Privacy Policy

Personal data is any information relating to a living individual who can be identified directly or indirectly, often by name, customer number, location, an online identifier or other factors specific to their identity.


Personal data may include “special category data” such as personal data relating to racial or ethnic origin, political opinions, religious beliefs, membership of a trade union, physical or mental health, and criminal records and allegations. Whilst the primary purpose of our processing of your personal data does not include special categories of personal data, where any special categories of personal data are processed, we will at all times ensure we have a valid lawful basis for processing.


Information disclosed to us, by you, in the course of communications with us will be retained automatically as part of your correspondence and may as a result include special categories of personal data. Further protection and safeguards are placed upon sensitive information we process.


When we collect personal data from you we will indicate whether it is mandatory or voluntary.


The types of data we may process about you include, but are not limited to:

Personal details

Name, address, email address, telephone number;

Order details

Delivery address(es), order and delivery times, contact information, complaint / enquiry information, delivery photographs;

Payment details

We never store your payment details in full. We only store an encrypted token that represents your payment card;

Account details

Identification, purchase history and trends, account activity, log in details; and

Online Activity Details

Details of your operating system, browser software, IP (Internet Protocol) address and Uniform Resource Locator (URL), including the date and time of your visit.

Supplier details

Name, contact details, business information and/or payment details of suppliers may be stored on our systems, or on third party systems, for the purpose of providing a service, access and fulfilling contractual obligations.


We gather information from you through, for example, the use of our websites, apps, products or services. This includes tailoring the information we share with you to ensure that it is relevant, useful, timely and non-intrusive.


We may process information for a number of purposes; these are detailed, non-exhaustively, under the lawful basis of processing section below.


The lawful basis we rely upon to process your personal data may differ for each processing activity. Dependent upon the purpose for processing as detailed below, and the business area processing your data, one of the following lawful bases of processing may apply:


Article 6 (1) (a) GDPR Consent:

Telephone marketing to numbers registered on the Telephone Preference Service List;

Automated phone marketing;

SMS reminders concerning deliveries and services;

Direct mail marketing to Customers on the Mail Preference Services List;

Electronic marketing of third party products and services;

Sending push notifications, where your device requests an affirmed action;

Sharing or publishing of personal data where required; and

To process any personal data for other purposes where your consent has been freely given, specific and informed.

Article 6 (1) (b) GDPR Performance of a contract:

Registering you as a customer;

Providing a service and processing your orders and returns;

Arranging deliveries and collections;

Processing payments and transactions;

To respond to complaints, rights requests and enquiries;

To provide online account management, subscription and related services;

To fulfil any agreed terms and conditions such as for use of our website, our app or entering a competition; and

Contacting or registering suppliers for the purposes of accessing data insights, and further processing required to meet the terms and conditions of membership to any services.

To meet any other contractual obligation.

Processing third party information for the purposes of providing a service, administering access and fulfilling contractual obligations

Article 6 (1) (c) GDPR Legal Obligation:

To allow us to comply with any requirements imposed on us by law or court order, including disclosure to law or tax enforcement agencies or authorities, or pursuant to legal proceedings;

To maintain records to meet legal, audit, regulatory and tax requirements;

To help us defend legal claims, or to exercise legal rights;

To contact affected Customers and process personal data in connection with product recalls, other similar product quality issues and product liability purposes;

To comply with our legal obligations in connection with the sale of age restricted products;

Prevention and detection of fraud, crime and anti-money laundering;

Suppression lists and managing communication opt-out requests;

To meet government legal guidance, such as track and trace for Covid 19; and

To meet any other legal or regulatory obligation.

Article 6 (1) (f) GDPR Legitimate interests: These include:

Training, communications and awareness;

Audit, quality control, performance management and monitoring;

Market research, management information, data aggregation and product performance, either for own purposes, or for the purposes of collaboration partners;

Understanding and publishing trends, customer behaviours and other data insights, and/or to improve usefulness and content of our websites, apps, products and services, and/or to promote products and services either for own or third party purposes;

To develop, and provide the most relevant products and services and gain a wider understanding of our Customers;

To monitor the use of our websites and apps, and to ensure data security, data loss prevention and improve its facilities;

To process feedback, and customer engagement and determine the effectiveness and performance of our products and services;

Reviewing, deleting and publishing reviews made directly or via third parties;

To personalise, target and improve your experience of our products and services;

Direct marketing of our own products and services;

Data shares for the purposes of marketing or promotional activities;

Tracking activity on our websites, apps and third party platforms (such as Social Media) to provide a more personalised online experience;

Linking with social media sites and services, for example, for advertising purposes;

Operating and improving our products, services, websites, mobile applications and other digital assets as well as developing new products and services; and

Processing for competitions, promotions and other marketing purposes.

