Privacy Policy
Your privacy is important to us. This privacy policy describes the online information practices which we Fortnum & Mason plc ('we', 'our') employ in relation to the information which you, our customers ('you', 'your'), provide when using the www.fortnumandmason.com site ('Website').
It is important that you read this privacy policy together with any other notice which we may provide you on specific occasions when we are collecting or processing your personal information, so that you are fully aware of how and why we are using your information, and the legal rights that you have.
As part of you using our Website and during the course of us providing products and/or services to you, we may collect, use, store and transfer the following types of information about you:
We collect the majority of the personal information that we process about you directly from you when you provide this information to us by:
We may also collect technical information when you access and interact with the Website (see the section below on “How do we use cookies?”).
We do not collect data from people under the age of 16 and we will delete such data if we are informed we hold it.
We may also receive personal information about you from various third parties that we engage in order to assist us with providing products and/or services to you, including:
If we request that you do so and you fail to provide information to us, we may be prevented from exercising our rights and obligation and, in particular, we may be prevented from providing the products and/or services that you have asked us to provide. For example, if you fail to provide us with your full address details, it may not be possible for us to fulfil your delivery, or if you fail to provide us with your payment details then we will not be able to process payments for our products and cannot therefore supply them to you.
We use your personal information for the following purposes:
By law, when processing your personal information we are required to have a ‘legal basis’ to do so. A legal basis is essentially a legal justification for processing your personal information. The legal basis we use to process your personal information will generally be one or more of the following:
Sometimes we may ask for your consent to use your information for particular purposes (e.g. to send you marketing communications). Where we do so, this consent will be our legal basis for our use of the information. You can withdraw your consent at any time and we will then stop processing your information for that purpose. If you wish to withdraw your consent, then please contact us using the details at the end of this notice.
For more information on the specific legal basis we are relying on in relation to any of the individual processing activities we have highlighted above, please contact us using the contact details at the end of this notice.
If you are an existing customer or you have consented to receiving marketing communications by [email, web or text] we may send you information on any offers, events or news about our products and/or services that we believe may be of interest to you. Please note, if you do not choose to receive this information, we will be unable to keep you informed of any offers, events or news regarding our products and services.
We may also send you information on any offers, events or news about our products and/or services that we believe may be of interest to you by post.
If you agree to us doing so, we may also use Google Customer Match. This service matches a list of email addresses we hold to users signed in with Google in order to allow the display of personalised advertising on your internet browser.
You can ask us to stop sending you marketing messages (whether by email, web, text or post) or using Google Customer Match at any time by sending a request to marketing@fortnumandmason.co.uk.
We want to ensure you enjoy the best experience of all Fortnum’s has to offer, whether it be the shopping experience you have on our website or through our communications with you. We believe sharing timely and relevant information with you, provides a more tailored, and so better, experience. We achieve this by combining all the data we have about you; how you’ve previously used our website, the products you’ve purchased and how you’ve responded to our direct communications. This enables us to showcase to you a more relevant set of products on our website & share news of the most relevant products, offers and events. The data privacy law allows this as part of our legitimate interest in understanding our customers and our promise to provide the highest levels of service.
If you wish to change how we use your data, please contact us using the contact details at the end of this notice. Please note that if you choose not to share your personal details with us, or refuse certain contact permissions, we might not be able to provide some of the services you’ve asked for.
We only share your personal information with our other offices, our agents or third parties where necessary so that they can assist us in providing products and/or services to you.
Where we share your personal information with third parties who process your information on our behalf, they will only process your information on our instructions and we will remain responsible for ensuring that it is protected and processed lawfully.
Where we share your personal information with third parties who process it for their own purposes (such as government bodies), those third parties will have their own legal obligations to protect your information and you will have legal rights that you can enforce directly against them.
In particular, we may share your personal information with third parties for the following purposes:
In some circumstances, you will receive notice before we share your personal information with third parties and you will have the opportunity to choose not to share your information.If you would like further information about the third parties with whom we share your personal information then please contact us on the details at the end of this notice.
In some instances, we (or the third parties that we share your personal information with) may transfer, process, hold or allow access to your personal information outside the European Economic Area (“EEA”). Where this occurs, we will put adequate safeguards in place to ensure that your personal information is protected in a manner that is consistent with how it would be protected under EU data protection laws.
In most cases, the safeguards that we put in place will be either:
Our Website may contain links to other websites whose information practices may be different to ours. You should consult the privacy notices of those third party sites as we have no control over information that is submitted to, collected, or processed by them.
