Skip to Main Content Hold Notifications

Check Product Availability at a Workshop Near You!

Enter your City, State or Zip Code to view product availability in a Build-A-Bear Workshop near you.

Build-A-Bear Workshop Global Privacy Policy - effective September 4, 2020

Preamble

Scope: This Privacy Policy applies to websites and retail stores operated by or on behalf of Build-A-Bear Workshop and its Affiliates (including, without limitation, Build-A-Bear Card Services LLC, Build-A-Bear Entertainment, LLC, Build-A-Bear Retail Management, Inc. and Build-A-Bear Workshop Franchise Holdings, Inc.) worldwide.

Except for the Build-A-Bear “Play” website, which is intended for all ages, the Build-A-Bear websites, including but not limited to the “Shop” website, are not intended for children under 16 years of age and are for adults only. Build-A-Bear does not sell products for purchase by children. We sell children’s products for purchase by adults. If you are under 18, you may use our websites only with the involvement of a parent or guardian (except for the Build-A-Bear “Play” website, which can be used by people of all ages).

Personal Information:

  • We collect the information you provide to us, such as your name, your phone number, your postal or email address.
  • We collect non-personal information such as browser type and web pages visited to help manage our websites and to improve your overall experience.
  • We use cookies and web beacons to manage our email programs and websites. We do NOT use these technologies to collect or to store personal information.
  • References to Personal Information shall be deemed to include personal data as defined in the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and personal information as defined in the California Consumer Privacy Act of 2018 (“CCPA”).
  • Click here for more information.

Uses:

  • We use the information you provide to register Build-A-Bear Workshop products in our Find-A-Bear® ID system.
  • We use the information you provide to create certificates for Build-A-Bear Workshop products.
  • We use the information you provide to place orders or book parties on our websites.
  • If you tell us to, we will send you information about promotions and other marketing events via mail and email.
  • We do NOT share your information with unrelated third parties for their marketing purposes.
  • We use personal information consistent with the purpose you provided it to us.
  • Click here for more information.

Your Choices:

Important Information:


How to Contact Us:

In the US and Canada:
Privacy Officer
Build-A-Bear Workshop
1954 Innerbelt Business Center Drive
St. Louis, MO 63114-5760
privacy@buildabear.com
Telephone: 1-877-789-BEAR (2327)

In the European Union:
Privacy Officer
Build-A-Bear Workshop
2nd Floor, Aquasulis House
10 - 14 Bath Road
Slough, Berkshire SL1 3SA, United Kingdom
privacy@buildabear.co.uk
Telephone: +44 (0) 800 542 0635


Build-A-Bear Workshop Global Privacy Policy - effective September 4, 2020

The Build-A-Bear Workshop family of companies respects your privacy, and we will do our best to earn and keep your trust. All Personal Information that you share with us is treated with the utmost care. Build-A-Bear Workshop has created this Privacy Policy in order to demonstrate our firm commitment to the privacy of all our guests from all over the world. This Privacy Policy identifies what Personal Information we collect when you visit our stores or use our websites or other online services, what choices you can make about your Personal Information, how we use this data, and how we protect your Personal Information, and applies to all Personal Information provided to us in our stores or through our websites or other online services.

Except for the Build-A-Bear “Play” website, which is intended for all ages, the Build-A-Bear websites, including but not limited to the “Shop” website, are not intended for children under 16 years of age and are for adults only. Build-A-Bear does not sell products for purchase by children. We sell children’s products for purchase by adults. If you are under 18, you may use our websites only with the involvement of a parent or guardian (except for the Build-A-Bear “Play” website, which can be used by people of all ages).

Build-A-Bear Workshop complies with the EU-U.S. Privacy Shield Principles, including the Supplemental Principles (collectively, the “Privacy Shield Principles”), as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Information transferred from the European Union (the “EU”) and the United Kingdom (the “UK”) to the United States (the “U.S.”) in reliance on Privacy Shield. Build-A-Bear Workshop has certified to the Department of Commerce that it adheres to the Privacy Shield Principles, including the Privacy Shield Principles of Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement, and Liability, as well as the Supplemental Principles. If there is any conflict between the terms in the Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit www.privacyshield.gov. A list of companies that are currently certified under the Privacy Shield is available at www.privacyshield.gov/list.

In light of the judgment of the Court of Justice of the EU in Case C-311/18, we do not rely on the Privacy Shield Principles as a legal basis for transfers of Personal Information relating to individuals in the EU or the UK. Therefore, we also process Personal Information submitted relating to individuals in the EU and the UK via other compliance mechanisms to ensure appropriate safeguards for such Personal Information as described in Article 46 of the GDPR, including data processing agreements incorporating the EU Standard Contractual Clauses. Our Privacy Shield compliance is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (“FTC”), and we are committed to responding promptly to inquiries and requests by the United States Department of Commerce for information relating to the Privacy Shield Principles.

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://ico.org.uk/concerns/eu-us-privacy-shield/.


CONTENTS

What is Covered by This Policy?
Personal Information We Collect
How We Use Your Personal Information
Your Choices and Access to Your Personal Information
Children’s Privacy
Sharing Personal Information with Third Parties
Personal Information Security
Passive Data Collection - Cookies
Privacy Shield Dispute Resolution
Use of Human Resource Data Subject to Privacy Shield
Changes to This Privacy Policy
Country and State Specific Personal Information(including the GDPR and CCPA)
Contact Us

Policy Body

What is Covered by This Policy?

