Privacy Policy

Last Revised: 23 September 2020


This Privacy Policy ("Policy") describes how Gapurna Permai Sdn. Bhd, an authorized franchisee of Costa International Limited, uses and discloses personal data of customers collected through our Costa websites and Costa applications ("Costa app") and other online services that link to this policy (collectively, the "Platforms"), including our physical Costa stores ("Stores"). By accessing the Platforms, you hereby voluntarily consent to the use and collection of your data, including your personal data, personal preferences, any information of others provided by you, in the manner described in this Policy. Without limiting the generality of the foregoing, you authorise us to transmit your data outside Malaysia in the manner and for the purposes described in this Policy.

Gapurna Permai Sdn Bhd ("Costa", "We", "Us") is the controller and data user of your personal data. We respect your data and your privacy is important to us.

This notice also explains what rights you have over your personal data and how you can use those rights.

An overview of how we use your data is here.

  1. Summary of how we use your data and your rights
  2. Data we collect from you
  3. Data we receive from third parties
  4. How we use data and the legal basis
  5. Data sharing
  6. Cookies and similar technologies
  7. Data retention
  8. Your rights
  9. Security of your personal data
  10. Contact details
  11. Which Costa entity is the controller?

  1. Summary of how we use your data and your rights

We use your data to provide and improve our products and services, including for marketing, research, feedback and enquiries, and for safety and security purposes, in compliance with the requirements of the Malaysian Personal Data Protection Act (“PDPA”) 2010. We also use your data when you enter competitions or awards that we organise.

We will use your data to comply with laws and regulations. We use your data to prevent and detect crime, such as fraud.

You have the right to object to some of the processing Costa carries out. More information about your rights and how to exercise these is set out in the “Your rights” section of this notice.

You are able to withdraw your consent at any time by emailing justinalee@gapurnapermai.com. You can also email justinalee@gapurnapermai.com to exercise any other data rights, such as obtaining a copy of your data, correcting, deleting or restricting how we use your data. Please see “Your rights” for more information.

You can unsubscribe from marketing communications at any time. To opt out of direct marketing, including profiling for direct marketing purposes, you can either adjust the preference settings, or select “unsubscribe” in emails, or email justinalee@gapurnapermai.com.

Our Platforms use cookies and similar technologies to improve functionality, recognise you and to customise your experience. You can reject and block cookies in your browser settings.

If you enable location services on the app, or you access the location finder on our sites and your browser settings allow this, your device will identify and alert you to the nearest Costa Store to your location.


  2. Data we collect from you

We collect data when you purchase something or use our services or enter our competitions or awards. This includes store visits, using our Platforms, or corresponding with us.

In particular:

  1. We keep data you give us directly such as contact details (including name, email, address and telephone number), comments, date of birth, gender, region, frequency of visits, feedback, marketing opinions and competition entries.
  2. Financial account data, such as credit card number and other payment data.
  3. If you buy products via our app – what you buy, where you buy, how frequently you buy, rewards you earn, rewards you redeem.
  4. We record and analyse store, web and app visits, details of your purchases and where you take advantage of our promotions.
  5. When you sign up to in-store WiFi.
  6. If there is an incident, we log data about it.
  7. If you engage with us online via our Platforms, our cookies and similar technologies will capture your IP address, your location, and record how you use the site or app to help improve it and improve your user experience, where your browser settings or permissions allow for this.
  8. If you post data online about us or provide feedback, we keep a record.
  9. If you contact us directly and complain or give feedback, receive compensation, or enter a competition, we will record details and all related data (including that you provide to us) such as emails, letters, phone calls, date of birth to our product customer data helplines including those operated by third parties.
  10. We use CCTV in our premises for the prevention and detection of crime and for safety and security reasons.

  3. Data we receive from third parties

We receive your data from other people in certain circumstances. This can happen when:

  1. Someone buys you our product and/or instructs us to deliver it to you. They give your name, phone number and address, so we can send you the product they purchased.
  2. You participate in market research, such as focus groups or surveys.
  3. When we engage our CCTV system provider.

