Logo

GLOBAL PRIVACY NOTICE

Effective date: 06 July 2026

I. Who we are

Quick guide

Meet the organisations behind this notice.

This section explains which Applegreen Group company may act as controller and how to contact the relevant privacy team.

This Global Privacy Notice is issued on behalf of the Applegreen Group (“Applegreen”, “we”, “us”, “our”).

The Applegreen Group includes a number of companies operating customer-facing services across Ireland, the United Kingdom and Northern Ireland, and the United States. This includes:

  • Petrogas Group Limited and Applegreen Electric IRL Service Areas Limited: Block 17, Joyce Way, Park West Business Park, D12 F2V3, Dublin, Ireland;

  • Welcome Break Limited and Applegreen Electric UK Service Areas: 2 Vantage Court, Tickford Street, Newport Pagnell, MK16 9EZ, UK;

  • Petrogas Group US Inc: 208 Harristown Road, Glen Rock, NJ, 07452, USA

Each of these entities may act as a data controller depending on the service you are using. References to “Applegreen”, “Welcome Break”, “we”, “us” or “our” in this Notice should be understood as referring to the relevant Applegreen Group company (or companies) responsible for the processing of your personal data in the context of the relevant service.

Contact details

Republic of Ireland and United States: dpo@applegreen.com

Please use this form for exercising privacy rights for Ireland: here

If you are a resident of Connecticut, Delaware, New Hampshire, New Jersey or Indiana, please use this form for exercising privacy rights for the USA: (here)

United Kingdom and Northern Ireland: dpo@welcomebreak.co.uk

Please use this form for exercising privacy rights: (here)

Please use this form for submitting privacy complaints if you are not satisfied with our answer to your privacy rights request: (insert the link here)

II. Purpose of this Privacy Notice

Quick guide

This section explains why the notice exists and when it applies - from website and apps to hotels, EV charging, loyalty programmes and more.

This is a global privacy notice which explains how we collect, use, share and protect personal data (or personally identifiable information) in connection with our customer-facing activities.

This Notice applies when you interact with us in any of the following contexts:

  • visiting our premises, including service stations, travel plazas, retail sites, EV charging locations, hotels and other customer facilities;

  • using our websites, mobile applications or other digital platforms;

  • creating or using a customer account across our services, including EV charging, Wi-Fi access, loyalty programs and fuel card services;

  • making hotel bookings, including individual and corporate/group bookings, purchases or using our services;

  • enrolling in and participating in our loyalty and rewards programs, including legacy programs and partner programs such as Wyndham Rewards;

  • using EV charging services, including initiating and completing charging sessions;

  • using fuel card services, including account management, transactions and billing;

  • receiving, accessing or redeeming personalized offers, promotions and vouchers;

  • contacting our customer service teams or interacting with us via email, phone or social media;

  • participating in surveys, promotions, prize draws, games rooms or customer feedback activities;

  • interacting with our marketing communications, including newsletters and promotional messaging;

  • visiting our sites where CCTV, vehicle monitoring or similar security systems are in operation; and

  • interacting with our websites or services through cookies and similar technologies.

III. Sources of personal data

Quick guide

Here you can see where personal data comes from: directly from you, automatically through services, from trusted third parties and, where relevant, from public sources.

We collect personal data:

  • directly from you, when you visit our premises, make a purchase or booking, sign up to newsletters or loyalty programs, contact us, or otherwise interact with our services;

  • automatically when you use our services, including through our websites, apps, Wi-Fi services and EV charging infrastructure;

  • from third parties, including booking platforms, EV charging providers, Wi-Fi providers, survey providers, parking providers and other Applegreen Group companies; and

  • from publicly available sources, where relevant.

IV. How we use your personal data

Quick guide

This is the core section of the notice. It introduces the data categories we process and explains the main processing activities, purposes and lawful bases.

We use your personal data depending on how you interact with us. The categories below are the standard category names used in the processing activity tables in this section.

A. Categories of personal data we process

Category of personal data 

Description / examples 

Account and membership data 

Customer account IDs, usernames, account identifiers, authentication data, login details, account status, linked services, membership IDs, program participation, linked users, and other account administration details 

Address information 

Billing, correspondence, postal and service addresses, including address details used for account administration, bookings, billing, delivery of services, or communications 

Adult gaming access and alert data 

Access alerts, attendance indicators, age-verification outcomes, self-exclusion indicators, access-control records and staff intervention alerts relating to adult gaming areas 

Aggregated or de-identified insights 

Aggregated, anonymized, pseudonymized or de-identified outputs, analytics and reports derived from personal data, including customer trends, usage insights and business planning information 

Billing and payment information 

Billing details, invoices, payment history, transaction records, bank or payment details, refunds, financial records, VAT information where applicable, and other payment administration data 

