Privacy Policy

Last Updated August 1, 2022

At Bob's Red Mill Natural Foods, Inc. (“BRM,” “we,” “us”), we respect your privacy and are committed to protecting it. This Privacy Policy explains how we treat information collected through bobsredmill.com, our other websites and online channels, products and services we offer, and your interactions with BRM in any manner (collectively, our “Services”) and is governed by and part of our Terms and Conditions.

This Privacy Policy serves as BRM’s notice at collection and disclosure of privacy practices to you. Please read it carefully to understand our privacy practices and your options to exercise your privacy rights.

By accessing our Services in any manner, you agree to our privacy practices as described in this Privacy Policy.

If you do not agree with this Privacy Policy, do not access or use our Services. If you have any questions, please contact us by:

Personal Data

When we say, “Personal Data,” we mean any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal Data falls within certain categories, for example:

  • Identifiers (e.g., name, email, telephone number, address, username);
  • Sensitive Personal Data (e.g., government identification number; precise geolocation; racial or ethnic origin; religious beliefs; health information; contents of messages when we are not the recipient; in some cases, information about a known child);
  • Legally protected information (e.g., race, citizenship, marital status, sex);
  • Employment-related information (e.g., current or past employment);
  • Non-public educational information, including information protected under the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g, 34 C.F.R. Part 99);
  • Biometrics (e.g., DNA, face/voice prints, health data) and audio, electronic, visual, thermal, or olfactory information;
  • Inferences drawn from Personal Data to create a profile about preferences, characteristics, trends, predispositions, behavior, attitudes, intelligence, and aptitudes;
  • Commercial information (e.g., products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies); and
  • Internet or other similar activity (e.g., browsing history; content interactions).

Not all personal information is protected as Personal Data. Publicly available information, aggregated information (meaning data summaries or reports with Personal Data removed), and anonymized information that cannot be linked back to an individual are generally not subject to legal protections.

Personal Data Collection & Use

The categories of Personal Data we collect about you and the manner of collection depend on how you use our Services, such as whether you are a customer purchasing our products or services we offer or a visitor or user of our Services. Our lawful bases for collection and use of Personal Data include: (a) consent, as informed by this Privacy Policy and freely given at the time you provide the information; (b) to achieve a legitimate interest that we explain at the time of collection; or (c) as authorized or required by law. We only collect, use, retain, and disclose Personal Data as is adequate and relevant to the specific, express purposes described below or as reasonably necessary and proportionate to provide you with the Services you request.

Categories of Personal Data Collected

During the preceding 12 months, we have collected (a) identifiers, (b) commercial history, and (c) internet or similar activity.

Sources of Personal Data Collected

BRM collects Personal Data from these sources:

  • From you as a customer, with your consent. If you create a customer account, we will collect a username and password and ask you to complete an account profile by providing identifiers like your name, email address, phone number, and postal address. We will collect other information that you choose to include in your account profile. If you purchased BRM products through our Services, we collected commercial history related to your shopping and purchase and the identifiers necessary to fulfill and ship your order. We collect this information with your consent and we use it to fulfill your orders, to provide you with customer support, and for our internal business purposes.
  • From your communications with us, with your consent. If you visit our website, interact with our online channels, sign up for our email newsletter, or request information about our Services, we will collect identifiers like your name, email address, or social media handle as needed to facilitate your interaction with our Services. If you email BRM or message us on social media, we will collect your contact information and any other information you choose to include in your message to us. We may keep a record of our correspondence with you. We collect this information with your consent, and we use it for the purposes stated at the time of collection, to communicate with you, or to send you direct marketing communications based on your stated preferences.
  • Automatically from your use of our Services, with a legitimate interest. When you visit our website or interact with our online channels, we use cookies and related technologies to collect technical data, which may include Personal Data, like your IP address, browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data. With your permission, we may use and store information about your location while using the Services. Please review our Cookie Notice to learn more. We collect and use this information to achieve our legitimate interests of administering and improving the Services.