  4. How we use data and the legal basis

Costa may use data about you or others that you have provided of your own volition for purposes described in this Policy or disclosed to you on our Platforms or with our Services. For example, we may use data about you or others that you provided to:

  1. Process and manage your purchase and use of Costa products and services, including your accounts and program participation, and your use of our Platforms.
  2. Respond to your customer service inquiries, post your comments or statements on any blog or other online forum maintained on our Platforms, or take other actions in response to your inquiries or other website/app activities.
  3. Create personalized promotions by combining your personal data with non-personal data about you, such as the amounts and types of purchases you make or any benefits you receive through our programs.
  4. Communicate with you about your orders or purchases, your services, accounts and program participation, a contest or sweepstakes you have entered, and your requests for data.
  5. Communicate with you about our brands, products, events or other promotional purposes, including co-branded offers and affiliate and partner offers in relation to food and beverage and catering services.
  6. For internal operations, including troubleshooting, data analysis, testing, research and service improvement.
    The data that we collect from you may be transferred to, and stored at, a destination outside Malaysia. By submitting your data and accessing the Platforms, you consent and agree to such transfers.
  7. To prevent, investigate and/or report fraud, terrorism, misrepresentation, security incidents or crime, including where we are required to do so by law, we:
    1. Review CCTV, record call centre communications and emails.
    2. Use other organisations to check the validity of the credit or debit card details you use to pay (for further details see “Data sharing” below).
  8. To comply with law, assess and uphold legal or contractual rights and claims, and for monitoring, auditing and training on compliance matters:
    1. We keep records and pass your data to Costa International Limited and our insurers when necessary (for further details see Data sharing below).
    2. We monitor and record communications, including incoming and outgoing calls and emails.
    3. We verify your identity in certain circumstances.
    4. We keep records to comply with health and safety legislation, including accounting for the number of individuals on our premises and logging accidents.

If you give us consent, we:

  1. Send you electronic marketing, including promotions and offers, in relation to our products and services and inform you of other Costa outlets. You can subscribe or unsubscribe from our marketing communications at any time. For instance, preferences can be adjusted in account settings online.
  2. Use cookies or similar technologies on the website, app and in marketing emails, including analytic cookies.
  3. Through the settings on your device, send you push notifications through the app.
  4. If you use the store locator in the app or site and enable location services, it will notify you of the nearest Costa Coffee store.
  5. Use data for other purposes where we explain that purpose when we ask for your consent.

When you give consent, you are able to withdraw that consent at any time by contacting us, for instance by emailing justinalee@gapurnapermai.com. If you do so we can only continue to use your data if another legal basis applies, such as when we’re required to do something by law.

Nevertheless, you have an absolute right to opt-out of direct marketing, including profiling for direct marketing purposes, at any time. You can opt out of marketing by selecting “unsubscribe” in emails or by adjusting the preference settings on your account or by emailing justinalee@gapurnapermai.com.

When the law requires us to process your data we will do so. This can include:

  1. Legal, compliance, regulatory and investigative purposes, including for government agencies and law enforcement.
  2. When you exercise your rights under data protection legislation, including when you ask to unsubscribe from our marketing communications.

  5. Data sharing

For some activities Costa uses third party service providers, for instance provision of WiFi in our stores. When these service providers need your customer data, we share it with them. For example, a delivery partner may need your name, contact details, address and the items you have purchased in order to deliver your purchase, to manage any complaints and for other relevant purposes.

We use third party providers for the following services:

  1. WiFi
  2. Sending promotional offers
  3. Customer feedback surveys
  4. Delivery order fulfilment, including the management of queries, concerns or complaints related to your order(s)
  5. Data analysis to enable us to optimise our services (including locations and products)
  6. Gift cards (including E-Gifts)
  7. Loyalty scheme platform
  8. Insurance
  9. IT development, support, maintenance and hosting, including the provision of applications and website hosting
  10. Payment processing to enable you to pay by credit or debit card
  11. CCTV system provision and maintenance
  12. Administration of our competitions and awards

We may share data with our group of companies, parent company, subsidiaries and other affiliated companies.

If our business is to be integrated with another business or sold, your details would be shared with our advisers and any prospective purchaser’s advisers. Your data could be passed to the new owners. (You will be notified if this happens).

