Privacy Policy v6.0
August 2022
1 Introduction
MandM Direct Limited is one of the UK's largest online off-price retailers. We've been trading for over 30 years, selling the world's biggest brands direct to our customers at savings of up to 65% off RRP.
At MandM Direct, we're committed to protecting and respecting people's privacy. Therefore, all Personal Data about our customers that we, as Data Controller, collect in the course of providing our services, is treated in the strictest confidence, and managed solely in line with this Privacy Policy.
If you have any comments or concerns regarding our use of your Personal Data, please contact our Data Protection Officer:
- by email at privacy@mandmdirect.com ; or
- by post at Data Protection Officer, MandM Direct, Clinton Road, Leominster, Herefordshire HR6 0SP, United Kingdom.
Customers outside the UK may prefer to contact our EU Representative at privacy.heartland@heartland.co. Based in Denmark, our EU Representative also acts as a point of contact for supervisory authorities across Europe.
2 What information do we collect about you, and when?
We'll collect information about you when you:
- browse this website (for more information about the cookies operating on this website, and to choose which you are happy to accept, please see our Cookie List page);
- place a product order on this website;
- create an MandM Direct customer account (“MyAccount”) using this website (NB you must be aged 16 or over to create a MyAccount);
- contact us by phone, email or social media;
- enter a competition, promotion or survey organised by us; or
- subscribe to our marketing communications.
The information that we'll collect from you in these circumstances will contain your “Personal Data”. This is data from which you can be identified, such as your name, home address and email address.
Via this website, we'll also take your credit card details if you make a purchase; however, we don't store these details on any of our systems. We undergo a rigorous annual assessment to validate that our processes for handling credit card data are safe and secure, and we are fully accredited on that basis.
Equally, we'll never ask you for any Special Category Data (i.e. sensitive information about your ethnicity, religion, health etc.).
3 How will we use that information?
We'll use your Personal Data only for the purposes listed in the table below. This table also explains:
- the lawful basis for processing your Personal Data, linked to each purpose;
- in what circumstances your Personal Data will be shared with a trusted third-party organisation; and
- for how long we'll keep your Personal Data.
Please note that data collected by cookies is not described below, but is explained in our Cookie List page.
Note on third-party organisations
In circumstances where we do share your Personal Data with a trusted third-party organisation, we always apply the following rules:
- we only ever provide the minimum amount of data that is absolutely necessary for them to perform their specific services;
- we will always have a comprehensive contract and data processing agreement in place, so that the third-party organisation understands what they can, and cannot, do with your Personal Data, and to give us assurance that they understand their legal obligations to keep the data safe and secure;
- we never allow any third-party organisation, however trusted, to use your Personal Data for their own purposes;
- throughout the time we work with each third-party organisation, we will continue to monitor their performance in order to ensure that all contractual requirements are met, and that our customers' privacy is respected and protected at all times; and
- if we stop using their services, all Personal Data held by them is securely destroyed or returned to us.
When you make a purchase
Purpose for processing Personal Data | Lawful basis for processing Personal Data | Third-party organisations with whom Personal Data is shared | Personal Data retention period |
---|---|---|---|
To fulfil purchases which you make via this website | To meet the requirements of contract law | Customers' Personal Data may be processed by the following: | 6 years after a customer's last transaction |
To despatch goods that you have ordered from us | To meet the requirements of contract law | Customers' Personal Data will be stored in Manhattan, which is our Warehouse Management System. We then use Evri (formerly Hermes) and DPD to deliver parcels to our customers (NB Evri and DPD will also use your Personal Data to keep you up to date with information regarding your delivery) | 6 years after a customer's last transaction |
To process customer requests for finance (please note that this includes data processing for the purposes of fraud prevention) | Customers will provide informed consent before their data is processed for the purposes of a finance application | Data will be captured by one of our lending partners, dependent upon the customer's choice and selection. The relevant partner will then act as an independent Data Controller. Currently, our lending partners are: | 6 years following expiry of the finance agreement |
To process credit / debit card payments, and inform you if there are any issues | To meet the requirements of contract law | For payments online, data will be shared with Adyen, our payment gateway provider. In processing this data, customer details will also be automatically checked for fraud prevention purposes | We do not keep credit / debit card data; however, anonymised token data is kept for 6 years |
To keep you informed about the progress of your order, or advise you about relevant order or account information (i.e. despatch updates, confirmation of password change, items left in your basket etc.) | To meet the requirements of contract law | Customers' Personal Data may be processed by the following: | 6 years after a customer's last transaction |
To fulfil customer requests for returns | To meet the requirements of contract law | We use ZigZag Global to enable customers to return parcels to us. This is supported by our courier partners, Evri and DPD | Data is kept for 90 days unless a return is made, in which case data is kept for 7 years |
After-sales data processing
Purpose for processing Personal Data | Lawful basis for processing Personal Data | Third-party organisations with whom Personal Data is shared | Personal Data retention period |
---|---|---|---|
To provide customer services support by telephone or email (this includes the recording of telephone calls for quality and monitoring purposes) | This is deemed legitimate, as it is in customers' interest that we can access their data in order to resolve any queries, questions, concerns or complaints | Customer data is held within our Google infrastructure. Our telephony service is supported by IP Integration | 6 years after a customer's last transaction. However, telephone call recordings will be kept for no more than 60 days |
