What are the top five food apps doing with your data?

Food delivery apps are hugely popular across the UK and the world, and they’re only getting bigger. After all, everybody’s gotta eat.

Unfortunately, as well as getting you that hot meal or drink you’ve been craving, most food apps also dabble in another business - the sharing of your personal data. From your food preferences, to the dates and times you're most likely to eat, as well as giving third parties access to your data and so that you can be targeted with personalised ads, there's a lot going on.

So, we looked at the following apps:

• Deliveroo
• Just Eat
• UberEats
• Gousto
• Hello Fresh

We read their privacy policies, and asked three questions:

1. What data of yours do they collect?
2. Do they share this data with third parties for advertising purposes?
3. And if so, who with?

⚠️ Remember, when we list the data a company collects on you this doesn’t necessarily mean the company shares all this data with advertisers, they may only share some of it.

Deliveroo app

Let’s start with Deliveroo, the $2 billion valued food and drink delivery company whose business soared during the coronavirus. Co-founder of Deliveroo, Will Shu, said to the BBC that ‘Covid-19 really has marked a new era of delivery’, bringing forward their consumer behaviour by about ‘one to three years’.

What data do they collect on you?

Some examples of the data Deliveroo collects on you include:

• Name, contact details, address and age
• Payment details
• Health information e.g. food allergies (only if you consent)
• Recordings of your calls with Deliveroo
• Messages and feedback you post
• Device type, connection type and IP
• Through your ‘mobile’s browser’ or the deliveroo app, (unless you opt out) your interaction with other retail technology e.g. NFC Tags, QR codes and use of mobile vouchers

Do they share your data with third parties for advertising purposes?

Yes.

Deliveroo collects data about your browsing behaviour on their website and ‘other websites’ to ‘create profiles relating to you’ and show you ads that you’re more likely to respond to. For example, ads for food types you’ve ordered before or ads about what it's like to be a Deliveroo rider if you’ve previously visited their rider apply page.

Who with?

Their cookie policy says Deliveroo share your data with:

• Google
• Microsoft/Bing
• Facebook
• Snapchat
• LinkedIn
• Twitter
• theTradeDeck
• Captify

Delete my personal data from Deliveroo

Have they made any big data-related headlines?

Yes.

In 2019- the BBC reported Deliveroo and Just Eat (we have a look at Just Eat below) are working to combat fraud after customers reported their accounts were being used to buy food they didn’t order, some charges for orders were almost £1,000.

You might be wondering why we’re having a look at the data-related headlines of a company. Well, we think it can be pretty insightful- although above all we value the privacy of your data, we think the security of your data is also extremely important. What’s the point in private data if anyone can get hold of it and use it however they want anyway?

So, it could be a good idea to take into consideration any major data-breaches of a company before allowing them to collect your data. But, please also take these headlines with a pinch of salt. Just because something is or isn’t in the news doesn’t mean a company is necessarily better or worse with data protection: not all data breaches are reported on or even detected.

Just Eat app

Founded in 2001, Just Eat is the most popular food delivery company in the UK and it operates in countries across the world including Canada, Spain and New Zealand. Just Eat processed over 300 million food orders in 2018 alone, and the company is valued at £5 billion, with revenue for this year up 28%.

What data do they collect on you?

Just Eat are not very specific about the data they collect on you, but we do know they collect:

• Name, address, payment details
• Reviews you publish and your feedback
• Buying habits
• Last page visited

Do they share your data with third parties for advertising purposes?

Yes.

Just Eat work with ‘advertising affiliates’ that serve you ads ‘personalised to your interests based upon your internet browsing activity’.

Who with?

Their cookie policy says Just Eat share your data with:

• Twitter
• Facebook
• Criterio
• DoubleClick
• GoogleAdwords
• Havas
• Vindico

Have they made any big data-related headlines?

Yes. Let’s have a look at some of the news headlines…

In 2019- the BBC reported Deliveroo and Just Eat were working to combat fraud after customers reported their accounts were being used to buy food they didn’t order

In 2018- the Independent reported on how a delivery man for Just Eat used a customer’s number to send her unsolicited texts

Delete my data from Just Eat

UberEats app

Known primarily for it’s ride-sharing app, Uber’s UberEats is now America’s most popular food delivery app. But, despite it’s big name and the fact it’s quarterly revenue was over $2.5 billion in April 2019, UberEats is still struggling to make a profit

What data do they collect on you?

Some examples of the data UberEats collects on you include:

• Name, profile picture and contact details
• Access dates and times
• Login name and password
• Features/pages on the app you view
• Location data (when you’re on the app or it’s running in the background) and demographic data
• Payment details

Do they share your data with third parties for advertising purposes?

