This privacy policy describes how The Hershey Company and its associated brands collect and handle personal data when individuals interact with their websites, in-person locations, and other related services. The policy covers various websites and online services that display this policy. It also applies to in-person interactions like visiting physical locations or attending events. However, this policy does not extend to Hershey Entertainment and Resorts Company, which includes The Hotel Hershey and Hersheypark, nor does it apply to the Hersheypark mobile app.
Depending on how someone interacts with the company, different types of personal data may be collected. Contact information includes name, street address, phone numbers, and email addresses. Demographic details such as birthdate, gender, and age may also be gathered. When purchases are made, payment information including credit card numbers and billing addresses is collected. Shopping history tracks items viewed, added to cart, purchased, or returned. Any content posted on the websites, such as recipe reviews or public messages, is also retained. Information submitted through surveys, promotions, or direct communications is collected as well. Visual information like photographs or video recordings may be captured when someone visits a physical location. Social media information from posts or profiles can also be obtained. Device and browser information, including IP address and operating system, is automatically collected. Correspondence and communications, including phone calls with customer support, may be recorded. Geolocation information derived from IP addresses is gathered, along with log and usage data like page visits and click patterns. Finally, inferences may be drawn from collected data to create profiles reflecting preferences and characteristics.
Personal data is collected directly from individuals when they use the websites, purchase products, register for promotions, submit recipe reviews, download reports, sign up for communications, contact customer support, interact on social media, or engage in person. Automated means such as cookies, pixel tags, and session replay tools also collect data about browsing behavior, including how users move through pages, where they click, and how they interact with forms. The company partners with certain technology providers to capture behavioral metrics, heatmaps, and session replays, all with user consent, for site optimization, fraud prevention, and advertising purposes. These tools do not capture sensitive personal information. Some partners act as independent controllers regarding the data they collect, and users can disable these features at any time through cookie preference settings. Data may also be received from third parties like service providers, business partners, analytics partners, advertising networks, social media platforms, and data aggregators.
The personal data collected is used for various business purposes. It helps provide and manage the services, including maintaining user accounts. It processes and fulfills orders, handles returns, and communicates product recalls. Communications include responding to inquiries, sending updates about accounts and policies, and providing customer support. Marketing and promotional communications are sent to those who have subscribed, with options to opt out at any time. Usage trends are identified to improve the websites and products. Personalization efforts use data to understand interests and customize experiences. Interest-based advertising relies on data to serve relevant ads across devices. Legal obligations are satisfied by complying with laws and responding to government requests. Security and fraud prevention activities monitor and protect systems and networks. Business transactions such as mergers or sales may involve transferring personal data. Other uses include protecting rights, safety, and property, as well as carrying out activities described at the time of data collection.
Personal data is disclosed to several categories of third parties. Affiliates and brands within the Hershey family receive data for business purposes. Service providers perform functions like operating the websites, preventing fraud, running promotions, and sending communications. Business partners such as co-sponsors of promotions or product distributors also receive data. Hershey Entertainment and Resorts Company may receive data when questions involve their properties. Licensees receive data to address complaints about licensed products. Research partners conduct surveys and projects. Analytics partners help measure content effectiveness and marketing efforts. Advertising partners including social media platforms and ad networks assist in serving and optimizing advertisements. Governmental and public authorities receive data in response to court orders or investigations. In connection with business transactions like mergers or bankruptcies, data may be transferred to relevant parties. Other disclosures occur at the direction of the individual, for winner lists of contests, or as necessary to protect rights and prevent fraud. De-identified or aggregated data may also be shared for purposes consistent with this policy.
Individuals have certain privacy choices and legal rights depending on their jurisdiction. They can opt out of marketing communications by using unsubscribe links or replying STOP to SMS messages. Cookies and similar technologies can be controlled through browser settings or the Cookie Preferences link on the websites. Legal rights may include knowing what personal data has been collected, accessing a copy in a portable format, correcting inaccurate information, requesting deletion subject to exceptions, restricting processing, objecting to processing based on legitimate interests, limiting use and disclosure, opting out of automated decision-making, and opting out of sales or sharing for targeted advertising. To exercise these rights, individuals can contact the company through the provided channels. Verification requires matching up to three pieces of personal data. Authorized agents may submit requests on behalf of others with proper documentation. Appeals of privacy rights decisions can be submitted through online forms or via email. Global Privacy Control signals are honored as valid opt-out requests for browsers that support them.
The websites are intended for adults, and the company does not knowingly collect personal data from anyone under sixteen. As a participant in an independent safe harbor program, the company undergoes audits and monitoring to ensure compliance with established online data collection practices. Parents who believe their child has provided personal data can request changes or deletion by contacting Consumer Relations.
Retention of personal data continues as long as necessary to fulfill the purposes outlined in the policy, unless longer retention is required by law. Retention periods consider the amount, nature, and sensitivity of the data, potential risks, purposes of use, and legal requirements. De-identified data is maintained and used without attempts to re-identify except as permitted by law.
Commercially reasonable security measures including physical, technical, and administrative safeguards are used to protect personal data from loss, misuse, and unauthorized access. However, no internet-based system is completely secure, and users are encouraged to protect their passwords and exercise caution online.
Because the company is a global organization, personal data may be transferred and stored in the United States or other countries where facilities or service providers are located. Transfers outside an individual’s country of residence are carried out in accordance with applicable law, often using standard contractual clauses or other lawful mechanisms. For individuals outside the United States, data may be subject to different levels of protection. The legal bases for processing include consent, contractual necessity, compliance with legal obligations, exercise of rights, and legitimate interests.
For residents of Brazil, Canada, Mexico, or India, additional privacy policies are available separately. For US residents, detailed disclosures are provided regarding categories of personal data collected, sources, disclosures for business purposes, and sales or sharing of data. The company may sell or share identifiers, commercial information, internet activity, geolocation data, and inferences with analytics and advertising partners. Sensitive personal information such as account login credentials is collected but only used to provide and maintain services. Financial incentives like discounts or promotions may be offered in exchange for receiving marketing communications, and individuals can opt out at any time. California residents have additional rights under the Shine the Light law to opt out of sharing personal data for third-party direct marketing purposes.
Questions or concerns about privacy practices can be directed to Consumer Relations. The policy is updated from time to time, and the last updated date indicates when changes were made. Material changes are accompanied by additional notice. Users are encouraged to review the policy periodically.
The Cookie and Ads Policy explains how cookies and similar technologies are used on the websites. Strictly necessary cookies are required for basic functions like logging in and filling forms. Functional cookies remember settings and preferences. Performance cookies collect statistics on visitor behavior and website performance. Targeting cookies are set by advertising partners to build interest profiles and deliver relevant ads across other online services. Users can control cookies through the Cookie Preferences link on the websites or through browser settings. Interest-based advertising choices can also be managed through industry opt-out tools provided by various advertising self-regulatory groups. Mobile device settings and available opt-out tools provide additional controls. Even after opting out, users may still see ads, but they will be less relevant.
