Privacy Notice for Customer, TOFS Club Member, Vendor & Business Related Personal Data

 

INTRODUCTION

This Privacy Notice describes the ways in which The Original Factory Shop Group Limited ("TOFS", “we”, “us”, “ours”) processes and protects the personal data of our customers, vendors and other business contacts, users of our app/website and members of our TOFS Club loyalty programme (“you”, “yours”).

We are both an in-store and an online retail outfit. Customers can join our TOFS Club loyalty programme in-store or on our app. The benefits you are entitled to as a TOFS Club member may vary depending on whether you have registered in-store or on our app. If you join on our app, you will be a member of the TOFS Club+ loyalty programme but you will still be referred to as a ‘TOFS Club member’ throughout this Privacy Notice. Individuals can also sign up to our email programme to receive newsletters from us.

The types of personal data that we process, as described in this Privacy Notice, are those necessary for us to provide our customers and TOFS Club members with an effective service locally, regionally and online, and to carry out various ancillary activities in relation to our vendors, business contacts and users of our app/website.

We take very seriously our obligations to protect the personal data entrusted to us. The technical and organisational security measures that we employ to safeguard the information in our possession are regularly monitored, reviewed and enhanced in order to meet our responsibilities and the needs of our customers, vendors, TOFS Club members, app/website users and business contacts.

1. DATA CONTROLLER

1.1 The data controller responsible for processing your personal data is The Original Factory Shop Group Limited which is registered with company number 02882042 and maintains its registered office at Orient Business Park, Billington Road, Burnley, East Lancashire, BB11 5UB.                               

2. CONTACT US

2.1 Please direct all general communications or queries relating to this Privacy Notice to chiefprivacyofficer@tofs.com. This email address is also provided for the convenience of data subjects wishing to exercise their rights under this Privacy Notice.

3. WHAT INFORMATION DO WE COLLECT AND WHY

3.1 We may source, use and otherwise process personal data in different ways, as set out in the table below.

Categories of Personal Data

Name

Contact details including email, mobile/home phone number and home address

Date of birth

Who do we collect this from?

Customers

Purpose of Processing

  • To process your order and to communicate with you about your order, including to confirm receipt, dispatch an online order, process any returns and issue you an email receipt on request
  • To improve your online shopping experience, such as to notify you by email when items in your basket have been abandoned
  • To ask whether you would like to review a purchase and help our products be the best they can be
  • To verify age for purchases of age restricted products

Lawful Basis for Processing

  • Legitimate interests (where contacting you to improve your online shopping experience or to ask you to review a purchase)
  • Performance of contract (to process your order)
  • Legal obligation (to verify age for purchases of age restricted products)

TOFS Club members

  • To manage your membership, including providing you with any benefits you are entitled to and dealing with any queries or issues that arise

Performance of contract

Customers, TOFS Club members, individuals who have signed up to our email programme and app/website visitors

  • Where you create an account with us, to manage your account
  • To send promotional materials (by email / phone / SMS / letter / app push notifications) to let you know about our products, services, events, promotions, special offers, or materials that may be of interest to you

Performance of contract (to manage your account)

Consent (where sending promotional materials to you by email, SMS, and app push notifications)

Customers, vendors, business contacts, TOFS Club members and app/website visitors

  • Internal record keeping
  • Security
  • Improving our products and services
  • Manage customer service enquiries and complaints
  • To carry out market research so that we can improve the products and services we offer and learn about how our products or service may be used
  • To administer any competitions or other offers/promotions which you enter into
  • To provide our website and app services to you
  • Establish and manage our relationship

Legal obligation (record keeping and security)


Legitimate Interest (all)

Contract (competitions and promotions, providing website/app services and managing relationship)

 

 

 

Your bank account and payment card details and billing address. Voucher number.

Online Customers
  • To process payments, including to enable you to redeem a voucher.

Performance of contract

How you interact with our emails. For example, how long it takes you to open an email, whether you click through to our website or app from that email and what device you are using when you open that email. We will not collect information about how you interact with our emails where your device settings prohibit us from doing so.