Personal data may be shared with government authorities and/or law enforcement officials for the prevention or detection of crime, if required by law or if required for a legal or contractual claim.


  6. Cookies and similar technologies

We may automatically collect online use data when you visit our website or use our app. This data may include data about your Internet service provider, your operating system, browser type, domain name, Internet protocol (IP) address, your access times, the website that referred you to us, the Web pages you request, and the date and time of those requests. Our collection of online use data may involve the use of cookies and Web beacons. Cookies are small data files stored on your hard drive by a website. Among other things, cookies help us improve our Platforms and your experience. We use cookies to see which areas and features are popular and to count visits to our Platforms.

We may combine data we collect about you with data we receive from third parties.


  7. Data retention

We keep your data to enable us to fulfil our contract with you or to provide services, to enable us to facilitate the provision of products and services purchased from us, whilst you are an active user of our site or app, to administer and promote our awards and competitions, or where required by law or to protect legal rights.

We always look to keep your data for the minimum time in line with data protection principles and our processes. For example, we keep:

  1. Personal data related to products and services purchased in our app for as long as the personal data is required in order for us to fulfil our contract with you, as long as required to service any related warranty and for 6 years from performance of our contract with you.
  2. Records of payment data in line with tax law and audit requirements.
  3. Customer feedback and correspondence with our customer services teams, depending on the nature of the interaction and any applicable law, such as health and safety. This enables us to respond to any questions or complaints.
  4. Data to maintain records according to rules that apply to us.

If you unsubscribe from marketing communications we keep a record of this request indefinitely to ensure we do not send you direct marketing again.

We may keep your data for longer if we cannot delete it for legal, regulatory or technical reasons.


  8. Your rights

You have rights over your personal data.

You can:

  1. ask for a copy of your data;
  2. ask for data to be corrected;
  3. ask for data to be erased or deleted;
  4. ask for us to limit or restrict processing;
  5. object to us processing your data, in particular, where we do not have to process the data to meet a contractual or other legal requirement and in relation to processing for direct marketing purposes, including profiling for direct marketing purposes;
  6. ask us to send you a copy in a structured digital format or ask for us to send it to another party.

Some rights, however, may be limited. We may be obliged by law or regulation to keep data. We must respect other people’s privacy as well, which means we may need to redact or remove data where it includes personal data about someone else, even if it is connected to your data. On occasion there may be a compelling legitimate interest to keep processing data. If you want a copy of your data, to object to how we use your data, or to ask us to delete it or restrict how we use it, please see ‘Contact details’ below. To process a request from you, we may need to confirm your identity to ensure we’re accessing the right data.


  9. Security of your personal data

We take reasonable steps to maintain appropriate physical, technical and administrative security to help prevent loss, misuse, unauthorized access, disclosure or modification of personal data.

While we take these reasonable efforts to safeguard your personal data and information of others that you provided, no system of transmission of data over the internet or any other public network can be guaranteed to be 100% secure.


  10. Contact details

To discuss or change your personal details, including preference settings, you can click on “Profile” and edit your details from there; or you can contact customer services at justinalee@gapurnapermai.com.

For any queries relating to data protection, please contact Costa's Data Protection Officer by email at justinalee@gapurnapermai.com or write to them at Gapurna Permai Sdn Bhd, 42-2, Jalan Medan Setia 2, Plaza Damansara, Bukit Damansara, 50490 Kuala Lumpur.

We may change or update this notice from time to time. We will communicate these as appropriate – for example, by updating our website or, where legally required, by actively telling you about the changes.


  11. Which Costa entity is the controller?

The controller for your data is Gapurna Permai Sdn Bhd, 42-2, Jalan Medan Setia 2, Plaza Damansara, Bukit Damansara, 50490 Kuala Lumpur.

Please remember that when you click a link to go from our website to another website, our Privacy Policy no longer applies. Any browsing and interaction on another website is subject to that website's or third party's notices and policies, which we recommend you read. This policy applies solely to data collected and processed by Costa Coffee.

Some stores using the Costa brand are licensees of Costa International Limited but are not related to us. We are all committed to protecting your privacy but, just to be clear, each Costa franchisee/licensee is an independent business and is responsible for the operation of its own stores and Platforms and compliance with data protection law.