Our privacy policy – when you use our website

Introduction

Godfreys IT Limited, trading as Buyaparcel.com, adheres to the General Data Protection Regulation (GDPR). We believe in full disclosure of how we use your information, and the ways in which you can control it.

If, when you finish reading this document, you have any more questions, please email our Data Protection Officer at dpo@buyaparcel.uk.

If you want to exercise any of your rights, as documented below, please email dpo.request@buyaparcel.uk.

As we change the way we operate and the suppliers we use, and make improvements, we will revise this document. However, your rights will not change. We maintain a Change History which can be found at the bottom of this page.

The current version of this document is 1.0.

Godfreys IT as Data Controller

When you register on the site and buy from us, we act as data controller and we take our obligations to protect your data seriously.

What data do we collect?

  1. Your email address, to be used as a login credential for your account and to update you with order progress and provide you with an order.
  2. Your full name, for your order addressing and billing purposes and to know what to call you when we talk to you.
  3. Your billing address, for invoicing purposes and to provide to our payment processor.
  4. Your shipping address, so we know where to send the goods, how much sending the goods is going to cost and what VAT to charge you.
  5. Your contact phone number, for shipping updates, fraud check calls, and problems with your order.
  6. Your basket contents, which make up the order.
  7. Your IP address, for anti-fraud purposes.
  8. The outcome of your attempted purchase, and any anti-fraud scoring we might receive from the payment processor which may require our further action to check your purchase is legitimate.
  9. Any significant customer service interaction is noted in our CRM, so we know what you might need or have needed when you call up.

We use the following principles to treat your data properly:

Contractual Obligations

We need certain personal data in order to fulfil the contract you make with us when you buy from us. The following processing of your data is performed under this legal basis:

  • Recording a user account with your name, email address, phone number, billing address and shipping address against your order.
  • Using that information internally to generate invoice(s).
  • Using that information to pass to the payment processor of your choice so that you can check out and pay.
  • Internal process automation in order to ship your order(s).
  • Transferring delivery address information, your specified contact number and contact email address to the carrier firm responsible for collecting order(s) from our warehouse(s) and taking them to your specified delivery address. The carrier firm acts as our Data Processor and we have a GDPR agreement on file with them to ensure that they comply with your rights.
  • Where it is not possible to ship your order from our warehouse(s) due to stock control issues (such as damaged stock, outsize stock, or stock that we ship direct to you), we are obliged to arrange shipment direct from our supplier to you. The supplier firm acts as our Data Processor and we have a GDPR agreement on file with them to ensure that they comply with your rights.
  • Where you have an issue with delivery, or a delivery has gone missing, we will contact the carrier we used on your behalf to resolve the problem. To do this we may provide the tracking number to our account manager, and alternatively your name and postcode to help locate the correct shipment.
  • Where your product(s) are covered by a warranty, we will maintain record keeping that allows us to validate your warranty rights until the end of the warranty, and if there is a claim we may be required to verify this with the product manufacturer where the liability is on them to replace or repair.

Legitimate Interest

We need to use certain personal data because it is used in a way you would normally expect and/or it is necessary to achieve a balance between your rights and freedoms and our ability to ensure the rights of other customers and parties involved in the contract, such as our business, the cardholder’s bank and the cardholder. An example of this would be using standard internet security mechanisms to create a login account and recording your IP address when you log in, during the length of your visit, to help prevent others exploiting your session with our servers. These are documented as follows:

  • We use a session cookie to provide you with a pseudo-conversational connection to our site that allows you to add items to baskets, remove them, move from page to page and keep your information private to you. This session cookie is announced on our website when you visit for the first time. We use this to ensure that customers' interactions are private to themselves.
  • We use Cloudflare as an intermediary between us (the website) and you (the web browser) to identify malicious attacks and prevent them. This involves Cloudflare acting as a Data Processor on our behalf to identify malicious sources of traffic by IP address and by actions the end user intends to take. We use this to decrease the risks to customer data and of site compromise.
  • We send you an email when you set up an account for you to keep a record.
  • We send you an email when you complete checkout so you have a copy of what you bought and paid for.
  • We send you an email when your order has shipped, so that you know it's on its way and the tracking ID and service used. This email will contain a no-obligation invitation to leave feedback.
  • When we receive your order as paid, we process the information to identify possible fraud, which is our obligation under our agreement with our merchant account and your card provider. If your order has been held for checks you will be notified on the transaction results page. Our trained anti-fraud administrators will then manually verify the reason why the order was held and make a determination whether to proceed based on:
    • Risk to the cardholder as identified by the payment processor (e.g. Sagepay)
    • The personal details provided, and whether they match the cardholder.
    • Whether the billing and shipping address match.
    • The team member in question may elect to call the number you have on file to discuss the hold up with you, and in certain cases explain why the order will not be accepted with the payment method provided.

Once your order has shipped, the information provided by the payment processor (e.g. Sagepay, Paypal) is automatically deleted from our systems.

  • We will store in our internal Customer Relationship Manager database your name, address and account identifier so that if you contact us for Customer Services purposes we can meet your expectations as a customer.
  • If you contact us on social media (Facebook, Twitter) or email then your details are automatically recorded in our Customer Services system, Zendesk, so that we may reply to your customer services query. Once your query is closed, after 30 days it is automatically deleted except where it has a material effect on our relationship with you as a customer, in which case a note will be placed on our internal CRM against your account so that our agents know what has been previously actioned on your behalf.
  • If there is a specific problem with your order or a specific need to call you back, our Customer Services agent(s) will attempt to contact you using first the phone number you provided with your account and subsequently via e-mail.
  • We use Google Analytics to provide information on Goal Conversions and the way people use our site and the general demographics thereof. Individual users are not identifiable and we share no other information with Google.