Biometric and facial pattern data 

Facial image data, facial pattern data, biometric templates or video-derived facial data used for age estimation, access control, limited identification, demographic estimation, visitor analytics or responsible gambling controls where applicable 

Booking and stay information 

Booking dates and times, booking source or channel, booking status, hotel ID and name, check-in and check-out dates, stay history, visit history, last visit date and location, and related hotel service details 

Business information 

Company name, business details, VAT information and other information used to verify eligibility, manage corporate or business accounts and administer business services 

Charging and session data 

EV charging session details, including charger ID, site location, charging start and end time, energy consumption, total cost, service usage and charging records 

Communication and correspondence data 

Emails, phone calls, social media messages, online form submissions, support communications, inquiry content, complaint correspondence, response records and customer service interactions 

Complaint, investigation and outcome data 

Complaint details, investigation notes, suspicious activity flags, internal notes, evidence, resolution records, outcome records, control records and dispute-related information 

Contact details 

Email address, mobile or telephone number, postal address and other contact information used to communicate with you about accounts, bookings, services, support, marketing or legal requests 

Cookie and online identifiers 

Cookie IDs, IP addresses, online identifiers, device/browser identifiers, consent management identifiers and similar technologies used on websites, apps and digital platforms 

CCTV and video footage 

CCTV footage, video recordings, video-derived data and imagery captured at sites, including footage of individuals, vehicles, incidents, site activity and security events 

Demographic and profile data 

Date of birth, approximate age range, broad gender categories, postcode, travel reason, customer profile information, stay preferences, interests and other profile information provided or estimated where applicable 

Device and technical information 

Device type, operating system, browser type and version, app or website log data, login timestamps, technical usage data, IP address, page response times, account security data and troubleshooting information 

Feedback and survey data 

Survey responses, customer comments, ratings, sentiment, satisfaction scores, NPS data, review data, service-specific feedback and survey participation information 

Fuel card and account data 

Fuel card number, fuel card account status, linked users, authorized user details, fuel card usage records and related account management information 

Gaming session and intervention data 

Session-level gaming machine data, duration and usage patterns, on-site observational data, intervention records and responsible gambling monitoring records 

Identity information 

First name, last name, surname, title, customer ID, account ID, identity details and other identifiers used to recognize, verify or administer customer relationships 

Incident and security data 

Security monitoring data, fraud-related data, risk flags, incident records, unauthorized activity records, evidence, misuse indicators and security investigation information 

Location and movement data 

Site location, redemption location, EV charger location, location-based app data, entry and exit times, vehicle movement data, heat mapping data and movement or attendance information 

Loyalty and rewards data 

Points, balances, tier level, benefits, reward activity, loyalty status, membership details, loyalty program participation and partner program data, including legacy and partner schemes 

Marketing and advertising data 

Marketing opt-ins and opt-outs, campaign interactions, advertising interaction data, email opens and clicks, push notification preferences, SMS preferences and marketing engagement information 

Preferences and consent data 

Communication preferences, cookie choices, consent records, saved settings, app preferences, opt-ins, opt-outs, interests and engagement preferences 

Promotion, voucher and redemption data 

Promotion IDs, voucher issuance and redemption records, voucher values, items purchased, offer eligibility, redemption date/time/location and campaign engagement data 

Request and verification data 

Privacy request details, type and scope of requests, proof of identity documentation, verification documentation and records needed to respond to legal or data subject rights requests 

Service-related and contextual data 

Information about the service you used or contacted us about, including booking, EV charging, hotel, fuel card, Wi-Fi, account, support and contextual details needed to provide or improve services 

Transaction and usage data 

Purchases, stays, visits, service use, booking activity, charging sessions, fuel purchases, transaction date/time/location, spend, voucher redemptions, account activity, app use and operational usage records 

Vehicle information 

Vehicle registration numbers, vehicle type, make, model, year, vehicle usage patterns, fuel usage patterns and vehicle-related records linked to EV charging, fuel cards, parking, access or site security 

Wi-Fi and access data 

Wi-Fi login details, access details, basic session data, connectivity records and technical access data required to provide and secure internet access and other on-site services 

B. Processing activities

1. Digital interactions

Quick guide

Covers websites, cookies, app and digital platforms - including analytics, functionality, security and online preferences.

1.1 When you visit our website

When you visit our website, we automatically collect certain information about your device and browsing activity to ensure the website functions properly, remains secure, and provides an optimal user experience.

Personal data category 

Purpose of processing 

Lawful basis 

Device and technical information 

Website security, fraud prevention, and basic functionality 

Legitimate interests 

Device and technical information 

Ensure compatibility and optimize website performance 

Legitimate interests 

Transaction and usage data 

Analyze website usage and improve content and structure 

Legitimate interests 

Transaction and usage data 

Maintain logs, troubleshoot issues, and ensure system integrity 

Legitimate interests 

Transaction and usage data 

Improve usability and user experience 

Legitimate interests 

1.2 Cookies and tracking technologies

We use cookies and similar technologies on our website and applications to enhance your browsing experience, analyze traffic, support functionality and, where applicable, marketing activities.

