
Privacy Policy V5.0

Updated May 2022

1 Introduction

MandM Direct Limited is one of the UK's largest online off-price retailers. We've been trading for over 30 years, selling the world's biggest brands direct to our customers at savings of up to 75% off RRP.

At MandM Direct, we're committed to protecting and respecting people's privacy. Therefore, all Personal Data about our customers that we, as Data Controller, collect in the course of providing our services, is treated in the strictest confidence, and managed solely in line with this Privacy Policy.

If you have any comments or concerns regarding our use of your Personal Data, please contact our Data Protection Officer:

  • by email at privacy@mandmdirect.com
  • by post at Data Protection Officer, MandM Direct, Clinton Road, Leominster, Herefordshire HR6 0SP, United Kingdom.

Customers outside the UK may prefer to contact our EU Representative at privacy.heartland@heartland.co. Based in Denmark, our EU Representative also acts as a point of contact for supervisory authorities across Europe.

2 What information do we collect about you, and when?

We'll collect information about you when you:

  • browse this website (for more information about cookies operating on this website, and to choose which you are happy to accept, please see our Cookie List page)
  • place a product order on this website
  • create an MandM Direct customer account ("MyAccount") using this website (NB you must be aged 16 or over to create a MyAccount)
  • contact us by phone, email or social media
  • enter a competition, promotion or survey organised by us
  • subscribe to our marketing communications

The information that we'll collect from you in these circumstances will contain your "Personal Data". This is data by which you can be identified and which therefore includes your name, home address and email.

Via this website, we'll also take your credit card details if you make a purchase: however, we don't save these details on any of our systems. Indeed, we undergo a rigorous annual assessment to validate that our processes for managing credit card data are safe and secure, and to this extent, we are fully accredited.

Equally, we'll never ask for any Special Category Data about you (i.e. sensitive information about your ethnicity, religion, health etc).

3 How will we use that information?

We'll use your Personal Data only for the purposes listed in the table below. This table also explains:

  • the lawful basis for processing your Personal Data, linked to each purpose
  • in what circumstances your Personal Data will be shared with a trusted third-party organisation
  • for how long we'll keep your Personal Data.

Please note that data collected by cookies is not described below, but is explained in our Cookie List page.

Note on third-party organisations

In circumstances where we do share your Personal Data with a trusted third-party organisation, we always apply the following rules:

  • we only ever provide the minimum amount of data that is absolutely necessary to them performing their specific services
  • we will always have a comprehensive contract and data processing agreement in place, so that the third-party organisation understands what they can, and cannot, do with your Personal Data, and to give us assurance that they understand their legal obligations to keep the data safe and secure
  • we never allow any third-party organisation, however trusted, to use your Personal Data for their own purposes
  • throughout the time we work with each third-party organisation, we will continue to monitor their performance in order to ensure that all contractual requirements are met, and that our customers' privacy is respected and protected at all times
  • if we stop using their services, all Personal Data held by them is securely destroyed or returned to us.

When you make a purchase

Purpose for processing Personal Data Lawful basis for processing Personal Data Third-party organisations with whom Personal Data is shared Personal Data retention period
To fulfil purchases which you may make via this website To meet the requirements of contract law

Customers' Personal Data may be processed by the following:

  • Google, who provides hosting services, and who supports our internal IT infrastructure including our customer databases
  • Qubit and Personify, who enable us to display personalised information to customers on our website
  • Partnerize who supports tracking on our website
  • GBG, who provides postcode look-up services.
6 years after a customer's last transaction
To despatch goods that you have ordered from us To meet the requirements of contract law

Customers' Personal Data will be stored in Manhattan, which is our Warehouse Management System.

We then use Evri (formerly Hermes) and DPD to deliver parcels to our customers (NB Evri and DPD will also use your Personal Data to keep you up-to-date with information regarding your delivery).

6 years after a customer's last transaction
To process customer requests for finance (please note that this includes data processing for the purposes of fraud prevention) Customers will provide informed consent before their data is processed for the purposes of a finance application

Data will be captured by one of our lending partners, dependent upon customer choice and selection. The relevant partner will then act as an independent Data Controller.

Currently, our lending partners are:

  • PayPal (Europe) S.à r.l. et Cie
  • Klarna Bank AB
  • Clearpay
6 years following expiry of the finance agreement
To process credit / debit card payments, and inform you if there are any issues To meet the requirements of contract law For payments online, data will be shared with Adyen, our payment gateway provider. In processing this data, customer details will also be automatically checked for fraud prevention purposes We do not keep credit / debit card data: however, anonymised token data is kept for 6 years
To keep you informed about the progress of your order, or advise you about relevant order or account information (i.e. despatch updates, confirmation of password change, items left in your basket etc) To meet the requirements of contract law

Customers' Personal Data may be processed by the following:

  • Google, who provides hosting services, and who supports our internal IT infrastructure including our customer databases;
  • Bloomreach and RedEye who help us send emails
6 years after a customer's last transaction
To fulfil customer requests for returns To meet the requirements of contract law

We use ZigZag Global to enable customers to return parcels to us.

