gdpr-kitchen-bathroom

Introduction

Godfreys IT Limited, trading as Godfreys Kitchens and Bathrooms, adhere to the General Data Protection Regulation [GDPR]. We believe in full disclosure of how we use your information, and the ways in which you can control it.

If, when you finish reading this document you have any more questions please contact our Data Protection Officer at dpo@buyaparcel.uk. If you want to exercise any of your rights, as documented below, please email dpo.request@buyaparcel.uk.

As we change the way we operate, the suppliers we use and make improvements we will revise this document. However, your rights will not change.

The current version of this document is 1.0.

 

Godfreys IT as Data Controller

When you visit our store and buy from us, we act as data controller and we take our obligations to protect your data seriously.

What data do we collect?

  1. When you pay by card we keep a till receipt that is held by the Finance department.
  2. Your full name, for your order addressing and billing purposes and to know what to call you when we talk to you.
  3. Your billing address, for invoicing purposes, and where you open a credit account with us for credit control and checking purposes carried out by the Finance department.
  4. When you open a VAT free account, your registered address and VAT number, which by law we are required to validate on a regular basis.
  5. Where a delivery is to be made, the shipping address, so we know where to send the goods, how much sending the goods is going to cost.
  6. Your contact phone number, for shipping updates and problems with your order and on the rare occasion payment issues.
  7. The contents of your order.
  8. Any significant customer service interaction is noted in our CRM, so we know what you might need or have needed when you call up.
  9. Measurements and fitting information, and any dialogue with you about your project.
  10. 3D models in our CAD software.
  11. Customer leads in our customer leads document.

We use the following principles to treat your data properly.

Contractual Obligations

We need certain personal data in order to fulfil the contract you make with us when you buy from us. The following processing of your data is performed under this legal basis:

  • Recording a user account with your name, email address, phone number, billing address and shipping address against your order.
  • Using that information internally to generate invoice(s).
  • Recording and verifying finance agreements with Hitachi Finance.
  • Internal process automation in order to ship your order(s).
  • Transferring delivery address information, your specified contact number and contact email address to the carrier firm responsible for collecting order(s), where appropriate, from our warehouse(s) and taking them to your specified delivery address. The carrier firm acts as our Data Processor and we have a GDPR agreement on file with them to ensure that they comply with your rights.
  • Where it is not possible to ship your order from our warehouse(s) either due to stock control issues (such as damaged stock, outsize stock, or stock that we ship direct to you) then we are obliged to arrange shipment direct from our supplier to you. The supplier firm acts as our Data Processor and we have a GDPR agreement on file with them to ensure that they comply with your rights.
  • Where you have an issue with delivery, or a delivery has gone missing we will contact the carrier we used on your behalf to resolve the problem. To do this we may provide the tracking number to our account manager, and alternately your name and postcode to help locate the correct shipment.
  • Where your product(s) are covered by a warranty, we will maintain record keeping that allows us to validate your warranty rights until the end of the warranty, and if there is a claim we may be required to verify this with the product manufacturer where the liability is on them to replace or repair.

 

Legitimate Interest

We need to use certain personal data because its used in a way you would normally expect and/or it is necessary to achieve a balance between your rights and freedoms and our ability to ensure the rights of other customers and parties involved in the contract such as our business, the cardholder’s bank and the cardholder.  These are documented as follows:

  • We send you emails to keep you informed of your order progress and ask you questions about your requirements.
  • We send you emails to remind you to make payment of outstanding invoices.
  • We will store in our internal Customer Relationship Manager database your name, address, account identifier so that if you contact us for Customer Services purposes we can meet your expectations as a customer.
  • If you contact us then your details are automatically recorded in our Customer Services system, Zendesk so that we may reply to your customer services query. Once your query is closed, after 30 days it is automatically deleted except where it has a material effect on our relationship with you as a customer, in which case a note will be placed on our internal CRM against your account so that our agents know what has been previously actioned on your behalf.
  • If there is a specific problem with your order or a specific need to call you back our Customer Services agent(s) will attempt to contact you using first your phone number you provided with your account and subsequently via e-mail.

