Privacy Notice for Customer, Vendor & Business Related Personal Data


This Privacy Notice describes the ways in which The Original Factory Shop Group Limited ("TOFS", “we”, “us”, “ours”) processes and protects the personal data of our customers, vendors and other business contacts (“you”, “yours”).

We are both an in-store and an online retail outfit. The types of personal data that we process, as described in this Privacy Notice, are those necessary for us to provide our customers with an effective service locally, regionally and online, and to carry out various ancillary activities in relation to our vendors and business contacts.

We take very seriously our obligations to protect customer, vendor and business contact information, including personal data entrusted to us. The technical and organisational security measures that we employ to safeguard the information in our possession are regularly monitored, reviewed and enhanced in order to meet our responsibilities and the needs of our customers, vendors and business contacts.


1.1 The data controller responsible for Processing your Personal Data is The Original Factory Shop Group Limited which is registered with company number 02882042 and maintains its registered office at Orient Business Park, Billington Road, Burnley, East Lancashire, BB11 5UB.


2.1 Please direct all general communications or queries relating to this Privacy Notice to This email address is also provided for the convenience of data subjects wishing to exercise their rights under this Privacy Notice.


3.1 We may source, use and otherwise process personal data in different ways, as set out in the table below.

Categories of Personal Data


Contact details including email, mobile/home phone number and home address

Date of birth

Who do we collect this from?


Purpose of Processing

  • To send promotional materials (by email / phone / SMS / letter) to let you know about our products, services, events, promotions, special offers, or materials that may be of interest to you.
  • To process your order and to communicate with you about your order, including to confirm receipt and dispatch of an online order and to process any returns.
  • To verify age for purchases of age restricted products

Lawful Basis for Processing

Consent (where sending promotional materials to you by email and SMS)

Legitimate interests (where contacting you by letter or telephone for promotional purposes)

Performance of contract (to process your order)

Customers, vendors, business contacts and website visitors

  • Internal Record Keeping
  • Improving our products and services
  • To provide our website services to you
  • Establish and manage our relationship
  • Manage customer service enquiries
  • Security
  • To administer any competitions or other offers/promotions which you enter into
  • To ask whether you would like to review a purchase and help our products be the best they can be
  • To carry out market research so that we can improve the products and services we offer
  • Learn about how our products or service may be used
  • To complete a purchase and, where requested, to issue you an email receipt
  • To receive and address complaints (Tell TOFS)

Legitimate Interest

Legal obligation


Your bank account and payment card details and billing address. Voucher number.

Online Customers

  • To process payments, including to enable you to redeem a voucher.

Performance of contract

How you interact with our emails. For example, how long it takes you to open an email, whether you click through to our website from that email and what device you are using when you open that email. We will not collect information about how you interact with our emails where your device settings prohibit us from doing so.

Recipients of our emails, such as members of the original factory shop Club card or email programme, as well as online registrants.

  • To review and improve our email marketing campaigns

Legitimate interest

CCTV images

Customers, vendors, business contacts, visitors to our premises

CCTV surveillance at The Original Factory Shop is intended for the purposes of:

  • protecting our buildings and company assets
  • investigating any health and safety related incidents involving colleagues, customers and/or visitors;
  • investigating allegations of misconduct involving our colleagues;
  • reducing the incidence of crime and anti-social behaviour (including theft and vandalism)

Legitimate interest

IP address

Website Visitors

  • Learn about our website(s) users’ browsing patterns and the performance of our website
  • Security
  • Shopify (Website Provider) will store an encrypted record of login and password for security purposes.

Legitimate interest

Demographic information such as your home address and date of birth

Your purchase history

Information relevant to customer surveys and/or offers

Website Visitors

  • To personalise and/ tailor any communications, including marketing communications, that we may send you and online advertising

Legitimate interest

Name, date of birth and home address

Visitors to our premises

  • For the purposes of reporting an accident

Legal obligation

Legitimate interest


The provision of your personal data is voluntary, however, if you do not provide certain personal data which we need in order to comply with our legal obligations or in order for us to enter into or perform a contract with you (such as your delivery and billing address when you place an online order), we may be unable to provide the goods or services you have requested


4.1 We will only use your personal data where we have a lawful basis to use it, for example:

  • Contract: In order to allow us to fulfil our contractual obligations with you, we may need to process your name, contact details and payment details, as set out above. If you contact us, we may keep a record of that correspondence.
  • Legitimate Interest:It is in our legitimate business interests to process your personal data in ways which might reasonably be expected as part of running our business and which do not materially impact your interests, rights or freedoms, such as:
    • business development;
    • responding to your customer services queries;
    • marketing to you by telephone and letter;
    • reviewing and improving our email marketing campaigns; and
    • personalising and/or tailoring the communications that we may send you by profiling, as explained further in the ‘Profiling’ section below.
  • Legal Obligation: We may sometimes need to use data to comply with our legal obligations (for example to report an accident).
  • Consent:Where we use your email or telephone number to communicate marketing information via email and SMS, we will seek your prior consent to do so. You can withdraw your consent at any time, by contacting us using the details provided above.

