PRIVACY POLICY

Norwich City Football Club PLC (company number 154044 of Carrow Road, Norwich NR1 1JE) (the “Club”, “us”, “we”, “our”) is committed to protecting and respecting your privacy.

When you interact with us through our sites (www.canaries.co.uk, tickets.canaries.co.uk, shop.canaries.co.uk, and deliascanarycatering.co.uk), the Club mobile application or otherwise (such as purchasing tickets or merchandise through the online retail store or when you attend events at our stadium), or apply for a job with the Club, you may provide, or we may collect, certain information from which you are personally identifiable (referred to as personal data). For the purposes of the Data Protection Act 2018 and the UK GDPR (and all other laws relating to the use of your personal data) (collectively, the “Privacy Laws”), the Club is the “data controller”, meaning that we decide the reasons why your data is used.

Please read the following policy carefully to understand our views and practices regarding your personal data and how we will fulfil our commitment to protecting and respecting your privacy.

CHANGES TO OUR PRIVACY POLICY

Any changes we may make to our privacy policy in the future will be posted on this page and, where appropriate, notified to you by e-mail. However, we advise that you check this page regularly to keep up to date with any necessary changes.

This Privacy Policy was last updated in June 2025.

DATA THAT WE MAY COLLECT ABOUT YOU

We collect your personal data in the following ways:

Personal data you provide to us: You may provide us with the following types of personal data when you interact with us (for example through our website e.g. where you sign up to be on our mailing list or when you purchase tickets):

  • Identity – Name, date of birth, account log-in information, personal description and photographs;
  • Contact – Email address, telephone numbers and address;
  • Financial – Payment card details, billing address, purchase information and payment history;
  • Profile – Your preferences for marketing, other website or product preferences, your contact history and feedback on your Club experiences (through reviews and surveys); and
  • Recruitment – Employment and education history, qualifications and additional information you include in your application.

Personal data that we automatically collect from you: With regards to each of your visits to our sites, we may automatically collect the following information:

  • Usage – Website or app visitor information e.g. time spent on page, click-throughs, download errors, browsing patterns, information about your visit, including products you viewed, searched for or purchased, page response times, page interaction information (such as scrolling, clicks and mouse-overs), and methods used to browse away from the page. When you register for our stadium Wi-Fi service we may collect: the time, date and location of registration for the service, the duration and frequency of use of the service and visits to Club venues, the approximate location of browsing devices whilst at a Club venue, the device’s internet browsing history whilst using the service, and your demographic information; and
  • Technical – This may include device IDs, browser type, IP address, log-in information, hardware type, network and software identifiers, location data, time-zone setting, operating system and system configuration.

Personal data that we receive from third party sources: We may also receive some of these types of personal data from third parties (including, for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies).

Data enrichment: We carry out data enrichment and customer profiling to help us understand your preferences so that we can improve the products and services that we offer to you. This information falls within ‘Profile’ data.

WHAT IF YOU DO NOT PROVIDE PERSONAL DATA?

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that information when requested, we may not be able to perform the contract or otherwise provide you with products or services. In this case, we may have to cancel any contract you have with us and/or stop dealing with you. We will notify you if this is the case at the time.

WHY DO WE USE YOUR DATA AND WHAT ARE OUR LEGAL GROUNDS?

The table below sets out how we use your personal data and our lawful basis for doing so in each case.

| Why we use your data | What data we use | Why we’re allowed to use your data for these purposes |
| --- | --- | --- |
| To maintain your online OneCity account profile. | Identity, Contact, Profile. | Perform our contract with you. |
| To provide you with products and services you have purchased or requested, including tickets to matches and other events. | Identity, Contact, Financial. | Perform our contract with you. |
| Notify you of changes to our Privacy Policy or Terms and Conditions. | Identity, Contact. | Perform our contract with you. Necessary to comply with a legal obligation. |
| Internal administration and record keeping purposes. | All. | Perform our contract with you. Necessary to comply with a legal obligation. Our legitimate interests (for the effective operation of our business). |
| Verify your identity and detect fraud and security issues. | All. | Our legitimate interests (to prevent/detect fraud and criminal activity and ensure compliance with our legal and regulatory requirements). |
| Administer and protect our company, our website and our products (including troubleshooting, data analysis, testing, maintenance and support). | Identity, Contact, Technical, Usage. | Our legitimate interests (for the effective administration of our business, website and products). Necessary to comply with a legal obligation. |
| Use data analytics to improve our website, products/services, marketing, user relationships and experiences. | Identity, Contact, Technical, Usage. | Our legitimate interests (to keep our website updated and relevant, to improve the services we offer, to develop our organisation and to inform our marketing strategy). |
| Send you service messages by email and SMS in relation to your use of our products. | Identity, Contact. | Perform our contract with you. |
| Providing customer support, including answering your questions by e-mail or phone. | All. | Perform our contract with you. Our legitimate interests (to ensure our customers are satisfied with our products and services). |
| To understand who is using our website and products. | Identity, Contact, Technical, Usage. | Our legitimate interests (to develop our business and understand our customer base to inform our marketing strategy). |
| Get in touch with you about relevant Club services and products. | Identity, Contact, Profile. | Our legitimate interests (to promote our products/services). Consent. |
| Improve and personalise your user experience by delivering more relevant content whilst you browse, ensuring that our content is presented in the most effective manner for you and for your computer/device, to remember your preferences and to enable you to participate in interactive features of our website and products. | Identity, Contact, Profile, Technical, Usage. | Our legitimate interests (to develop our business, improve our user experience and inform our marketing strategy). |
| Enable you to participate in a competition or prize draw. | Identity, Contact. | Perform our contract with you. |
| Enable you to feedback to the Club through reviews and surveys. | Identity, Contact, Profile, Technical, Usage. | Our legitimate interests (to develop our business, services and products). |
| For recruitment purposes, including: assessing your application; communicating with you about the recruitment process; and keeping records of the recruitment process. | Identity, Contact, Recruitment. | Perform a contract with you. Our legitimate interests (to ensure we make appropriate and informed recruitment decisions). |

