The Information we Collect
As part of you using our Website and during the course of us providing products and/or services to you, we may collect, use, store and transfer the following types of information about you:
- Identity information including your first name, last name, marital status, title and gender.
- Contact information including your address, e-mail address and telephone numbers.
- Financial information including bank details and credit/ debit card information.
- Technical information including your IP address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and other technology on the devices you use to access our website.
- Profile information including your username and password.
- Communications information including your correspondence with us and any feedback that you provide us with.
How and when do we collect your personal information?
We collect the majority of the personal information that we process about you directly from you when you provide this information to us by:
- registering on the Website for an online account or otherwise contact us to obtain information relating to us or our products and/or services;
- placing orders on the Website;
- updating the 'Your Online Account', 'Your Address Book' or 'Your Order Details' section of the Website; and
- communicating with us by phone, e-mail or otherwise, or when you complete a questionnaire or competition entry form
- subscribing to our e-newsletter
We do not collect data from people under the age of 16 and we will delete such data if we are informed we hold it.
Information from other sources
We may also receive personal information about you from various third parties that we engage in order to assist us with providing products and/or services to you, including:
- delivery and address information from our carriers who deliver products to you;
- marketing information from marketing companies who send customer communications and direct marketing materials on our behalf;
- data analytics information from companies that provide us with data analytics services; and
- information on your account, payment and credit history, including information from credit bureaus and sources we use to process payments.
How we use your personal information
We use your personal information for the following purposes:
- to register you as a new customer;
- to respond to your enquiries and complaints, and to manage our relationship with you;
- to handle orders, deliver items and process payments;
- to communicate with you about updates, orders, products, services and promotional offers;
- to update our records and maintain any online account you may have with us;
- to administer and protect our business and this site, including to prevent or detect fraud or abuses of our Website;
- for market research, reporting, analysis and modelling so as to improve the products and services we provide;
- to comply with our financial record keeping obligations;
- to use data analytics to improve our website, products, services and user experiences; and
- to enable third parties to carry out technical, logistical or other functions on our behalf.
- to enable us to perform the contracts that we have with you to supply you with products and/or services;
- where it is necessary for our legitimate interests in administering and managing our relationship with you, providing you with products and/or services, and running our business lawfully and effectively; or
- to enable us to comply with a legal or regulatory obligation.
Sometimes we may ask for your consent to use your information for particular purposes (e.g. to send you marketing communications). Where we do so, this consent will be our legal basis for our use of the information. You can withdraw your consent at any time and we will then stop processing your information for that purpose. If you wish to withdraw your consent, then please contact us using the details at the end of this notice.
For more information on the specific legal basis we are relying on in relation to any of the individual processing activities we have highlighted above, please contact us using the contact details at the end of this notice.
How do we use your personal information for marketing purposes?
If you are an existing customer or you have consented to receiving marketing communications by [email, web or text] we may send you information on any offers, events or news about our products and/or services that we believe may be of interest to you. Please note, if you do not choose to receive this information, we will be unable to keep you informed of any offers, events or news regarding our products and services.
We may also send you information on any offers, events or news about our products and/or services that we believe may be of interest to you by post.
If you agree to us doing so, we may also use Google Customer Match. This service matches a list of email addresses we hold to users signed in with Google in order to allow the display of personalised advertising on your internet browser.
You can ask us to stop sending you marketing messages (whether by email, web, text or post) or using Google Customer Match at any time by sending a request to firstname.lastname@example.org.
We want to ensure you enjoy the best experience of all Fortnum’s has to offer, whether it be the shopping experience you have on our website or through our communications with you. We believe sharing timely and relevant information with you, provides a more tailored, and so better, experience. We achieve this by combining all the data we have about you; how you’ve previously used our website, the products you’ve purchased and how you’ve responded to our direct communications. This enables us to showcase to you a more relevant set of products on our website & share news of the most relevant products, offers and events. The data privacy law allows this as part of our legitimate interest in understanding our customers and our promise to provide the highest levels of service.
If you wish to change how we use your data, please contact us using the contact details at the end of this notice. Please note that if you choose not to share your personal details with us, or refuse certain contact permissions, we might not be able to provide some of the services you’ve asked for.
When do we share your personal information?
We only share your personal information with our other offices, our agents or third parties where necessary so that they can assist us in providing products and/or services to you.
