Godfreys IT Limited, trading as Buyaparcel.com adhere to the General Data Protection Regulation [GDPR]. We believe in full disclosure of how we use your information, and the ways in which you can control it.
If, when you finish reading this document you have any more questions please email our Data Protection Officer at firstname.lastname@example.org. If you want to exercise any of your rights, as documented below, please email email@example.com.
As we change the way we operate, the suppliers we use and make improvements we will revise this document. However, your rights will not change. We maintain a Change History which can be found at the bottom of this page.
The current version of this document is 1.0.
Godfreys IT as Data Controller
When you call us to buy from us, we act as data controller and we take our obligations to protect your data seriously.
What data do we collect?
Your email address, to update you with order progress and provide you with an order receipt and/or your phone number for fraud check calls, and problems.
Your full name, for your order addressing and billing purposes and to know what to call you when we talk to you.
Your billing address, for invoicing purposes and to provide to our payment processor.
Your shipping address, so we know where to send the goods, how much sending the goods is going to cost and what VAT to charge you.
The products and quantities you require which make up the order.
The outcome of your attempted purchase, and any anti-fraud scoring we might receive from the payment processor, SagePay, which may require our further action to check your purchase is legitimate.
Any significant customer service interaction is noted in our CRM, so we know what you might need or have needed when you call up.
We use the following principles to treat your data properly:
We need certain personal data in order to fulfil the contract you make with us when you buy from us. The following processing of your data is performed under this legal basis:
Recording a user account with your name, email address, phone number, billing address and shipping address against your order.
Using that information internally to generate invoice(s).
Internal process automation in order to ship your order(s).
Transferring delivery address information, your specified contact number and contact email address to the carrier firm responsible for collecting order(s) from our warehouse(s) and taking them to your specified delivery address. The carrier firm acts as our Data Processor and we have a GDPR agreement on file with them to ensure that they comply with your rights.
Where it is not possible to ship your order from our warehouse(s) either due to stock control issues (such as damaged stock, outsize stock, or stock that we ship direct to you) then we are obliged to arrange shipment direct from our supplier to you. The supplier firm acts as our Data Processor and we have a GDPR agreement on file with them to ensure that they comply with your rights.
Where you have an issue with delivery, or a delivery has gone missing we will contact the carrier we used on your behalf to resolve the problem. To do this we may provide the tracking number to our account manager, and alternately your name and postcode to help locate the correct shipment.
Where your product(s) are covered by a warranty, we will maintain record keeping that allows us to validate your warranty rights until the end of the warranty, and if there is a claim we may be required to verify this with the product manufacturer where the liability is on them to replace or repair.
We need to use certain personal data because its used in a way you would normally expect and/or it is necessary to achieve a balance between your rights and freedoms and our ability to ensure the rights of other customers and parties involved in the contract such as our business, the cardholder’s bank and the cardholder.
These are documented as follows:
We send you an email when you complete your order so you have a copy of what you bought and paid for.
We send you an email when your order has shipped, so that you know its on its way and the tracking id and service used.
We will store in our internal Customer Relationship Manager database your name, address, account identifier so that if you contact us for Customer Services purposes we can meet your expectations as a customer.
If you contact us on social media (Facebook, Twitter) or email then your details are automatically recorded in our Customer Services system, Zendesk so that we may reply to your customer services query. Once your query is closed, after 30 days it is automatically deleted except where it has a material effect on our relationship with you as a customer, in which case a note will be placed on our internal CRM against your account so that our agents know what has been previously actioned on your behalf.
If there is a specific problem with your order or a specific need to call you back our Customer Services agent(s) will attempt to contact you using first your phone number you provided with your account and subsequently via e-mail.
In some cases we have an obligation to comply with common law and statutory obligations and we have to either retain records and/or disclose records to relevant authorities.
We need to retain a record of financial information for compliance with HMRC guidelines for a minimum of 6 years, longer may be required if a compliance check is required.