To send emails asking you to submit a product review | This is deemed legitimate, as it enables you to provide feedback and information on the best products and services for the benefit of other customers | Emails are sent on our behalf by Bloomreach. However, please note that customer data will only be shared with our partners at Trustpilot if a customer chooses to submit a review, and thus consents to the data exchange | 6 years after a customer's last transaction. Data held by Trustpilot will be kept for 3 years |
To collate social media communications | This is deemed legitimate, as it allows us to acknowledge and respond effectively to customer enquiries | Social media messages are held in a platform managed by Falcon | Data is retained for 15 months |
Data processing for online services
Purpose for processing Personal Data | Lawful basis for processing Personal Data | Third-party organisations with whom Personal Data is shared | Personal Data retention period |
---|---|---|---|
To enable you to set up an online account | This is deemed legitimate, as it is customers' choice to set up an account | Data will be processed by Google, which supports our internal IT infrastructure including customer databases | 6 years after a customer's last transaction |
To deliver Push Notifications to users of our website | Users consent to Push Notifications via a bespoke pop-up message when they first access the site | Data is processed by Bloomreach, which facilitates the delivery of Push Notifications | 6 years after a customer's last transaction |
Data processing for marketing
Purpose for processing Personal Data | Lawful basis for processing Personal Data | Third-party organisations with whom Personal Data is shared | Personal Data retention period |
---|---|---|---|
To send you emails with information about special offers and promotions. In some cases, the content of the email will be based on your previous interactions with us: this is described more fully in section 6.8 below | This is deemed legitimate, as: (i) you provided the data directly to us; (ii) we only send you information about similar products; (iii) you can opt out on our website; and (iv) you can opt out using any marketing email | Emails are sent on our behalf by Bloomreach. Additionally, we use Validity to validate that email addresses are correct and up to date | 6 years after a customer's last transaction |
To send you emails where you have specifically requested these via our website or a third-party sign-up | Consent | Emails are sent on our behalf by Bloomreach. Additionally, we use Validity to validate that email addresses are correct and up to date | 6 years after a customer's last transaction |
To deliver advertising across social media and other online platforms (e.g. Google, Facebook) | Customers consent to these communications through the specific platforms. Additionally, only anonymised data is shared | Anonymised data only will be shared with various advertising partners | 6 years after a customer's last transaction |
Other data processing
Purpose for processing Personal Data | Lawful basis for processing Personal Data | Third-party organisations with whom Personal Data is shared | Personal Data retention period |
---|---|---|---|
To process competition entries and inform winners | Customers give consent when they submit competition entries | Data will be processed by Google, which supports our internal IT infrastructure including customer databases (NB where a competition is run by a third party, any data sharing with us will be made clear in the corresponding terms & conditions) | 6 years after a customer's last transaction |
To match data that we hold in order to gain better insight about our customers, both individually and at aggregate level | Customers consent to this processing by way of the cookies preference centre | Data will be processed by Google, which supports our internal IT infrastructure including customer databases | 6 years after a customer's last transaction |
4 Overseas transfers
We share your Personal Data within MandM Limited. This will involve transferring your data outside the UK.
Many of our external third parties are based outside the UK, so their processing of your Personal Data will involve a transfer of data outside the UK.
Whenever we transfer your Personal Data out of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following:
- we only transfer your Personal Data to countries that have been deemed to provide an adequate level of protection for personal data; or
- the recipient has agreed to give your Personal Data protection similar to the protection it would have in the UK.
Your Personal Data may be processed outside the EEA or UK by third-party organisations including the following, for the purposes described below:
Organisation name | Purpose for the overseas transfer | Areas where the data is processed |
---|---|---|
Falcon | To enable us to manage social media enquiries | USA |
IP Integration | Supporting our telephony services | India |
Partnerize | To support website tracking | Australia, Japan, USA, Singapore |
Qubit | To enable website personalisation | Ghana, USA |
Zendesk | To enable us to manage customer queries and complaints | USA |
5 Data privacy and security
All Personal Data that you provide to us will be stored on our secure servers which are located within either the United Kingdom or the EEA.
Information security is extremely important to us, and therefore we observe the following safeguards as a minimum:
- network security: we deploy security and monitoring tools that restrict access to our network and systems and alert us to any unauthorised behaviour on them;
- data transfers: all data transfers are carried out using multi-layered security measures to protect data integrity and privacy;
- firewalls and encryption: we apply industry-standard firewall protection and use current, uncompromised encryption technology;
- auditing and testing: we carry out regular penetration testing and employ ethical hackers to verify that our infrastructure is secure and that any intrusion would be quickly detected;
- building entry controls: our premises and those of our partners are fully access controlled and monitored, with on-site security and CCTV monitoring;
- access and control: we maintain strictly controlled access to systems and data, based on the authorised roles of staff;
- training: we ensure our employees are trained in the importance of data security;
- breach notification: in the event that we suffer a data security breach, we will notify the relevant regulator, and you, where we are required to do so.
