Who we are

Carphone Warehouse, a trading name under Currys Retail Limited (referred to using “CPW”, “we”, “us”, “our” or the “Company”) is a company registered in England and Wales (Company registration number: 2142673) and is part of the Currys group of companies (“Currys Group”). Currys Group is a leading omnichannel retailer of technology products and services, operating through online and 830 stores in 8 countries. We help everyone enjoy amazing technology, however they choose to shop with us.

 

 

Information We Collect

 

 

We collect personal information about you when you visit one of our stores or use our websites, or if you communicate with us by phone, e-mail and social media. We refer to our websites and Apps collectively as “Online Services”.

 

The types of personal information we collect include:

 

    • Personal details such as your name, address, date of birth, email address, phone number and other contact information
    • Transaction information, such as the product you purchased, its price, your method of payment and your payment details, which are anonymised as per Payment Card Industry Security Standards (PCI DSS).
    • Information about you, like your employment details, financial position and information taken from identification documents, like your passport or driving licence, when we review your application for insurance or loans offered by selected third parties and partners.
    • Your account information, such as dates of payments owed and received, the subscription services you use or any other information related to your account.

When you’re online the information we collect includes:

 

    • Personal information you provide when you buy our products and services online, and details of your shopping preferences, such as your favourite brands and products, as well as which of our stores you prefer to shop in.
    • Details of your visits to the website, in-store W-IFI or App, and the resources that you access. Examples include ads that you click, device information and your location.
    • IP address, type of device you are browsing from and cookie information.

 

More information is available in our Cookie Policy

 

The situations when you provide personal information could include when you:

 

    • Purchase products at our stores or through our contact centre.
    • Register or use our Online Services.
    • Request to receive marketing or other communications.
    • Use our Wi-Fi networks or other in-store tech.
    • Enter one of our competitions or when you complete one of our customer surveys.
    • Submit information when you’re providing feedback or making an enquiry.
    • Use interactive features of our Online Services.

 

How we use your Information

 

Data protection law sets out a number of different reasons for which a company may collect and process your personal information. These are:

 

    • Where we have entered into a contract with you;
    • Where we have your consent;
    • Where we are legally obligated to;
    • Where we have determined a legitimate interest that does not impact your rights and freedoms; and
    • Where it is in your vital interests.

 

The table below provided examples of when we might rely on these lawful reasons:

 

Contract

• We use your personal information to process your orders and payments or to give you a refund, as well as complete Trade In’s and cashback offers
• We also enter into a contract with you when you use one of our services, such as insurance, or to facilitate an agreement between you and mobile network partners, such as iD Mobile or Vodafone, when you enter into a contract with them whilst making a purchase with us.

 

Consent

• We use email and text messages to communicate with you about our products and services, competitions, offers, promotions or special events. For example:
        • To provide a free mobile phone upgrade reminder service
        • To send you a renewal notice
        • To communicate with you about our third-party partners that we believe may interest you
• To personalise your experience on our Online Services. This could include providing you with interesting, relevant content, or making navigation to our websites easier (more information is available in our Cookie Policy).
• To enter you into competitions.
• To record if you have additional needs due to vulnerable circumstances or need extra support when communicating with us.

 