We need to retain a record of all VAT records, which would include VAT numbers, checks we made to establish VAT bonafides for a minimum of 6 years in the UK. If you are an overseas customer VAT rules on records retention may differ, and the law of the country the VAT calculation is performed for applies.
Law enforcement may demand information from us in relation to fraud prevention and/or criminal activity.
We may also ask you if you agree for your information to be used for another purpose. Such agreement is always opt-in and you may opt-out or back in again at any time. Such purposes include:
Asking you if you agree to be on a mailing list to receive offers, specifically for marketing purposes.
Where, due to stock control errors (example: damage or quality control failure(s)) we cannot supply products that we haven’t previously advised you during purchase that are Direct To Customer our Customer Services Agent(s) will advise you that we are having to go Direct and the supplier in question. If you subsequently decide that you do not wish for this to take place, we will agree to terminate the order in full or in part and refund whatever is due.
Which third parties may process your data
We have Data Processor agreements in place with each company we use as a supplier to achieve contractual obligations to ensure they meet the same standards and practices we comply with. We only provide the information required to meet the specific objective, and they may only use the data for that purpose under agreement.
When you purchase sufficient bulk to require a pallet, then your contact details and delivery address is shared with the Palletways organisation.
When you purchase sufficient quantity to require a parcel, letter or packet sized package your contact details and delivery address is shared with the UKMail organisation.
When you buy some goods from some manufacturers we will advise you if it will be shipped Direct To Customer. This means in order to ship your product(s) we need to share information with a supplier.
The supplier(s) we have agreements with are:
For Customer Services purposes we use the following providers:
Ring Central https://www.ringcentral.co.uk, for telephone calls inbound and out.
Zendesk, https://www.zendesk.co.uk/about/, as our help desk.
GSuite, by Google for electronic mail.
We are registered with the UK Information Commissioner’s Office.
We do ship within the European Economic Area, and our compliance is governed under EU law by the UK ICO.
We do not ship outside the European Economic Area.
You may exercise any of your rights by emailing:
Or, where you have previously opted into receiving marketing, you can remove your consent by managing your subscriptions when you login to your account
You have the right to be informed:
We have provided this policy as a full and transparent disclosure of how we process your information and why. If you have further questions please write to firstname.lastname@example.org. and we will endeavour to clarify.
You have the right to request:
Access to the personal data we hold about you, free of change in most cases.
To make corrections to personal data when incorrect, out of date, or incomplete.
That you withdraw consent and no overriding interest applies (legal, contractual, legitimate) that your information is deleted.
That we stop any processing based on consent.
That we erase any data we hold about you, unless an overriding legal basis applies.
That we archive your information so that whilst it is retained for an overriding legal basis it is not processed.
There are additional rights that you have, which govern uses of data that we have evaluated does not apply to us (we do not use your data in that way, or it is overridden by a legal basis to perform a contract or comply with a law).
To learn more, please take a look at the ICO guide:
To ask for any of these actions to be taken, you must email a subject access request to email@example.com or via post to:
Data Protection Officer
Godfreys IT Limited
5-7 Pinbush Road
If your request relates to an individual order that has not been shipped yet, please contact our Customer Service Team.
If your request relates to address information held about you for future ordering purposes, please log into the website and access your account to correct your information. To change your account sign-in details (your email address) you will need to submit a request to Customer Services which will be verified by the Data Protection Officer to ensure that a security breach does not occur.
If for any reason we cannot action your request in part, or in full we will write to you explaining our reasons.
Making a request to our DPO
Our DPO will contact you to verify your identity before actioning any request. If you fail to provide means to identify you then your request will be denied.
Problems and issues
If we have not actioned your request in a way you deem correct or appropriate, you may contact the Information Commissioner’s Office. In the wider EEA you must refer your matter to the ICO equivalent in your country.
This document is version 1.0 and has not been changed since it was published.