This Privacy Policy applies to websites and retail stores operated by or on behalf of Build-A-Bear Workshop and its Affiliates (as defined below) worldwide. The purpose of this policy is to tell guests what information we collect, how it is used, where it is used, and how to contact Build A Bear Workshop with privacy inquiries. Some Build-A-Bear Workshop websites may contain links to websites not owned or operated by Build-A-Bear Workshop. Build-A-Bear Workshop is not responsible for the content, privacy policies, or practices of those websites. We recommend that you review the privacy policies of each site you visit.

Personal Information We Collect

Build-A-Bear Workshop collects information, including Personal Information, that you provide to us when you visit us in our retail locations or website. References to Personal Information shall be deemed to include personal data as defined in the GDPR and personal information as defined in the CCPA. “Personal Information” that may be collected or processed by Build-A-Bear Workshop includes:

  • first and last names;
  • email address;
  • postal address;
  • phone number;
  • date of birth and/or age;
  • sex/gender;
  • voiceprint if you purchase and record one of our Record Your Voice soundchips;
  • credit card information;
  • payment details;
  • product preference;
  • purchasing and/or browsing history;
  • IP address;
  • work experience, including job titles, company names and dates of employment;
  • education and education degree(s);
  • financial information, such as that which could be used to process invoices and payments;
    and
  • any other information that might be used to identify you by another person.

Build-A-Bear Workshop’s website may allow third-party companies, including ad networks, to serve advertisements, provide other advertising services and/or collect certain information when you visit our website.  These third-party companies may use non-Personal Information (e.g., click stream information, browser type, time and date, subject of advertisements clicked or scrolled over) during your visit to this website in order to provide advertisements about goods and services likely to be of greater interest to you. Third-party companies may use non-cookie technologies to recognize your computer or device and/or to collect and record information about your web surfing activity including your activities on this website. These technologies may be used directly on this website. To learn more about Interest-Based Advertising or to opt-out of this type of advertising by those third parties that are members of self-regulatory programs such as the Network Advertising Initiative, please visit the NAI’s website (www.networkadvertising.org/choices) which will allow you to opt out of Interest-Based Advertising by one, or all, NAI members.

Some web browsers may transmit “do not track” signals. Web browsers may incorporate or activate these features differently, making it unclear if users have consciously activated them. As a result, at this time we do not take steps to respond to such signals.

How We Use Your Personal Information

We may use or disclose the personal information we collect from one or more of the following business purposes:

  • To conduct business with you;
  • To improve your experience with us;
  • To register your Build-A-Bear Workshop product in our Find-A-Bear® ID system;
  • To book a party;
  • To make an in store or online purchase;
  • To create a wish list;
  • To process, fulfill, and follow up on online purchases;
  • To create and maintain accounts;
  • To register for our Build-A-Bear Bonus Club program;
  • To handle guest service requests;
  • To maintain our Loyalty Program;
  • To send friends and families emails and e-cards on your behalf;
  • To send surveys;
  • To help you receive email, direct mail, or SMS text messages;
  • To help you register for contests, sweepstakes, promotions, lotteries, loyalty programs and competitions;
  • To suggest products and services which may be of interest to you;
  • To help you send us testimonials, guest submissions, or other communications;
  • To permit you to apply for a job;
  • To administer employee evaluations, payroll, compensation surveys, benefits, and our Employee Discount Program;
  • To prevent or address service or technical problems;
  • To respond to customer support matters;
  • To follow the instructions of a customer who submitted personal information;
  • In response to contractual requirements with our customers and service providers;
  • In connections with, or during negotiations of, any merger, sale of company assets, product lines or divisions, or any financing or acquisition;
  • To prevent damage or harm to us, our services, or any person or property; or
  • If we believe that disclosure is required by law (including to meet national security or law enforcement requirements), or in response to a lawful request by public authorities.

We process Personal Information submitted by customers for the purpose of providing the above-referenced services (collectively, the “Services”) to customers. To fulfill these purposes, we may access Personal Information to provide the Services, to prevent or address service or technical problems, to respond to customer support matters, to follow the instructions of a customer who submitted the Personal Information, or in response to contractual requirements with our customers and service providers.

With respect to Personal Information covered by Privacy Shield, Build-A-Bear Workshop certifies that it collects Personal Information solely to the extent such Personal Information is relevant in providing the Services. For our record keeping purposes, we may retain certain Personal Information that you submit in conjunction with commercial transactions; however, we will retain such Personal Information only so long as it serves the purpose of providing the Services.

Your Choices and Access to Your Personal Information

Our email, website, and other interactive programs allow you to choose to receive or to stop receiving communications from us. You can choose to receive email and/or postal mail from a specific Build-A-Bear Workshop brand or to receive offers from other Build-A-Bear Workshop brands.

Build-A-Bear Workshop honors a “once out – always out” policy. Once you opt out, you are opted out of that type of communication and that brand until we are explicitly told in writing to opt you back in. You may opt out of email programs at any time by following the opt-out instructions provided in the email you receive. You also have the right to opt out of us using your Personal Information for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by you.

You have the right to access, amend, or delete any Personal Information we hold about you, be removed from Build-A-Bear Workshop programs you enrolled in, stop receiving postal mail and other communications, and prevent any further use of your Personal Information by Build-A-Bear Workshop, by contacting us; click here to select your country and be linked to the correct address or email address to use to contact us. Build-A-Bear Workshop will respond to reasonable requests in an appropriate timeframe as determined by the respective authority. We will respond to requests within one month.

Build-A-Bear Workshop will also contact individuals whose Personal Information is within the scope of the Privacy Shield Principles to obtain prior affirmative express consent if sensitive (referred to as special categories of personal data under the GDPR) Personal Information (i.e., Personal Information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data or Personal Information specifying the sex life or sexual orientation of the individual) is to be collected or disclosed to a third party, or if such sensitive Personal Information is to be used for a purpose other than those for which it was originally collected or subsequently authorized by such individual. We will treat as sensitive any Personal Information received from a third party where the third party identifies and treats it as sensitive.