A cookie is a text-only string of information that a website transfers to the cookie file of the browser on your computer's hard disk so that the website can remember who you are. A cookie will typically contain the name of the domain from which the cookie has come, the 'lifetime' of the cookie, and a value, usually a randomly generated unique number. When you visit our Website we send you a cookie.
Cookies may be used in the following ways:
The cookies we use are set out in the table below.
Purpose | Supplier | Expiration | Cookie |
Analytics | |||
This cookie name is associated with Google Universal Analytics - which is a significant update to Google's more commonly used analytics service. By default it is set to expire after 2 years, although this is customisable by website owners. | Google Analytics | 1 day | _gid |
This cookie name is associated with Google Universal Analytics - which is a significant update to Google's more commonly used analytics service. By default it is set to expire after 2 years, although this is customisable by website owners. | Google Analytics | 2 years | _ga |
Performance | |||
The '__cfduid' cookie is set by the CloudFlare service to identify trusted web traffic. It does not correspond to any user id in the web application, nor does the cookie store any personally identifiable information. More information here. | CloudFlare | 5 years | __cfduid |
The Facebook pixel collects cookie data for targeting and measurement for Facebook and Instagram marketing activity. | 3 months | _fbp | |
Google Marketing Platform cookies are used for conversion tracking, audience profiling and retargeting. More information can be found here. https://policies.google.com/technologies/types?hl=en-US | Google Marketing Platform | Session | XSRF-TOKEN |
Session | S | ||
7 Days | .DDMMUI-PROFILE | ||
13 Days | DSID | ||
End Of Month | 1P_JAR | ||
6 Months | SEARCH_SAMESITE | ||
7 Months | NID | ||
1 Year | ANID | ||
1 year | IDE | ||
1 year | SIDCC | ||
1 year | __Secure-3PSIDCC | ||
2 Years | SID | ||
2 Years | __Secure-3PSID | ||
2 Years | HSID | ||
2 Years | SSID | ||
2 Years | APISID | ||
2 Years | SAPISID | ||
2 Years | __Secure-3PAPISID | ||
3 years | permutive-id | ||
38 Years | CONSENT | ||
Criteo cookies are used to for conversion tracking, audience profiling and retargeting. More information can be found here.https://ailab.criteo.com/cookie-declaration/ | Criteo | Session | _hjTLDTest |
Session | amplitude_idun definedcriteo.com | ||
7 Days | intercom-session-bx9cew01 | ||
1 Year | _hjid | ||
1 Year | uid | ||
1 Year | .criteo.com | ||
1 Year | ajs_anonymous_id | ||
1 Year | ajs_user_id | ||
20 Years | amplitude_id_b37 a423901694056906 133c8c13c895d criteo.com | ||
AWIN 1st or 2nd party cookies are set when you click on an affiliate link. AWIN store IDs for the referring website, advertisement on which was clicked, group of advertisement as to which the advertisement belongs, time it was clicked on, ID for the type of advertisement, ID for the product and any reference the referring site adds to the click. | Affiliate Window | 30 days |
1st: _aw_m_5682 2nd: Aw5682 |
From a partner's site, when a user clicks on an ad/banner, the user is then directed to the Impact tracking server which drops this cookie behind the scene. This cookie stores a unique UUID key so that next time when the user hits the tracking servers, it gives the identity info of the same user. | Impact Radius | 2 years | BRSWR |
Impact radius tracking is set on advertisers page and drops cookies when the user clicks on banner/ad. These are first party cookie's which are set on advertisers domain. This part of UTT javascript functions and works based on unique identifier UUID keys. Value : new Date().getTime().toString() + '-' + Math.random().toString(36).substring(2, 15) |
Impact Radius | 2 years | IR_PI |
The Last click cookie which is used to eliminate the duplicate clicks during checkout/conversion. | Impact Radius | 180 days | IRLD |
Impact Radius tracking application primarily lives on AWS cloud. The tracking servers in our private datacenters and interact with clients and relay data to the tracking servers in our private data centers for further processing. This AWSELB is the load balancer cookie for AWS | Impact Radius | Expires when the session ends | AWSELB |
This is base domain cookie, set on host site. This is under the part of UTT tracking of web events. | Impact Radius | Expires when the session ends | IR_GBD |
This is a current session cookie, The activity is updated everytime the page loads. This is as part of UTT API implementation for tracking web events. Value : last_activity_timestamp|source id|session_id |
Impact Radius | Expires when the session ends | IR_(Campaign_ID) |
This is a session cookie generated by the load balancer, we have tracking servers in Amazon EC2. The cookie may vary depending on the type of data center (Impact's Data centers) F5 | Impact Radius | Expires when the session ends | EPERSIST |
This cookie is used to control action tracker test flow. Testing the integration works | Impact Radius | Expires either at end of session OR once the test is complete | IRBCN |
A session cookie (apptus.sessionKey) is used to track a visitor’s browsing experience throughout their journey in terms of search, navigation (product lists) and recommendation products | Apptus | Expires when the session ends | apptus.sessionKey |
Used to distinguish visitors, track a visitor across sessions, and also to potentially provide a personalised browsing experience in terms of search, navigation (product lists) and recommendation products | Apptus | 1 Year | apptus.customerKey |
You can accept or decline 'cookies' by modifying the setting in your browser. Please note that if you disable 'cookies' you may not be able to use all the features of our Website.