We share and publish promotional and PR articles online which sometimes include insights and statistics gathered from analysing, for example, our customers’ shopping and browsing behaviour (such as products purchased and pages visited). Any insights and statistics we publish will always be presented in an aggregated and anonymised form.


Any insights and statistics we publish or share with third parties, whether for any financial gain, or not, will always be presented in an aggregated and anonymised form. For example, the data that may be provided to our suppliers to assist them in their sales performance and forecasting will never include personal identifiable information.


We do not tend to ask for, or process, “special category data” about visitors to our websites/apps or our customers or suppliers for our primary purposes of providing our products and services. However, we may process information regarding a disability or vulnerability to facilitate us in providing our service in an appropriate way and to make such reasonable adjustments as may be required.


Should we identify suspected criminal activity such as fraudulent claims, transactions or the use of stolen payment card details we will document the suspected criminal activity and may take appropriate action, including refusing to accept orders, make payments or give refunds. We may also report the incident to the relevant bank or payment card issuer, the police or other appropriate authorities.


Should we process information defined as “special category”, the following lawful bases for processing may be relied upon:


Article 9 (2) (a) GDPR Explicit Consent:

Your permission has been granted and documented directly to us.

Article 9 (2) (f) GDPR Establishing, exercising or defending a legal claim:

Such as litigation against a business, supplier or fraudulent person.

Article 9 (2) (g) Reasons of substantial public interest (with a basis in law).

Article 9 (2) (h) Health or social care (with a basis in law).

Article 9 (2) (i) Public health (with a basis in law).

Article 9 (2) (j) Archiving, research and statistics (with a basis in law).

Where we rely on conditions (h), (i) or (j) above, we commit to meeting associated conditions in UK law, set out in Part 1 of Schedule 1 of the DPA 2018.


Where we rely on the substantial public interest condition in Article 9 (2) (g) above, we commit to meeting one of 23 specific substantial public interest conditions set out in Part 2 of Schedule 1 of the DPA 2018.


We know how important it is to protect and manage your personal data and we take the security of your personal data seriously, by implementing technical and organisational measures to protect its integrity and privacy.


Our security measures

Our websites use Secure Sockets Layer (SSL) encryption technology to protect the transfer of your information to and from our websites. Our web page URLs will start with https and a padlock will be displayed in front of the URL bar to show that we always encrypt the information that you send us.


We maintain and enforce physical, electronic, and procedural safeguards in connection with the collection, storage and disclosure of your personal data. However, whilst we take appropriate technical and organisational measures to ensure the protection of your personal data, we cannot guarantee the security of all personal data that you transfer over the internet to us in every circumstance, for example, if we suffer a sophisticated cyber-attack.


Our security procedures mean that we may occasionally request proof of identity before we disclose personal data to you, including in relation to a request by you for the data we hold on you (a subject access request).


Keeping your payment details secure

We are committed to ensuring the protection of your payment card details and are compliant with the Payment Card Industry’s Data Security Standard (PCI-DSS). Payments made via our sites are processed and managed by specialist payment card companies which are not part of Britmal Ltd. We only store and display the first six and last four digits of your payment card number, the card type and the card expiry date. The full payment card number is never stored on any of our systems and is only stored and processed by a payment card processing company approved by us.


We keep an encrypted authentication token to represent your card and this token is transmitted to the relevant payment card processing company during the order processing.


We use 3D Secure to provide additional fraud protection and to protect your payment card from unauthorised use. During the checkout process, you may be asked by 3D Secure to provide your Verified by Visa or Mastercard Secure Code password.


We will never ask you to provide your personal data via email. If you receive an email like this that claims to be from us and contains a link to an external website, or a request for you to enter any personal data, treat it as suspicious and do not enter any personal data, even if the page appears legitimate. If you suspect that your account details are subject to such fraudulent activities, please let us know by calling us.