We also anonymise and aggregate personal data (so that it does not personally identify you). This is not personally identifiable, so we are allowed to use this for any purpose (such as testing our systems and carrying out customer research and analysis).

SPECIAL CATEGORY (SENSITIVE) DATA

Certain data is known as ‘special category data’ and is subject to additional rules and protections. Special category data includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, personal data concerning a person’s health, sex life or sexual orientation, as well as genetic data and biometric data. It also includes personal data relating to criminal convictions and offences.

We do not routinely collect special category personal data through our websites or apps unless we are legally required to do so, or you volunteer this information to us in order for us to help improve your experience with the Club. An example of this is the ability for individuals to inform us of their disability or access requirements when using our sites and app, or accessing our stadium.

We may from time to time ask you questions regarding special category personal data for internal surveys to help us with our equality and diversity objectives. This is entirely voluntary, and we’ll never record this type of information without your consent.

Where our processing activities involve the processing of special categories of personal data or personal data relating to criminal convictions or offences, we rely on the following lawful bases to legitimise our processing:

  • you have given your explicit consent to the processing for one or more specified purposes;
  • the processing is necessary for the establishment, exercise or defence of legal claims; or
  • the processing is necessary for reasons of substantial public interest.

MARKETING AND SOCIAL MEDIA

Depending on your marketing preferences, the Club may use your personal data to send you marketing messages, including by email and SMS. To unsubscribe from Club newsletters or any other marketing emails, you simply need to click on the unsubscribe link at the bottom of the relevant communication you have received. Alternatively, please contact us (as detailed below) to opt-out of these communications. Where you have opted out of receiving marketing communications from us, we will need to retain some residual personal data necessary to ensure we no longer communicate with you.

You may also see adverts for the Club on social media and third party owned and operated websites. This may be because we have engaged the relevant media to show adverts to users who match our customer demographic, but in some cases may be because we have shared your personal data (such as email address and cookie data) to create relevant marketing lists.

COOKIES

We collect certain information automatically when you use our website and applications by using cookies and other similar technologies to distinguish you from other users of our sites. This helps us to provide you with a good experience when you browse our website and also allows us to improve our sites. You can find out more information on the cookies we use and the purposes for which we use them in our Cookie Policy (shop.canaries.co.uk/page/cookiepolicy).

DO WE TRANSFER/HANDLE YOUR DATA OUTSIDE OF THE UK?

Where necessary, we may store or share the personal data we collect outside of the UK. Whenever we transfer your information out of the UK, we ensure a similar level of protection is given to it. This is achieved either because the protections available have been deemed adequate by the applicable authorities, or by implementing additional safeguards such as additional contracts or security measures. If you require more information about the safeguards used or where your data is stored, please contact us using the details below.

SHARING OF YOUR INFORMATION

We will only share personal data with others when we are legally permitted to do so. When we share personal data with others, we put contractual arrangements and security mechanisms in place to protect the personal data and to comply with our data protection, confidentiality and security standards. We may disclose your personal data to the following types of third parties:

  • other companies within our corporate group;
  • our service providers, including IT providers, analytics providers, event partners and suppliers, mailing service providers and payment services providers;
  • companies who assist with our marketing, customer surveys and feedback tools and administration of our promotions and competitions;
  • auditors, lawyers and other professional advisors;
  • our sponsors and other commercial partners;
  • law enforcement or other government and regulatory agencies or third parties as required by and in accordance with applicable law or regulation;
  • other third parties who help us detect fraud or criminal activity; and
  • other football and sporting stakeholders, including The FA or agents acting on their behalf.