Where we share your personal information with third parties who process your information on our behalf, they will only process your information on our instructions and we will remain responsible for ensuring that it is protected and processed lawfully.
Where we share your personal information with third parties who process it for their own purposes (such as government bodies), those third parties will have their own legal obligations to protect your information and you will have legal rights that you can enforce directly against them.
In particular, we may share your personal information with third parties for the following purposes:
- we may need to share your personal information to other companies who we engage to perform functions on our behalf including; fulfilling orders, delivering packages, sending customer communications, analysing data, processing payments and providing customer services. They will have access to personal information needed to perform their functions, but may not use it for other purposes
- if we sell, transfer or merge parts of our business or our assets, or seek to acquire another business or merge with them, we may share your personal information with the other party to the transaction;
- where it is necessary to prevent fraud or reduce credit risk, we may share your personal information with other companies and organisations; and
- where requested or if we consider that it is reasonably required, we may share your personal information with government bodies, regulatory bodies or law enforcement organisations so that they can carry out their legal functions.
In some instances, we (or the third parties that we share your personal information with) may transfer, process, hold or allow access to your personal information outside the European Economic Area (“EEA”). Where this occurs, we will put adequate safeguards in place to ensure that your personal information is protected in a manner that is consistent with how it would be protected under EU data protection laws.
In most cases, the safeguards that we put in place will be either:
- a decision by the European Commission that the country to which the data is being transferred provides an adequate level or protection; or
- we will put in place a contract with the recipient of your personal information which contains the model clauses that have been approved by the European Commission.
Collection of Information by Third-Party Sites
Our Website may contain links to other websites whose information practices may be different to ours. You should consult the privacy notices of those third party sites as we have no control over information that is submitted to, collected, or processed by them.
A cookie is a text-only string of information that a website transfers to the cookie file of the browser on your computer's hard disk so that the website can remember who you are. A cookie will typically contain the name of the domain from which the cookie has come, the 'lifetime' of the cookie, and a value, usually a randomly generated unique number. When you visit our Website we send you a cookie.
Cookies may be used in the following ways:
The cookies we use are set out in the table below.
|This cookie name is associated with Google Universal Analytics - which is a significant update to Google's more commonly used analytics service. By default it is set to expire after 2 years, although this is customisable by website owners.||Google Analytics||1 day||_gid|
|This cookie name is associated with Google Universal Analytics - which is a significant update to Google's more commonly used analytics service. By default it is set to expire after 2 years, although this is customisable by website owners.||Google Analytics||2 years||_ga|
|Inspectlet (3rd party)||1 year||__insp_targlpt|
|Inspectlet (3rd party)||1 year||__insp_targlpu|
|Inspectlet (3rd party)||1 year||__insp_nv|
|Inspectlet (3rd party)||1 year||__insp_wid|
|Inspectlet (3rd party)||long-term cookie that contains random ID assigned to visitor||__insp_uid|
|Inspectlet (3rd party)||1 year||__insp_slim|
|SLI provide the software for the ‘search’ function on our site. When you visit the search box at the top of our site and put in your search term, they will manage this process. They provide us with all search related data - such as what the most popular search terms are.||SLI Systems||Timestamp of last search, expiry 6 months||SLI4_1336870857|
|SLI provide the software for the ‘search’ function on our site. When you visit the search box at the top of our site and put in your search term, they will manage this process. They provide us with all search related data - such as what the most popular search terms are.||SLI Systems||Unique id for the user, expiry 2 years||SLIBeacon_1336870857|
|We use this cookie to keep track of guest user preferences until such time as they decide to create an account on the website.||Spree eCommerce||20 years||guest_token|
|Measuring anonymous click behaviour on the website and traffic to the website in order to improve user experience on the website.||Snowplow (3rd party)||Maximum 2 years||_sp_id.5768|
|The '__cfduid' cookie is set by the CloudFlare service to identify trusted web traffic. It does not correspond to any user id in the web application, nor does the cookie store any personally identifiable information. More information here.||CloudFlare||5 years||__cfduid|
|Implied Consent EU Cookie Law Banner||10 years||eu_cookie_banner|
|Used to store the most recently visted category page. Helpful when generating breadcrumbs that are more accurate to the users journey.||31 days||last_category_visited|
You can accept or decline 'cookies' by modifying the setting in your browser. Please note that if you disable 'cookies' you may not be able to use all the features of our Website.