Yes.

If you place an order on UberEats, they’ll ‘provide recommendations, promotions, or ads about similar food offered by other Uber partners’.

Tellingly, UberEats have a ‘Do not sell my info’ link on their homepage, which is required by the California Consumer Privacy Act (CCPA) for any business that sells or shares personal information. We’ve written a blog explaining the CCPA if you’d like to know more!

Who with?

UberEats say in their cookie policy that they share your data with:

• Google
• Facebook
• Adobe
• MediaMath
• Yahoo
• Twitter
• LinkedIn
• Outbrain
• Microsoft/Bing
• QuantCast
• Moat
• Liveramp
• Indeed

Have they made any big data-related headlines?

Yes.

In 2018- the BBC revealed that hackers stole the data of 2.7 million UK customers. Uber paid the hackers £78,400 to destroy the data and didn’t alert users of the breach. The ICO fined Uber £385,000.

Gousto recipe boxes

Gousto is a British recipe box provider that had an impressive net income of £15.6 million in 2018. During lockdown it saw a surge in orders to the point that Gousto had to stop accepting new customers, and earlier this year announced that it would be holding a virtual dinner party with celebrities such as Paloma Faith and Nick Grimshaw.

What data do they collect on you?

Some examples of the data Gousto collects on you include:

• Name and contact details
• IP address, previous purchases and recipes you look at
• Survey data e.g. household makeup, age, food preferences and allergies

Do they share your data with third parties for advertising purposes?

Yes.

Gousto says that: ‘your personal data will be shared to relevant third parties to allow you to receive tailored communications about products that may be of interest to you’.

Who with?

Gusto uses some social media features such as Facebook’s like button and LinkedIn’s share/follow button. In return, these social media platforms can collect information related to your visit on the Gusto website and use it for their own targeted advertising.

Some examples of the social media platforms and other third parties Gousto share your data with are:

• Google
• Microsoft
• Facebook
• Twitter
• Pinterest
• LinkedIn
• Youtube
• Appnexus
• AddRoll
• Epsilon Abacus

To give you an idea, Epsilon Abacus is a company that manages an alliance of UK retailers e.g. for clothing, food & wine and entertainment. These retailers share data on what their customers buy, and Epsilon Abacus pools together this data to help ‘retailers understand consumers’ wider buying patterns’ and help them with targeted advertising, amongst other services.

Have they made any big data-related headlines?

No. But, please note that just because something is or isn’t in the news doesn’t mean a company is necessarily better or worse with data protection: not all data breaches are reported on or even detected.

HelloFresh food box

HelloFresh is the most popular meal-kit company in the world. It has over 4 million active customers and delivered over 280 million meals in 2019. It’s based in Germany, operates in 14 different countries and is known for providing healthy easy-to-follow recipes.

What data do they collect on you?

Some examples of the data HelloFresh collects on you include:

• Name, username, marital status, title, date of birth and gender
• Address, contact details and payment details
• IP address, browser type and version and time zone setting
• Purchase history
• Interests, preferences and feedback

Do they share your data with third parties for advertising purposes?

Yes.

Third parties can ‘create profiles of your usage behavior’ and use it to ‘show you personalized advertising’.

Who with?

HelloFresh works with Experian for direct marketing campaigns. HelloFresh says that: ‘Experian combines our customer records with their own data in order to identify an actionable audience within Facebook for targeted advertising’.

They also share data with:

• Facebook
• Twitter
• Google
• Pinterest
• Dynamic Yield
• Hotjar
• New Relic
• AppNexus
• Microsoft/Bing
• Cross Engage
• Taboola
• Crazy Egg
• Outbrain
• BidSwitch
• Flashtalking
• VE Interactive
• FLXONE

Have they made any big data-related headlines?

No.

Final thoughts

You may be surprised at just how many third parties these companies share your data with for advertising purposes. Facebook, Microsoft and Google in particular seem to pop-up frequently.

The information we’ve used in this article is from each company’s privacy and cookie policy- the one’s you ‘consent’ to before using the service e.g. ‘by continuing to use our website, we assume that you consent to use of the cookies outlined above’.

If you don’t like the idea of being targeted by ads based on information about your food preferences or any of the other data we listed above, it might be worth adjusting your privacy and cookie preferences in each app or website ⚙️. Or, if you’d like to know exactly what data each company has on you, who they share it with and even ask for it to be deleted, you can send them a SAR (Subject Access Request), either by yourself or by using Rightly!

We hope this article has given you a better understanding of what some of the top food sites do with your data, and as always, if you have any questions or thoughts on this topic get in touch- we’d love to hear from you!