Build-A-Bear Workshop Global Privacy Policy - effective July 9, 2024

Preamble

Scope: This Privacy Policy applies to websites and retail stores operated by or on behalf of Build-A-Bear Workshop and its Affiliates (including, without limitation, Build-A-Bear Card Services LLC, Build-A-Bear Entertainment, LLC, Build-A-Bear Retail Management, Inc. and Build-A-Bear Workshop Franchise Holdings, Inc.) worldwide. This Privacy Policy does not apply to any Personal Information collected from or about any of our employees or our Affiliates’ employees that reside in the EU, UK, or California. Personal Information collected from any such employees will be protected by our employment policies and handbook.

Except for the Build-A-Bear “Play” website, which is intended for all ages, the Build-A-Bear websites, including but not limited to the “Shop” website, are not intended for children under 16 years of age in the European Economic Area (“EEA”) or under 13 years of age elsewhere and are for adults only. Build-A-Bear does not sell products for purchase by children. We sell children’s products for purchase by adults. If you are under 18, you may use our websites only with the involvement of a parent or guardian (except for the Build-A-Bear “Play” website, which can be used by people of all ages).

Personal Information:
  • We collect the information you provide to us, such as your name, your phone number, your postal or email address.
  • We collect non-personal information such as browser type and web pages visited to help manage our websites and to improve your overall experience.
  • We use cookies and web beacons to manage our email programs and websites. We do NOT use these technologies to collect or to store personal information.
  • References to Personal Information shall be deemed to include “personal data” as defined in the General Data Protection Regulation (EU) 2016/679, including as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (collectively, “GDPR”), “personal information” as defined in the California Consumer Privacy Act of 2018, including as amended by the California Privacy Rights Act of 2020 (collectively, “CCPA”), and “personal data” or a similar term as defined in other U.S. state privacy laws.
Uses:
  • We use the information you provide to register Build-A-Bear Workshop products in our Find-A-Bear® ID system.
  • We use the information you provide to create certificates for Build-A-Bear Workshop products.
  • We use the information you provide to place orders or book parties on our websites.
  • If you tell us to, we will send you information about promotions and other marketing events via mail and email.
  • We do NOT disclose your information to unrelated third parties for their marketing purposes.
  • We use personal information consistent with the purpose you provided it to us.
Your Choices:
Important Information:

How to Contact Us:

In the US and Canada:
Privacy Officer
Build-A-Bear Workshop
415 S. 18th Street, Suite 200
St. Louis, MO 63103
privacy@buildabear.com
Telephone: 1-877-789-BEAR (2327)

In the UK and European Union:
Privacy Officer
Build-A-Bear Workshop
2nd Floor, Aquasulis House
10 - 14 Bath Road
Slough, Berkshire SL1 3SA, United Kingdom
privacy@buildabear.co.uk
Telephone: +44 (0) 800 542 0635



The Build-A-Bear Workshop family of companies respects your privacy, and we will do our best to earn and keep your trust. All Personal Information that you share with us is treated with the utmost care. Build-A-Bear Workshop has created this Privacy Policy in order to demonstrate our firm commitment to the privacy of all our guests from all over the world. This Privacy Policy identifies what Personal Information we collect when you visit our stores or use our websites or other online services, what choices you can make about your Personal Information, how we use this data, and how we protect your Personal Information, and applies to all Personal Information provided to us in our stores or through our websites or other online services.

Except for the Build-A-Bear “Play” website, which is intended for all ages, the Build-A-Bear websites, including but not limited to the “Shop” website, are not intended for children under 16 years of age in the EEA or under 13 years of age elsewhere and are for adults only. Build-A-Bear does not sell products for purchase by children. We sell children’s products for purchase by adults. If you are under 18, you may use our websites only with the involvement of a parent or guardian (except for the Build-A-Bear “Play” website, which can be used by people of all ages).

Build-A-Bear Workshop complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) Principles, including the Supplemental Principles (collectively, the “Data Privacy Framework Principles”), as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Information transferred from the European Union (the “EU”) and the United Kingdom (the “UK”) to the United States (the “U.S.”) in reliance on EU-U.S. Data Privacy Framework. Build-A-Bear Workshop has certified to the Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles, including the EU-U.S. Data Privacy Framework Principles of Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement, and Liability, as well as the Supplemental Principles. If there is any conflict between the terms in the Privacy Policy and the EU-U.S. Data Privacy Framework Principles, the EU-U.S. Data Privacy Framework Principles shall govern. To learn more about the EU-U.S. Data Privacy Framework program, and to view our certification, please visit https://www.dataprivacyframework.gov/. A list of companies that are currently certified under the EU-U.S. Data Privacy Framework is available at https://www.dataprivacyframework.gov/list.

In addition to processing Personal Information submitted relating to individuals in the EU and the UK according to the principles of the EU-U.S. Data Privacy Framework, we also adhere to other compliance mechanisms as described in Article 46 of the GDPR. This includes using data processing agreements which incorporate the EU Standard Contractual Clauses. Our EU-U.S. Data Privacy Framework compliance is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (“FTC”), and we are committed to responding promptly to inquiries and requests by the United States Department of Commerce for information relating to the EU-U.S. Data Privacy Framework Principles.

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://ico.org.uk/make-a-complaint/uk-extension-to-the-eu-us-data-privacy-framework-complaints-tool/dpf-complaints-tool/.


CONTENTS

What is Covered by This Policy?
Personal Information We Collect
How We Use Your Personal Information
Your Choices and Access to Your Personal Information
Children’s Privacy
Sharing Personal Information with Third Parties
Personal Information Security
Passive Data Collection - Cookies
EU-U.S. Data Privacy Framework Dispute Resolution
Use of Human Resource Data Subject to EU-U.S. Data Privacy Framework
Changes to This Privacy Policy
Country and State Specific Personal Information (including the GDPR and CCPA)
Contact Us

Policy Body

What is Covered by This Policy?

This Privacy Policy applies to the privacy practices of Build-A-Bear Workshop and its Affiliates (as defined below) worldwide, including on or through our websites and in retail stores operated by us or on our behalf. The purpose of this Policy is to tell guests what information we collect, how it is used, where it is used, and how to contact Build-A-Bear Workshop with privacy inquiries. Some Build-A-Bear Workshop websites may contain links to websites not owned or operated by Build-A-Bear Workshop. Build-A-Bear Workshop is not responsible for the content, privacy policies, or practices of those websites. We recommend that you review the privacy policies of each site you visit.

This Privacy Policy does not apply to any Personal Information collected from or about any of our employees or our Affiliates’ employees that reside in the EU, UK, or California. Personal Information collected from any such employees will be protected by our employment policies and handbook.

Personal Information We Collect

Build-A-Bear Workshop collects information, including Personal Information, that you provide to us when you visit us in our retail locations or on our website. References to Personal Information shall be deemed to include personal data as defined in the GDPR, personal information as defined in the CCPA, and “personal data” or a similar term as defined in other U.S. state privacy laws.