Children’s Privacy

Build-A-Bear Workshop is committed to protecting children’s privacy on the Internet. No one under age 16 may provide any Personal Information to or on the websites. Build-A-Bear Workshop does not knowingly collect Personal Information from children under 16. If you are under 16, do not use or provide any information on our websites or retail stores, make any purchases through our websites, use any of the interactive or public comment features of our websites or retail stores or provide any information about yourself or others to us, including your/others name, address, telephone number, email address, or any screen name or user name you/others may use. If we learn we have collected or received Personal Information from a child under 16 without verification of parental consent, we will delete that information. If you believe we might have any information from a child under 16, please contact us at privacy@buildabear.com or privacy@buildabear.co.uk.

What Personal Information is collected online from children under 16 and how is it used?

Build-A-Bear Workshop does not knowingly collect, use, or disclose Personal Information (including online contact information) of children under the age of 16. We may collect information about visits to our websites without a user actively submitting such information. For information about such passive data collection, click here.

Is my child’s Personal Information required for participation in online activities?

No.

Is my child’s Personal Information required to receive certificates in the store?

Yes. Personal Information is required to create a certificate at the Name Me® station in the store.

Is my child’s Personal Information shared with unrelated third parties?

No.

What Personal Information did my child share while attending a party?

Parental supervision is always recommended; however, parents often do not attend a party with their child. Children attending a party may create a certificate at the Name Me® station. A certificate can be created with just the animal’s name and the child’s first name, gender and year of birth.

Sharing Personal Information with Third Parties

We employ other companies (“Agents”) and people to perform tasks on our behalf and need to share, and may internationally transfer, your information with them to provide products or services to you; for example, ExactTarget (SalesForce). Other types of Agents with which we may share Personal Information include organizations providing services to support Build-A-Bear Workshop functions, such as our mail and email processing companies, payment processing companies, and market research firms. We also transfer Personal Information to Agents for email marketing purposes. If Build-A-Bear Workshop transfers Personal Information subject to the Privacy Shield Principles to a third party, the recipient will have the same level of protection as required of the Build-A-Bear Workshop under the Privacy Shield. All such service providers are bound by contract to refrain from using the Personal Information we collect from you for any purpose other than providing the service to Build-A-Bear Workshop. Build-A-Bear Workshop is liable under the Privacy Shield Principles for its Agents to process transferred Personal Information in a manner consistent with the Principles.

We may also disclose information (including Personal Information) collected from guests outside of the U.S. to affiliated companies or Affiliates in the U.S. and elsewhere. For purposes of this Privacy Policy, “Affiliates” means any person or entity which directly or indirectly controls, is controlled by or is under common control with Build-A-Bear Workshop, Inc., whether by ownership or otherwise. Any Personal Information relating to you that we provide to our Affiliates will be treated by those Affiliates in accordance with the terms of this Privacy Policy and, as applicable, the Privacy Shield Principles and other compliance mechanisms to ensure appropriate safeguards for such Personal Information as described in Article 46 of the GDPR, including data processing agreements incorporating the EU Standard Contractual Clauses. We train our employees and those of our Affiliates about the importance of privacy and how to handle and manage customer Personal Information appropriately and securely. We may share your information (including Personal Information) with franchisees of Build-A-Bear Workshop, but only where we indicate to you at time of Personal Information collection that such Personal Information will be provided to a franchisee, or if we otherwise obtain your permission.

In addition to disclosures to third party providers and Affiliates as described above, we may disclose or transfer Personal Information in connection with, or during negotiations of, any merger, sale of company assets, product lines or divisions, or any financing or acquisition. We may also disclose Personal Information to prevent damage or harm to us, our Services, or any person or property, or if we believe that disclosure is required by law (including to meet national security or law enforcement requirements), or in response to a lawful request by public authorities. Except as described in this Privacy Policy, we will not otherwise disclose Personal Information to third parties unless you have been provided with an opportunity to opt in to such disclosure.

Build-A-Bear Workshop does not release the Personal Information it collects from you to any unrelated third parties so that they may send you commercial promotions or offers for products or services. Build-A-Bear Workshop does not engage in the sale of your personal information. We do, however, share anonymous, aggregate information concerning the demographic makeup of our customers to unrelated third parties, and share Personal Information as described below.

Except as described in this Privacy Policy, we will not otherwise disclose or sell Personal Information to any third parties unless you have been provided with an opportunity to opt in to such disclosure and, in the case of Personal Information collected from children, the appropriate verifiable consent is obtained.

If an individual wishes to opt out or limit the use and disclosure of their Personal Information to a third party or a use that is incompatible with the purpose for Personal Information was originally collected or authorized, the individual may send such request to privacy@buildabear.com.

When Build-A-Bear Workshop transfers Personal Information to countries other than the country where it was provided, we do so in compliance with applicable data protection laws, including, as applicable, the Privacy Shield Principles. In light of the judgment of the Court of Justice of the EU in Case C-311/18, we do not rely on the Privacy Shield Principles as a legal basis for transfers of Personal Information relating to individuals in the EU or the UK. Therefore, we transfer Personal Information relating to individuals in the EU and the UK via other compliance mechanisms to ensure appropriate safeguards for such Personal Information as described in Article 46 of the GDPR, including data processing agreements incorporating the EU Standard Contractual Clauses. All Personal Information is transmitted to World Bearquarters in St. Louis, Missouri daily. Copies of the Personal Information at the point of origin are deleted on a regular basis. We may transfer Personal Information from guests outside the U.S. to Affiliates located either in the U.S. or otherwise; provided that transfers to the U.S. from the EU will comply with the Privacy Shield Principles and such other compliance mechanisms in all respects.

