Information highway: Where your personal details are ending up.
But the retail giant also revealed that the personal information it collects on its customers may be sent to nations such as China, Pakistan, the Philippines, Mexico, the United Arab Emirates, the US and Britain.
Personal information can include name, contact and household details, transaction history and buying habits.
Coles' more detailed policy description was released just before the new Australian Privacy Principles come into force this week, which make businesses list likely overseas recipients of personal data and conform with stricter rules.
Businesses must also take reasonable steps to ensure foreign recipients do not breach the Australian principles, or that they operate under similar privacy laws in those countries.
A spokeswoman said Coles' global commercial partners had the highest standards of data security and that Coles followed all regulatory requirements and best practice disclosure.
In line with the new legislation, Coles' policy enables customers to access or correct personal information the retailer has collected about them. It does state requests may be rejected, although reasons must be provided if this happens.
Coles said it takes steps to ensure third parties protect the privacy and security of personal information and use the information only for agreed purposes, and it destroys or de-identifies personal information no longer needed. Whenever Coles' online services are used, the company logs the location at which it was used - in cases where this function has not been disabled by the user - as well as dates, times, file metadata and the links customers click on.
The Australian Privacy Foundation vice-chair David Vaile said companies such as Coles should have been revealing where the data was being sent for years and it was unlikely Australian customers would have any comeback if their data was misused overseas.
''You're suddenly at the mercy of someone who's done something wrong who doesn't have to answer to you or your country,'' Mr Vaile said.
''No one running data storage can say, 'your data is safe with us'.''
''At long last we have this new legislation and now we encourage companies to bite the bullet and not just reveal countries they give the data to but companies.''
University of Technology Sydney marketing lecturer Ingo Bentrott said data mining ''sounds very Big Brother but if it's done ethically and you're giving the customer what they want then I think it's OK''.
''We already know sales of milk generally go up when customers buy more Milo but data mining is about finding unknown patterns in purchase behaviour. And any information a competitor doesn't have is an advantage,'' Dr Bentrott said.