“Personal Information” that may be collected or processed by Build-A-Bear Workshop includes:

  • first and last names;
  • email address;
  • postal address;
  • phone number;
  • date of birth and/or age;
  • sex/gender;
  • voice recording if you purchase and record one of our Record Your Voice sound chips;
  • credit card information;
  • payment details;
  • product preference;
  • purchasing and/or browsing history;
  • IP address;
  • Device ID;
  • work experience, including job titles, company names and dates of employment;
  • education and education degree(s);
  • financial information, such as that which could be used to process invoices and payments; and
  • any other information that might be used to identify you by another person.

We also may receive Personal Information from third parties, such as data aggregators, and process such Personal Information for our internal business purposes subject to this Privacy Policy. When the source of Personal Information is such a third party, we may provide such a third party information about our communications relating to a consumer request that requires us to identify the third party as the source of the Personal Information. We may also receive Personal Information from third parties if you choose to grant us access to your data from another service. We do not control these third parties’ privacy practices, tracking technologies, or how they may be used. If you have any questions about any third party’s policies or procedures, you should contact the responsible provider directly.

Build-A-Bear Workshop’s website may allow third-party companies, including ad networks, to serve advertisements, provide other advertising services and/or collect certain information when you visit our website. These third-party companies may use non-Personal Information (e.g., click stream information, browser type, time and date, subject of advertisements clicked or scrolled over) during your visit to this website in order to provide advertisements about goods and services likely to be of greater interest to you and for Build-A-Bear Workshop’s business purposes, including but not limited to research and analytics, product promotions, and website management. Third-party companies may use non-cookie technologies to recognize your computer or device and/or to collect and record information about your web surfing activity including your activities on this website. This information includes, but is not limited to, the pages you viewed, how long you spent on each page, and how you interact with particular webpages via input devices. These technologies may be used directly on this website. To learn more about Interest-Based Advertising or to opt-out of this type of advertising by those third parties that are members of self-regulatory programs such as the Network Advertising Initiative, please visit the NAI’s website (www.networkadvertising.org/choices) which will allow you to opt out of Interest-Based Advertising by one, or all, NAI members.

Some web browsers may transmit “do not track” signals. Web browsers may incorporate or activate these features differently, making it unclear if users have consciously activated them. As a result, at this time we do not take steps to respond to such signals.

You may also have the right to opt-out of Interest-Based Advertising under applicable laws. For more information, see Country and State Specific Personal Information.

How We Use Your Personal Information

We may use or disclose the Personal Information we collect for one or more of the following business purposes:

  • To conduct business with you;
  • To improve your experience with us;
  • To register your Build-A-Bear Workshop product in our Find-A-Bear® ID system;
  • To book a party;
  • To make an in-store or online purchase;
  • To create a wish list;
  • To process, fulfill, and follow up on online purchases;
  • To create and maintain accounts;
  • To register for our Build-A-Bear Bonus Club program;
  • To handle guest service requests;
  • To maintain our Loyalty Program;
  • To send friends and families emails and e-cards on your behalf;
  • To send surveys;
  • To help you receive email, direct mail, or SMS text messages;
  • To help you register for contests, sweepstakes, promotions, lotteries, loyalty programs and competitions;
  • To suggest products and services which may be of interest to you;
  • To help you send us testimonials, guest submissions, or other communications;
  • To permit you to apply for a job;
  • To prevent or address service or technical problems;
  • To respond to customer support matters;
  • To follow the instructions of a customer who submitted Personal Information;
  • In response to contractual requirements with our customers and service providers;
  • In connection with, or during negotiations of, any merger, sale of company assets, product lines or divisions, or any financing or acquisition;
  • To prevent damage or harm to us, our services, or any person or property; or
  • If we believe that disclosure is required by law (including to meet national security or law enforcement requirements), or in response to a lawful request by public authorities.

We process Personal Information submitted by customers for the purpose of providing the above-referenced services (collectively, the “Services”) to customers. To fulfill these purposes, we may access Personal Information to provide the Services, to prevent or address service or technical problems, to respond to customer support matters, to follow the instructions of a customer who submitted the Personal Information, or in response to contractual requirements with our customers and service providers.

As required by applicable law or the EU-U.S. Data Privacy Framework, Build-A-Bear Workshop certifies that it collects Personal Information solely to the extent such Personal Information is relevant in providing the Services. For our record-keeping purposes, we may retain certain Personal Information that you submit in conjunction with commercial transactions; however, we will retain such Personal Information only so long as it serves the purpose of providing the Services.

Your Choices and Access to Your Personal Information

Our email, website, and other interactive programs allow you to choose to receive or to stop receiving communications from us. You can choose to receive email and/or postal mail from a specific Build-A-Bear Workshop brand or to receive offers from other Build-A-Bear Workshop brands.

Build-A-Bear Workshop honors a “once out – always out” policy. Once you opt out, you are opted out of that type of communication and that brand until we are explicitly told in writing to opt you back in. You may opt out of email programs at any time by following the opt-out instructions provided in the email you receive. You also have the right to opt out of us using your Personal Information for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by you.

As provided by applicable law, you may have the right to access, amend, or delete any Personal Information we hold about you, be removed from Build-A-Bear Workshop programs you enrolled in, stop receiving postal mail and other communications, and prevent any further use of your Personal Information by Build-A-Bear Workshop, by contacting us; click here to select your country and be linked to the correct address or email address to use to contact us. Build-A-Bear Workshop will respond to reasonable requests in an appropriate timeframe as determined by the respective authority. In most cases, we will respond to requests within one month; provided, however, if the request is complex, we may extend our response time in accordance with applicable law.

Build-A-Bear Workshop will also contact individuals whose Personal Information is within the scope of the EU-U.S. Data Privacy Framework Principles to obtain prior affirmative express consent if sensitive (referred to as special categories of personal data under the GDPR) Personal Information (i.e., Personal Information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data or Personal Information specifying the sex life or sexual orientation of the individual) is to be collected or disclosed to a third party, or if such sensitive Personal Information is to be used for a purpose other than those for which it was originally collected or subsequently authorized by such individual. We will treat as sensitive any Personal Information received from a third party where the third party identifies and treats it as sensitive. In the last 12 months, we have not collected any sensitive Personal Information of guests or other consumers.

Children’s Privacy

Build-A-Bear Workshop is committed to protecting children’s privacy on the Internet. No one under 16 years of age in the EEA or under 13 years of age elsewhere may provide any Personal Information to or on the websites. Build-A-Bear Workshop does not knowingly collect Personal Information from children under 16 years of age in the EEA or under 13 years of age elsewhere. If you are under 16 in the EEA or under 13 elsewhere, do not use or provide any information on our websites or retail stores, make any purchases through our websites, use any of the interactive or public comment features of our websites or retail stores or provide any information about yourself or others to us, including your/others name, address, telephone number, email address, or any screen name or user name you/others may use. If we learn we have collected or received Personal Information from a child under 16 years of age in the EEA or under 13 years of age elsewhere without verification of parental consent, we will delete that information. If you believe we might have any information from a child under 16 in the EEA or under 13 elsewhere, please contact us at privacy@buildabear.com or privacy@buildabear.co.uk.