Personal Information Security

Build-A-Bear Workshop maintains appropriate technical and organizational security measures designed to help protect against unauthorized or unlawful processing, loss, destruction, damage, misuse, and alteration of Personal Information collected by Build-A-Bear Workshop, which include:

  • physical and logical access controls, including firewall, limited access, and SSL encryption technology, that limit who can access Personal Information based on business/processing need;
  • privacy policies for Personal Information and for employee Personal Information (a copy of which may be requested at privacy@buildabear.com);
  • annual employee training on our privacy policies;
  • employees who are bound by confidentiality obligations;
  • the appointment of a Privacy Officer to handle all Personal Information incidences or issues, including, without limitation, the handling of individual requests related to his/her Personal Information processed by Build-A-Bear Workshop; and
  • Build-A-Bear Workshop‘s General Information Security Policy and Incident Response Policy that contain incident response plans for escalation and resolution of data breach incidents.

All Personal Information collected via our websites is stored on secured servers located at our Build-A-Bear Workshop World Bearquarters in St. Louis, Missouri.

 

Passive Data Collection – Cookies and Web Beacons

Our Build-A-Bear Workshop website may also collect Personal Information passively, through the use of cookies. A cookie is a small text file that writes to your hard drive. The cookie file contains your computer‘s IP address and a user ID. The user ID links any orders you have placed on our site to your Personal Information. A user ID has no personally identifiable information attached to it unless you place an order on our site. Our website uses cookies to enhance the guests‘ experience and help us improve our services. For example, we may use cookies to keep track of your basket or shopping cart while you are shopping on our site or to track your activity. Build-A-Bear Workshop uses web beacons in emails to track traffic from the email to specific pages on our websites. You may be able to adjust your browser so that your computer either does not accept cookies, or notifies you when a website tries to deposit a cookie into your computer. Our cookies do not contain confidential Personal Information such as your home address, telephone number, or credit card information. We do not exchange cookies with any third parties.

Build-A-Bear Workshop Cookie Declaration:

This website uses cookies. We use cookies to personalize content and ads, to provide social media features and to analyze our traffic. We also share information about your use of our site with our social media, advertising and analytics partners, who may combine it with other information that you‘ve provided to them or that they‘ve collected from your use of their services. Cookies are small text files that can be used by websites to make a user‘s experience more efficient. The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies we need a lawful basis for processing, which may include your permission. This site uses different types of cookies. Some cookies are placed by third party services that appear on our pages. By agreeing to the use of cookies on our website, you are directing us to disclose your personal information and data to our third party service providers for these purposes.

Specifically, the information that we collect through the cookies on our Site is as follows:

  • Page Information, which is retained by Build-A-Bear for up to a year:
    • URL – the URL of the page you are viewing and
    • Title – the title of the page you are viewing.
  • Browser Information, which is retained by Build-A-Bear for up to a year:
    • Browser name – the type of browser you are using;
    • Viewport or Viewing pane – the size of the browser window you are using;
    • Screen resolution – the resolution of your screen;
    • Java enabled – whether or not you have Java enabled; and
    • Flash version – what version of Flash you are using.
  • User Information, which is retained by Build-A-Bear for up to a year:
    • Location – this is derived from the IP address where the hit originated (please note that the IP address itself is not available or retained by Build-A-Bear); and
    • Language – derived from the language settings of your browser.

We are committed to safeguarding your privacy and ensuring that your personal information is protected. Any personal information collected through the cookies on our Site will be protected by Build-A-Bear pursuant to its Privacy Policy.

It is always possible for you to visit our website without disclosing your personal information. This requires that you have disabled cookies. You can opt out of the processing of such information via the Cookie Consent Banner displayed at the bottom of the relevant Site. Please note, however, that without cookies you may not be able to use all of the features of our Site or online services.

If you have any questions about the cookies on our website or any of the information, including, without limitation, personal information, gathered by the cookies, please contact Build-A-Bear‘s Data Protection Officer, whose contact information is below:

In the US and Canada:
Data Protection Officer
Build-A-Bear Workshop
1954 Innerbelt Business Center Drive
St. Louis, MO 63114-5760
privacy@buildabear.com
Telephone: 1-877-789-BEAR (2327)

In the United Kingdom:
Data Protection Officer
Build-A-Bear Workshop
2nd Floor, Aquasulis House
10 - 14 Bath Road
Slough, Berkshire SL1 3SA, United Kingdom
privacy@buildabear.co.uk
Telephone: +44 (0) 800 542 0635

We are committed and required to respond to any of your inquiries on this issue within one month of receiving the complaint.

Privacy Shield Dispute Resolution

In compliance with the Privacy Shield Principles, Build-A-Bear Workshop commits to resolve complaints about our collection or use of your Personal Information. EU individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Build-A-Bear Workshop‘s Privacy Officer, , who will, in accordance with Build-A-Bear Workshop‘s Incident Response Policy and its Data Protection Retention Policy, as applicable, escalate it as necessary, at:
Privacy Officer
Build-A-Bear Workshop UK Limited
2nd Floor, Aquasulis House
10 - 14 Bath Road
Slough, Berkshire SL1 3SA, United Kingdom
Email: privacy@buildabear.co.uk
Telephone: +44 (0) 800 542 0635

Suspected and confirmed Personal Information security incidents will be investigated by the Privacy Officer and/or other personnel as necessitated by the scope of the incident. Such investigation will include, but will not be limited to, determining the source of the breach, identifying the types of data affected, determining whether notifications must be made and instituting any remedial measures that may be necessary to avoid similar incidents in the future.

