Privacy and Cookie Policy

Our privacy policy explains how and why we collect, store, use and share personal information. It also explains your rights in relation to your personal information that we collect, store, use and share.

What is personal information?

“Personal information” is any information relating to an identified or identifiable individual.

“Special category personal information” is personal information revealing racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs or trade union membership, genetic and biometric data, or data concerning health, sex life or sexual orientation.

Who we are

“We”, “us”, “our” refers to Cards Direct Retail Ltd, 3 Horizon Point, Swallowdale Lane, Hemel Hempstead, HP2 7FZ, UK. When we collect, store and use personal information we are subject to the General Data Protection Regulation as the controller of that personal information.

Personal information we collect

We may collect and use the following personal information:

  • Your name and contact information, including email address and telephone number and company details;
  • Information to enable us to check and verify your identity;
  • Your billing information, transaction and payment card information;
  • Information to enable us to undertake credit or other financial checks on you;
  • Your gender information
  • Location data

Personal information is required to provide products and/or services to you. If you do not provide personal information we ask for, it may delay or prevent us from being able to do so.

How we collection personal information

We will collect personal information directly from you in person, by telephone, text or e-mail and/or via our website / apps.

We may also collect information from publicly accessible sources; or directly from a third party; or from a third party with your consent; from cookies on our website; See our cookies policy on our website; via our IT systems, for example from door entry systems and reception logs; automated monitoring of our websites and other technical systems, such as our computer networks and connections, CCTV and access control systems, communications systems, email and instant messaging systems;

How we use personal information

Under data protection law, we can only use your personal information if we have a lawful reason for doing so. This can be:

  • To comply with our legal and regulatory obligations;
  • For the performance of our contract with you or to take steps at your request before entering into a contract;
  • For our legitimate interests or those of a third party. A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests; or
  • Where you have given consent.

Our lawful reasons for using personal information

  • To provide you with products and/or services;
  • To prevent and detect fraud against you or us;
  • Conducting checks to identify our customers and verify their identity;
  • Other processing necessary to comply with professional, legal and regulatory obligations that apply to our business;
  • Gathering and providing information required by or relating to audits, enquiries or investigations by regulatory bodies
  • Ensuring business policies are adhered to, for example, policies covering security and internet use;
  • Operational reasons, such as improving efficiency, training and quality control;
  • Ensuring the confidentiality of commercially sensitive information;
  • Statistical analysis to help us manage our business;
  • Preventing unauthorised access and modifications to systems;
  • Updating customer records;
  • Statutory returns;
  • Ensuring safe working practices, staff administration and assessments;
  • Marketing our services and those of third parties to existing and former customers; third parties who have previously expressed an interest in our services; third parties with whom we have had no previous dealings;
  • Credit reference checks via external credit reference agencies.

Use of special category personal information

The reasons listed above do not apply to special category personal information, which we will only process with your explicit consent.

Marketing or promotional communications

We may use your personal information to send you updates (by e-mail, text message, telephone or post) about our products and/or services.

We have a legitimate interest in processing your personal information for marketing or promotional purposes, so we usually do not need your consent. However, where consent is needed, we will ask for consent separately and clearly.

You have the right to opt out of receiving marketing or promotional communications from us at any time.

We may ask you to confirm or update your marketing preferences if you instruct us to provide further products and/or services in the future, or if there are changes in the law, regulation, or the structure of our business.

How we share personal information

We will share personal information with:

  • Other companies within the Cards Direct Retail Ltd group;
  • Third parties we use to help deliver our products and/or services to you, such as payment service providers, warehouses and delivery companies;
  • Other third parties we use to help us run our business;
  • Third parties approved by you, such as social media sites you choose to link your account to or third party payment providers;
  • Credit reference agencies;
  • Our insurers and brokers;
  • Our banks;

We only allow our service providers to handle your personal information if we are satisfied they take appropriate measures to protect your personal information. We also impose contractual obligations on service providers relating to ensure they can only use your personal information to provide services to us and to you. We may disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations.

Where we store personal information

Information may be kept at our offices, and those of our group companies, third party agencies, service providers, representatives and agents.

Some of these third parties may be based outside the European Economic Area.

