to provide you with the applications, products, services and information you have requested or which we believe may be of interest to you;
        2.7. third parties as part of the arrangements for any event for which you have expressed an interest in attending; and
        2.8. another organisation to whom we may transfer our agreement with you or if we sell or buy (or negotiate to sell or buy) our business or any of our assets (provided that adequate protections and safeguards are in place).

      Suppliers and supplier personnel
      Uses for Supplier Personnel
      What we collect:
      • first and last names;
      • email address;
      • telephone numbers;
      • payment details;
      • identification.

      We may use your information for the following purposes, based on the following legal grounds:
      • If it is necessary for the performance of our contract or for the purposes of entering into a contract: for the purpose of negotiating and entering into contractual agreements with you, in the course of receiving services from you, for the purposes of making payments to you.
      • If it is in our legitimate business interests to do so: for internal record keeping for administration purposes, for the purpose of communications in relation to establishing a working relationship.
      • Compliance with a legal obligation: in order to prevent fraud or money laundering or to comply with any other legal or regulatory requirements.

      Recipients:
      3. We may share information about you within the Build-A-Bear group, as more fully described above. (click here for more information).
      4. Please note that personal information we are holding about you may be shared with and processed by:
        4.1. our customers, in the course of providing services to them;
        4.2. regulators or other third parties for the purposes of monitoring and/or enforcing our compliance with any legal and regulatory obligations, including statutory or regulatory reporting or the detection or prevention of unlawful acts;
        4.3. credit reference and fraud prevention agencies;
        4.4. any third party in the context of actual or threatened legal proceedings, provided we can do so lawfully (for example in response to a court order);
        4.5. our own professional advisers and auditors for the purpose of seeking professional advice or to meet our audit responsibilities;
        4.6. our service providers and agents (including their subcontractors) or third parties which process information on our behalf (e.g. internet service and platform providers, our bank, payment processing providers); and
        4.7. another organisation to whom we may transfer our agreement with you or if we sell or buy (or negotiate to sell or buy) our business or any of our assets (provided that adequate protections and safeguards are in place).

      Personal Information Retention Periods

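      Category: Guest Data (Non-Bonus Club Member Data)
      Information description (includes but not limited to): Names; Addresses; Transaction Information; Payment details; E-mail Addresses; Telephone Numbers; Purchasing history; IP address; Device ID
      Retention Period (in absence of a deletion request, other request from a data subject or legal requirement): 6 years

      Category: Bonus Club Member Data
      Information description (includes but not limited to): Names; Addresses; Transaction Information; Payment details; E-mail Addresses; Telephone Numbers; Product preference; Purchasing history; IP address; DOB’s; Gender
      Retention Period (in absence of a deletion request, other request from a data subject or legal requirement): For as long as a bonus club account is active, and for 1 year after cancellation of account.

      Category: Guest Data (for Online Age Verification Only)
      Information description (includes but not limited to): Date of Birth; Age Range
      Retention Period (in absence of a deletion request, other request from a data subject or legal requirement): Not retained beyond initial data entry point (deleted immediately following verification)

      Category: Supplier Data
      Information description (includes but not limited to): Names; Addresses; Transaction Information; Payment details; E-mail Addresses; Telephone Numbers
      Retention Period (in absence of a deletion request, other request from a data subject or legal requirement): 6 years after services have been provided

      Category: Supplier Contracts
      Information description (includes but not limited to): Contracts for supplier services; Related sub-contracts
      Retention Period (in absence of a deletion request, other request from a data subject or legal requirement): 12 + 1 years after services have ceased

      Category: Insurance Data
      Information description (includes but not limited to): Personal Information involving insurance claims; Insurance policies; Insurance related correspondence, outcomes and notices
      Retention Period (in absence of a deletion request, other request from a data subject or legal requirement): 12 + 1 years

      Category: Health and Safety
      Information description (includes but not limited to): Assessments; Policy Statements; Records of consultations with safety representatives
      Retention Period (in absence of a deletion request, other request from a data subject or legal requirement): Permanently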

      Click here to learn about cookies on buildabear.com and buildabear.co.uk.