Build-A-Bear Workshop has further committed to refer unresolved Privacy Shield complaints to The Information Commissioner’s Office of the United Kingdom (the “ICO”), the Data Protection Supervisory Authority for the United Kingdom. If you do not receive timely acknowledgment of your complaint from us, or if we have not resolved your complaint, please contact or visit https://ico.org.uk/concerns/eu-us-privacy-shield/ for more information or to file a complaint. The services of the ICO are provided at no cost to you. Under certain limited circumstances, EU or UK individuals may invoke binding Privacy Shield arbitration as a last resort if all other forms of dispute resolution have been unsuccessful. To learn more about this method of resolution and its availability to you, please visit https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint.

The FTC has committed to reviewing, on a priority basis, referrals alleging non-compliance of the Privacy Shield Principles received from independent dispute resolution bodies, among others. If the FTC concludes that it has reason to believe Section 5 of the Privacy Shield Principles has been violated, it may resolve the matter by seeking an administrative cease and desist order prohibiting the challenged practices or by filing a complaint in a federal district court, which if successful could result in a federal court order to same effect.

Use of Human Resource Personal Information Subject to Privacy Shield

Where a member of the Build-A-Bear Workshop group in the EU or UK transfers Personal Information about its employees (past or present) collected in the context of the employment relationship, to a parent, affiliate, or unaffiliated service provider in the U.S. participating in the Privacy Shield, the transfer enjoys the benefits of the Privacy Shield. In such cases, Build-A-Bear Workshop will comply with the Privacy Shield Principles, make reasonable efforts to accommodate employee privacy preferences, and will not use employees‘ exercise of their rights under Privacy Shield to restrict employment opportunities or take punitive action against employees. In light of the judgment of the Court of Justice of the EU in Case C-311/18, Build-A-Bear Workshop does not rely on the Privacy Shield Principles as a legal basis for transfers of Personal Information relating to individuals in the EU or the UK. Therefore, Build-A Bear Workshop transfers Personal Information about its employees (past or present) collected in the context of the employment relationship relating to individuals in the EU and the UK via other compliance mechanisms to ensure appropriate safeguards for such Personal Information as described in Article 46 of the GDPR, including data processing agreements incorporating the EU Standard Contractual Clauses.

Build-A-Bear Workshop collects Personal Information from its employees to administer employee evaluations, payroll, compensation surveys, benefits, and its Employee Discount Program. Build-A-Bear Workshop will comply with all relevant laws, and, as applicable, the Privacy Shield Principles and other compliance mechanisms to ensure appropriate safeguards for such Personal Information as described in Article 46 of the GDPR, including data processing agreements incorporating the EU Standard Contractual Clauses, in the collection and use of employee-related Personal Information. To the extent and for the period necessary to avoid prejudicing the ability of Build-A-Bear Workshop in making promotions, appointments, or other similar employment decisions, we may not offer employees the notice and choice options described in the Privacy Shield Principles. Similarly, for occasional employment-related operational needs, such as the booking of a flight, hotel room, or insurance coverage, transfers of Personal Information of a small number of employees may take place with limited access or the entering into a contract with the third-party transferee, provided that we otherwise comply with the Privacy Shield Principles or such other compliance mechanisms, as applicable. Access must also be limited in the context of employee security investigations or grievance proceedings or in connection with employee succession planning and corporate re-organizations.

Where employees in the EU or UK make complaints about violations of their Personal Information protection rights and are not satisfied with the results of our internal review, complaint, and appeal procedures, they will be directed to the state or national data protection or labor authority in the jurisdiction where the employees work. Build-A-Bear Workshop commits to cooperate with competent EU or UK Data Protection Authorities in the investigation and resolution of Privacy Shield complaints with regard to human resources Personal Information transferred from an EU country or the UK to the U.S. Build-A-Bear Workshop will comply with any advice given by the Data Protection Authorities where such authorities take the view that we need to take specific action to comply with the Privacy Shield Principles.

Changes to This Privacy Policy

We may amend this Privacy Policy at any time. If we make any changes in the way we collect, use, and/or share your Personal Information, we will notify you by sending you an email at the last email address that you provided us, or by prominently posting notice of the changes on the web sites covered by this Privacy Policy.

Contact Us

If you have questions or concerns regarding your privacy, please contact Build-A-Bear Workshop directly. Please feel free to use your native language when sending your questions or comments.

In the US and Canada:

Privacy Officer
Build-A-Bear Workshop, Inc.
1954 Innerbelt Business Center Drive
St. Louis, MO 63114-5760
Email: privacy@buildabear.com
Telephone: 1-877-789-BEAR (2327)

In the United Kingdom:

Privacy Officer
Build-A-Bear Workshop UK Limited
2nd Floor, Aquasulis House
10 - 14 Bath Road
Slough, Berkshire SL1 3SA, United Kingdom
Email: privacy@buildabear.co.uk
Telephone: +44 (0) 800 542 0635

If you are a resident of the EU or the UK and you believe we maintain your Personal Information within the scope of this Privacy Shield certification, you may direct any questions or complaints to our United Kingdom email and postal addresses above. We are committed and required to respond to any of your inquiries on this issue within forty-five (45) days of receiving the complaint.

Country and State Specific Information

Canada

Build-A-Bear Workshop complies with Canadian Federal and Provincial privacy laws and regulations including the Personal Information Protection and Electronic Documents Act.

Build-A-Bear Workshop, Inc. will only use your Personal Information for the purposes intended and as detailed in the Privacy Policy unless we have obtained your consent to use it for other purposes.