We may also need to disclose your personal data in the following circumstances:

  • if we are required to do so by law or pursuant to a binding regulatory request (in each case, such disclosure will be solely to the extent required by law or the applicable regulatory request);
  • in the event that we sell or buy any business or assets we may be required to disclose certain of your personal data to the prospective seller or buyer of such business or assets; or
  • in order to enforce or apply any of our other applicable terms and conditions for products, services, content or access provided by us (for example our ground regulations) and other agreements.

KEEPING YOUR DATA SECURE

We have implemented industry standard security measures to prevent unauthorised access to, use or loss of your data. Any payment transactions will be encrypted using SSL (secure sockets layer) technology. We also make sure that third parties who need to handle your data when helping us to deliver our services are bound by appropriate confidentiality and security obligations.

Despite the security measures that we implement, please be aware that the transmission of data via the internet is not 100% secure. Therefore, we are unable to guarantee the security of any information which you transmit to us via the internet and any transmission is at your own risk.

Where we have given you (or where you have chosen) a password which enables you to access certain parts of our website or products, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

HOW LONG WILL WE KEEP YOUR DATA?

We will keep your data for as long as required in connection with the original purpose for which that data was collected (e.g. for as long as you hold an account with us and/or where you are still happy to hear from us about our latest news, products and services). We may then destroy such personal data without further notice or liability.

However, in some circumstances we will retain your personal data for a different time period, including:

  • where you have purchased a ticket or merchandise from us, we will keep a record of this purchase for the period necessary for invoicing, tax and warranty purposes;
  • where we have a contract with you, we may keep your personal data for up to six (6) years after expiry of the contract;
  • where such data is relevant to ongoing litigation or dispute; and
  • where we are required to keep your data to comply with applicable laws (this includes CCTV footage).

THIRD PARTY SITES

Our sites and applications may contain links to third party websites and services. If you leave our sites via a link or otherwise, you will be subject to the policy of that website provider and this privacy policy will no longer apply. We have no control over third party policies or the terms of the relevant third party website and you should therefore check their policy before continuing to access the site.

USE OF CCTV

We have security measures in place at our stadium and our other premises including CCTV, body worn cameras and building access controls. There are signs in place showing that CCTV is in operation. The images captured are securely stored and only accessed on a need-to-know basis, for example to look into an incident. CCTV footage is typically overwritten after a short period of time unless an issue is identified that requires investigation, in which case such footage is held for as long as necessary.

CHILDREN

Our sites, applications and other products and services are not intended for users under 14 years old, although we appreciate that they may appeal to children. Users under 14 years old should visit our Junior Canaries page, designed especially for younger children. We recommend that parents supervise their children when they are online.

If you are a parent or guardian of a child under 14, please ensure that you supervise your child’s use of our websites and applications, and our products and services and ensure they obtain your consent before submitting any personal data to us or requesting any products or services from us.

YOUR RIGHTS

Under the Privacy Laws, you have certain rights including:

  • Your right of access – You have the right to ask us for a copy of the personal data we hold about you.
  • Your right to rectification – You have the right to ask us to correct or update your personal data, which you can do yourself by logging into your account (if relevant) or if you would prefer, please contact us (as detailed below) and we can assist.
  • Your right to erasure – You have the right to ask us to erase your personal data (and any personal data of a minor that you are a parent/guardian of).
  • Your right to restriction of processing – You have the right to ask us to restrict the way we process your personal data.
  • Your right to object to processing – You have the right to object to the processing of your personal data.
  • Your right to data portability – You have the right to ask that we transfer your personal data (or some of it) to another organisation.
  • Your right in relation to automated decision making and profiling – You have the right not to be subject to a decision when that is based on automated processing which produces a legal effect or a similarly significant effect on you without your consent. We can confirm that we do not use your data to make automated decisions that could have this effect on you.

Not all of these rights will apply in all circumstances and we will notify you and provide you with reasoning where we are unable to fulfil your request.

Please contact us (as detailed below) if you would like to exercise your rights, which you can do for free. The only time we may charge a reasonable fee is where your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances. Otherwise, we will always respond within one month (unless there is a legal reason for us to take longer).

If it is not clear to us who is making the request, we may ask you to confirm your identity before we proceed.

CONTACT

If you have any questions, comments or requests in relation to this privacy policy please contact the Data Protection Officer at Norwich City Football Club, Carrow Road, Norwich NR1 1JE. You can also email us at [email protected].

You may also contact the ICO (Information Commissioner’s Office) if you have any concerns about the way we are handling your personal data. However, where possible, please speak to us first as we would appreciate the opportunity to help with your concern.

If you are dissatisfied with our response you have the right to raise this with the ICO at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF (https://ico.org.uk).