Recipients of our emails, such as TOFS Club members and individuals who have signed up to our email programme

  • To review and improve our email marketing campaigns

Legitimate interest

CCTV images

Customers, vendors, other business contacts, visitors to our premises

  • Protecting our buildings and company assets
  • Investigating any health and safety related incidents involving colleagues, customers and/or visitors
  • Investigating allegations of misconduct involving our colleagues
  • Reducing the incidence of crime and anti-social behaviour (including theft and vandalism)

Legitimate interest (all)


Legal obligation (investigating health and safety incidents and reducing crime and anti-social behaviour)

IP address and how you interact with our website/app

Customers, TOFS Club members and website/app visitors

  • Learn about our website and app users’ browsing patterns and the performance of our website and app
  • Security. Our website provider will store an encrypted record of your login and password for our website/app for security purposes

Legitimate interest

Demographic information such as your home address, date of birth, title and gender

Your purchase history


Your location (where you have turned on location services on the app)


Information relevant to customer surveys and/or offers


Your interests and preferences. For example, if you appear to be interested in products relating to fashion, home & gardening, kids, pets, holidays, crafting, sports, etc


Your feedback and survey responses


Your publicly available personal data, including any which you have shared via a public platform (such as public Facebook page or Instagram profile)

Customers, TOFS Club members and website/app visitors

  • To personalise and tailor any communications, including marketing communications, that we may send you and any online advertising that we display to you on our website and/or app

Consent (where sending marketing communications to you by email, SMS, and app push notifications)


Legitimate interest (where sending marketing communications to you by post or telephone and personalising and tailoring the communications we send to you)

Your location (where you have turned on location services on the app)

App visitors

  • For the purpose of assessing footfall near and within our stores

Legitimate interest

Name, date of birth and home address

Customers and visitors to our premises

  • For the purposes of reporting an accident

Legal obligation

Legitimate interest

This list is not exhaustive and, in specific instances, we may need to collect additional data for the purposes set out in this Privacy Notice.

3.2 IF YOU FAIL TO PROVIDE PERSONAL DATA

The provision of your personal data is voluntary, however, if you do not provide certain personal data which we need in order to comply with our legal obligations or in order for us to enter into or perform a contract with you (such as your delivery and billing address when you place an online order), we may be unable to provide the goods or services you have requested.

4. LAWFUL BASIS

4.1 We will only use your personal data where we have a lawful basis to use it, for example:

  • Contract: In order to allow us to fulfil our contractual obligations with you, we may need to process your name, contact details and payment details, as set out above. If you contact us, we may keep a record of that correspondence.
  • Legitimate Interest: It is in our legitimate business interests to process your personal data in ways which might reasonably be expected as part of running our business and which do not materially impact your interests, rights or freedoms, such as:
    • business development;
    • responding to your customer services queries and complaints;
    • marketing to you by telephone and letter;
    • managing and improving our products, services, website and app; and
    • personalising and/or tailoring the communications that we may send you and/or the online advertising we may display to you by profiling, as explained further in the ‘Profiling’ section below.
  • Legal Obligation: We may sometimes need to use data to comply with our legal obligations (for example to report an accident or crime).
  • Consent: Where we send you marketing information via email, app push notifications and/or SMS, we will seek your prior consent to do so. You can withdraw your consent at any time, by contacting us using the details provided above, using unsubscribe links in email and SMS communications or, for app push notifications, by updating your preferences within the app.

5. COOKIES AND WEBSITE LINKS

If you use our website or app, we may collect your cookie data allow us to distinguish you from other users of our website/app, which helps us to provide you with a personalised experience when browsing and allows us to improve our website/app, as well as to keep track of what you have in your basket, and to analyse visitor information. To find out more about how we use cookies please see our Cookie Notice https://www.tofs.com/pages/cookie-declaration.

Our website and app may contain links to other websites of interest. However, once you have used these links to leave our website and app, you should note that we do not have any control over the external website(s) and these website(s) will have their own privacy notices, for which we do not accept any responsibility for. You should exercise caution and look at the privacy notice applicable to the website in question.

6. HOW WE SOURCE YOUR PERSONAL DATA

We may collect information about you in a variety of ways, e.g.:

    1. When you provide your personal data during the check-out process on our website or in-store,
    2. when you sign up to our TOFS Club loyalty programme in-store or on our app,
    3. when you sign up to our email programme,
    4. when you update your details in-store/online/via customer services,
    5. when you browse our website/app,
    6. when you return an item into store or online,
    7. from publicly available sources such as a public Facebook page or Instagram profile, or
    8. where you are a vendor, when you express an interest to supply us goods or services.

7. PROFILING

If you are a customer or a TOFS Club member, we may use the following types of personal data about you to build a profile of your preferences and interests:

    1. The data we collect directly from you including demographic information such as your home address, date of birth and gender;
    2. Your browsing activity on our app/website; and
    3. Your purchase activity in-store and online.

7.2 We use this profile where it is in our legitimate interests to tailor the marketing that we provide to you by email, app push notifications, SMS, telephone and post and the online advertisements we display to you and your shopping habits.

7.3 If you would like any further information about the information that we use to create this profile please contact our Chief Privacy Officer – chiefprivacyofficer@tofs.com.