How long we retain personal information

We will retain your personal information while we are providing products and/or services to you.

After that, we will keep your personal information for as long as is necessary to respond to any questions, complaints or claims made by you or on your behalf; to show that we treated you fairly, and to keep records required by law.

We will not retain your personal information for longer than necessary for the purposes set out in this policy.

Transfer of personal information out of the EEA

We may share your personal information outside the European Economic Area (EEA). These transfers are subject to special rules under data protection law. We may transfer personal information to countries which do not have the same level of data protection laws as the UK and the EEA. We will, however, ensure the transfer complies with data protection law and that all personal information will be secure by putting in place the appropriate security measures, safeguards, and data protection contract clauses required.

Your rights under data protection law

You have the following rights under data protection law:

  • The right to be provided with a copy of your personal information (the right of access);
  • The right to require us to correct any mistakes in your personal information;
  • The right to require us to delete your personal information in certain circumstances;
  • The right to require us to restrict processing of your personal information in certain circumstances;
  • The right to receive the personal information you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party in certain circumstances;
  • The right to object at any time to your personal information being processed for direct marketing (including profiling); and in certain other situations to our continued processing of your personal information;
  • The right not to be subject to automated individual decision-making.

If you would like to exercise any of your rights, please contact us.

How we keep personal information secure

We have appropriate security measures to prevent personal information from being lost or used or accessed unlawfully. Only those who have a genuine business need to access personal information can see it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality. We also have procedures to deal with a suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

How to contact us

If you have any questions or concerns about use of personal information, please contact us on 01442 205658 or by email at admin@cardsdirect.co.uk

How to make a complaint

We hope that we will be able to resolve any questions or concerns you may have about use of your information.

The supervisory authority for data protection complaints in the UK is the Information Commissioner who may be contacted at their website: https://ico.org/concerns, or by telephone on 0303 123 1113.

Data Processing Agreement

1. Processing of personal data

Definitions

“Controller”, “Data Subject”, “Personal Data”, “Processor” and “processing” shall have the respective meanings given to them in applicable Data Protection Laws from time to time (and related expressions, including “process”, “processing”, “processed”, and “processes” shall be construed accordingly) and “international organisation” and “Personal Data Breach” shall have the respective meanings given to them in the GDPR;

“Data Protection Laws” means any applicable law relating to the processing, privacy and use of Personal Data, including the General Data Protection Regulation (EU) 2016/679 (GDPR);

“Protected Data” means Personal Data received from or on behalf of the Customer, or otherwise obtained in connection with the performance of the Supplier’s obligations under this Agreement;

“Sub-Processor” means any agent, subcontractor or other third party engaged by the Supplier (or by any other Sub-Processor) for carrying out any processing activities in respect of the Protected Data;

“Supervisory authority” means any regulator, authority or body responsible for administering Data Protection Laws.

Compliance with Data Protection Laws

The parties agree that the Customer is a Controller and that the Supplier is a Processor for the purposes of processing Protected Data under this Agreement. The Supplier will, and will ensure its Sub-Processors and each of the Supplier Personnel will, at all times comply with all Data Protection Laws in connection with the processing of Protected Data and the provision of the Services. Nothing in this Agreement relieves the Supplier of any responsibilities or liabilities under Data Protection Laws.

The Supplier will indemnify and keep indemnified the Customer against: all losses, claims, damages, liabilities, fines, interest, penalties, costs, charges, sanctions, expenses, compensation paid to Data Subjects (including compensation to protect goodwill and ex gratia payments), demands and legal and other professional costs (calculated on a full indemnity basis and in each case whether or not arising from any investigation by, or imposed by, a supervisory authority) arising out of or in connection with any breach by the Supplier of its obligations under this agreement; and all amounts paid or payable by the Customer to a third party which would not have been paid or payable if the Supplier’s breach of this agreement had not occurred.

Instructions

The Supplier will only process (and shall ensure Supplier Personnel only process) the Protected Data in accordance with the Schedule, this Agreement and the Customer’s written instructions from time to time except where otherwise required by applicable law (and in such a case shall inform the Customer of that legal requirement before processing, unless applicable law prevents it doing so on important grounds of public interest). The Supplier will immediately inform the Customer if any instruction relating to the Protected Data infringes or may infringe any Data Protection Law.