This is supported by our courier partners, Evri and DPD

Data is kept for 90 days unless a return is made, in which case data is kept for 7 years

After-sales data processing

Purpose for processing Personal Data Lawful basis for processing Personal Data Third-party organisations with whom Personal Data is shared Personal Data retention period
To provide customer services support by telephone or email: this includes the recording of telephone calls for quality and monitoring purposes This is deemed legitimate, as it is in customers' interest that we can access their data in order to resolve any queries, questions, concerns or complaints

Customer data is held within our Google infrastructure

Our telephony service is supported by IP Integration

6 years after a customer's last transaction

However, telephone call recordings will be kept for no more than 60 days

To send emails asking you to submit a product review This is deemed legitimate, as it enables you to provide feedback and information on the best products and services for the benefit of other customers

Emails are sent on our behalf by Bloomreach and RedEye

However, please note that customer data will only be shared with our partners at Trustpilot if a customer chooses to submit a review, and thus consents to the data exchange

6 years after a customer's last transaction

Data held by Trustpilot will be kept for 3 years

To collate social media communications This is deemed legitimate, as it allows us to be able to acknowledge and respond effectively to customer enquiries Social media messages are held in a platform managed by Falcon Data is retained for 15 months

Data processing for online services

| Purpose for processing Personal Data | Lawful basis for processing Personal Data | Third-party organisations with whom Personal Data is shared | Personal Data retention period |
| --- | --- | --- | --- |
| To enable you to set up an online account | This is deemed legitimate, as it is customers' choice to set up an account | Data will be processed by Google, who supports our internal IT infrastructure including customer databases | 6 years after a customer's last transaction |
| To deliver Push Notifications to users of our website | Users consent to Push Notifications via a bespoke pop-up message when they first access the site | Data is processed by Bloomreach, who facilitates the delivery of Push Notifications | 6 years after a customer's last transaction |

Data processing for marketing

Purpose for processing Personal Data Lawful basis for processing Personal Data Third-party organisations with whom Personal Data is shared Personal Data retention period
To send you emails with information about special offers and promotions. In some cases, the content of the email will be based on your previous interactions with us: this is described more fully in section 6.8 below This is deemed legitimate, as: (i) you provided the data directly to us, (ii) we are only sending you information about similar products, (iii) you can opt-out on our website, (iv) you can opt-out using any marketing email

Emails are sent on our behalf by Bloomreach and RedEye.

Additionally, we use Validity to validate that email addresses are correct and up-to-date

6 years after a customer's last transaction
To send you emails where you have specifically requested these via our website or a third party sign-up Consent Emails are sent on our behalf by Bloomreach and RedEye. Additionally, we use Validity to validate that email addresses are correct and up-to-date 6 years after a customer's last transaction
To deliver advertising across social media and other online platforms (e.g. Google, Facebook) Customers consent to these communications through the specific platforms. Additionally, only anonymised data is shared Anonymised data only will be shared with various advertising partners 6 years after a customer's last transaction

Other data processing

| Purpose for processing Personal Data | Lawful basis for processing Personal Data | Third-party organisations with whom Personal Data is shared | Personal Data retention period |
| --- | --- | --- | --- |
| To process competition entries and inform winners | Customers give consent when they submit competition entries | Data will be processed by Google, who supports our internal IT infrastructure including customer databases (NB where a competition is run by a third-party, any data sharing with us will be made clear in the corresponding terms & conditions) | 6 years after a customer's last transaction |
| To match data that we hold in order to gain better insight about our customers both individually and at aggregate level | Customers consent to this processing by way of the cookies preference centre | Data will be processed by Google, who supports our internal IT infrastructure including customer databases | 6 years after a customer's last transaction |

4 Overseas transfers

Your Personal Data is processed in the UK and/or European Economic Area ("EEA") only, except where it is processed by the following third-party organisations for the purposes described in section 3 above:

| Organisation name | Purpose for the overseas transfer | Areas where the data is processed |
| --- | --- | --- |
| Falcon | To enable us to manage social media enquiries | USA |
| IP Integration | Supporting our telephony services | India |
| Partnerize | To support website tracking | Australia, Japan, USA, Singapore |
| Qubit | To enable website personalisation | Ghana, USA |

Should it be necessary to transfer your Personal Data outside the UK or EEA, we will ensure a similar degree of protection by applying appropriate safeguards in order to safeguard the data against unauthorised access, disclosure, alteration or destruction.

5 Data privacy and security

All Personal Data that you provide to us will be stored on our secure servers which are located within either the United Kingdom or the EEA.