Personal data category 

Purpose of processing 

Lawful basis 

Cookie and online identifiers 

Enable essential website functionality 

Legitimate interests 

Preferences and consent data 

Record and manage your cookie choices 

Legal obligation 

Aggregated or de-identified insights 

Analyze traffic and improve website performance 

Consent (for non-essential cookies); legitimate interests (for essential cookies) 

Marketing and advertising data 

Deliver and measure advertising effectiveness (where applicable) 

Consent (UK/EEA); applicable law (US jurisdictions) 

Device and technical information 

Ensure proper functioning and security of digital services 

Legitimate interests 

1.3 When you use our apps or digital platforms

When you use our mobile applications or other digital platforms, such as EV charging apps or customer accounts, we collect and process personal data to provide functionality, manage your account and support service delivery.

Personal data category 

Purpose of processing 

Lawful basis 

Account and membership data 

Create and manage your account 

Performance of a contract 

Contact details 

Communicate with you about services or support 

Performance of a contract 

Transaction and usage data 

Monitor performance and improve functionality 

Legitimate interests 

Device and technical information 

Ensure compatibility, security, and troubleshooting 

Legitimate interests 

Location and movement data 

Provide location-based services (e.g. nearby EV chargers) 

Performance of a contract; consent (where required) 

Preferences and consent data 

Personalize your experience and remember choices 

Legitimate interests; consent (where applicable) 

1.4 Social media links

Our websites may include social media links to our official social media channels, including LinkedIn, Instagram and Facebook.

These are links to third-party platforms. They do not, by themselves, mean that we collect personal data from those platforms while you are browsing our website. If you click a social media link, you will leave our website and be directed to the relevant third-party platform.

When you visit or interact with our social media pages or content on those platforms, the relevant platform may collect and use personal data about you in accordance with its own privacy notice, cookie policy and account settings. This may include information about your account, device, browser and interactions with our page or content.

We do not control how these third-party platforms process your personal data. We encourage you to review their privacy notices before interacting with them:

·       LinkedIn Privacy Policy

·       Instagram Privacy Policy

·       Facebook / Meta Privacy Policy

Where you interact with us through our social media pages, for example by sending us a message, commenting on our posts, liking or sharing our content, tagging us or mentioning us, we may process information relating to that interaction to respond to you, manage our social media presence, understand engagement with our content, and protect our rights and reputation.

Personal data category 

Purpose of processing 

Lawful basis 

Social media interaction data; Communication and correspondence data 

Manage and respond to comments, messages, tags, mentions or inquiries through our social media pages 

Legitimate interests; performance of a contract where the inquiry relates to a service 

Social media interaction data 

Manage our social media presence and understand engagement with our pages and content 

Legitimate interests 

Communication and correspondence data; Complaint, investigation and outcome data 

Investigate and respond to complaints, issues or service-related concerns raised through social media 

Legitimate interests 

Aggregated or de-identified insights 

Review platform-provided aggregated insights about engagement with our social media content and improve our communications 

Legitimate interests 

2. Creating and managing your account and loyalty programs

Quick guide

Explains how we set up and manage accounts, authenticate users, administer memberships and operate loyatly and rewards schemes.

2.1 Creating and managing your account

When you create and use an account across our services, including EV charging, Wi-Fi, hotels or other digital services, we process personal data to set up your account, provide access to services and manage your ongoing relationship with us.

Personal data category 

Purpose of processing 

Lawful basis 

Identity information; Contact details 

Create and register your account 

Performance of a contract 

Account and membership data 

Authenticate access and manage account security 

Performance of a contract 

Address information; Billing and payment information 

Support account administration and service delivery 

Performance of a contract 

Preferences and consent data 

Manage communication choices and consent records 

Legal obligation; legitimate interests 

Transaction and usage data 

Manage your account and provide services 

Performance of a contract; legitimate interests 

Device and technical information 

Ensure account security and detect unauthorized access 

Legitimate interests 

2.2 Loyalty programs and rewards schemes

When you enroll in and participate in our loyalty or rewards programs, including legacy programs and partner programs such as Wyndham Rewards, we process personal data to administer your membership, provide benefits and enhance your experience.