United Kingdom

Your Personal Information is protected in the United Kingdom by the Data Protection Act 1998 (the “Act”) up until 24 May 2018 and by the GDPR from May 25, 2018. Under the Act and the GDPR we will only process your Personal Information in a lawful, fair and transparent manner and your Personal Information will only be collected for specified and legitimate purposes. We will secure your Personal Information to prevent unauthorized access by third parties.

Data controller details

The data controller in relation to the processing of Personal Information that you provide to us is Build-A-Bear Workshop UK Limited. Our address is 10-14 Bath Road, Slough, Berkshire, United Kingdom, SL1 3SA, United Kingdom. The easiest ways to contact us are by email at privacy@buildabear.co.uk or by telephone at +44 (0) 800 542 0635. All Personal Information collection and processing in the United Kingdom by Build-A-Bear Workshop will be undertaken by Build-A-Bear Workshop UK Limited in accordance with the terms of this privacy policy.

Processing information

The information set out in this privacy policy is provided to individuals whose Personal Information we process, in compliance with our obligations under Articles 13 and 14 of the GDPR.

To make this information clear, we have divided the data we receive into the following groups, where each of which refers to: the particular category of information we collect and retain; the purpose and legal basis of processing and to whom we will (if applicable) disclose the information:

International transfers

Details of third parties to whom transfers of Personal Information may be made are set out above (click here for more information).

We will not transfer Personal Information relating to you to a country which is outside the European Economic Area (“EEA”) unless: (1) the country or recipient is covered by an adequacy decision of the European Commission under GDPR Article 45; (2) appropriate safeguards have been put in place which meet the requirements of GDPR Article 46 (for example using the European Commission’s Standard Model Clauses for transfers of Personal Information outside the EEA); or (3) one of the derogations for specific situations under GDPR Article 49 is applicable to the transfer. These include (in summary) the transfer is necessary to perform, or to form, a contract to which we are a party; the transfer is necessary for the establishment, exercise or defense of legal claims; you have provided your explicit consent to the transfer; or the transfer is of a limited nature, and is necessary for the purpose of our compelling legitimate interests.

Retention of Personal Information

Different types of Personal Information may need to be retained for different periods of time depending on the purposes for which the data is processed and the legal and regulatory retention requirements in relation to certain categories of data. In determining the appropriate retention period consideration is given to the following factors:

  • the purposes for which the Personal Information is processed;
  • the legal basis for processing that Personal Information;
  • legal requirements for retention (particularly employment and health and safety law); and
  • regulatory requirements.

In particular, except where otherwise required by applicable law or a request to delete or erase Personal Information, Build-A-Bear retains certain specific categories of Personal Information in accordance with the periods set out in the Data Retention Schedule to this Policy (click here for more information).

In addition, Build-A-Bear may retain anonymized Personal Information (data that is no longer in a form identifying or making identifiable the individual to which the Personal Information originally related).

Your rights in respect of your Personal Information

You have certain rights under the GDPR, including the right to (upon written request) access a copy of your Personal Information that we are processing. From May 25, 2018, in accordance with the GDPR you will have the following rights:

  • right to access: the right to request certain information about, access to and copies of the Personal Information about you that we are holding (please note that you are entitled to request one copy of the personal information that we hold about you at no cost, but for any further copies, we reserve the right to charge a reasonable fee based on administration costs) and this will be provided to you within one month of your request; and
  • right to rectification: the right to have your Personal Information rectified if it is inaccurate or incomplete.
  • In certain circumstances, you will also have the following rights:
  • right to erasure/“right to be forgotten”: the right to withdraw your consent to our processing of your Personal Information (if the legal basis for processing is based on your consent) and the right to request that we delete or erase your Personal Information from our systems (however, this will not apply if we are required to hold on to the Personal Information for compliance with any legal obligation or if we require the information to establish or defend any legal claim);
  • right to restriction of use of your Personal Information: the right to stop us from using your Personal Information or limit the way in which we can use it;
  • right to object: the right to object to our use of your Personal Information including where we use it for our legitimate interests or for marketing purposes; and
  • right to data portability: the right to request that we return any Personal Information that you have provided in a structured, commonly used and machine-readable format, or that we send it directly to another company, where technically feasible.

As set out above, you are entitled to withdraw your consent to the processing of your Personal Information but please note that if you do withdraw your consent, we may not be able to carry out our contractual obligations to you or provide you with access to all or certain parts of our services.

To exercise your Right to Access or your Right to Erasure, you may click here and enter the email address for which you want to exercise these rights. For all other requests or queries, please email, write, or call the Privacy Officer as indicated in the Contact Us section of this document.

Complaints

If you consider our use of your Personal Information to be unlawful, you have the right to lodge a complaint with the ICO. Please see further information on their website: www.ico.org.uk. Build-A-Bear Workshop and Build-A-Bear Workshop UK Limited are committed to working with you to obtain a fair resolution of any complaint or concern about privacy.

Automatic decision making

We do not make decisions in relation to your Personal Information that are based solely on automated data processing (including profiling).

United States

Build-A-Bear Workshop complies with the U.S. Federal and State privacy laws, including the Children’s Online Privacy Protection Act.

California

This section applies solely to visitors, users, and others who reside in the State of California (“consumers” or “you”). We adopt this notice to comply with the California Consumer Privacy Act of 2018 (CCPA) and any terms defined in the CCPA have the same meaning when used in this notice.