6 Your rights
Under the terms of data protection legislation, you have the following rights as a result of using this website:
6.1 Right to be informed
This Privacy Statement, together with our Cookies Policy, fulfils our obligation to tell you about the ways in which we use your Personal Data as a result of you using this website.
6.2 Right to access
You have the right to ask us, in writing, for a copy of any Personal Data that we hold about you. This is known as a “Subject Access Request”. Other than in exceptional circumstances (which we would discuss and agree with you in advance), you can obtain this information at no cost. We will send you a copy of the information within 30 days of your request.
To make a Subject Access Request, please contact our Data Protection Officer by email at privacy@mandmdirect.com or by post at Data Protection Officer, MandM Direct, Clinton Road, Leominster, Herefordshire HR6 0SP, United Kingdom.
6.3 Right to rectification
If any of the Personal Data we hold about you is inaccurate, you can either:
- visit the "MyAccount" section of the website where you can make changes to some of the information that we hold about you; or
- contact our Data Protection Officer at privacy@mandmdirect.com. Any corrections that you request will be made as soon as possible, and certainly no later than 30 days following your notification.
6.4 Right to be forgotten
You can ask that we erase all Personal Data that we hold about you. Where it is appropriate that we comply, your request will be fully actioned within 30 days. For further information, please contact our Data Protection Officer at privacy@mandmdirect.com.
6.5 Right to object
You have the right to object to:
- the continued use of your Personal Data for any purpose listed in section 3 of this Privacy Statement for which consent is identified as the lawful basis of processing (i.e. you have the right to withdraw your consent at any time); or
- the continued use of your Personal Data for any purpose listed in section 3 of this Privacy Statement for which the lawful basis of processing is that it has been deemed legitimate.
For further information, please contact our Data Protection Officer at privacy@mandmdirect.com.
Please note that you can also exercise your right to object to our use of cookies by following the guidance in our Cookie List page.
6.6 Right to restrict processing
If you wish us to restrict the use of your Personal Data because (i) you think it is inaccurate but this will take time to validate, (ii) you believe our data processing is unlawful but you do not want your data erased, (iii) you want us to retain your Personal Data in order to establish, exercise or defend a legal claim, or (iv) you wish to object to the processing of your Personal Data, but we have yet to determine whether this is appropriate, please contact our Data Protection Officer at privacy@mandmdirect.com.
6.7 Right to data portability
If you would like us to move, copy or transfer the Personal Data that we hold about you to another organisation, please contact our Data Protection Officer at privacy@mandmdirect.com.
Please be advised that this only applies to certain data which has been submitted by you electronically for specific purposes only. Our Data Protection Officer can provide further advice.
6.8 Rights related to automated decision-making
In order that we can understand your preferences, and therefore send you emails showing products that we hope will be of particular relevance and interest to you, we use automation to review the information that you've provided to us, your purchasing history and your engagement with us. This is permitted under data protection laws because these processes cannot significantly harm you, i.e. they will not lead to discrimination or affect your legal rights. However, if you don't want us to use automated processing, you can either object to the processing of your Personal Data (see section 6.5 above), or ask us to delete all your Personal Data (see section 6.4 above).
7 Disclaimers
Unfortunately, the transmission of information via the internet is not completely secure. Therefore, although we'll make every effort to protect your Personal Data at all times, we cannot absolutely guarantee the security of any data sent to our website: as such, any transmission is at your own risk. However, once we've received your Personal Data, we'll employ stringent security procedures aimed at preventing unauthorised access (see section 5 above).
Every effort is made to ensure that the information on this website, and in this Privacy Statement, is accurate and up-to-date, but no legal responsibility is accepted for any errors or omissions contained herein.
We cannot accept liability for the use made by you of the information on this website or in this Privacy Statement, nor do we warrant that the supply of the information will be uninterrupted. All material accessed or downloaded from this website is obtained at your own risk. It is your responsibility to use appropriate anti-virus software.
This Privacy Statement applies solely to the data collected by us, and therefore does not also apply to data collected by third-party websites and services that are not under our control. Furthermore, we cannot be held responsible for the Privacy Statements on third-party websites, and we advise users to read these carefully before registering any Personal Data.
8 General
Questions and comments regarding this Privacy Statement are welcomed, and should be sent to our Data Protection Officer at privacy@mandmdirect.com.
You can also contact our Data Protection Officer if you have any concerns or complaints about the ways in which your Personal Data has been handled as a result of you using this website.
Alternatively, you have the right to lodge a complaint with the Information Commissioner's Office ("ICO") who may be contacted at Wycliffe House, Water Lane, Wilmslow SK9 5AF or ico.org.uk (for details on how your data will be managed by the ICO, please refer to ico.org.uk/global/privacy-notice).