What Personal Information is collected online from children and how is it used?

Build-A-Bear Workshop does not knowingly collect, use, or disclose Personal Information (including online contact information) of children under 16 years of age in the EEA or under 13 years of age elsewhere. We may collect information about visits to our websites without a user actively submitting such information. For information about such passive data collection, see Passive Data Collection – Cookies and Web Beacons.

Is my child’s Personal Information required for participation in online activities?

No.

Is my child’s Personal Information required to receive certificates in the store?

Yes. Personal Information is required to create a certificate at the Name Me® station in the store.

Is my child’s Personal Information shared with unrelated third parties?

No.

What Personal Information did my child share while attending a party?

Parental supervision is always recommended; however, parents often do not attend a party with their child. Children attending a party may create a certificate at the Name Me® station. A certificate can be created with just the animal’s name and the child’s first name, and year of birth.

Disclosing Personal Information to Third Parties

We employ other companies (“Agents”) and people to perform tasks on our behalf and need to disclose, and may internationally transfer, your information with them to provide products or services to you; for example, Salesforce, Google, Facebook and other advertising partners. Other types of Agents with whom we may disclose Personal Information include organizations providing services to support Build-A-Bear Workshop functions, such as our mail and email processing companies, payment processing companies, and market research firms. We also transfer Personal Information to Agents for email marketing purposes. If Build-A-Bear Workshop transfers Personal Information subject to the EU-U.S. Data Privacy Framework Principles to a third party, the recipient is required to have the same level of protection as required of Build-A-Bear Workshop under the EU-U.S. Data Privacy Framework. All such service providers are bound by contract to refrain from using the Personal Information we collect from you for any purpose other than providing the service to Build-A-Bear Workshop for which consent has been given. Build-A-Bear Workshop remains liable under the EU-U.S. Data Privacy Framework Principles and takes reasonable and appropriate steps to ensure that its Agents process transferred Personal Information in a manner consistent with the Principles. Should an Agent no longer be able to meet its obligations, Build-A-Bear Workshop will take necessary steps to stop and remediate unauthorized processing.

We may also disclose information (including Personal Information) collected from guests outside of the U.S. to affiliated companies or Affiliates in the U.S. and elsewhere. For purposes of this Privacy Policy, “Affiliates” means any person or entity which directly or indirectly controls, is controlled by or is under common control with Build-A-Bear Workshop, Inc., whether by ownership or otherwise. Any Personal Information relating to you that we provide to our Affiliates will be treated by those Affiliates in accordance with the terms of this Privacy Policy and, as applicable, the EU-U.S. Data Privacy Framework Principles and other compliance mechanisms to ensure appropriate safeguards for such Personal Information as described in Article 46 of the GDPR, including data processing agreements incorporating the EU Standard Contractual Clauses.

We train our employees and those of our Affiliates about the importance of privacy and how to handle and manage customer Personal Information appropriately and securely. We may disclose your information (including Personal Information) to franchisees of Build-A-Bear Workshop, but only where we indicate to you at time of Personal Information collection that such Personal Information will be provided to a franchisee, or if we otherwise obtain your permission.

In addition to disclosures to third party providers and Affiliates as described above, we may disclose or transfer Personal Information in connection with, or during negotiations of, any merger, sale of company assets, product lines or divisions, or any financing or acquisition. We may also disclose Personal Information to prevent damage or harm to us, our Services, or any person or property, or if we believe that disclosure is required by law (including to meet national security or law enforcement requirements), or in response to a lawful request by public authorities. Except as described in this Privacy Policy, we will not otherwise disclose Personal Information to third parties unless you have been provided with an opportunity to opt in to such disclosure.

Build-A-Bear Workshop does not release the Personal Information it collects from you to any unrelated third parties so that they may send you commercial promotions or offers for their products or services. Build-A-Bear Workshop does not engage in the sale of your personal information. We do, however, disclose anonymous, aggregate information concerning the demographic makeup of our customers to unrelated third parties, and share Personal Information for purposes of cross-context behavioral advertising or targeted advertising, as contemplated under applicable law, such as the CCPA and other U.S. state privacy laws, as described below.

Except as described in this Privacy Policy, we will not otherwise disclose or sell Personal Information to any third parties unless you have been provided with an opportunity to opt in to such disclosure and, in the case of Personal Information collected from children, the appropriate verifiable consent is obtained.

If an individual wishes to opt out or limit the use and disclosure of their Personal Information to a third party or a use that is incompatible with the purpose for which Personal Information was originally collected or authorized, the individual may send such request to privacy@buildabear.com or opt out using one of the methods described in the Country and State Specific Personal Information section below.

When Build-A-Bear Workshop transfers Personal Information to countries other than the country where it was provided, we do so in compliance with applicable data protection laws, including, as applicable, the EU-U.S. Data Privacy Framework Principles. In addition to acting in accordance with the EU-U.S. Data Privacy Framework, we transfer Personal Information relating to individuals in the EU and the UK via other compliance mechanisms to ensure appropriate safeguards for such Personal Information as described in Article 46 of the GDPR, including data processing agreements incorporating the EU Standard Contractual Clauses. All Personal Information is transmitted to St. Louis, Missouri daily. Copies of the Personal Information at the point of origin are deleted on a regular basis. We may transfer Personal Information from guests outside the U.S. to Affiliates located either in the U.S. or otherwise; provided that transfers to the U.S. from the EU will comply with the EU-U.S. Data Privacy Framework Principles and such other compliance mechanisms in all respects.

Personal Information Security

Build-A-Bear Workshop maintains appropriate technical and organizational security measures designed to help protect against unauthorized or unlawful processing, loss, destruction, damage, misuse, and alteration of Personal Information collected by Build-A-Bear Workshop, which include:

  • physical and logical access controls, including firewall, limited access, and SSL encryption technology, that limit who can access Personal Information based on business/processing need;
  • privacy policies for Personal Information and for employee Personal Information (a copy of which may be requested at privacy@buildabear.com);
  • annual employee training on our privacy policies;
  • employees who are bound by confidentiality obligations;
  • the appointment of a Privacy Officer to handle all Personal Information incidents or issues, including, without limitation, the handling of individual requests related to his/her Personal Information processed by Build-A-Bear Workshop; and
  • Build-A-Bear Workshop’s General Information Security Policy and Incident Response Policy that contain incident response plans for escalation and resolution of data breach incidents.

All Personal Information collected via our websites is stored on secured servers.

Passive Data Collection – Cookies and Web Beacons

Our Build-A-Bear Workshop website may also collect Personal Information passively, through the use of cookies. A cookie is a small text file that writes to your hard drive. The cookie file contains your computer’s IP address and a user ID. The user ID links any orders you have placed on our site to your Personal Information. A user ID has no personally identifiable information attached to it unless you place an order on our site. Our website uses cookies to enhance the guests’ experience and help us improve our Services. For example, we may use cookies to keep track of your basket or shopping cart while you are shopping on our site or to track your activity. Build-A-Bear Workshop uses web beacons in emails to track traffic from the email to specific pages on our websites. You may be able to adjust your browser so that your computer either does not accept cookies, or notifies you when a website tries to deposit a cookie into your computer. Our cookies do not contain confidential Personal Information such as your home address, telephone number, or credit card information. We do not exchange cookies with any third parties.