Personal data category 

Purpose of processing 

Lawful basis 

Identity information; Contact details 

Register and administer your loyalty membership 

Performance of a contract 

Account and membership data 

Manage your participation in the program 

Performance of a contract 

Transaction and usage data 

Track purchases, stays, and engagement 

Performance of a contract; legitimate interests 

Loyalty and rewards data 

Allocate points, rewards, and benefits 

Performance of a contract 

Preferences and consent data; Marketing and advertising data 

Personalize offers and improve program experience 

Legitimate interests 

Marketing and advertising data 

Send relevant communications and manage opt-ins/opt-outs 

Consent; legitimate interests (where permitted) 

Aggregated or de-identified insights 

Analyze program performance and customer engagement 

Legitimate interests 

3. Core business services

Quick guide

Covers the services customers use most often, including fast charging, hotels on-site amenities, fuel cards, marketing offers, and surveys.

This section explains how we process personal data when you use our core services, including Fast Charge services, hotel services, amenities and fuel card services.

3.1 Fast Charge services

When you use Applegreen Fast Charge or other EV charging services, we process personal data to provide charging functionality, manage your account, process transactions and operate the service efficiently.

Personal data category 

Purpose of processing 

Lawful basis 

Identity information; Account and membership data 

Create and manage your EV charging account 

Performance of a contract 

Contact details 

Communicate with you regarding your account, charging sessions, and support 

Performance of a contract 

Charging and session data 

Deliver charging services and maintain usage records 

Performance of a contract 

Billing and payment information 

Process payments and manage financial transactions 

Performance of a contract 

Vehicle information 

Associate charging sessions with vehicles and ensure service functionality 

Performance of a contract; legitimate interests 

Location and movement data 

Enable charging services and location-based features (e.g. nearby chargers) 

Performance of a contract; consent (where applicable) 

Device and technical information; Transaction and usage data 

Maintain, troubleshoot, and improve service performance 

Legitimate interests 

Preferences and consent data 

Manage communication preferences and marketing choices 

Consent; legitimate interests (where permitted) 

3.2 Hotels (bookings, stays and related services)

When you make a booking, stay at one of our hotels, including walk-ins and group bookings, or interact with our hotel services, we process personal data to manage your reservation, provide your stay and support service delivery and operations.

Personal data category 

Purpose of processing 

Lawful basis 

Identity information; Contact details 

Create and manage bookings and customer records 

Performance of a contract 

Booking and stay information 

Manage reservations, stays and operational delivery 

Performance of a contract 

Billing and payment information 

Process payments, refunds and financial records 

Performance of a contract 

Request and verification data 

Verify identity and comply with legal requirements (where applicable) 

Legal obligation; performance of a contract 

Preferences and consent data 

Personalize your stay and improve service experience 

Legitimate interests 

Communication and correspondence data 

Provide customer support and respond to inquiries 

Performance of a contract; legitimate interests 

Account and membership data 

Manage participation in loyalty programs and allocate rewards 

Performance of a contract; legitimate interests 

Marketing and advertising data 

Manage opt-ins/opt-outs and deliver marketing communications 

Consent; legitimate interests (where permitted) 

Booking and stay information; Aggregated or de-identified insights 

Analyze trends, improve services, and support business operations 

Legitimate interests 

3.3 Amenities and on-site services

When you use our on-site amenities and services, such as Wi-Fi, feedback surveys, games rooms or newsletter sign-ups, we process personal data to provide access to services, understand customer needs and improve your experience.

Personal data category 

Purpose of processing 

Lawful basis 

Identity information; Contact details 

Provide access to amenities (e.g. Wi-Fi), manage registrations, and enable follow-up where required 

Performance of a contract; legitimate interests 

Wi-Fi and access data; Device and technical information 

Enable and manage internet access, ensure network security, and maintain service functionality 

Performance of a contract; legitimate interests 

Demographic and profile data 

Understand customer profiles and improve services and offerings 

Legitimate interests 

Transaction and usage data 

Analyze customer behavior and improve site experience and operations 

Legitimate interests 

Feedback and survey data 

Collect customer feedback, measure satisfaction (e.g. NPS), and improve services 

Legitimate interests 

Service-related and contextual data; Feedback and survey data 

Understand usage of specific services and improve offering (e.g. EV infrastructure) 

Legitimate interests 

Marketing and advertising data 

Record and manage consent for communications and marketing 

Legal obligation; consent 

Marketing and advertising data 

Send marketing communications where you have opted in or where permitted by law 

Consent; legitimate interests (soft opt-in, where applicable) 

Aggregated or de-identified insights 

Perform analytics and improve customer experience and service delivery 

Legitimate interests 

3.4 Fuel card services

When you apply for, use or manage a fuel card with us, we process personal data to provide fuel card services, manage accounts, process transactions and ensure secure and compliant operation of the service.