8. ONLINE ADVERTISEMENTS

8.1 When you are browsing on apps and other websites, such as Facebook, we will display advertising about products and services which we think will be of interest to you based on your use of our app and website (such as the content you read on the website) and your shopping habits. We do this using services offered by sites and social networks, for example, Facebook's Custom Audiences, and using pixels on our website.

9. WHO HAS ACCESS TO YOUR DATA?

9.1 In the below circumstances the data will be subject to confidentiality arrangements with our selected third parties:

  • TOFS Club and online orders – your data is processed by our data and campaign management agency to personalise marketing communications and ensure all marketing campaigns are sent in accordance with this Privacy Notice. The agency specifically uses your information for profiling, as described in the ‘Profiling’ section above.
  • App users – your data is processed by our app developer who is responsible for providing you with the benefits you are entitled to as a TOFS Club The app developer also uses your information for profiling to provide you with personalised content on the app, as described in the ‘Profiling’ section above.
  • Tell tofs – your data is processed by our data management agency in the USA, the comments/feedback that you provide us helps us to make improvements to our products and services.
  • Accident reporting / CCTV / Third party vendors – this information is generally not shared with any external bodies unless we are required to do so by law or as part of an investigation.
  • Delivery Partners – if you place an order for delivery, we will pass your contact details to our delivery partners so that they can arrange for, and fulfil the delivery.
  • Website Provider– your data may be processed by our website provider, Shopify, in order for them to assist us in the provision of the site and to provide data to our data and campaign management agency.
  • Payment Processors – when you place an online order your data will be transferred to Stripe or Paypal (whichever payment processor you select) to process your payment.

9.2 Your information may be shared internally with our personnel if access to the data is necessary for performance of their roles.

9.3 Where the parties we engage with are located outside the UK and European Economic Area (EEA), in particular the United States, then we have procedures in place to ensure your data receives the necessary protections. Where we transfer your personal information to service providers outside the UK and the EEA where no adequacy decision applies, we use standard contractual clauses or other transfer tools provided for in the applicable data protection legislation to protect your personal information.

10. HOW DO WE PROTECT DATA?

10.1 We take the security of your data seriously. We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our colleagues in the performance of their duties and our approved service providers. This includes using individual passwords and restricted access to folders and systems on our IT network.

10.2 Where we engage third parties to process personal data on our behalf, we do so on the basis of written instructions, they are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

11. FOR HOW LONG DO WE KEEP DATA?

11.1 We will hold your personal data for the following duration/s:

  • TOFS Club loyalty programme and email programme
    • name, contact details and, where you are a TOFS Club member, transaction information – up to 7 years
  • Online order data
    • name, contact details and transaction information – up to 7 years
  • customer queries/complaints and returns
    • name, email, telephone number – 400 days
  • tell tofs
    • name, email, transaction details and ip address – 400 days
  • Accident reporting
    • name, address, date of birth and telephone number – 3 ½ years
  • CCTV
    • Images are over written each month unless we are required to keep them to deal with a particular issue
  • Vendors
    • name, email, telephone number – kept for as long as we have supplier/retailer relationship
    • visitor book – name, company & car registration – 6 months

12. YOUR RIGHTS

12.1 The GDPR provides you with certain rights in relation to the processing of your personal data, including to:

  • Request access to personal data about you (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you.
  • Request rectification, correction, or updating to any of the personal data that we hold about you. this enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove personal data where you have exercised your right to object to processing (see below).
  • Request the restriction of Processing of your personal data. This enables you to ask us to suspend the processing of personal data about you (e.g. if you want us to establish its accuracy or the reason for processing it).
  • Request the transfer of personal data provided by you (“data portability”).

12.2 Object to the processing of your personal data in certain circumstances.

Where we are processing your personal data on the basis of our legitimate interests, you can ask us to stop processing it and we must do so unless we believe we have an overriding legitimate reason to continue processing your personal data or we need to process your personal data to deal with a legal claim. This includes where we are carrying out profiling activities using your personal data.

12.3 The exercise of these rights is not absolute and may be subject to certain pre-conditions and exemptions under the GDPR. Should you wish to exercise the rights accorded by the GDPR, please contact our Chief Privacy Officer – chiefprivacyofficer@tofs.com

13. COMPLAINTS

13.1 We strive to process your personal data in accordance with the applicable legal obligations but if you have any complaint(s) in that regard, please address your complaint(s) to chiefprivacyofficer@tofs.com.

13.2 You also have the right to lodge a complaint with the UK Information Commissioner’s Office (“ICO”) if you are not happy with how TOFS processes your personal data and we cannot provide you with a satisfactory resolution to your request.

14. AMENDMENTS TO THIS PRIVACY NOTICE

14.1 This Privacy Notice may be amended from time to time. We will post any change to this Privacy Notice on our website and app.

14.2 This Privacy Notice was last updated on 26/04/2022.