Build-A-Bear Workshop Cookie Declaration:

This website uses cookies. We use cookies to personalize content and ads, to provide social media features and to analyze our traffic. We also share information about your use of our site with our social media, advertising, and analytics partners, who may combine it with other information that you’ve provided to them or that they’ve collected from your use of their services. Cookies are small text files that can be used by websites to make a user’s experience more efficient. Applicable law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies, we need a lawful basis for processing, which may include your permission. This site uses different types of cookies. Some cookies are placed by third party services that appear on our pages. By agreeing to the use of cookies on our website, you are directing us to disclose your Personal Information and data to our third party service providers for these purposes.

Specifically, the information that we collect through the cookies on our site is as follows:

  • Page Information, which is retained by Build-A-Bear for up to a year:
    • URL – the URL of the page you are viewing and
    • Title – the title of the page you are viewing.
  • Browser Information, which is retained by Build-A-Bear for up to a year:
    • Browser name – the type of browser you are using;
    • Viewport or Viewing pane – the size of the browser window you are using;
    • Screen resolution – the resolution of your screen;
    • Java enabled – whether or not you have Java enabled; and
    • Flash version – what version of Flash you are using.
  • User Information, which is retained by Build-A-Bear for up to a year:
    • Location – this is derived from the IP address where the hit originated (please note that the IP address itself is not available or retained by Build-A-Bear); and
    • Language – derived from the language settings of your browser.

We are committed to safeguarding your privacy and ensuring that your personal information is protected. Any Personal Information collected through the cookies on our Site will be protected by Build-A-Bear pursuant to this Privacy Policy.

It is always possible for you to visit our website without disclosing your Personal Information. This requires that you have disabled cookies. You can opt out of the processing of such information via the Cookie Consent Banner displayed at the bottom of the relevant site or through your browser settings. Please note, however, that without cookies you may not be able to use all of the features of our site or Services.

If you have any questions about the cookies on our website or any of the information, including, without limitation, Personal Information, gathered by the cookies, please contact Build-A-Bear’s Data Protection Officer, whose contact information is below:

In the US and Canada:
Data Protection Officer
Build-A-Bear Workshop
415 S. 18th Street, Suite 200
St. Louis, MO 63103
privacy@buildabear.com
Telephone: 1-877-789-BEAR (2327)

In the EU and United Kingdom:
Data Protection Officer
Build-A-Bear Workshop
2nd Floor, Aquasulis House
10 - 14 Bath Road
Slough, Berkshire SL1 3SA, United Kingdom
privacy@buildabear.co.uk
Telephone: +44 (0) 800 542 0635

We are committed and required to respond to any of your inquiries on this issue within one month of receiving the complaint.

EU-U.S. Data Privacy Framework Dispute Resolution

In compliance with the EU-U.S. Data Privacy Framework Principles, Build-A-Bear Workshop commits to resolve complaints about our collection or use of your Personal Information. EU or UK individuals with inquiries or complaints regarding our EU-U.S. Data Privacy Framework policy should first contact Build-A-Bear Workshop’s Privacy Officer, who will, in accordance with Build-A-Bear Workshop’s Incident Response Policy and its Data Protection Retention Policy, as applicable, escalate it as necessary, at:

Privacy Officer
Build-A-Bear Workshop UK Limited
2nd Floor, Aquasulis House
10 - 14 Bath Road
Slough, Berkshire SL1 3SA, United Kingdom
Email: privacy@buildabear.co.uk
Telephone: +44 (0) 870 224 5130

Suspected and confirmed Personal Information security incidents will be investigated by the Privacy Officer and/or other personnel as necessitated by the scope of the incident. Such investigation will include, but will not be limited to, determining the source of the breach, identifying the types of data affected, determining whether notifications must be made and instituting any remedial measures that may be necessary to avoid similar incidents in the future.

Build-A-Bear Workshop has further committed to refer unresolved EU-U.S. Data Privacy Framework complaints to the appropriate supervisory authority. Under the EU-U.S. Data Privacy Framework UK Extension, the Information Commissioner’s Office of the United Kingdom (“ICO”) is the data protection supervisory authority. If you do not receive timely acknowledgment of your complaint from us, or if we have not resolved your complaint, please contact or visit https://ico.org.uk/make-a-complaint/uk-extension-to-the-eu-us-data-privacy-framework-complaints-tool/dpf-complaints-tool/ for more information or to file a complaint. The services of the ICO are provided at no cost to you.

For residents of other EU member countries subject to the EU-U.S. Data Privacy Framework, please visit the data protection authority of your specific country to file a complaint. The list from the European Data Protection Board can be found by visiting https://www.edpb.europa.eu/about-edpb/about-edpb/members_en. Under certain limited circumstances, EU or UK individuals may invoke binding arbitration under the EU-U.S. Data Privacy Framework as a last resort if all other forms of dispute resolution have been unsuccessful. To learn more about this method of resolution and its availability to you, please visit https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction.

The FTC has committed to reviewing, on a priority basis, referrals alleging non-compliance of the EU-U.S. Data Privacy Framework Principles received from independent dispute resolution bodies, among others. If the FTC concludes that it has reason to believe Section 5 of the FTC Act prohibiting unfair or deceptive trade practices has been violated, it may resolve the matter by seeking an administrative cease and desist order prohibiting the challenged practices or by filing a complaint in a federal district court, which if successful could result in a federal court order to the same effect.

Use of Human Resource Personal Information Subject to EU-U.S. Data Privacy Framework

Where a member of the Build-A-Bear Workshop group in the EU or UK transfers Personal Information about its employees (past or present) collected in the context of the employment relationship, to a parent, affiliate, or unaffiliated service provider in the U.S. participating in the EU-U.S. Data Privacy Framework, the transfer enjoys the benefits of the EU-U.S. Data Privacy Framework. In such cases, Build-A-Bear Workshop will comply with the EU-U.S. Data Privacy Framework Principles, make reasonable efforts to accommodate employee privacy preferences, and will not use employees’ exercise of their rights under EU-U.S. Data Privacy Framework to restrict employment opportunities or take punitive action against employees. Build-A-Bear Workshop transfers Personal Information about its employees (past or present) collected in the context of the employment relationship relating to individuals in the EU and the UK via the EU-U.S. Data Privacy Framework and other compliance mechanisms to ensure appropriate safeguards for such Personal Information as described in Article 46 of the GDPR, including data processing agreements incorporating the EU Standard Contractual Clauses.