Personal data category 

Purpose of processing 

Lawful basis 

Identity information; Contact details 

Onboard customers and create fuel card accounts 

Performance of a contract 

Business information 

Verify eligibility and manage business accounts 

Performance of a contract; legitimate interests 

Account and membership data 

Issue and manage fuel cards and associated accounts 

Performance of a contract 

Transaction and usage data 

Record fuel purchases and monitor usage 

Performance of a contract 

Billing and payment information 

Process payments and manage invoicing and financial records 

Performance of a contract 

Transaction and usage data 

Associate transactions with vehicles and monitor usage 

Performance of a contract; legitimate interests 

Incident and security data 

Detect and prevent fraud, misuse and unauthorized transactions 

Legitimate interests; legal obligation 

Communication and correspondence data 

Provide customer support and resolve issues 

Performance of a contract; legitimate interests 

Marketing and advertising data 

Manage communication preferences and send marketing communications 

Consent; legitimate interests (where permitted) 

Transaction and usage data; Aggregated or de-identified insights 

Analyze usage, improve services, and support business operations 

Legitimate interests 

3.5 Marketing communications

We use your personal data to send marketing communications about our products, services, offers and updates, where you have chosen to receive them or where permitted by law.

Personal data category 

Purpose of processing 

Lawful basis 

Contact details 

Send marketing communications and updates 

Consent; legitimate interests (soft opt-in where applicable) 

Marketing and advertising data 

Record and manage consent and communication choices 

Legal obligation; consent 

Identity information 

Personalize communications (e.g. addressing you by name) 

Legitimate interests 

Marketing and advertising data 

Measure campaign effectiveness and improve communications 

Legitimate interests 

3.6 Personalized offers and promotions

We use personal data to provide tailored offers, promotions and vouchers, and to manage their issuance and redemption.

Personal data category 

Purpose of processing 

Lawful basis 

Identity information; Account and membership data 

Identify you and link offers to your account 

Performance of a contract; legitimate interests 

Transaction and usage data 

Determine eligibility for offers and personalize promotions 

Legitimate interests 

Promotion, voucher and redemption data 

Issue, manage, and track promotions and vouchers 

Performance of a contract 

Location and movement data 

Validate and process voucher redemption 

Performance of a contract 

Marketing and advertising data; Promotion, voucher and redemption data 

Analyze engagement with offers and improve campaigns 

Legitimate interests 

Marketing and advertising data 

Ensure offers are sent in line with your choices 

Consent; legitimate interests (where permitted) 

3.7 Customer surveys and feedback

We use personal data to collect feedback and understand customer experience, including through surveys, reviews and satisfaction metrics.

Personal data category 

Purpose of processing 

Lawful basis 

Contact details 

Send survey invitations and follow-up communications 

Legitimate interests; consent (where required) 

Feedback and survey data 

Understand customer satisfaction and improve services 

Legitimate interests 

Feedback and survey data 

Measure performance and customer experience 

Legitimate interests 

Service-related and contextual data; Feedback and survey data 

Improve specific services (e.g. EV charging, hotels) 

Legitimate interests 

Transaction and usage data 

Monitor engagement with surveys and feedback activities 

Legitimate interests 

4. Customer support, inquiries and complaints

Quick guide

Explains how we handle support contacts, general enquiries, complaints and privacy rights requests.

This section explains how we process personal data when you contact us, request support, submit a complaint or exercise your privacy rights.

4.1 Customer support and general inquiries

When you contact us for support or with general inquiries, for example by email, phone, social media or online forms, we process personal data to respond to your request and provide assistance.

Personal data category 

Purpose of processing 

Lawful basis 

Identity information; Contact details 

Identify you and respond to your inquiry 

Performance of a contract; legitimate interests 

Communication and correspondence data 

Manage and respond to support requests 

Legitimate interests 

Service-related and contextual data 

Investigate and resolve issues relating to our services 

Performance of a contract; legitimate interests 

Account and membership data 

Provide accurate and tailored support 

Legitimate interests 

4.2 Complaints handling

When you submit a complaint, we process personal data to investigate the matter, respond appropriately and maintain records for compliance and quality assurance purposes.

Personal data category 

Purpose of processing 

Lawful basis 

Identity information; Contact details 

Identify you and manage the complaint 

Legitimate interests 

Communication and correspondence data 

Investigate and respond to complaints 

Legitimate interests 

Service-related and contextual data; Transaction and usage data 

Understand the circumstances of the complaint 

Legitimate interests 

Complaint, investigation and outcome data 

Maintain records and improve services 

Legitimate interests 

4.3 Privacy requests

When you exercise your rights under data protection law, such as requesting access to your personal data or asking for it to be corrected or deleted, we process personal data to handle and respond to your request.

Personal data category 

Purpose of processing 

Lawful basis 

Identity information; Contact details 

Identify you and communicate regarding your request 

Legal obligation 

Request and verification data 

Process and fulfil your data subject rights request 

Legal obligation 

Request and verification data 

Confirm your identity before processing the request 

Legal obligation 

Communication and correspondence data 

Maintain records of requests and responses for compliance 

Legal obligation 

5. Physical environment and security

Quick guide

Describes how we keep our locations secure through CCTV, vehicle monitoring and certain analytics tools used to improve safety and operations.