How do we keep your information secure?
We employ security measures to prevent unauthorized access to information that we collect online and through POS. We use a secure online order form for all purchases made via the Website. All data transmitted via this form (including credit card details) is 128bit encrypted so it is transmitted securely. To verify this, when placing an order using the Website a padlock will appear in your browser. It is normally in the status bar, towards the right hand side, in the address bar of your browser window. You can double click this padlock to verify that the secure certificate has been issued to the Website.
Our security is certified by the certificate provider Verisign.
Please note that email correspondence with us is in free format text and cannot be encrypted. Accordingly please do not send any sensitive information such as credit card details or passwords via email.We use computer safeguards such as firewalls and data encryption, and we enforce physical access controls to our buildings and files to keep this data safe. We only authorise access to employees who need it to carry out their job responsibilities.
- We protect the security of your information while it is being transmitted by encrypting it using Secure Sockets Layer (SSL).
- We enforce physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of personal data. We may occasionally ask for proof of identity before we share your personal data with you.
We will only keep your personal data for as long as necessary for the purposes for which we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements.
Details of the retention period for different aspects of your personal information are available in our data retention policy, detailed in the table below and covering all key databases held by Fortnum & Mason Plc.
|Ref||Type of Data||Details||Purpose of data||Review Period||Retention Period or Criteria|
|1||Personal Details||Eg Name, Address, Title, Gender||To support email and whitemail marketing, customer reporting and analytics||12 months||5 years|
|2||Contact Details||Eg Billing Address, Delivery address, email address and phone number||To support email marketing & customer reporting||12 months||5 years|
|3||Image Data||Eg CCTV images, photographs if taken during an event and you have not objected to this||For security and PR||12 months||5 years|
|4||Financial||Eg Payment card details||To provide financial information with regard to purchases as well as to support fraud prevention||12 months||7 years|
|5||Transactional Data||Eg order information, product purchased, total cost, payment information, billing and delivery information||To support transactional queries, customer and product reporting & analytics||36 months||7 years|
|6||Technical Data||Eg Internet Protocol (IP) address, login data, browser type and version, time-zone setting and location, browser plug in types and versions, operating system and platform and other technology devices used to access the website, geographical location, length of visit, number of pages viewed||To support online reporting & analytics as well as operational information||12 months||5 years|
|7||Profile Data||Eg Order history, preferences, feedback on survey and response,||To support reporting, analytics and personalisation of marketing activity||12 months||5 years|
|8||Marketing Data||Eg Preferences in receiving marketing and communications||To support marketing activity||12 months||3 years|
|9||Instore Data||Eg products purchased, amount spent, payment information||To support transactional queries, customer and product reporting & analytics||12 months||7 years|
Your legal rights
You have the following rights in relation to the personal information that we hold about you:
- The right to request access to your personal information (commonly known as a “data subject access request”). This enables you to request a copy of the personal information we hold about you and to check we are processing it lawfully.
- The right to request correction of the personal information we hold about you. This enables you to request that we correct any incomplete or inaccurate information that we hold about you.
- The right to request erasure of your personal information in some circumstances. This enables you to request that we erase your personal information where there is no good reason for us continuing to process it.
- The right to object to us processing your personal information. This enables you to object to us processing your personal information where we are relying on a legitimate interest and it impacts on your fundamental rights and freedoms.
- The right to restrict our processing of your personal information. This enables you to ask us to suspend the processing of your personal information in certain circumstances.
- The right to data portability. In certain circumstance this enables you to request that we provide you, or a third party, with a copy of the personal information that you provided to us in a structured, commonly used, machine-readable format.
Revisions to this Privacy Statement
It is important that the personal information we hold about you is accurate and up-to-date. Please keep us informed of any changes to your personal information.
How to Contact us
Whilst we would appreciate the opportunity to deal with your concerns before you do so, if you are unhappy with how we have used your personal information you have the right to lodge a complaint at any time with a supervisory authority. The supervisory authority in the UK is the Information Commissioner’s Office (ICO).
Fortnum & Mason plc.
Registered in England : 00084909
Registered office: 181 Piccadilly, London W1A 1ER.