Information We Collect

Build-A-Bear Workshop collects information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household (for purposes of this CCPA Notice, “personal information”). In particular, Build-A-Bear Workshop has collected the following categories of personal information from its consumers within the last twelve (12) months:

Uses for Site Guests
Category Examples Collected
A. Identifiers. A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, and account name. YES
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). A name, signature, address, telephone number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories. YES
C. Protected classification characteristics under California or federal law. Age (40 years or older), race, color, ancestry, national origin, citizenship, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), veteran or military status. YES
D. Commercial information. Products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. YES
E. Biometric information. Voiceprints, in the case of consumers who purchase our Record Your Voice Chip YES
F. Internet or other similar network activity. Browsing history, search history, information on a consumer‘s interaction with a website, application, or advertisement. YES
G. Geolocation data. Physical location or movements. YES
H. Sensory data. Audio information, specifically voiceprints, in the case of consumers who purchase our Record Your Voice Chip. YES
I. Professional or employment-related information. Current or past job history or performance evaluations. YES
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. NO
K. Inferences drawn from other personal information. Profile reflecting a person‘s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. YES

For purposes of this CCPA Notice, personal information does not include:

  • Publicly available information from government records.
  • Deidentified or aggregated consumer information.
  • Information excluded from the CCPA‘s scope, like:
    • health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data; or
    • personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver‘s Privacy Protection Act of 1994.

Build-A-Bear Workshop obtains the categories of personal information listed above from the following categories of sources:

  • Directly from you when you visit us in our retail locations or website. For example, from forms you complete or products and services you purchase.
  • Indirectly from you. For example, from observing your actions on our website.
  • From a third-party fraud assessment tool when you place an order via one of our websites.

Use of Personal Information

We may use or disclose the personal information we collect for one or more of the business purposes set forth above under “How We Use Your Personal Information.” Build-A-Bear Workshop will not collect additional categories of personal information or use the personal information we collected for additional purposes without providing you notice.

Sharing Personal Information

Build-A-Bear may disclose your personal information to a third party for a business purpose. When we disclose personal information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract.

We share or otherwise disclose your personal information with the following categories of third parties:

  • Service providers
  • Data aggregators

Disclosures of Personal Information for a Business Purpose

In the preceding twelve (12) months, Company has disclosed the following categories of personal information for a business purpose:

  • Category A: Identifiers.
  • Category B: California Customer Records personal information categories.
  • Category C: Protected classification characteristics under California or federal law.
  • Category D: Commercial information.
  • Category F: Internet or other similar network activity.
  • Category G: Geolocation data.
  • Category I: Professional or employment-related information.
  • Category K: Inferences drawn from other personal information.

No Personal Information Sales

We do not sell any personal information that we collect or use.

Your Rights and Choices

The CCPA provides consumers (California residents) with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.

Access to Specific Information and Data Portability Rights

You have the right to request that Build-A-Bear disclose the categories and specific pieces of information we have collected, and certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request (see Exercising Access, Data Portability, and Deletion Rights), we will disclose to you:

  1. The categories of personal information we collected about you.
  2. The categories of sources for the personal information we collected about you.
  3. Our business or commercial purpose for collecting or selling that personal information.
  4. The categories of third parties with whom we share that personal information.
  5. The specific pieces of personal information we collected about you (also called a data portability request).
  6. If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
    1. sales, identifying the personal information categories that each category of recipient purchased; and
    2. disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.

Deletion Request Rights

You have the right to request that Build-A-Bear Workshop delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see Exercising Access, Data Portability, and Deletion Rights), we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.

We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:

  • Complete the transaction for which we collected the personal information, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
  • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
  • Debug products to identify and repair errors that impair existing intended functionality.
  • Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
  • Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).
  • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research‘s achievement, if you previously provided informed consent.
  • Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
  • Comply with a legal obligation.
  • Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

Exercising Access, Data Portability, and Deletion Rights

To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by either:

  • Calling us at 1-877-789-BEAR (2327)
  • Visiting the request page on our website here
  • Visiting a California store location

Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.

You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you.

Making a verifiable consumer request does not require you to create an account with us.

We will only use personal information provided in a verifiable consumer request to verify the requestor‘s identity or authority to make the request.

Response Timing and Format

We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing.

We will deliver our written response by mail or electronically, at your option.

Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request‘s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Non-Discrimination

We will not discriminate against you for exercising any of your rights under the CCPA. Unless permitted by the CCPA, we will not:

  • Deny you goods or services.
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
  • Provide you a different level or quality of goods or services.
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

However, we may, from time-to-time, offer you certain financial incentives permitted by the CCPA that can result in different prices, rates, or quality levels. Any CCPA-permitted financial incentive we offer will reasonably relate to the value to us of your personal information and contain written terms that describe the program‘s material aspects. Participation in a financial incentive program requires your prior opt-in consent to join the Build-A-Bear Bonus Club, which you may revoke at any time pursuant to the terms and conditions of the Build-A-Bear Bonus Club. Click here for Bonus Club terms and conditions.

Other California Privacy Rights

Beginning January 1, 2005, under California‘s “Shine the Light” law, California residents who provide Personal Information for uses identified above are entitled to request and obtain from us once a calendar year information about the customer Personal Information we shared, if any, with other businesses for their own direct marketing uses. If applicable, this information would include the categories of Personal Information and the names and addresses of those businesses with which we shared Personal Information for the immediately prior calendar year (e.g., requests made in 2016 will receive information regarding 2015 sharing activities).

Europe

From May 25, 2018, Build-A-Bear Workshop’s practices are compliant with the GDPR in Europe.