This section explains how we process personal data to ensure the safety and security of customers, employees, sites and services, including through CCTV, vehicle monitoring and advanced monitoring technologies at certain locations.

5.1 CCTV and security monitoring

When you visit our sites, we may use CCTV systems to monitor and record activity for safety, security and operational purposes.

Personal data category 

Purpose of processing 

Lawful basis 

CCTV and video footage 

Ensure safety and security of customers, staff, and property 

Legitimate interests 

CCTV and video footage 

Prevent and detect crime and anti-social behavior 

Legitimate interests 

CCTV and video footage; Incident and security data 

Investigate incidents and support law enforcement 

Legal obligation; legitimate interests 

Vehicle information 

Monitor site usage and investigate incidents 

Legitimate interests 

5.2 Vehicle monitoring

At certain locations, we may monitor vehicle movements, including ANPR where applicable, to manage site access, prevent misuse such as unauthorized parking, and support security.

Personal data category 

Purpose of processing 

Lawful basis 

Vehicle information 

Manage site access and prevent misuse 

Legitimate interests 

Vehicle information 

Monitor site usage and operational efficiency 

Legitimate interests 

Vehicle information; Incident and security data 

Investigate incidents and support enforcement actions 

Legitimate interests; legal obligation 

5.3 Advanced analytics technologies

At selected sites, we may use advanced technologies, including facial recognition, demographic estimation and heat mapping, to analyze visitor patterns and improve site operations and customer experience. These technologies are primarily used to generate aggregated statistical insights. Where possible, processing is carried out using anonymized or pseudonymized data, and data is often processed locally to minimize retention of personal data.

Personal data category 

Purpose of processing 

Lawful basis 

CCTV and video footage 

Count visitors and distinguish new vs returning visits 

Legitimate interests 

Biometric and facial pattern data; Aggregated or de-identified insights 

Generate visitor statistics and insights 

Legitimate interests 

Demographic and profile data 

Understand customer trends and improve site layout and services 

Legitimate interests 

Location and movement data 

Analyze how visitors move around sites to improve layout and operations 

Legitimate interests 

Additional safeguards: facial data is transformed where appropriate, such as being blurred, masked or converted into templates, to reduce identifiability. Data is not used to identify individuals for marketing purposes. Outputs are typically aggregated and not linked to identifiable individuals. You may object to this type of processing at any time by contacting us.

6. Adult gaming areas and responsible gaming controls

Quick guide

Explains age checks, self-excursion controls, and responsible gambling interventions used in the adult gaming areas at relevant locations.

At certain Welcome Break locations, we operate adult gaming areas. We process personal data in these environments to ensure compliance with legal obligations, protect customers and promote responsible gambling.

6.1 Age verification and access control

We use facial recognition technology in adult gaming areas to help ensure that only individuals aged 18 or over access these areas.

Personal data category 

Purpose of processing 

Lawful basis 

Biometric and facial pattern data 

Estimate age to prevent access by individuals under 18 

Legal obligation; legitimate interests 

Biometric and facial pattern data 

Identify individuals who may require intervention (e.g. self-excluded individuals or known risks) 

Legal obligation; substantial public interest (where applicable) 

Adult gaming access and alert data 

Notify staff to take appropriate action (e.g. deny entry) 

Legal obligation; legitimate interests 

Important information: facial images are analyzed in real time and are not retained for general age estimation purposes. Processing is limited to short-term analysis to determine access eligibility. Data is not used for marketing or unrelated purposes.

6.2 Self-exclusion and intervention measures

To comply with our obligations under the Gambling Commission Licence Conditions and Codes of Practice (LCCP), we implement controls to support individuals who have self-excluded or may require intervention.

Personal data category 

Purpose of processing 

Lawful basis 

Adult gaming access and alert data 

Enforce self-exclusion requests and prevent access 

Legal obligation 

Vehicle information 

Identify when self-excluded individuals may be on site 

Legal obligation; legitimate interests 

Vehicle information 

Support enforcement of self-exclusion measures 

Legal obligation 

Adult gaming access and alert data 

Enable staff to intervene where required 

Legal obligation; legitimate interests 

6.3 Responsible gambling monitoring and interventions

We may use limited data from gaming machines to support responsible gambling practices and identify when an intervention may be appropriate.

Personal data category 

Purpose of processing 

Lawful basis 

Gaming session and intervention data 

Identify patterns indicating a need for intervention 

Legal obligation; legitimate interests 

Gaming session and intervention data 

Support real-time staff intervention 

Legal obligation 

Gaming session and intervention data 

Record that an intervention occurred (without linking to identifiable individuals where possible) 

Legal obligation; legitimate interests 

Important safeguards: gaming machine session data is not linked to identifiable individuals on a continuous basis. Identification may only occur at the point of staff interaction, where necessary. We do not maintain records linking individuals to specific gaming sessions beyond what is required for compliance. Records focus on interventions rather than tracking individual behavior over time.