Other Uses of Personal Data

In addition to the uses described above, BRM might use your Personal Data to:

  • Fulfill any purpose to which you consent.
  • Monitor your compliance with our agreements and policies.
  • Help maintain the safety, security, and integrity of our technology assets.
  • Conduct internal testing, research, analysis, and product development, including to develop and improve our content and offerings.
  • Personalize your experience or deliver targeted ads according to your consent and stated preferences.
  • Respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
  • Identify, contact or bring legal action against persons or entities who may be causing injury to you, to BRM, or to others as we determine necessary.
  • Evaluate or conduct a business transition involving some or all of our company assets where Personal Data held by BRM is among the assets transferred.

We will not collect additional categories of Personal Data or use already collected Personal Data for purposes that are materially different, unrelated or not reasonably necessary or compatible with the original purpose without notice to you and your consent as required by law.

Sensitive Personal Data

BRM does not seek to collect sensitive Personal Data about any individual, and in no case do we disclose any sensitive Personal Data for the purpose of inferring characteristics about you or otherwise use your sensitive Personal Data without your consent. If this ever changes in the future, we will update this Privacy Policy and provide you with methods to opt-out or limit our use and disclosure of sensitive Personal Data.

Payment Data

BRM does not collect, process, or store any payment data. We use a PCI-DSS compliant payment processor to collect and store all payment information and to process all purchases that take place through the Services.

Disclosing Personal Data

BRM will only disclose Personal Data to third parties as described in this section, with your permission, or as required by law. In the preceding 12 months, we have disclosed Personal Data for a business purpose to the following third parties:

  • Service Providers. We may provide our service providers like advertisers, payment processors, and email and data hosting providers with access to Personal Data as needed to perform their contractual obligations to us. We prohibit our service providers from selling or disclosing the Personal Data, and we require all service providers to maintain confidentiality standards and appropriate technical and organizational measures to ensure the security of your Personal Data.
  • Affiliate Businesses. Businesses within our corporate family that use common data systems with us may have access to the Personal Data as needed for those businesses to provide our products and perform affiliated business operations.
  • Law enforcement, and other governmental agencies, as permitted or required by law.
  • Other third parties, as permitted by applicable law, for example: if we go through a business transition (e.g., merger, acquisition, or sale of a portion of our assets); to comply with a legal requirement or a court order; when we believe it is appropriate in order to take action regarding illegal activities or prevent fraud or harm to any person; to exercise or defend our legal claims; or for any other reason with your consent.

Aggregated and Deidentified Information. We reserve the right to share aggregated, anonymized, or deidentified information about any individuals with nonaffiliated entities for marketing, advertising, research or other purposes, without restriction.

Children’s Privacy

Our Services are intended for adults, not children under the age of 18. We do not knowingly collect Personal Data from anyone under the age of 18. Children should not use the Services or provide any Personal Data to us. If we learn we have collected or received Personal Data from a child under 18, we will delete that information. If you believe we might have any information from or about a child under 18, please contact [email protected].

Retention Periods

Bob's Red Mill Natural Foods, Inc. retains Personal Data as long as is necessary to achieve our purposes of collection, after which we will securely delete the data. For example, if you create a customer account, we will retain your profile information and other Personal Data while your account remains active. If you contact us with a question about our products, we will retain the Personal Data you provide until we respond to your inquiry or fulfill your request for customer support. Cookie data is retained for various periods ranging from the duration of a single website visit to as long as 10 years for certain data. Other retention periods are governed by BRM company policy. We reserve the right to retain data for longer periods as required by law or court order or if doing so is critical to our business.

Your Controls

BRM gives you the ability to directly control the Personal Data we collect and hold about you through our Services:

  • Your Account. You can access, correct, update, or delete certain Personal Data by logging into your account. If you require assistance, please contact us at [email protected].
  • BRM Emails. We may send you informational or support emails related to your account or marketing emails based on your stated communication preferences. You can unsubscribe or change your email preferences at any time by using the links provided in our emails or by sending a request to [email protected]. Note that if you opt-out of marketing emails, BRM may still send you service messages about your account, product orders or other topics.
  • Device Settings. You can control the data we collect through cookies and related technologies by adjusting your device settings.
  • Do Not Track. Do Not Track signals are signals sent through a browser informing us that you do not want to be tracked. Currently, our systems do not recognize browser “do-not-track” requests.
  • Texting. If you provide us with your wireless phone number, you consent to BRM sending you informational or service text messages. However, we will only send you marketing text messages if you opt-in to receive these notifications from us. For all text messages, the number of texts you receive will depend on the Services you use and the information you request from us. You can unsubscribe from our text messages by replying STOP or UNSUBSCRIBE to any of these text messages. Messaging and data charges may apply to any text message you receive or send. Please contact your wireless carrier if you have questions about messaging or data charges.
  • Opt-Out of Interest Based Ads. You may limit our use of information collected from or about your mobile device for purposes of serving online behavioral advertising to you by going to your device settings and selecting “Limit Ad Tracking” (for iOS devices) or “Opt-Out of Interest-Based Ads” (for Android devices).
  • Block Location Tracking. You can stop all collection of information by an app by uninstalling it. You can also reset your device Ad Id at any time through your device settings, which is designed to allow you to limit the use of information collected about you. You can stop all collection of precise location data through an app by uninstalling the app or withdrawing your consent through your device settings.

Privacy Requests

If you wish to exercise your rights under your applicable privacy laws, express concerns, revoke your consent, lodge a complaint, or request information, please contact [email protected] or submit a request through our online form.

Bob’s Red Mill may only legally fulfill a request when we have sufficient information to verify that the requester is the person or an authorized representative of the person about whom we have collected Personal Data, and to properly understand, evaluate, and respond to the request. We do not charge a fee to process or respond to a verifiable request unless we have legal grounds to do so, such as requests that are excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

We endeavor to respond to privacy requests in accordance with the requirements of the law applicable to your jurisdiction. If we do not fulfill your request within the legally required timeline, you can appeal by contacting us at [email protected].

Depending on where you reside, you may be entitled to specific, additional controls over your Personal Data. Please review the supplemental notices of privacy rights listed below and contact [email protected] if you have questions about exercising your privacy rights.

United States Privacy Rights

In the United States, consumer privacy is governed by federal privacy laws covering specific industries or data uses and state privacy laws providing general consumer privacy rights. This section provides informational notices for state privacy laws like the California Consumer Privacy Act of 2018 (“CCPA”) and similar laws in Colorado, Connecticut, Nevada, Utah, Virginia, and other states that require companies to inform consumers about their privacy rights and provide a method to exercise those rights. Residents of states offering privacy protections (each a “Consumer”) can exercise their privacy rights as applicable to our Services by submitting a Privacy Request.

  • Right to Correct. You have the right to request that we correct inaccurate Personal Data about you on our systems. If you become aware that the Personal Data that we hold about you is incorrect, or if your information changes, please inform us and we will update our records.
  • Right to Deletion. You have the right to request that we delete your Personal Data that we collected and retained, with certain exceptions. We may permanently delete, deidentify, or aggregate the Personal Data in response to a request for deletion.
  • Right to Access. You have the right to request confirmation that we have collected Personal Data about you and that we provide you with access to that Personal Data. If you submit an access request, we will provide you with copies of the requested pieces of Personal Data in a portable and readily usable format. Please note that we may be prohibited by law from disclosing certain pieces of Personal Data, and we may be limited in the number or frequency of requests we must fulfill.
  • Right to Disclosure. You may request that we disclose information to you about our collection and use of your Personal Data, such as: (a) the categories of Personal Data we have collected about you; (b) the categories of sources for the Personal Data we have collected about you; (c) our business purpose for collecting, using, processing, sharing or selling that Personal Data, as applicable; (d) the categories of third parties with whom we share that Personal Data; and (e) if we sold or shared your Personal Data under the CCPA, two separate lists stating: (i) sales or sharing, identifying the Personal Data categories that each category of recipient purchased; and (ii) disclosures for a business purpose, identifying the Personal Data categories that each category of recipient obtained. Certain laws may limit the number or frequency of requests we must fulfill.
  • Limited Use and Disclosure of Sensitive Personal Data. You have the right to opt-out or limit our use of your sensitive Personal Data. BRM does not seek to collect sensitive Personal Data from any consumer. If you choose to provide us with sensitive Personal Data, we will only use it to provide you with the products and services you request. In no case do we disclose any sensitive Personal Data for the purpose of inferring characteristics about you. If this ever changes in the future, we will update this notice and provide you with methods to limit our use and disclosure of your sensitive Personal Data.
  • Opt-Out of Selling and Sharing. Some states entitle consumers to opt-out of the sale or sharing of Personal Data or targeted advertising practices. BRM may share any category of Personal Data we collect for cross-contextual behavioral advertising purposes or sell your Personal Data to third parties. We engage in these practices to market our products and services to existing and potential new customers and to optimize your experience on our Services. To opt-out of sharing or selling your Personal Data, please submit a Do Not Sell or Share My Personal Information request or email [email protected].
  • Right to Opt-Out of Profiling. You have the right to opt-out of automated profiling. We use a third-party tracking beacon to analyze your activity on the Services to predict your interests and preferences. To opt out, you can block tracking beacons via a third-party browser extension such as an adblocker. If you need support, please contact us at [email protected].
  • Right to Nondiscrimination. We will not discriminate against you for exercising your privacy rights. For example, unless permitted by law we will not: (a) deny you goods or services; (b) charge you different prices or rates for goods or services; (c) provide you a different level or quality of goods or services; (d) retaliate against you as an employee, applicant for employment, or independent contractor for exercising your privacy rights; or (e) suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services, because you exercised a right under applicable privacy laws.
  • Right to Disclosure of Marketing Information. California’s Shine the Light Act (Civil Code sections 1798.83-1798.84) entitles California residents to request certain disclosures regarding Personal Data sharing with affiliates and/or third parties for marketing purposes.