You can exercise certain rights in regards to the data we hold on you:


The right to receive a copy of the information we hold about you

The right to have inaccurate information corrected or incomplete information completed

The right to have your information erased

The right to have the processing of your information restricted

The right to withdraw your consent or object to processing reliant upon legitimate interests

The right to have your information transferred to another organisation or yourself in a machine readable format

The right to request human intervention in regards to automated decision making

The applicability of these rights is dependent upon our purpose and the lawful basis of processing relied upon. There may be reasons why the above rights may be limited in some circumstances. For example, we can refuse to provide information if fulfilling your request would reveal personal data about another person, or if you ask us to delete information which we are required to retain by law, have compelling legitimate interests to keep, or need to access in order to fulfil our legal obligations. In such situations, we would only use your information for these purposes and not use or share your information in other ways. We will always protect your privacy and retain any personal data in accordance with the section entitled ‘Data Retention’.


How to exercise your rights and timescales

You can exercise your rights either verbally or in writing. However, if you submit a request verbally we recommend that you follow this up in writing to provide a clear correspondence trail.


We have an obligation to respond within one month of receiving your request. However, we also have the ability to extend the response time by two months should we determine the request is complex and requires additional time and resources to respond. If this is the case you will be informed of the extended response date, alongside an explanation, within the original one-month time frame.


The quickest and easiest way to make a data subject right request is to contact us directly by emailing info@britmal.co.uk.


To exercise a data subject right you can also email us at info@britmal.co.uk. This includes, but is not limited to, the following requests:


To provide you with more information if required, on how we process your personal data

To request access to personal data where you have the right to access a copy of the personal data we hold about you. We utilise an online portal to provide data to you, in a machine-readable format. Personal data is information that relates to an identified or identifiable individual. Personal data must relate to you. Therefore, not all data is personal data. We are, however, happy to provide you with information held and feasible to retrieve with regards to your engagement and any account with us, that is not exempt from disclosure.

To inform us personal data we hold on you is incorrect or incomplete, so we can help you update it. In most instances you can update your personal data online within your account.

To withdraw consent at any time where we have asked for it, but this will not affect any processing that has already taken place. 

To ask us to delete, remove, or stop using your personal data if there is no need for us to keep it. You can also ask us to restrict the use of your personal data in certain circumstances. These rights are known as the right to object, the ‘right to erasure’ and the ‘right to restrict processing’. Should you request your data be deleted outside of our retention period, you will need to use a different email address if you decide to re-register as a customer with us, as your old email address will no longer be valid. You may be unable to continue using our services if you require us to stop using your personal data, since this information is necessary for us to accurately fulfil and provide our services.

Cookie Policy

We use the term cookie to describe cookies and similar technologies such as tags and pixels. Cookies are small data files that websites place on your computer, laptop or mobile device.


We use Cookies for the following purposes:

To improve the performance of our websites by understanding which parts work well, and which don't.

To deliver relevant online advertising to you both on our websites and elsewhere. This is sometimes done by combining data that we already have about you with the data collected through Cookies.

These Cookies are placed by us and selected third parties and enable adverts to be presented to you on our and third party websites.

To measure how effective our online advertising and marketing communications are.

To enable us to collect information about how you and other people use our websites.

To improve your experience on our websites, for example we use Cookies to remember the products you’ve put in your basket and to personalise your experience.


We use the following Cookies:

Strictly necessary Cookies: These are Cookies that are required for the operation of our website. They are necessary for the safety, security and integrity of the site. For example they help support the structure of the pages that are displayed to you, help to improve navigation and allow you to return to pages you have previously visited. This type of Cookie only lasts for the duration of the time you are visiting the website. When you leave the website they are deleted automatically.


Performance Cookies or analytical Cookies: They allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily. The data is aggregated and anonymised, which means we cannot identify you as an individual.


Functionality Cookies: These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region). These Cookies will remain on your device until you choose to clear it. If you choose to do this, you will need to enter your details each time you visit the site.


Targeting Cookies: These Cookies will collect information about your browsing habits and allow us to show you adverts while you are browsing our site and other sites on the internet. They are set by us or by carefully selected third parties. They help us and the selected third parties to understand the performance of our marketing activities and improve the relevance of the adverts that you see.


You can stop Cookies being used on your device by activating the setting on your browser that allows you to block the deployment of all or some Cookies. Please visit www.allaboutcookies.org to find out how. Please note, if you use your browser settings to block Cookies you may not be able to access all or parts of our site.