Security

The Supplier will at all times implement and maintain appropriate technical and organisational measures to protect Protected Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access. Such technical and organisational measures shall be at least equivalent to the technical and organisational measures set out in The Schedule and shall reflect the nature of the Protected Data.

Sub-processing and personnel

The Supplier will:

not permit any processing of Protected Data by any agent, subcontractor or other third party (except its own employees that are subject to an enforceable obligation of confidence with regards to the Protected Data) without the prior specific written authorisation of that Sub-Processor by the Customer and only then subject to such conditions as the Customer may require;

ensure that access to Protected Data is limited to the authorised persons who need access to it to supply the Services;

prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, appoint each Sub-Processor under a binding written contract containing the same obligations as under this agreement in respect of Protected Data that is enforceable by the Supplier and ensure each such Sub-Processor complies with all such obligations;

remain fully liable to the Customer under this Agreement for all the acts and omissions of each Sub-Processor and each of the Supplier Personnel as if they were its own; and

ensure that all persons authorised by the Supplier or any Sub-Processor to process Protected Data are reliable; adequately trained on compliance as applicable to the processing; informed of the confidential nature of the Protected Data and that they must not disclose Protected Data; subject to a binding and enforceable written contractual obligation to keep the Protected Data confidential; and provide relevant details and a copy of each agreement with a Sub-Processor to the Customer on request.

Assistance

The Supplier will (at its own cost and expense):

promptly provide such information and assistance (including by taking all appropriate technical and organisational measures) as the Customer may require in relation to the fulfilment of the Customer’s obligations to respond to requests for exercising the Data Subjects’ rights under Chapter III of the GDPR (and any similar obligations under applicable Data Protection Laws); and

provide such information, co-operation and other assistance to the Customer as the Customer reasonably requires (taking into account the nature of processing and the information available to the Supplier) to ensure compliance with the Customer’s obligations under Data Protection Laws, including with respect to: security of processing; data protection impact assessments; prior consultation with a supervisory authority regarding high risk processing; and any remedial action and/or notifications to be taken in response to any Personal Data Breach and/or any complaint or request relating to either party’s obligations under Data Protection Laws relevant to this Agreement, including (subject in each case to the Customer’s prior written authorisation) regarding any notification of the Personal Data Breach to supervisory authorities and/or communication to any affected Data Subjects.

The Supplier will (at no cost to the Customer) record and refer all requests and communications received from Data Subjects or any supervisory authority to the Customer which relate (or which may relate) to any Protected Data promptly (and in any event within three days of receipt) and shall not respond to any without the Customer’s express written approval and strictly in accordance with the Customer’s instructions unless and to the extent required by law.

International transfers

The Supplier shall not process and/or transfer, or otherwise directly or indirectly disclose, any Protected Data in or to countries outside the United Kingdom or to any international organisation without the prior written consent of the Customer (which may be refused or granted subject to such conditions as the Customer deems necessary).

Records and audit

The Supplier shall maintain complete, accurate and up to date written records of all categories of processing activities carried out on behalf of the Customer. Such records shall include all information necessary to demonstrate its and the Customer’s compliance with this agreement, the information referred to in Articles 30(1) and 30(2) of the GDPR and such other information as the Customer may reasonably require from time to time. The Supplier shall make copies of such records available to the Customer promptly on request from time to time.

The Supplier will (and will ensure all Sub-Processors will) promptly make available to the Customer (at the Supplier’s cost) such information as is reasonably required to demonstrate the Supplier’s and the Customer’s compliance with their respective obligations under this agreement and the Data Protection Laws, and allow for, permit and contribute to audits, including inspections, by the Customer (or another auditor mandated by the Customer ) for this purpose at the Customer’s request from time to time. The Supplier shall provide access to all relevant premises, systems, personnel and records during normal business hours for the purposes of each such audit or inspection upon reasonable prior notice and provide and procure all further reasonable co-operation, access and assistance in relation to any such audit or inspection.