Information security is extremely important to us, and therefore we observe the following safeguards as a minimum:

  • network security: we deploy security and monitoring tools that restrict access and alert us to any unauthorised behaviour on our network and systems;
  • data transfers: all data transfers are carried out using multi-layered security measures to ensure data integrity and privacy;
  • firewalls and encryption: we apply industry-standard firewall protection and use up-to-date encryption technology that has not been compromised
  • auditing and testing: we carry out regular penetration testing and employ ethical hackers to ensure our infrastructure is secure and that any intrusion would be quickly detected
  • building entry controls: our premises and those of our partners are fully access controlled and monitored, with on-site security and CCTV traceability
  • access and control: we maintain strictly controlled access to systems and data based on the authorised roles of staff
  • training: we ensure our employees are trained in the importance of data security
  • breach notification: in the highly unlikely event we suffer a data security breach, we will notify the relevant regulator and you where we are required to do so

6 Your rights

6.1 Right to be informed

This Privacy Statement, together with our Cookies Policy, fulfils our obligation to tell you about the ways in which we use your Personal Data as a result of you using this website.

6.2 Right to access

You have the right to ask us, in writing, for a copy of any Personal Data that we hold about you. This is known as a "Subject Access Request". Except in exceptional circumstances (which we would discuss and agree with you in advance), you can obtain this information at no cost. We will send you a copy of the information within 30 days of your request.

To make a Subject Access Request, please contact our Data Protection Officer by email at privacy@mandmdirect.com or by post at Data Protection Officer, MandM Direct, Clinton Road, Leominster, Herefordshire HR6 0SP, United Kingdom.

6.3 Right to rectification

If any of the Personal Data we hold about you is inaccurate, you can either:

  • visit the "MyAccount" section of the website where you can make changes to some of the information that we hold about you; or
  • contact our Data Protection Officer at privacy@mandmdirect.com. Any corrections that you request will be made as soon as possible, and certainly no later than 30 days following your notification.

6.4 Right to be forgotten

You can ask that we erase all Personal Data that we hold about you. Where it is appropriate that we comply, your request will be fully actioned within 30 days. For further information, please contact our Data Protection Officer at privacy@mandmdirect.com.

6.5 Right to object

You have the right to object to:

  • the continued use of your Personal Data for any purpose listed in section 3 of this Privacy Statement for which consent is identified as the lawful basis of processing (i.e. you have the right to withdraw your consent at any time); or
  • the continued use of your Personal Data for any purpose listed in section 3 of this Privacy Statement for which the lawful basis of processing is that it has been deemed legitimate.

For further information, please contact our Data Protection Officer at privacy@mandmdirect.com.

Please note that you can also exercise your right to object to our use of cookies by following the guidance in our Cookie List page.

6.6 Right to restrict processing

If you wish us to restrict the use of your Personal Data because (i) you think it is inaccurate but this will take time to validate, (ii) you believe our data processing is unlawful but you do not want your data erased, (iii) you want us to retain your Personal Data in order to establish, exercise or defend a legal claim, or (iv) you wish to object to the processing of your Personal Data, but we have yet to determine whether this is appropriate, please contact our Data Protection Officer at privacy@mandmdirect.com.

6.7 Right to data portability

If you would like us to move, copy or transfer the Personal Data that we hold about you to another organisation, please contact our Data Protection Officer at privacy@mandmdirect.com.

Please be advised that this only applies to certain data which has been submitted by you electronically for specific purposes only. Our Data Protection Officer can provide further advice.

6.8 Rights related to automated decision-making

In order that we can understand your preferences - and therefore send you emails that'll show products that we hope will be of particular relevance and interest to you - we use automation to review the information that you've provided to us, and your purchasing history and engagement with us. This is permitted under data protection laws as these processes cannot significantly harm you i.e. they won't lead to discrimination or affect your legal rights. However, if you don't want us to use automated processing, you can either object to the processing of your Personal Data (see section 6.5 above), or ask us to delete all your Personal Data (see section 6.4 above).

7 Disclaimers

Unfortunately, the transmission of information via the internet is not completely secure. Therefore, although we'll make every effort to protect your Personal Data at all times, we cannot absolutely guarantee the security of any data sent to our website: as such, any transmission is at your own risk. However, once we've received your Personal Data, we'll employ stringent security procedures aimed at preventing unauthorised access (see section 5 above).

Every effort is made to ensure that the information on this website, and in this Privacy Statement, is accurate and up-to-date, but no legal responsibility is accepted for any errors or omissions contained herein.

We cannot accept liability for the use made by you of the information on this website or in this Privacy Statement, nor do we warrant that the supply of the information will be uninterrupted. All material accessed or downloaded from this website is obtained at your own risk. It is your responsibility to use appropriate anti-virus software.

This Privacy Statement applies solely to the data collected by us, and therefore does not also apply to data collected by third-party websites and services that are not under our control. Furthermore, we cannot be held responsible for the Privacy Statements on third-party websites, and we advise users to read these carefully before registering any Personal Data.

8 General

Questions and comments regarding this Privacy Statement are welcomed, and should be sent to our Data Protection Officer at privacy@mandmdirect.com.

You can also contact our Data Protection Officer if you have any concerns or complaints about the ways in which your Personal Data has been handled as a result of you using this website.

Alternatively, you have the right to lodge a complaint with the Information Commissioner's Office ("ICO") who may be contacted at Wycliffe House, Water Lane, Wilmslow SK9 5AF or ico.org.uk (for details on how your data will be managed by the ICO, please refer to ico.org.uk/global/privacy-notice).