Legal Obligation

In some cases we have an obligation to comply with common law and statutory obligations and we have to either retain records and/or disclose records to relevant authorities.

  • We need to retain a record of financial information for compliance with HMRC guidelines for a minimum of 6 years; longer may be required if a compliance check is required.
  • We need to retain a record of all VAT records, which would include VAT numbers and checks we made to establish VAT bona fides, for a minimum of 6 years in the UK. If you are an overseas customer, VAT rules on records retention may differ, and the law of the country the VAT calculation is performed for applies.
  • Law enforcement may demand information from us in relation to fraud prevention and/or criminal activity.

Consent

We may also ask you if you agree for your information to be used for another purpose. Such agreement is always opt-in and you may opt-out or back in again at any time. Such purposes include:

  • Asking you if you agree to be on a mailing list to receive offers, specifically for marketing purposes.
  • Where, due to stock control errors (for example, damage or quality control failure(s)), we cannot supply products that we haven’t previously advised you during checkout are Direct To Customer, our Customer Services Agent(s) will advise you that we are having to go Direct, and of the supplier in question. If you subsequently decide that you do not wish for this to take place, we will agree to terminate the order in full or in part and refund whatever is due.

Which third parties may process your data

We have Data Processor agreements in place with each company we use as a supplier to achieve contractual obligations to ensure they meet the same standards and practices we comply with. We only provide the information required to meet the specific objective, and they may only use the data for that purpose under agreement.

  • When you purchase sufficient bulk to require a pallet, your contact details and delivery address are shared with the Palletways organisation.
  • When you purchase sufficient quantity to require a parcel, letter or packet sized package, your contact details and delivery address are shared with the UKMail organisation.
  • When you buy some goods from some manufacturers through our site you will note a Direct To Customer identifier on the product and a Direct identifier in the basket. This means in order to ship your product(s) we need to share information with a supplier. The supplier(s) we have agreements with are:
    • Monarch
    • Merlin
    • Saniflo
    • Mira
    • Aquatiere
    • Calmag
    • Ultra Finishing
    • Stuart Turner
    • Tapworks
    • Scalemaster
    • Geberit
    • Aquadial
    • BWT
    • Manhattan
    • Adey
    • Techflow
    • Kartell
    • MX
    • Stanley
    • Showerwall
    • Dewalt
    • Faithfull
    • Bristan
    • Lawnflite
    • TacWise
    • Ryobi
    • Watersure
    • Zest4Leisure
    • Sealey
    • Mercury
    • AFK
    • Fiskars
    • Gardeo
    • Zarges
    • Triton
  • For Customer Services purposes we use the following providers:

International Orders

We are registered with the UK Information Commissioner’s Office.

We do ship within the European Economic Area, and our compliance is governed under EU law by the UK ICO.

We do not ship outside the European Economic Area.

Your Rights

You may exercise any of your rights by emailing: dpo.request@buyaparcel.uk.

Or, where you have previously opted into receiving marketing, you can remove your consent at: Stop marketing emails

If you are a registered user of our website, you can manage your consent here: Manage my account

You have the right to be informed:

  • We have provided this policy as a full and transparent disclosure of how we process your information and why. If you have further questions please email us at dpo.request@buyaparcel.uk and we will endeavour to clarify.

You have the right to request:

  • Access to the personal data we hold about you, free of charge in most cases.
  • To make corrections to personal data when incorrect, out of date, or incomplete.
  • That, where you withdraw consent and no overriding interest applies (legal, contractual, legitimate), your information is deleted.
  • That we stop any processing based on consent.
  • That we erase any data we hold about you, unless an overriding legal basis applies.
  • That we archive your information so that whilst it is retained for an overriding legal basis it is not processed.

There are additional rights that you have, which govern uses of data that we have evaluated do not apply to us (we do not use your data in that way, or it is overridden by a legal basis to perform a contract or comply with a law).

Find out more by visiting: The ICO Guide for Individuals to GDPR

To ask for any of these actions to be taken, you must email a subject access request to dpo.request@buyaparcel.uk or via post to:

Data Protection Officer

Godfreys IT Limited

5-7 Pinbush Road

Lowestoft

NR33 7NL

If your request relates to an individual order that has not been shipped yet, please contact our Customer Services Team.

If your request relates to address information held about you for future ordering purposes, please log into the website and access your account to correct your information. To change your account sign-in details (your email address) you will need to submit a request to our Customer Services Team, which will be verified by the Data Protection Officer to ensure that a security breach does not occur.

If for any reason we cannot action your request, in part or in full, we will write to you explaining our reasons.

Making a request to our DPO

Our DPO will contact you to verify your identity before actioning any request. If you fail to provide means to identify you then your request will be denied.

Problems and issues

If we have not actioned your request in a way you deem correct or appropriate, you may contact the Information Commissioner’s Office. In the wider EEA you must refer your matter to the ICO equivalent in your country.

Change History

This document is version 1.0 and has not been changed since it was published.