Penelopetom Direct (“We”) are committed to protecting and respecting your privacy.
This policy (together with our Terms and Conditions and any other documents referred to on it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. By visiting Penelopetom.co.uk (“our site”) you are accepting and consenting to the practices described in this policy.
For the purpose of the General Data Protection Regulation 2016 (the Act), the data controller is Penelopetom Direct Ltd of 30 Fore Street, Totnes, Devon, TQ9 5RP with company number 08671135.

When do we collect your personal data?

  • When you ask to open an account with us or create an online account.
  • When you make an online purchase and use your account to buy products and services on the phone or online.
  • When you make an online purchase and check out as a guest.
  • When you make a purchase in store or by phone but don’t have (or don’t use) an account and require the goods to be delivered or ordered.
  • When you engage with us on social media.
  • When you contact us regarding a query or complaint etc.
  • If we email or post you information about a product.
  • When you enter prize draws or competitions.
  • When you comment on or review our products and services.
  • When you fill in any forms. For example, if an accident happens in store, a staff member may collect your personal data.
  • When you use our car park and shops which have CCTV systems operating for the security of both customers and staff. These systems may record your image during your visit.

What sort of personal data do we collect?

  • If you have a web account with us: your name, billing/delivery address, orders and receipts, email and telephone number.
  • Information gathered by the use of cookies in your web browser. Please see our cookies policy for more information.
  • Online card payments, which are processed by a third party, WorldPay, in conjunction with HSBC bank.
  • Your comments and product reviews.
  • To deliver the best possible web experience, we collect technical information about your internet connection and browser as well as the country and telephone code of where your computer is located, the web pages viewed during your visit, the advertisements you clicked on, and any search terms you entered. This information can be found in our cookies policy.
  • Your social media username, if you interact with us through those channels, to help us respond to your comments, questions or feedback.

Here’s how we’ll use your personal data and why:

  • To process any orders that you make by using our website or in store. If we don’t collect your personal data during checkout, we won’t be able to process your order and comply with our legal obligations. We may need to pass your details to a third party to supply or deliver a product that you ordered. We keep your details for a reasonable period afterwards in order to be able to process your queries, refunds or guarantees.
  • To protect our customers, premises, assets and staff from crime, we operate CCTV systems in our store which record images for security. We do this on the basis of our legitimate business interests.
  • To process payments and to prevent fraudulent transactions. We do this on the basis of our legitimate business interests. This also helps to protect our customers from fraud.
  • If we discover any criminal activity or alleged criminal activity through fraud monitoring and suspicious transaction monitoring, we will process this data for the purposes of preventing or detecting unlawful acts. Our aim is to protect the individuals we interact with from criminal activities.
  • With your consent, we will use your personal data, preferences and details of your transactions to keep you informed by email, web, text and telephone about relevant products and services including special offers, discounts, promotions, events, competitions and so on.

You are free to opt out of hearing from us by any of these channels at any time.

  • To send you relevant, personalised communications by post in relation to updates, offers, services and products. We’ll do this on the basis of our legitimate business interest.

You are free to opt out of hearing from us by post at any time.

  • To send you communications required by law or which are necessary to inform you about our changes to the services we provide you. For example, updates to our Terms & Conditions, product recall notices, and legally required information relating to your orders. These service messages will not include any promotional content and do not require prior consent when sent by email or text message. If we do not use your personal data for these purposes, we would be unable to comply with our legal obligations.
  • On the basis of your consent to receive notifications from our website, we place cookies or similar technology on your device.

For example, we might display a list of items you’ve recently looked at or offer you recommendations based on your purchase history and any other data you’ve shared with us.

  • To administer any of our prize draws or competitions which you enter, based on your consent given at the time of entering.
  • To comply with our contractual or legal obligations to share data with law enforcement.

How we protect your personal data
We know how much data security matters to all our customers. With this in mind we will treat your data with the utmost care and take all appropriate steps to protect it.
We secure access to all transactional areas of our websites using ‘https’ technology.
Access to your personal data is password-protected, and sensitive data (such as payment card information) is secured by SSL encryption.
We regularly monitor our system for possible vulnerabilities and attacks, and we carry out penetration testing to identify ways to further strengthen security.