Breach

The Supplier will promptly (and in any event within 24 hours):

notify the Customer if it (or any of its Sub-Processors or the Supplier Personnel) suspects or becomes aware of any suspected, actual or threatened occurrence of any Personal Data Breach in respect of any Protected Data; and

provide all information as the Customer requires to report the circumstances of any suspected, actual or threatened occurrence of any Personal Data Breach in respect of any Protected Data to a supervisory authority and to notify affected Data Subjects under Data Protection Laws.

Data deletion/return

The Supplier will (and will ensure that each of the Sub-Processors and Supplier Personnel will) immediately, at the Customer’s written request, either securely delete or securely return all the Protected Data to the Customer in such form as the Customer reasonably requests after the earlier of: the end of the provision of the relevant Services related to processing of such Protected Data; or

once processing by the Supplier of any Protected Data is no longer required for the purpose of the Supplier’s performance of its relevant obligations under this Agreement, and securely delete existing copies (except to the extent that storage of any such data is required by applicable law and, if so, the Supplier shall inform the Customer of any such requirement).

This agreement shall survive termination or expiry of this Agreement.

Cost

The Supplier shall perform all its obligations under this agreement at no cost to the Customer.

The Schedule

Data Protection

Part A

Data Processing Details

Processing of the Protected Data by the Supplier under this Agreement will be as set out in this Schedule Part A.

Subject-matter of processing:

Customer or supplier information

Duration of the processing:

We will retain your personal information while we are providing products and/or services to you.

After that, we will keep your personal information for as long as is necessary to respond to any questions, complaints or claims made by you or on your behalf; to show that we treated you fairly, and to keep records required by law.

We will not retain your personal information for longer than necessary for the purposes set out in this policy.

Nature and purpose of the processing:

In order to carry out business or provide / receive products and/or services to / from you

Type of Personal Data:

Personal data exchanged between the parties will be limited to contact details of personnel employed by the parties. This will typically consist of name, work address, email address, telephone number, mobile number.

Part B

Minimum technical and organisational security measures

The Supplier will implement and maintain at least the following technical and organisational security measures to protect the Protected Data:

In accordance with the Data Protection Laws, taking into account the costs of implementation and the nature, scope, context and purposes of the processing of the Protected Data to be carried out under or in connection with this Agreement, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons and the risks that are presented by the processing, especially from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Protected Data transmitted, stored or otherwise processed, the Supplier shall implement appropriate technical and organisational security measures appropriate to the risk, including as appropriate those matters mentioned in Articles 32(1)(a) to 32(1)(d) (inclusive) of the GDPR.

Cookies Policy

We use cookies to help us to provide you with a good experience when you visit our website and for analytics to monitor traffic to our website.

What are cookies

A cookie is a small text file which is stored on your device – computer, tablet or phone – when you visit a website.

How we use cookies

We use cookies for:

Analytics to help us to improve our website and find out about the traffic it receives. We use Google Analytics to do this. You can find out more about how this works and see Google’s privacy policy here: https://www.google.com/intl/en/policies/privacy/. You can also opt-out of Google Analytics here: https://tools.google.com/dlpage/gaoptout.

For e-commerce – cookies are required to allow our shopping cart and payment system to operate. If you do not accept cookies or block them you will not be able to make purchases from our website.

When you visit our website for the first time a message will appear seeking your consent to the use of cookies. By clicking the “Accept” button you will signal your consent to the placing of cookies on your device.

Controlling Cookies

If you wish to restrict, block or delete the cookies which are set by any websites, you can generally do this through your browser settings.

If you set your internet browser preferences to block all cookies, you may not be able to access all or parts of our site or make purchases from our store.

If you delete cookies relating to this website we will not remember things about you, including your cookie preferences, and you will be treated as a first-time visitor the next time you visit the site.

Who to contact

If you have any questions or comments regarding this policy, please contact us

We would like to send you information about offers, promotions, new products or/and services by email, text message and by telephone.

We are committed to protecting your privacy and fully aware of our obligations under data protection law. We will not sell or share your personal details with other businesses or organisations outside Cards Direct Retail Ltd for marketing purposes. For more information, see our Privacy Policy.

You can ask us to stop contacting you at any time by contacting us or using the unsubscribe link in emails.