If you are a Consumer, you may exercise these rights by submitting a Privacy Request.

Canadian Privacy Rights

This section provides the disclosures and notices required under Canada’s Personal Data Protection and Electronic Documents Act (“PIPEDA”) and applies solely to residents of Canada where PIPEDA applies (“Canadian Consumers”). PIPEDA gives Canadian Consumers specific rights regarding Personal Data offering details on an identifiable person without the inclusion of name, title, telephone number, and business address of an employee of a business or organization. The rights afforded under PIPEDA are described below.

  • Right to know why we collect, use, and distribute the Personal Data we process. We have set the required notices in this Privacy Policy. We may provide you with additional notices about other ways we process your Personal Data, such as by sending you a notice via email or by other means of communication.
  • Right to expect us to collect, use, or disclose Personal Data responsibly and not for any purpose other than that to which you consented. We set your expectations in this Privacy Policy and collect express or implied consent at various stages of collection or processing. If we collect or use your Personal Data based on your consent, we will also notify you of any changes and will request your further consent as needed. You may withdraw your consent at any time with reasonable notice by contacting us at [email protected].
  • Right to accuracy of your Personal Data. We take steps to reasonably ensure that your Personal Data we are using is accurate. If you become aware that the Personal Data that we hold about you is incorrect, or if your information changes, please inform us and we will update our records.
  • Right to access your Personal Data. Upon written request and identity authentication, we will provide you with your Personal Data under our control, information about the ways in which that information is being used and a description of the individuals and organizations to whom that information has been disclosed. We will make the information available within 30 days or provide written notice where additional time is required to fulfil the request. We may not be able to provide access to some or all of the Personal Data you request if limited by law or potential infringement of another’s privacy rights. If we must refuse an access request, we will notify you in writing, document the reasons for refusal, and outline further steps that are available to you.

Canadian Consumers may exercise these rights by submitting a Privacy Request.

European Economic Area & United Kingdom Privacy Rights

This section provides the disclosures and notices required under the General Data Protection Regulation (“GDPR”) and its counterpart regulation applicable to residents of the United Kingdom. This section applies solely to residents of the European Economic Area (“EEA”) and the United Kingdom (“Data Subjects”). BRM does not specifically market to Data Subjects in the EEA or UK, but BRM accepts orders and inquiries from Data Subjects as a controller. Data Subjects can exercise the rights provided under the laws applicable to them by submitting a Privacy Request, subject to applicable exceptions and limitations.