7. Operations, fraud prevention and compliance

Quick guide

Covers fraud prevention, legal compliance, internal controls, analytics and the administration needed to run the business responsibly.

This section explains how we process personal data to protect our business, customers and services, meet legal and regulatory obligations, and improve how we operate.

7.1 Fraud prevention and security

We may process personal data to help prevent, detect and investigate fraud, misuse, unauthorized activity or other behavior that could harm our customers, employees, services or business.

Personal data category 

Purpose of processing 

Lawful basis 

Identity information; Account and membership data 

Verify customers and detect suspicious activity 

Legitimate interests 

Transaction and usage data 

Prevent, detect, and investigate fraud, misuse, or unauthorized activity 

Legitimate interests 

Billing and payment information 

Identify irregular or fraudulent transactions 

Legitimate interests; legal obligation 

Device and technical information; Incident and security data 

Protect our systems, websites, apps, and customer accounts 

Legitimate interests 

Vehicle information; Incident and security data 

Investigate misuse of services or site-related incidents 

Legitimate interests 

Complaint, investigation and outcome data 

Support internal investigations and evidence gathering 

Legitimate interests; legal obligation 

7.2 Legal and regulatory compliance

We may process personal data where necessary to comply with applicable laws, regulations, legal processes, industry requirements or requests from public authorities.

Personal data category 

Purpose of processing 

Lawful basis 

Identity information; Contact details 

Respond to legal, regulatory, or official requests 

Legal obligation 

Transaction and usage data 

Meet record-keeping, compliance, and statutory obligations 

Legal obligation 

Billing and payment information 

Comply with financial, tax, and audit requirements 

Legal obligation 

Communication and correspondence data 

Demonstrate compliance and handle regulatory inquiries 

Legal obligation 

CCTV and video footage; Vehicle information; Incident and security data 

Support investigations and legal or law enforcement requests 

Legal obligation; legitimate interests 

Request and verification data 

Meet identity verification and compliance requirements 

Legal obligation 

7.3 Auditing, reporting and internal controls

We may use personal data for internal governance purposes, including auditing, quality assurance, financial control, risk management and business reporting.

Personal data category 

Purpose of processing 

Lawful basis 

Transaction and usage data 

Maintain internal records and support audits 

Legitimate interests; legal obligation 

Billing and payment information 

Conduct internal financial reporting and controls 

Legal obligation; legitimate interests 

Transaction and usage data 

Monitor service delivery and business performance 

Legitimate interests 

Complaint, investigation and outcome data 

Review quality, controls, and risk management processes 

Legitimate interests 

Complaint, investigation and outcome data; Request and verification data 

Evidence governance and accountability measures 

Legitimate interests; legal obligation 

7.4 Analytics and service improvement

We may use personal data to understand how our customers use our services, identify trends, improve customer experience and develop or enhance our products, services and operations.

Personal data category 

Purpose of processing 

Lawful basis 

Transaction and usage data 

Understand how customers use our services 

Legitimate interests 

Transaction and usage data 

Improve service delivery, performance, and business processes 

Legitimate interests 

Feedback and survey data 

Improve customer experience and service quality 

Legitimate interests 

Preferences and consent data; Marketing and advertising data 

Tailor and refine services and customer journeys 

Legitimate interests 

Aggregated or de-identified insights 

Produce reports, identify trends, and support business planning 

Legitimate interests 

7.5 Business administration and corporate operations

We may process personal data as part of the day-to-day administration of our business, including record management, corporate governance, insurance, dispute handling and business continuity.

Personal data category 

Purpose of processing 

Lawful basis 

Identity information; Account and membership data 

Maintain business records and administer customer relationships 

Legitimate interests 

Transaction and usage data 

Support governance, insurance, and dispute resolution 

Legitimate interests 

Communication and correspondence data 

Manage claims, disputes, and business continuity issues 

Legitimate interests; legal obligation 

Service-related and contextual data 

Support internal administration and corporate governance 

Legitimate interests 

V. Who we share your data with

Quick guide

This section lists the types of recipients who may receive personal data, such as group companies, suppliers, partners, advisers, authorities and fraud prevention organisations.

We may share your personal data with third parties where necessary for the purposes described in this Privacy Notice. We only share personal data where there is a lawful basis to do so and appropriate safeguards are in place.

We may share your personal data with the following categories of recipients:

  • Group companies: We may share your personal data within the Applegreen Group, including Welcome Break and other affiliated entities, where necessary for group operations, service delivery and internal administration.