We employ security measures to prevent unauthorized access to information that we collect online and through POS. We use a secure online order form for all purchases made via the Website. All data transmitted via this form (including credit card details) is 128bit encrypted so it is transmitted securely. To verify this, when placing an order using the Website a padlock will appear in your browser. It is normally in the status bar, towards the right hand side, in the address bar of your browser window. You can double click this padlock to verify that the secure certificate has been issued to the Website.
Our security is certified by the certificate provider Verisign.
Please note that email correspondence with us is in free format text and cannot be encrypted. Accordingly please do not send any sensitive information such as credit card details or passwords via email.
We use computer safeguards such as firewalls and data encryption, and we enforce physical access controls to our buildings and files to keep this data safe. We only authorise access to employees who need it to carry out their job responsibilities.We will only keep your personal data for as long as necessary for the purposes for which we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements.
Details of the retention period for different aspects of your personal information are available in our data retention policy, detailed in the table below and covering all key databases held by Fortnum & Mason Plc.
Ref | Type of Data | Details | Purpose of data | Review Period | Retention Period or Criteria |
1 | Personal Details | Eg Name, Address, Title, Gender | To support email and whitemail marketing, customer reporting and analytics | 12 months | 5 years |
2 |
Contact Details |
Eg Billing Address, Delivery address, email address and phone number | To support email marketing & customer reporting | 12 months | 5 years |
3 |
Image Data |
Eg CCTV images, photographs if taken during an event and you have not objected to this | For security and PR | 12 months | 5 years |
4 |
Financial |
Eg Payment card details | To provide financial information with regard to purchases as well as to support fraud prevention | 12 months | 7 years |
5 |
Transactional Data |
Eg order information, product purchased, total cost, payment information, billing and delivery information | To support transactional queries, customer and product reporting & analytics | 36 months | 7 years |
6 |
Technical Data |
Eg Internet Protocol (IP) address, login data, browser type and version, time-zone setting and location, browser plug in types and versions, operating system and platform and other technology devices used to access the website, geographical location, length of visit, number of pages viewed | To support online reporting & analytics as well as operational information | 12 months | 5 years |
7 | Profile Data | Eg Order history, preferences, feedback on survey and response, | To support reporting, analytics and personalisation of marketing activity | 12 months | 5 years |
8 | Marketing Data | Eg Preferences in receiving marketing and communications | To support marketing activity | 12 months | 3 years |
9 | Instore Data | Eg products purchased, amount spent, payment information | To support transactional queries, customer and product reporting & analytics | 12 months | 7 years |
You can accept or decline 'cookies' by modifying the setting in your browser. Please note that if you disable 'cookies' you may not be able to use all the features of our Website.
You have the following rights in relation to the personal information that we hold about you:
We reserve the right to revise this privacy policy or any part of it from time to time. Please review the privacy policy periodically for changes. This privacy policy was last updated on 22nd May 2018.
Unless stated otherwise, our current privacy policy applies from time to time to all information that we have about you.
It is important that the personal information we hold about you is accurate and up-to-date. Please keep us informed of any changes to your personal information.
If you have any questions or concerns about this privacy policy, would like further details on any of the information contained in this notice, or to exercise any of your legal rights please contact us by email at marketing@fortnumandmason.co.uk
Whilst we would appreciate the opportunity to deal with your concerns before you do so, if you are unhappy with how we have used your personal information you have the right to lodge a complaint at any time with a supervisory authority. The supervisory authority in the UK is the Information Commissioner’s Office (ICO).