How long will we keep your personal data?

Whenever we collect or process your personal data, we’ll only keep it for as long as is necessary for the purpose for which it was collected.
At the end of that retention period, your data will either be deleted completely or anonymised, for example by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis and business planning.
Some examples of customer data retention periods:
Orders
When you place an order, we’ll keep the personal data you give us for five years so we can comply with our legal and contractual obligations.

Who do we share your personal data with?

We may share your personal data with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.
We sometimes share your personal data with trusted third parties, for example delivery couriers or one of our suppliers, to fulfil an order.
Here’s the policy we apply to those organisations to keep your data safe and protect your privacy:

  • We provide only the information they need to perform their specific services.
  • They may only use your data for the exact purposes we specify in our contract with them.
  • We work closely with them to ensure that your privacy is respected and protected at all times.
  • If we stop using their services, any of your data held by them will either be deleted or rendered anonymous.

Examples of the kind of third parties we work with are:

  • IT companies who support our website and other business systems.
  • Operational companies such as delivery couriers.
  • Direct marketing companies who help us manage our electronic communications with you.
  • Google/Facebook to show you products that might interest you while you’re browsing the internet. This is based on either your marketing consent or your acceptance of cookies on our websites. See our Cookies notice for details.

Sharing your data with third parties for their own purposes:

  • For fraud management, we may share information about fraudulent or potentially fraudulent activity in our premises or systems. This may include sharing data about individuals with law enforcement bodies.
  • We may also be required to disclose your personal data to the police or other enforcement, regulatory or Government body, in your country of origin or elsewhere, upon a valid request to do so. These requests are assessed on a case-by-case basis and take the privacy of our customers into consideration.
  • In the event that we sell or buy any business or assets, we may disclose your personal data to the prospective seller or buyer of such business or assets.
  • If Penelopetom Direct Ltd is acquired by a third party, personal data held by it about its customers will be one of the transferred assets.

What are your rights over your personal data?
An overview of your different rights
You have the right to request:

  • Access to the personal data we hold about you, free of charge in most cases.
  • The correction of your personal data when incorrect, out of date or incomplete.
  • That we stop using your personal data for direct marketing (either through specific channels, or all channels).
  • That we stop any consent-based processing of your personal data after you withdraw that consent.

You have the right to request a copy of any information about you that Penelopetom holds at any time, and also to have that information corrected if it is inaccurate. To ask for your information, please contact the Data Protection Officer, Penelopetom Direct, Unit 5G, South Hams Business Park, Kingsbridge or email shop@penelopetom.com for the attention of the Data Protection Officer. To ask for your information to be amended, please update your online account, or contact our Customer Services team.

If we choose not to action your request we will explain to you the reasons for our refusal.
Your right to withdraw consent
Whenever you have given us your consent to use your personal data, you have the right to change your mind at any time and withdraw that consent.
Where we rely on our legitimate interest
In cases where we are processing your personal data on the basis of our legitimate interest, you can ask us to stop for reasons connected to your individual situation. We must then do so unless we believe we have a legitimate overriding reason to continue processing your personal data.

Direct marketing
You have the right to stop the use of your personal data for direct marketing activity through all channels, or selected channels. We must always comply with your request.
Checking your identity
To protect the confidentiality of your information, we will ask you to verify your identity before proceeding with any request you make under this Privacy Notice. If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to act.
How can you stop the use of your personal data for direct marketing?
You can stop direct marketing communications from us:

  • Click the ‘unsubscribe’ link in any email communication that we send you. We will then stop any further emails from that particular division.
  • Write to Data Protection Officer, Penelopetom Direct, Unit 5G, South Hams Business Park, Kingsbridge, Devon, TQ7 3QH

Please note that you may continue to receive communications for a short period after changing your preferences while our systems are fully updated.

Our site may, from time to time, contain links to and from the websites of our partner advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.