Build-A-Bear Workshop collects Personal Information from its employees to administer employee evaluations, payroll, compensation surveys, benefits, and its Employee Discount Program. Build-A-Bear Workshop will comply with all relevant laws, and, as applicable, the EU-U.S. Data Privacy Framework Principles and other compliance mechanisms to ensure appropriate safeguards for such Personal Information as described in Article 46 of the GDPR, including data processing agreements incorporating the EU Standard Contractual Clauses, in the collection and use of employee-related Personal Information. To the extent and for the period necessary to avoid prejudicing the ability of Build-A-Bear Workshop in making promotions, appointments, or other similar employment decisions, we may not offer employees the notice and choice options described in the EU-U.S. Data Privacy Framework Principles. Similarly, for occasional employment-related operational needs, such as the booking of a flight, hotel room, or insurance coverage, transfers of Personal Information of a small number of employees may take place with limited access or the entering into a contract with the third-party transferee, provided that we otherwise comply with the EU-U.S. Data Privacy Framework Principles or such other compliance mechanisms, as applicable. Access must also be limited in the context of employee security investigations or grievance proceedings or in connection with employee succession planning and corporate re-organizations.

Where employees in the EU or UK make complaints about violations of their Personal Information protection rights and are not satisfied with the results of our internal review, complaint, and appeal procedures, they will be directed to the state or national data protection or labor authority in the jurisdiction where the employees work. Build-A-Bear Workshop commits to cooperate with competent EU or UK Data Protection Authorities in the investigation and resolution of EU-U.S. Data Privacy Framework complaints with regard to human resources Personal Information transferred from an EU country or the UK to the U.S. Build-A-Bear Workshop will comply with any advice given by the Data Protection Authorities where such authorities take the view that we need to take specific action to comply with the EU-U.S. Data Privacy Framework Principles.

Build-A-Bear Workshop has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) with regard to unresolved EU-U.S. Data Privacy Framework complaints concerning data transferred from the EU.

Changes to This Privacy Policy

We may amend this Privacy Policy at any time. If we make any changes in the way we collect, use, and/or share your Personal Information, we will notify you by sending you an email at the last email address that you provided us, or by prominently posting notice of the changes on the websites covered by this Privacy Policy.

Contact Us

If you have questions or concerns regarding your privacy, please contact Build-A-Bear Workshop directly. Please feel free to use your native language when sending your questions or comments.

In the US and Canada:
Privacy Officer
Build-A-Bear Workshop, Inc.
415 S. 18th Street, Suite 200
St. Louis, MO 63103
Email: privacy@buildabear.com
Telephone: 1-877-789-BEAR (2327)

In the EU and United Kingdom:
Privacy Officer
Build-A-Bear Workshop UK Limited
2nd Floor, Aquasulis House
10 - 14 Bath Road
Slough, Berkshire SL1 3SA, United Kingdom
Email: privacy@buildabear.co.uk
Telephone: +44 (0) 800 542 0635

If you are a resident of the EU or the UK and you believe we maintain your Personal Information within the scope of this EU-U.S. Data Privacy Framework certification, you may direct any questions or complaints to our United Kingdom email and postal addresses above. We are committed and required to respond to any of your inquiries on this issue within one month of receiving the complaint.

Country and State Specific Information
Canada

Build-A-Bear Workshop complies with Canadian Federal and Provincial privacy laws and regulations including the Personal Information Protection and Electronic Documents Act.

Build-A-Bear Workshop, Inc. will only use your Personal Information for the purposes intended and as detailed in the Privacy Policy unless we have obtained your consent to use it for other purposes.

United Kingdom

Your Personal Information is protected in the United Kingdom by the GDPR, the UK Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003/2426, together with any additional applicable data protection and privacy laws in force from time to time, in the UK. Under these laws, we will only process your Personal Information in a lawful, fair and transparent manner and your Personal Information will only be collected for specified and legitimate purposes. We will secure your Personal Information to prevent unauthorized access by third parties.

Data controller details
The data controller in relation to the processing of Personal Information that you provide to us is Build-A-Bear Workshop UK Limited. Our address is 10-14 Bath Road, Slough, Berkshire, United Kingdom, SL1 3SA, United Kingdom. The easiest ways to contact us are by email at privacy@buildabear.co.uk or by telephone at +44 (0) 870 224 5130. All Personal Information collection and processing in the United Kingdom by Build-A-Bear Workshop will be undertaken by Build-A-Bear Workshop UK Limited in accordance with the terms of this privacy policy.

Processing information
The information set out in this Privacy Policy is provided to individuals whose Personal Information we process, in compliance with our obligations under Articles 13 and 14 of the GDPR.

To make this information clear, we have divided the data we receive into the following groups, each of which refers to: the particular category of information we collect and retain; the purpose and legal basis of processing; and to whom we will (if applicable) disclose the information:

International transfers
Details of third parties to whom transfers of Personal Information may be made are set out above (click here for more information).

We will not transfer Personal Information relating to you to a country which is outside the UK unless: (1) the country or recipient is covered by an adequacy decision of the ICO under GDPR Article 45; (2) appropriate safeguards have been put in place which meet the requirements of GDPR Article 46 (for example using the ICO’s international data transfer addendum to the European Commission’s Standard Contractual Clauses for transfers of Personal Information outside the UK); or (3) one of the derogations for specific situations under GDPR Article 49 is applicable to the transfer. These include (in summary) the transfer is necessary to perform, or to form, a contract to which we are a party; the transfer is necessary for the establishment, exercise or defense of legal claims; you have provided your explicit consent to the transfer; or the transfer is of a limited nature, and is necessary for the purpose of our compelling legitimate interests.

Retention of Personal Information
Different types of Personal Information may need to be retained for different periods of time depending on the purposes for which the data is processed and the legal and regulatory retention requirements in relation to certain categories of data. In determining the appropriate retention period consideration is given to the following factors:

  • the purposes for which the Personal Information is processed;
  • the legal basis for processing that Personal Information;
  • legal requirements for retention (particularly employment and health and safety law); and
  • regulatory requirements.

In particular, except where otherwise required by applicable law or a request to delete or erase Personal Information, Build-A-Bear retains certain specific categories of Personal Information in accordance with the periods set out in the Data Retention Schedule to this Policy (click here for more information).

In addition, Build-A-Bear may retain anonymized Personal Information (data that is no longer in a form identifying or making identifiable the individual to which the Personal Information originally related).

Your rights in respect of your Personal Information
You have certain rights under the GDPR, including the right to (upon written request) access a copy of your Personal Information that we are processing. From May 25, 2018, in accordance with the GDPR you will have the following rights:

  • right to access: the right to request certain information about, access to and copies of the Personal Information about you that we are holding (please note that you are entitled to request one copy of the personal information that we hold about you at no cost, but for any further copies, we reserve the right to charge a reasonable fee based on administration costs) and this will be provided to you within one month of your request; and
  • right to rectification: the right to have your Personal Information rectified if it is inaccurate or incomplete.

In certain circumstances, you will also have the following rights:

  • right to erasure/“right to be forgotten”: the right to withdraw your consent to our processing of your Personal Information (if the legal basis for processing is based on your consent) and the right to request that we delete or erase your Personal Information from our systems (however, this will not apply if we are required to hold on to the Personal Information for compliance with any legal obligation or if we require the information to establish or defend any legal claim);
  • right to restriction of use of your Personal Information: the right to stop us from using your Personal Information or limit the way in which we can use it;
  • right to object: the right to object to our use of your Personal Information including where we use it for our legitimate interests or for marketing purposes; and
  • right to data portability: the right to request that we return any Personal Information that you have provided in a structured, commonly used and machine-readable format, or that we send it directly to another company, where technically feasible.