  • Service providers and data processors: We engage third-party service providers to support our business operations. These may include providers of IT systems and hosting, cloud services, customer relationship management (CRM) systems, payment processing, booking systems, loyalty program platforms, EV charging infrastructure, fuel card services, marketing and communications platforms, data analytics and survey tools. These providers process personal data on our behalf and are subject to contractual obligations to protect it.

  • Payment and financial service providers: We may share personal data with banks, payment processors and other financial institutions to process transactions, manage payments and prevent fraud.

  • Business partners: We may share personal data with partners involved in delivering services such as hotel bookings, loyalty and rewards programs, including partner programs such as Wyndham Rewards, EV charging services and promotions or campaigns.

  • Marketing and advertising partners: Where permitted by law, we may share data with marketing agencies, advertising platforms and analytics providers to deliver and measure marketing campaigns and promotions, in accordance with your preferences.

  • Professional advisers: We may share personal data with professional advisers such as lawyers, auditors, insurers and consultants where necessary for legal, compliance or business purposes.

  • Regulators, authorities and law enforcement: We may share personal data with regulators, supervisory authorities, police, courts and law enforcement agencies where required to comply with legal obligations or respond to lawful requests.

  • Fraud prevention and security organizations: We may share personal data with organizations that assist with fraud prevention, risk management and security monitoring.

  • Third parties in connection with business transactions: If we are involved in a merger, acquisition, restructuring or sale of assets, personal data may be shared with relevant third parties, subject to appropriate safeguards.

We require all third parties to respect the security of your personal data and to process it in accordance with applicable data protection laws. Where third parties act as our processors, they are only permitted to process your personal data in accordance with our instructions.

VI. International transfers of personal data

Quick guide

Explains when personal data may be transferred internationally and the safeguards used to protect those transfers.

We are an international organization and may transfer, store or access your personal data outside the European Economic Area (EEA) and the United Kingdom. This includes transfers within the Applegreen Group, as well as to service providers and partners located in other countries, where necessary to support our services and global operations.

Where such transfers take place, they are carried out in accordance with applicable data protection laws, including where the destination country benefits from an adequacy decision or where appropriate safeguards and recognized transfer mechanisms are in place.

VII. How long we keep your personal data

Quick guide

This section explains our retention approach - we keep data only as long as needed for the purpose, legal requirements or legitimate business needs.

We will only keep your personal data for as long as it is necessary for the purposes for which it was collected, or to meet legal, regulatory or business requirements.

The length of time we retain personal data depends on the type of data and how it is used. In some cases, we may need to retain it for longer to comply with legal obligations, resolve disputes or protect our business.

Once personal data is no longer required, we will securely delete it or anonymize it so that it can no longer be used to identify you.

VIII. Your privacy rights

Quick guide

Here you can find the privacy rights available to individual and how those rights can be exercised in different jurisdictions

USA

Quick guide

Meet the organisations behind this notice.

This section explains which Applegreen Group company may act as controller and how to contact the relevant privacy team.

We operate in a number of U.S. states that have their own privacy laws, including Connecticut, Delaware, New Hampshire, New Jersey and Indiana.

This section applies to residents of those states. Your privacy rights may vary depending on the state in which you reside, and we will update this Privacy Notice as additional state privacy laws become applicable to our business.

Residents of the states listed above may have some or all of the following rights under applicable state privacy laws:

  • the right to confirm whether we are processing your personally identifiable information (PII);

  • the right to access your PII;

  • the right to correct inaccuracies in your PII;

  • the right to delete your PII, subject to certain exceptions;

  • the right to obtain a copy of your PII in a portable format; and

  • the right to opt out of the processing of your PII for targeted advertising or the sale of personal data.

We do not sell personally identifiable information.

You can exercise your rights by completing our privacy request web form here or by contacting us at dpo@applegreen.com. We may need to verify your identity before processing your request.

IX. Data security

QUICK GUIDE

Meet the organisations behind this notice.

This section explains which Applegreen Group company may act as controller and how to contact the relevant privacy team.

We take appropriate technical and organizational measures to protect your personal data.

These measures are designed to safeguard your personal data against accidental loss, unauthorized access, use, disclosure or alteration.

While we take security seriously, please note that no method of transmitting data over the internet or storing information electronically is completely secure. As a result, we cannot guarantee absolute security.

X. Changes to this privacy notice

QUICK GUIDE

Meet the organisations behind this notice.

This section explains which Applegreen Group company may act as controller and how to contact the relevant privacy team.

We may update this Privacy Notice from time to time to reflect changes in our practices, services or legal requirements.

Any changes will be published on this page and, where appropriate, we will notify you. We encourage you to review this Privacy Notice periodically so that you remain informed about how we use your personal data.

XI. Contact us

If you have any questions, comments or concerns about this Privacy Notice or our data protection practices, you can contact us at: dpo@applegreen.com