Data Subjects have the following rights over their Personal Data, subject to applicable limitations:

  • Right to know how we process your Personal Data. We have set the required notices in this Privacy Policy. We may provide you with additional notices about other ways we process your Personal Data by sending you a notice via email or by another method.
  • Right to access your Personal Data. Upon request, we will provide you with a copy of your Personal Data and details about the types of Personal Data we process, why we process it, and any third parties we work with to collect Personal Data on our behalf. We may have one or more legally valid reasons to refuse your request in whole or in part, for example, to protect the rights of other individuals.
  • Right to restrict processing of your Personal Data. You can request that we restrict the processing of your Personal Data if: (a) the data is inaccurate; (b) the processing is unlawful; (c) we no longer need the Personal Data; or (d) you exercise your right to object.
  • Right to rectify your Personal Data. If you become aware that the Personal Data that we hold about you is incorrect, or if your information changes, please inform us and we will update our records.
  • Right to data portability. In some circumstances, we are required to provide your Personal Data to another organization at your request and in a structured, commonly used and machine-readable format.
  • Right to erasure (a.k.a. the “right to be forgotten”). Upon your request, we must delete your Personal Data in certain circumstances and where required by law. This right is not absolute, and we may be entitled to retain and process your Personal Data despite your request. If you make this request, we balance certain legal, contractual, and business interests against your right to request the deletion of your Personal Data.
  • Right to object to certain processing of your Personal Data. Upon your request, we will limit our processing of your Personal Data as you request in certain circumstances and where we are required to do so by law.
  • Right not to be subject to automated decision-making. BRM does not use automated decision-making to provide the Services. If this changes in the future, we will update this posting to describe our use of automated decision-making and your options to exercise your privacy rights related to your Personal Data processed using automated decision-making.
  • Right to lodge a complaint with a supervisory authority. Data Subjects can submit requests, questions, or complaints to us using the methods described under Privacy Requests. If, after contacting us, you feel a privacy issue has not been resolved, you have the right to file a complaint with a supervisory authority. We suggest the Data Protection Commissioner of Ireland.

Cross-Border Data Transfers

BRM is a United States company using technical infrastructure in the United States to serve our customers wherever they are located. If you access the Services from outside the United States, please be aware that your Personal Data may be transferred to, processed, stored, and used in the United States. When your information is moved from your home country to another country, the laws and rules that protect your Personal Data in the country to which your information is transferred may be different from those of the country where you live. For example, if your information is in the United States, it may be accessed by U.S. government authorities.

BRM is committed to ensuring that all cross-border transfers of Personal Data are lawful and appropriate. To the extent that BRM is deemed to transfer Personal Data from the EEA to outside of the EEA, we do so on the legal basis that such transfer is necessary to provide you with the Services you have chosen to use and is completed in compliance with standard contractual clauses or another valid transfer mechanism approved by the European Commission. However, we do not warrant that our Services are lawful or appropriate for use in any other jurisdictions.

You are solely responsible for determining whether your use of the Services complies with the laws that apply to you. By allowing us to collect Personal Data about you, you consent to the transfer and processing of your Personal Data as described in this section.

Data Security

BRM has implemented and maintains reasonable measures to secure your Personal Data from accidental loss and unauthorized access, use, alteration, and disclosure. For example, BRM stores all data in a secure cloud environment and secures data in transit using strong encryption. Company policies govern the collection, processing, and handling of data. Access to Personal Data is limited to employees and contractors as needed to perform their job functions. We also ensure that our employees, contractors, and agents responsible for handling privacy inquiries are informed of applicable legal requirements and we restrict access to those who need that information to process it. As part of our duty of care with respect to privacy matters, we implement our security measures to be appropriate to the volume, scope, and nature of the Personal Data we process.

Please bear in mind that submission of information over the Internet is never entirely secure. You are responsible for keeping your device access and login information confidential. You are also encouraged to install anti-virus and anti-malware software on your devices and keep all software updated to avoid security risks. We cannot guarantee the security of information you submit via our Services while it is in transit over the Internet, and any such submission is at your own risk.

Third Party Services

This Privacy Policy does not apply to any third-party platforms or services, or any third-party services linked or accessible from our Services. Our Services may contain links to third-party websites or services. If you click on a third-party link, you will be directed to that third party's site. BRM has no control over and assumes no responsibility for the content, privacy policies or practices of any third-party sites or services. We strongly advise you to review the Privacy Policy of every site you visit.

Updates

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the date of the posting. We will collect your consent to these changes to the extent required by applicable law. You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.