As set out above, you are entitled to withdraw your consent to the processing of your Personal Information but please note that if you do withdraw your consent, we may not be able to carry out our contractual obligations to you or provide you with access to all or certain parts of our Services.

Under the Access Principle of the EU-U.S. Data Privacy Framework, if the burden or expense of providing access (Right to Access, Right to Rectification, and Right to Erasure) would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated, a request may be denied. If this happens and you would like to file a complaint, please see the Complaints section below for information.

To exercise any of the rights listed above, you may click here and select the regulation under which you are a subject and enter your name and email address for which you want to exercise these rights. You may also email, write, or call the Privacy Officer as indicated in the Contact Us section of this Privacy Policy.

Complaints

For residents of the United Kingdom, if you consider our use of your Personal Information to be unlawful, you have the right to lodge a complaint with the UK ICO. Please see further information on their website: www.ico.org.uk. Build-A-Bear Workshop and Build-A-Bear Workshop UK Limited are committed to working with you to obtain a fair resolution of any complaint or concern about privacy.

For residents of other EU member countries subject to the EU-U.S. Data Privacy Framework, please visit the data protection authority of your specific country to file a complaint. The list from the European Data Protection Board can be found by visiting https://www.edpb.europa.eu/about-edpb/about-edpb/members_en.

Automatic decision making
We do not make decisions in relation to your Personal Information that are based solely on automated data processing (including profiling).

United States

Build-A-Bear Workshop complies with the U.S. Federal and State privacy laws, including the Children’s Online Privacy Protection Act.

California – CCPA Notice of Collection

This section applies solely to visitors, users, and others who reside in the State of California (“consumers” or “you”), excluding any of our employees or our Affiliates’ employees that reside in the State of California, which are covered by our employment policies and handbook. We adopt this notice to comply with the CCPA and any terms defined in the CCPA have the same meaning when used in this notice.

Information We Collect
Build-A-Bear Workshop collects information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household (for purposes of this CCPA Notice, “personal information”). In particular, Build-A-Bear Workshop has collected the following categories of personal information from its consumers within the last twelve (12) months:

Uses for Site Guests
| Category | Examples | Collected |
|---|---|---|
| A. Identifiers. | A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, and account name. | YES |
| B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). | A name, signature, address, telephone number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories. | YES |
| C. Protected classification characteristics under California or federal law. | Age (40 years or older), race, color, ancestry, national origin, citizenship, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), veteran or military status. | YES |
| D. Commercial information. | Products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | YES |
| E. Biometric information. | None | NO |
| F. Internet or other similar network activity. | Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement. | YES |
| G. Geolocation data. | Physical location or movements. | YES |
| H. Sensory data. | Audio information, specifically voice recordings, in the case of consumers who purchase our Record Your Voice Chip. | YES |
| I. Professional or employment-related information. | Current or past job history or performance evaluations. | YES |
| J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. | NO |
| K. Inferences drawn from other personal information. | Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | YES |

For purposes of this CCPA Notice, personal information does not include:

  • Publicly available information from government records.
  • Lawfully obtained, truthful information that is a matter of public concern.
  • Deidentified or aggregated consumer information.
  • Information excluded from the CCPA’s scope, like:
    • health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data; or
    • personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.

Build-A-Bear Workshop obtains the categories of personal information listed above from the following categories of sources:

  • Directly from you when you visit us in our retail locations or website. For example, from forms you complete or products and services you purchase.
  • Indirectly from you. For example, from observing your actions on our website.
  • From a third-party fraud assessment tool when you place an order via one of our websites.

Retention of Personal Information
Different types of personal information may need to be retained for different periods of time depending on the purposes for which the data is processed and the legal and regulatory retention requirements in relation to certain categories of personal information. In determining the appropriate retention period consideration is given to the following factors:

  • the purposes for which the personal information is processed;
  • the legal basis for processing that personal information;
  • legal requirements for retention (particularly employment and health and safety law); and
  • regulatory requirements.

In particular, except where otherwise required by applicable law or a request to delete personal information, Build-A-Bear retains the above categories of personal information in accordance with the periods set out in the Data Retention Schedule to this Policy (click here for more information).

In addition, Build-A-Bear may retain anonymized personal information (data that is no longer in a form identifying or making identifiable the individual to which the personal information originally related).

Use of Personal Information
We may use or disclose the personal information we collect for one or more of the business purposes set forth above under “How We Use Your Personal Information.” Build-A-Bear Workshop will not collect additional categories of personal information or use the personal information we collected for additional purposes without providing you notice.

Disclosing Personal Information for a Business Purpose
Build-A-Bear Workshop may disclose your personal information to a third party for a business purpose, including to help ensure the security and integrity of our Services, identify and repair errors that impair functionality of our Services, and performing services on behalf of us, such as providing customer services, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing advertising and marketing services (other than for cross-context behavioral advertising) and other similar services. When we disclose personal information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract.

We disclose your personal information for a business purpose with the following categories of third parties:

  • Service providers
  • Data aggregators

Disclosures of Personal Information for a Business Purpose
In the preceding twelve (12) months, Company has disclosed the following categories of personal information for a business purpose:

  • Category A: Identifiers.
  • Category B: California Customer Records personal information categories.
  • Category C: Protected classification characteristics under California or federal law.
  • Category D: Commercial information.
  • Category F: Internet or other similar network activity.
  • Category G: Geolocation data.
  • Category I: Professional or employment-related information.
  • Category K: Inferences drawn from other personal information.

Sharing Personal Information for Cross-Context Behavioral Advertising
Build-A-Bear Workshop may share your personal information with a third party for cross-context behavioral advertising, which is the targeting of advertising to you based on your personal information obtained from your activity across businesses, distinctly-branded websites, applications, or services, other than those with which you intentionally interact. We share personal information with third parties for cross-context behavioral advertising for our commercial purposes and to provide you with advertising targeted to your interests and preferences.

We do not have actual knowledge that we share the personal information of consumers under 16 years of age for cross-context behavioral advertising. We will not share the personal information of consumers we actually know are less than 16 years of age, unless we receive affirmative authorization from either the consumer who is between 13 and 16 years of age, or the parent or guardian of a consumer less than 13 years of age. Consumers who opt-in to personal information sharing may opt-out of future sales or sharing at any time.

We share your personal information for cross-context behavioral advertising with the following categories of third parties:

  • Advertising and marketing companies.
  • Lead generators.
  • Analytics providers.
  • Social media platforms.

In the preceding twelve (12) months, Build-A-Bear Workshop has shared the following categories of personal information for cross-context behavioral advertising:

  • Category A: Identifiers.
  • Category B: California Customer Records personal information categories.
  • Category D: Commercial information.
  • Category F: Internet or other similar network activity.
  • Category K: Inferences drawn from other personal information.

