This list is not exhaustive and, in specific instances, we may need to collect additional data for the purposes set out in this Privacy Notice.
3.2 IF YOU FAIL TO PROVIDE PERSONAL DATA
The provision of your personal data is voluntary, however, if you do not provide certain personal data which we need in order to comply with our legal obligations or in order for us to enter into or perform a contract with you (such as your delivery and billing address when you place an online order), we may be unable to provide the goods or services you have requested.
4. LAWFUL BASIS
4.1 We will only use your personal data where we have a lawful basis to use it, for example:
Contract: In order to allow us to fulfil our contractual obligations with you, we may need to process your name, contact details and payment details, as set out above. If you contact us, we may keep a record of that correspondence.
Legitimate Interest: It is in our legitimate business interests to process your personal data in ways which might reasonably be expected as part of running our business and which do not materially impact your interests, rights or freedoms, such as:
- business development;
- responding to your customer services queries and complaints;
- marketing to you by telephone and letter;
- managing and improving our products, services, website and app; and
- personalising and/or tailoring the communications that we may send you and/or the online advertising we may display to you by profiling, as explained further in the ‘Profiling’ section below.
Legal Obligation: We may sometimes need to use data to comply with our legal obligations (for example to report an accident or crime).
Consent: Where we send you marketing information via email, app push notifications and/or SMS, we will seek your prior consent to do so. You can withdraw your consent at any time, by contacting us using the details provided above, using unsubscribe links in email and SMS communications or, for app push notifications, by updating your preferences within the app.
5. COOKIES AND WEBSITE LINKS
Our website and app may contain links to other websites of interest. However, once you have used these links to leave our website and app, you should note that we do not have any control over the external website(s) and these website(s) will have their own privacy notices, for which we do not accept any responsibility for. You should exercise caution and look at the privacy notice applicable to the website in question.
6. HOW WE SOURCE YOUR PERSONAL DATA
We may collect information about you in a variety of ways, e.g.:
- When you provide your personal data during the check-out process on our website or in-store,
- when you sign up to our TOFS Club loyalty programme in-store or on our app,
- when you sign up to our email programme,
- when you update your details in-store/online/via customer services,
- when you browse our website/app,
- when you return an item into store or online,
- from publicly available sources such as a public Facebook page or Instagram profile, or
- where you are a vendor, when you express an interest to supply us goods or services.
If you are a customer or a TOFS Club member, we may use the following types of personal data about you to build a profile of your preferences and interests:
- The data we collect directly from you including demographic information such as your home address, date of birth and gender;
- Your browsing activity on our app/website; and
- Your purchase activity in-store and online.
7.2 We use this profile where it is in our legitimate interests to tailor the marketing that we provide to you by email, app push notifications, SMS, telephone and post and the online advertisements we display to you and your shopping habits.
7.3 If you would like any further information about the information that we use to create this profile please contact our Chief Privacy Officer – firstname.lastname@example.org.
8. ONLINE ADVERTISEMENTS
8.1 When you are browsing on apps and other websites, such as Facebook, we will display advertising about products and services which we think will be of interest to you based on your use of our app and website (such as the content you read on the website) and your shopping habits. We do this using services offered by sites and social networks, for example, Facebook's Custom Audiences, and using pixels on our website.
9. WHO HAS ACCESS TO YOUR DATA?
9.1 In the below circumstances the data will be subject to confidentiality arrangements with our selected third parties:
TOFS Club and online orders – your data is processed by our data and campaign management agency to personalise marketing communications and ensure all marketing campaigns are sent in accordance with this Privacy Notice. The agency specifically uses your information for profiling, as described in the ‘Profiling’ section above.
App users – your data is processed by our app developer who is responsible for providing you with the benefits you are entitled to as a TOFS Club The app developer also uses your information for profiling to provide you with personalised content on the app, as described in the ‘Profiling’ section above.
Tell tofs – your data is processed by our data management agency in the USA, the comments/feedback that you provide us helps us to make improvements to our products and services.
Accident reporting / CCTV / Third party vendors – this information is generally not shared with any external bodies unless we are required to do so by law or as part of an investigation.
Delivery Partners – if you place an order for delivery, we will pass your contact details to our delivery partners so that they can arrange for, and fulfil the delivery.
Website Provider– your data may be processed by our website provider, Shopify, in order for them to assist us in the provision of the site and to provide data to our data and campaign management agency.
Payment Processors – when you place an online order your data will be transferred to Stripe or Paypal (whichever payment processor you select) to process your payment.
9.2 Your information may be shared internally with our personnel if access to the data is necessary for performance of their roles.
9.3 Where the parties we engage with are located outside the UK and European Economic Area (EEA), in particular the United States, then we have procedures in place to ensure your data receives the necessary protections. Where we transfer your personal information to service providers outside the UK and the EEA where no adequacy decision applies, we use standard contractual clauses or other transfer tools provided for in the applicable data protection legislation to protect your personal information.
10. HOW DO WE PROTECT DATA?
10.1 We take the security of your data seriously. We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our colleagues in the performance of their duties and our approved service providers. This includes using individual passwords and restricted access to folders and systems on our IT network.
10.2 Where we engage third parties to process personal data on our behalf, we do so on the basis of written instructions, they are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
11. FOR HOW LONG DO WE KEEP DATA?
11.1 We will hold your personal data for the following duration/s:
TOFS Club loyalty programme and email programme
- name, contact details and, where you are a TOFS Club member, transaction information – up to 7 years
Online order data
- name, contact details and transaction information – up to 7 years
customer queries/complaints and returns
- name, email, telephone number – 400 days
- name, email, transaction details and ip address – 400 days
- name, address, date of birth and telephone number – 3 ½ years
- Images are over written each month unless we are required to keep them to deal with a particular issue
- name, email, telephone number – kept for as long as we have supplier/retailer relationship
- visitor book – name, company & car registration – 6 months
12. YOUR RIGHTS
12.1 The GDPR provides you with certain rights in relation to the processing of your personal data, including to:
Request access to personal data about you (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you.
Request rectification, correction, or updating to any of the personal data that we hold about you. this enables you to have any incomplete or inaccurate information we hold about you corrected.
Request erasure of personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove personal data where you have exercised your right to object to processing (see below).
Request the restriction of Processing of your personal data. This enables you to ask us to suspend the processing of personal data about you (e.g. if you want us to establish its accuracy or the reason for processing it).
- Request the transfer of personal data provided by you (“data portability”).
12.2 Object to the processing of your personal data in certain circumstances.
Where we are processing your personal data on the basis of our legitimate interests, you can ask us to stop processing it and we must do so unless we believe we have an overriding legitimate reason to continue processing your personal data or we need to process your personal data to deal with a legal claim. This includes where we are carrying out profiling activities using your personal data.
12.3 The exercise of these rights is not absolute and may be subject to certain pre-conditions and exemptions under the GDPR. Should you wish to exercise the rights accorded by the GDPR, please contact our Chief Privacy Officer – email@example.com
13.1 We strive to process your personal data in accordance with the applicable legal obligations but if you have any complaint(s) in that regard, please address your complaint(s) to firstname.lastname@example.org.
13.2 You also have the right to lodge a complaint with the UK Information Commissioner’s Office (“ICO”) if you are not happy with how TOFS processes your personal data and we cannot provide you with a satisfactory resolution to your request.
14. AMENDMENTS TO THIS PRIVACY NOTICE
14.1 This Privacy Notice may be amended from time to time. We will post any change to this Privacy Notice on our website and app.
14.2 This Privacy Notice was last updated on 26/04/2022.