 

Legal Obligation

In some cases we have an obligation to comply with common law and statutory obligations and we have to either retain records and/or disclose records to relevant authorities.

  • We need to retain a record of financial information for compliance with HMRC guidelines for a minimum of 6 years, longer may be required if a compliance check is required.
  • We need to retain a record of all VAT records, which would include VAT numbers, checks we made to establish VAT bonafides for a minimum of 6 years in the UK.
  • Law enforcement may demand information from us in relation to fraud prevention and/or criminal activity.

 

Consent

We may also ask you if you agree for your information to be used for another purpose. Such agreement is always opt-in and you may opt-out or back in again at any time. Such purposes include:

  • Asking you if you agree to be on a mailing list to receive offers, specifically for marketing purposes.
  • Asking you if you agree for us to record your information on our leads database to follow up with you at a later date, when you express an interest in our products and services.
  • Where, due to stock control errors (example: damage or quality control failure(s)) we cannot supply products that we haven’t previously advised you are Direct from supplier our Customer Services Agent(s) will advise you that we are having to go Direct and the supplier in question. If you subsequently decide that you do not wish for this to take place, we will agree to terminate the order in full or in part and refund whatever is due.

 

Which third parties may process your data

We have Data Processor agreements in place with each company we use as a supplier to achieve contractual obligations to ensure they meet the same standards and practices we comply with. We only provide the information required to meet the specific objective, and they may only use the data for that purpose under agreement.

  • When you purchase sufficient bulk to require a pallet, then your contact details and delivery address is shared with the Palletways organisation.
  • When you purchase sufficient quantity to require a parcel, letter or packet sized package your contact details and delivery address is shared with the UKMail organisation.
  • For Customer Services purposes we use the following providers:
  • Third party suppliers who will provide goods on demand to fulfil your order are listed below:
    • Smeg
    • Omega
    • Maurice Lay
    • IDS
    • Eastbrook
    • Kartell
    • Ipswich Plastics
    • AKW
    • Bristan
    • Waterline
    • DF Sales
    • Woodstock
    • HAFELE

 

Your Rights

You may exercise any of your rights in writing to:

dpo.request@buyaparcel.uk.

Or, where you have previously opted into receiving marketing, you can remove your consent at:

https://outreach.buyaparcel.com:8080

You have the right to be informed:

  • We have provided this policy as a full and transparent disclosure of how we process your information and why. If you have further questions please write to dpo.request@buyaparcel.uk and we will endeavour to clarify.

You have the right to request:

  • Access to the personal data we hold about you, free of change in most cases.
  • To make corrections to personal data when incorrect, out of date, or incomplete.
  • That you withdraw consent and no overriding interest applies (legal, contractual, legitimate) that your information is deleted.
  • That we stop any processing based on consent.
  • That we erase any data we hold about you, unless an overriding legal basis applies.
  • That we archive your information so that whilst it is retained for an overriding legal basis it is not processed.

There are additional rights that you have, which govern uses of data that we have evaluated does not apply to us (we do not use your data in that way, or it is overridden by a legal basis to perform a contract or comply with a law).

To learn more, please take a look at the ICO guide:

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/

To ask for any of these actions to be taken, you must email a subject access request to dpo.request@buyaparcel.uk or via post to:

Data Protection Officer

Godfreys IT Limited

5-7 Pinbush Road

Lowestoft

NR33 7NL

 

If your request relates to an individual order that has not been shipped yet, please contact Customer Services (see Contact Us).

If your request relates to address information held about you for future ordering purposes, please log into the website and access your account to correct your information. To change your account sign-in details (your email address) you will need to submit a request to Customer Services which will be verified by the Data Protection Officer to ensure that a security breach does not occur.

If for any reason we cannot action your request in part, or in full we will write to you explaining our reasons.

Making a request to our DPO

Our DPO will contact you to verify your identity before actioning any request. If you fail to provide means to identify you then your request will be denied.

Problems and issues

If we have not actioned your request in a way you deem correct or appropriate, you may contact the Information Commissioner’s Office. In the wider EEA you must refer your matter to the ICO equivalent in your country.