Pursuant to the CCPA, you have the right to direct us to not share your personal information for cross-context behavioral advertising. To exercise this right to opt-out, you (or your authorized agent) may submit a request to us by visiting the following link:

Do Not Share My Personal Information

You may also exercise the right to opt-out using an opt-out preference signal in a format commonly used and recognized by businesses, such as through an HTTP header field. When we receive an opt-out preference signal, we will treat it as a valid request to opt-out of the sharing for that browser or device sending the signal, and, if known, for the consumer.

Once you make an opt-out request, we will wait at least twelve (12) months before asking you to reauthorize sharing your personal information for cross-context behavioral advertising. However, you may change your mind and opt back in to sharing of your personal information at any time by:

Opt-In to Sharing Personal Information

You do not need to create an account with us to exercise your opt-out rights. We will only use personal information provided in an opt-out request to review and comply with the request.

No Personal Information Sales
We do not sell (as defined in the CCPA) any personal information that we collect or use. We do not have actual knowledge that we sell the personal information of consumers under 16 years of age.

Sensitive Personal Information
Build-A-Bear Workshop does not collect any sensitive personal information (as defined in the CCPA) of consumers. We have not sold (as defined in the CCPA) any sensitive personal information of consumers or shared any sensitive personal information of consumers for cross-context behavioral advertising in the last twelve (12) months.

Non-Discrimination
We will not discriminate against you for exercising any of your rights under the CCPA. Unless permitted by the CCPA, we will not:

  • Deny you goods or services.
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
  • Provide you a different level or quality of goods or services.
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

However, we may, from time-to-time, offer you certain financial incentives permitted by the CCPA that can result in different prices, rates, or quality levels. Any CCPA-permitted financial incentive we offer will reasonably relate to the value to us of your personal information and contain written terms that describe the program’s material aspects. Participation in a financial incentive program requires your prior opt-in consent to join the Build-A-Bear Bonus Club, which you may revoke at any time pursuant to the terms and conditions of the Build-A-Bear Bonus Club. Click here for Bonus Club terms and conditions.

Other California Privacy Rights
Beginning January 1, 2005, under California’s “Shine the Light” law, California residents who provide Personal Information for uses identified above are entitled to request and obtain from us once a calendar year information about the customer Personal Information we shared, if any, with other businesses for their own direct marketing uses. If applicable, this information would include the categories of Personal Information and the names and addresses of those businesses with which we shared Personal Information for the immediately prior calendar year (e.g., requests made in 2016 will receive information regarding 2015 sharing activities).

Other U.S. State Privacy Laws

In addition to the CCPA, other U.S. state privacy laws provide residents of their respective states with specific rights regarding their Personal Information. This section describes these rights and explains how residents of those states can exercise those rights.

Access to Specific Information and Data Portability Rights
Pursuant to applicable law, you may have the right to request that Build-A-Bear disclose certain information to you about our collection and use of your Personal Information. Once we receive and verify your request (see Exercising Access, Data Portability, Correction, and Deletion Rights below for more information), we will disclose to you, as applicable:

  1. The categories of Personal Information we collected about you.
  2. The categories of sources for the Personal Information we collected about you.
  3. Our business or commercial purpose for collecting or sharing that Personal Information.
  4. The categories of third parties to whom we disclose that Personal Information.
  5. The specific pieces of Personal Information we collected about you (also called a data portability request).
  6. If we sold or disclosed your Personal Information for a business purpose, two separate lists disclosing:
    1. the Personal Information categories that we sold and for each category identified, the categories of third parties to whom we sold that particular category of Personal Information; and
    2. the Personal Information categories that we disclosed for a business purpose and for each category identified, the categories of third parties to whom we disclosed that particular category of Personal Information.

Correction Request Rights
You may have the right to request that we correct inaccurate Personal Information about you. Once we receive and verify your request (please see Exercising Access, Data Portability, Correction, and Deletion Rights below for more information), we will use commercially reasonable efforts to correct the information to comply with your request. Not all U.S. state privacy laws may afford this right to their residents.

Deletion Request Rights
Pursuant to applicable law, you may have the right to request that Build-A-Bear Workshop delete any of your Personal Information that we collected from you and retained, subject to certain exceptions. Once we receive and verify your request (see Exercising Access, Data Portability, Correction, and Deletion Rights below for more information), we will delete (and direct our service providers to delete) your Personal Information from our records, unless an exception applies. In responding to your request, we will inform you whether or not we have complied with the request, and, if we have not complied, provide you with an explanation as to why.

A service provider may not be required to comply with a deletion request submitted directly to the service provider.

We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:

  • Complete the transaction for which we collected the Personal Data, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
  • Help to ensure security and integrity to the extent the use of your Personal Information is reasonably necessary and proportionate for those purposes.
  • Debug products to identify and repair errors that impair existing intended functionality.
  • Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.).
  • Exercise free speech, ensure the right of another consumer to exercise his/her free speech rights, or exercise another right provided for by law.
  • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
  • Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
  • Comply with a legal obligation.

Sharing/Targeted Advertising Opt-Out and Opt-In Rights
Build-A-Bear Workshop may share your Personal Information with a third party for cross-context behavioral advertising (as such term is used under the CCPA) or process your Personal Information for targeted advertising (as such term is used under other U.S. state privacy laws). Pursuant to applicable law, you may have the right to direct us to not share your Personal Information for cross-context behavioral advertising or process your Personal Information for targeted advertising.

To exercise this right to opt-out, you (or your authorized agent) may submit a request to us by visiting the following link:

Do Not Share My Personal Information

You may also exercise the right to opt-out using an opt-out preference signal in a format commonly used and recognized by businesses, such as through an HTTP header field. When we receive an opt-out preference signal, we will treat it as a valid request to opt-out of the sharing for that browser or device sending the signal, and, if known, for the individual.

Once you make an opt-out request, we will wait at least twelve (12) months before asking you to reauthorize sharing your Personal Information for cross-context behavioral advertising or processing your Personal Information for targeted advertising. However, you may change your mind and opt back in to sharing of your Personal Information or processing of your Personal Information for targeted advertising at any time by:

Opt-In to Sharing Personal Information

You do not need to create an account with us to exercise your opt-out rights. We will only use Personal Information provided in an opt-out request to review and comply with the request.

Exercising Access, Data Portability, and Deletion Rights
To exercise the access, data portability, correction, and deletion rights described above, please submit a verifiable request to us by either:

  • Calling us at 1-877-789-BEAR (2327)
  • Visiting the request page on our website here
  • Visiting a store location in a state which grants such rights to its residents, as applicable

When you use a request method above, we will request certain information for verification purposes, such as your name, address, and e-mail address. We will use this information to verify this is a permitted request, such as by matching your name and address with information in our records. Depending on the type of request, we may require a certain number of data points to allow for verification.

Only you, or a person properly authorized to act on your behalf, may make a verifiable request related to your Personal Information. You may also make a verifiable request on behalf of your minor child.

An authorized agent may make a request on your behalf using the request methods designated above. Additionally, if you use an authorized agent to submit a consumer request, we may require the authorized agent to provide proof that you gave the agent signed permission to submit the request. We may also require you to verify your own identity directly with us or directly confirm with us that you provided the authorized agent permission to submit the request.