4.2 As a user of our website we may process your personal data for the following purposes:

  • To enable you to purchase items online. You will have the option to register an account with us or to proceed through the checkout as a guest, in which case we will only collect the personal data which we require to process your order.
  • To handle any customer service issue, including any returns, [in accordance with our terms and conditions].
  • To improve your online shopping experience, such as to notify you by email when items in your basket have been abandoned.
  • To enroll you into our original factory shop Club card or email programme, to receive promotional materials.
  • As our website user we may collect your cookie data allow us to distinguish you from other users of our website, which helps us to provide you with a personalised experience when browsing our website and allows us to improve our site, as well as to keep track of what you have in your basket, and to analyse visitor information. To find out more about how we use cookies please see our Cookie Notice
  • Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over the external website(s) and these website(s) will have their own privacy notices, for which we do not accept any responsibility for. You should exercise caution and look at the privacy notice applicable to the website in question.


5.1 We may collect this information in a variety of ways, e.g.:

    1. When you provide your personal data during the check-out process on our website,
    2. data might be collected through application for an original factory shop Club card,
    3. when you sign up to our email programme,
    4. when you update your details in store/online/via customer services, or
    5. when you return an item into store or online, or vendors expressing interest to supply us goods or services.


6.1 We use your purchase history and demographic information (such as your home address and date of birth) to build a picture of your preferences and interests, which we use where it is in our legitimate interests to tailor the marketing that we provide to you by email, SMS, telephone and post to you and your shopping habits.

6.2 If you would like any further information about the information that we use to create this profile please contact our Chief Privacy Officer –


7.1 When you are browsing on apps and other websites, such as Facebook, we will display advertising about products and services which we think will be of interest to you based on your use of our website (such as the content you read on the website) and your shopping habits. We do this using services offered by sites and social networks, for example, Facebook's Custom Audiences, and using pixels on our website.


8.1 In the below circumstances the data will be subject to confidentiality arrangements with our selected third parties:

  • original factory shop Club and online orders – your data is processed by our data and campaign management agency to ensure all marketing campaigns are sent in accordance with this privacy policy. The agency specifically uses your information for profiling, as described in the ‘Profiling’ section above.
  • Tell tofs – your data is processed by our data management agency in the USA, the comments/feedback that you provide us helps us to make improvements to our products and services.
  • Accident reporting / CCTV / Third party vendors – this information is generally not shared with any external bodies unless we are required to do so by law.
  • Delivery Partners – if you place an order for delivery, we will pass your contact details to our delivery partners so that they can arrange for, and fulfil the delivery.
  • Website Provider– your data may be processed by our website provider, Shopify, in order for them to assist us in the provision of the site and to provide data to our data and campaign management agency.
  • Payment Processors – when you place an online order your data will be transferred to Stripe or Paypal (whichever payment processor you select) to process your payment.

8.2 Your information may be shared internally with our personnel if access to the data is necessary for performance of their roles.

8.3 Where the parties we engage with are located outside the UK/European Economic Area, in particular the United States, then (unless an exemption applies) these transfers are governed by the EU Commission-approved Standard Contractual Clauses, Binding Corporate Rules for Controllers or Processors or the transfer is to a country which is the subject of an adequacy-decision by the European Commission;


9.1 We take the security of your data seriously. We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our colleagues in the performance of their duties and our approved service providers. This includes using individual passwords and restricted access to folders and systems on our IT network.

9.2 Where we engage third parties to process personal data on our behalf, we do so on the basis of written instructions, they are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.


10.1 We will hold your personal data for the following duration/s:

  • original factory shop club card and email programme
    • name, contact details and, where you are a club card holder, transaction information – up to 7 years
  • Online order data
    • name, contact details and transaction information – up to 7 years
  • customer queries/complaints and returns
    • name, email, telephone number – 400 days
  • tell tofs
    • name, email, transaction details and ip address – 400 days
  • Accident reporting
    • name, address, date of birth and telephone number – 3 ½ years
  • CCTV
    • Images are over written each month unless we are required to keep them to deal with a particular issue
  • Vendors
    • name, email, telephone number – kept for as long as we have supplier/retailer relationship
    • visitor book – name, company & car registration – 6 months


11.1 The GDPR provides you with certain rights in relation to the Processing of your Personal Data, including to:

  • Request access to Personal Data about you (commonly known as a “data subject access request”). This enables you to receive a copy of the Personal Data we hold about you.
  • Request rectification, correction, or updating to any of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to Process it. You also have the right to ask us to delete or remove Personal Data where you have exercised your right to object to Processing (see below).
  • Request the restriction of Processing of your Personal Data. This enables you to ask us to suspend the Processing of Personal Data about you (e.g. if you want us to establish its accuracy or the reason for Processing it).
  • Request the transfer of Personal Data provided by you (“data portability”).

11.2 Object to the Processing of your Personal Data in certain circumstances.

Where we are processing your personal data on the basis of our legitimate interests, you can ask us to stop processing it and we must do so unless we believe we have an overriding legitimate reason to continue processing your personal data or we need to process your personal data to deal with a legal claim. This includes where we are carrying out profiling activities using your personal data.

11.3 The exercise of these rights is not absolute and may be subject to certain pre-conditions and exemptions under the GDPR. Should you wish to exercise the rights accorded by the GDPR, please contact our Chief Privacy Officer –


12.1 We strive to process your personal data in accordance with the applicable legal obligations but if you have any complaint(s) in that regard, please address your complaint(s) to

12.2 You also have the right to lodge a complaint with the UK Information Commissioner’s Office (“ICO”) if you are not happy with how TOFS processes your personal data and we cannot provide you with a satisfactory resolution to your request.

This Notice may be amended from time to time. We will post any change to this Notice on our website.


This Notice was last updated on 6th August 2021.