USES OF PERSONAL INFORMATION

Customers and visitors to our site

Uses for Site Guests
What we collect: We may use your information for the following purposes, based on the following legal grounds: Recipients:
  • first and last names;
  • email address;
  • postal address;
  • date of birth and/or age;
  • phone number;
  • sex/gender;
  • credit card information;
  • payment details;
  • product preference;
  • purchasing history;
  • IP address;
  • If it is necessary for the performance of our contract or for the purposes of entering into a contract: for the purpose of negotiating and entering into contractual agreements with you, in the course of providing our Services or to enable you to make an in store or online purchase.
  • If it is in our legitimate business interests to do so: for internal record keeping for administration purposes, for the purpose of communications in relation to establishing a customer relationship, including to suggest products and services which may of interest for you, obtaining evidence of identity of our customers, for insight purposes (e.g. to analyze market trends and demographics, and develop the service which we offer to you or other individuals in the future).
  • Compliance with a legal obligation: in order to prevent fraud or money laundering or to comply with any other legal or regulatory requirements.
  • If we obtain your consent: in order to:
  • conduct business with you
  • improve your experience with us
  • register your Build-A-Bear Workshop product in our Find-A-Bear® ID system
  • book a party
  • create a wish list
  • process, fulfill, and follow up on online purchases
  • create and maintain accounts
  • register for our Build-A-Bear Bonus Club program
  • handle guest service requests
  • maintain our Loyalty Program
  • send friends and families emails and e-cards on your behalf
  • send surveys
  • help you receive email and direct mail
  • help you receive text messages
  • help you register for contests, sweepstakes, promotions, lotteries, loyalty programs and competitions
  • help you send us testimonials, guest submissions, or other communications
  • help you submit a book review.
1. We may share information about you within the Build-A-Bear group, as more fully described above. (click here for more information).
2. Please note that personal information we are holding about you may be shared with and processed by:
2.1. regulators or other third parties for the purposes of monitoring and/or enforcing our compliance with any legal and regulatory obligations, including statutory or regulatory reporting or the detection or prevention of unlawful acts;
2.2. credit reference and fraud prevention agencies;
2.3. any third party in the context of actual or threatened legal proceedings, provided we can do so lawfully (for example in response to a court order);
2.4. other parties and/or their professional advisers involved in a matter where required as part of the conduct of the Services;
2.5. our own professional advisers and auditors for the purpose of seeking professional advice or to meet our audit responsibilities;
2.6. our service providers and agents (including their subcontractors) or third parties which process information on our behalf (e.g. internet service and platform providers, our bank, payment processing providers and those organizations we engage to help us send communications to you) so that they may help us to provide you with the applications, products, services and information you have requested or which we believe may be of interest to you;
2.7. third parties as part of the arrangements for any event for which you have expressed an interest in attending; and
2.8. another organization to whom we may transfer our agreement with you or if we sell or buy (or negotiate to sell or buy) our business or any of our assets (provided that adequate protections and safeguards are in place).

 

Suppliers and supplier personnel

Uses for Supplier Personnel
What we collect: We may use your information for the following purposes, based on the following legal grounds: Recipients:
  • first and last names;
  • email address;
  • telephone numbers;
  • payment details
  • identification
  • If it is necessary for the performance of our contract or for the purposes of entering into a contract: for the purpose of negotiating and entering into contractual agreements with you, in the course of receiving services from you, for the purposes of making payments to you.
  • If it is in our legitimate business interests to do so: for internal record keeping for administration purposes, for the purpose of communications in relation to establishing a working relationship.
  • Compliance with a legal obligation: in order to prevent fraud or money laundering or to comply with any other legal or regulatory requirements.
3. We may share information about you within the Build-A-Bear group, as more fully described above. (click here for more information).
4. Please note that personal information we are holding about you may be shared with and processed by:
4.1. our customers, in the course of providing services to them;
4.2. regulators or other third parties for the purposes of monitoring and/or enforcing our compliance with any legal and regulatory obligations, including statutory or regulatory reporting or the detection or prevention of unlawful acts;
4.3. credit reference and fraud prevention agencies;
4.4. any third party in the context of actual or threatened legal proceedings, provided we can do so lawfully (for example in response to a court order);
4.5. our own professional advisers and auditors for the purpose of seeking professional advice or to meet our audit responsibilities;
4.6. our service providers and agents (including their subcontractors) or third parties which process information on our behalf (e.g. internet service and platform providers, our bank, payment processing providers; and
4.7. another organization to whom we may transfer our agreement with you or if we sell or buy (or negotiate to sell or buy) our business or any of our assets (provided that adequate protections and safeguards are in place).

PERSONAL INFORMATION RETENTION PERIODS

Category Information description (includes but not limited to) Retention Period (in absence of a deletion request, other request from a data subject or legal requirement)
Guest Data (Non-Bonus Club Member Data) Names;
Addresses;
Transaction Information;
Payment details;
E-mail Addresses;
Telephone Numbers;
Purchasing history;
IP address;
6 years
Bonus Club Member Data Names;
Addresses;
Transaction Information;
Payment details;
E-mail Addresses;
Telephone Numbers;
Product preference;
Purchasing history;
IP address;
DOB’s;
Gender;
For as long as a bonus club account is active, and for 1 year after cancellation of account.
Supplier Data Names;
Addresses;
Transaction Information;
Payment details;
E-mail Addresses;
Telephone Numbers;
6 years after services have been provided
Supplier Contracts Contracts for supplier services;
Related sub-contracts;
12 + 1 years after services have ceased
Insurance Data Personal Information involving insurance claims;
Insurance policies;
Insurance related correspondence, outcomes and notices;
12 + 1 years
Health and Safety Assessments
Policy Statements
Records of consultations with safety representatives
Permanently

Click here to learn about cookies on buildabear.com and buildabear.co.uk.

You are about to visit
our shopping site

Please note that you must be over 18 or with an adult to buy online