The verifiable consumer request must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized agent of such person.
  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you.

Making a verifiable consumer request does not require you to create an account with us.

We will only use Personal Information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

If we deny your request, you may have the right to appeal our decision. Further, if you appeal and your appeal is denied, you may have the right to complain to your state’s attorney general. You may appeal your decision by contacting us at privacy@buildabear.com.

For instructions on exercising opt-out and opt-in rights, see Sharing/Targeted Advertising Opt-Out and Opt-In Rights above.

Response Timing and Format
In accordance with applicable law, we endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to 90 days total), we will inform you of the reason and extension period in writing.

We will deliver our written response by mail or electronically, at your option.

The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your Personal Information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

You may make a consumer request for access or data portability free of charge twice within a 12-month period. Additional requests may be subject to a fee. We may charge a fee to process or respond to your requests if it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Europe

From May 25, 2018, Build-A-Bear Workshop’s practices are compliant with the GDPR in Europe.


Uses of Personal Information

Customers and visitors to our site
Uses for Site Guests
What we collect:
  • first and last names;
  • email address;
  • postal address;
  • date of birth and/or age;
  • phone number;
  • sex/gender;
  • credit card information;
  • payment details;
  • product preference;
  • purchasing history;
  • IP address;
  • Device ID;

We may use your information for the following purposes, based on the following legal grounds:
  • If it is necessary for the performance of our contract or for the purposes of entering into a contract: for the purpose of negotiating and entering into contractual agreements with you, in the course of providing our Services or to enable you to make an in store or online purchase.
  • If it is in our legitimate business interests to do so: for internal record keeping for administration purposes, for the purpose of communications in relation to establishing a customer relationship, including to suggest products and services which may be of interest to you, obtaining evidence of identity of our customers, for insight purposes (e.g. to analyze market trends and demographics, and develop the service which we offer to you or other individuals in the future) or for online age verification purposes.
  • Compliance with a legal obligation: in order to prevent fraud or money laundering or to comply with any other legal or regulatory requirements.
  • If we obtain your consent: in order to:
    • conduct business with you
    • improve your experience with us
    • register your Build-A-Bear Workshop product in our Find-A-Bear® ID system
    • book a party
    • create a wish list
    • process, fulfill, and follow up on online purchases
    • create and maintain accounts
    • register for our Build-A-Bear Bonus Club program
    • handle guest service requests
    • maintain our Loyalty Program
    • send friends and families emails and e-cards on your behalf
    • send surveys
    • help you receive email and direct mail
    • help you receive text messages
    • help you register for contests, sweepstakes, promotions, lotteries, loyalty programs and competitions
    • help you send us testimonials, guest submissions, or other communications
    • help you submit a book review.

Recipients:
1. We may share information about you within the Build-A-Bear group, as more fully described above. (click here for more information).
2. Please note that personal information we are holding about you may be shared with and processed by:
2.1. regulators or other third parties for the purposes of monitoring and/or enforcing our compliance with any legal and regulatory obligations, including statutory or regulatory reporting or the detection or prevention of unlawful acts;
2.2. credit reference and fraud prevention agencies;
2.3. any third party in the context of actual or threatened legal proceedings, provided we can do so lawfully (for example in response to a court order);
2.4. other parties and/or their professional advisers involved in a matter where required as part of the conduct of the Services;
2.5. our own professional advisers and auditors for the purpose of seeking professional advice or to meet our audit responsibilities;
2.6. our service providers and agents (including their subcontractors) or third parties which process information on our behalf (e.g. internet service and platform providers, our bank, payment processing providers and those organizations we engage to help us send communications to you) so that they may help us to provide you with the applications, products, services and information you have requested or which we believe may be of interest to you;
2.7. third parties as part of the arrangements for any event for which you have expressed an interest in attending; and
2.8. another organization to whom we may transfer our agreement with you or if we sell or buy (or negotiate to sell or buy) our business or any of our assets (provided that adequate protections and safeguards are in place).

Suppliers and supplier personnel
Uses for Supplier Personnel
What we collect:
  • first and last names;
  • email address;
  • telephone numbers;
  • payment details;
  • identification.

We may use your information for the following purposes, based on the following legal grounds:
  • If it is necessary for the performance of our contract or for the purposes of entering into a contract: for the purpose of negotiating and entering into contractual agreements with you, in the course of receiving services from you, for the purposes of making payments to you.
  • If it is in our legitimate business interests to do so: for internal record keeping for administration purposes, for the purpose of communications in relation to establishing a working relationship.
  • Compliance with a legal obligation: in order to prevent fraud or money laundering or to comply with any other legal or regulatory requirements.

Recipients:
3. We may share information about you within the Build-A-Bear group, as more fully described above. (click here for more information).
4. Please note that personal information we are holding about you may be shared with and processed by:
4.1. our customers, in the course of providing services to them;
4.2. regulators or other third parties for the purposes of monitoring and/or enforcing our compliance with any legal and regulatory obligations, including statutory or regulatory reporting or the detection or prevention of unlawful acts;
4.3. credit reference and fraud prevention agencies;
4.4. any third party in the context of actual or threatened legal proceedings, provided we can do so lawfully (for example in response to a court order);
4.5. our own professional advisers and auditors for the purpose of seeking professional advice or to meet our audit responsibilities;
4.6. our service providers and agents (including their subcontractors) or third parties which process information on our behalf (e.g. internet service and platform providers, our bank, payment processing providers); and
4.7. another organization to whom we may transfer our agreement with you or if we sell or buy (or negotiate to sell or buy) our business or any of our assets (provided that adequate protections and safeguards are in place).

Personal Information Retention Periods

| Category | Information description (includes but not limited to) | Retention Period (in absence of a deletion request, other request from a data subject or legal requirement) |
| --- | --- | --- |
| Guest Data (Non-Bonus Club Member Data) | Names; Addresses; Transaction Information; Payment details; E-mail Addresses; Telephone Numbers; Purchasing history; IP address; Device ID | 6 years |
| Bonus Club Member Data | Names; Addresses; Transaction Information; Payment details; E-mail Addresses; Telephone Numbers; Product preference; Purchasing history; IP address; DOB’s; Gender | For as long as a bonus club account is active, and for 1 year after cancellation of account. |
| Guest Data (for Online Age Verification Only) | Date of Birth; Age Range | Not retained beyond initial data entry point (deleted immediately following verification) |
| Supplier Data | Names; Addresses; Transaction Information; Payment details; E-mail Addresses; Telephone Numbers | 6 years after services have been provided |
| Supplier Contracts | Contracts for supplier services; Related sub-contracts | 12 + 1 years after services have ceased |
| Insurance Data | Personal Information involving insurance claims; Insurance policies; Insurance related correspondence, outcomes and notices | 12 + 1 years |
| Health and Safety | Assessments; Policy Statements; Records of consultations with safety representatives | Permanently |

Click here to learn about cookies on buildabear.com and buildabear.co.uk.