Legitimate Interest

• To provide customer support and to respond to, and communicate with you, about your requests.
• To contact you if we need to obtain or provide additional information in relation to your order or query.
• To check our records are right and to check every now and then that you’re happy and satisfied (e.g. customer surveys).
• For marketing activities (other than where we rely on your consent), such as marketing permissions captured during the course of a sale and personalising marketing messages through social media and other third party platforms;
• To send promotional material (e.g. renewals) to you in the post or inform you of our offers by telephone.
• To comply with a request from you in connection with the exercise of your rights (for example where you have asked us not to contact you for marketing purposes, we will keep a record of this on our suppression lists in order to be able to comply with your request).
• To send communications to you about your orders, purchases or accounts and bill you for using our products or services.
• To send you a reminder if you have added products to your online basket, but not completed the order.
• To ensure a smooth experience on our Online Services, including making sure our websites work correctly (more information is available in our Cookies Policy).
• To help us understand more about you as a customer, the products and services you use, the way you use them and how you shop across the company, so we can serve you better.
• Improve the content and appearance of the website(s), and to make sure that content is presented in the most effective manner for you.
• To operate, evaluate and improve our business, including the development of new products and services; to determine the effectiveness of our sales, marketing and advertising; and the analysis and improvement of our products, offers, promotions, and Online Services and other technologies.
• To show you relevant ads by using information collected from your devices, if you have provided your consent for such collection, including your searches, location, ads that you have seen and personal information that you have given us, such as your age range, gender and topics of interest. Dependant on your Ads Settings, this information informs the ads that you see across your devices. So if you visit our website on your computer at work, you might see ads about our products or services on your phone later that night.
• To facilitate an omnichannel journey to ensure that you can shop with us in any way that you choose. For example, when you make a purchase in store, this information will be available to our customer services colleagues in order to assist you with any related queries.
• Where you fail to repay what you owe us or return our property, we may need to trace your whereabouts (sometimes using a tracing Agent) in order to recover payment or reclaim property. This might be carried out by a third Party debt recovery agent on our behalf.
• To protect against, identify and prevent fraud and other criminal activity, claims and other liabilities.
• For network and information security in order for us to take steps to protect your information against loss or damage, theft or unauthorised access.
• To ensure the security and safety of our stores via CCTV.
• To send you claim details as part of fulfilling promotional offers if you have made a qualifying purchase.
• To help reduce the overall fraud and credit risk for our customers and ensure a duty of care for customers who apply for financial products and services.

 

Legal obligation

• To identify you when you contact us.
• To verify the accuracy of information that we hold about you.
• To assist HMRC and/or the Police and/or other regulatory bodies in relation to an investigation by a public authority.
• To complete any requests you make regarding your Data Subject Rights.
• For financial administration.
• Where necessary for health and safety purposes.
• To comply with our Financial Conduct Authority (FCA) obligations.

 

Vital interest

• We may need to contact you if there are any urgent safety or product recall notices or where we otherwise reasonably believe that the processing of your personal information will prevent or reduce any potential harm to you.

 

Where we process your information under Legitimate Interest, we will have assessed this processing and balanced it against your rights and freedoms.

 

 

More sensitive information

 

Under data protection law, some personal information is considered more sensitive, including information relating to a person’s racial origins, certain beliefs or health conditions. It can also include information relating to criminal activity.

 

We do not expect to handle any of your more sensitive information unless it becomes relevant in Our dealings with you or you volunteer the information. Examples of this might be where you have a vulnerability or health condition which is relevant to Our dealings with you; where you are involved in a medical emergency or accident; if the information is relevant to a legal dispute or complaint; or while addressing criminality impacting Our business. On the rare occasions we handle more sensitive information, we only do so as allowed by data protection law (for example, where we have your consent, to protect someone’s vital interests or to prevent or detect crime) or as required by law.

 

 

How we use your information to make automated decisions

 

We sometimes use systems to make automated decisions based on your personal information or the information we are allowed to collect from others about you or your business (for example where we perform credit or internal fraud checks). This helps us to make sure our decisions are quick, fair, efficient and correct, based on what we know. These automated decisions can affect the products, services or features we may offer you now or in the future, or the price that we charge you for them.

 

You have rights over automated decisions:

 

• Under certain circumstances, you can ask that we do not make our decision based on the automated score alone; and
• You can object to an automated decision and ask that a person reviews it.

 

If you want to know more about these rights, please contact us.

 

 

How we protect children and customers in vulnerable circumstances?

 

We understand the importance of protecting those that may be in vulnerable circumstances or who are children, especially when signing up for one of our FCA regulated products, such as applying for credit or insurance.

 

Children’s information

 

In line with FCA guidelines we do not allow under 18s to sign up for credit or insurance products. Our Online Services are aimed at adults, and we do not knowingly collect or expect to collect or store children’s information. In the event a child visits our website we ensure the highest privacy by design, including only collecting the minimum information that is necessary.

 

Customers in vulnerable circumstances

 

Occasionally, we may need to handle more sensitive information of customers with vulnerabilities or in vulnerable circumstances. This can include, for example, information about medical conditions or symptoms they have. We do this to assist our customers who have a need for additional support. We only collect the minimal amount of information required to achieve this, and only keep it for as long as reasonably necessary.

 

 

How we use information for analysis

 

We analyse customer and transactional information to understand customer attitudes and propensity to act in a certain way in the future. We use algorithms to group customers into segments based on their socio-demographics, frequency of their interaction with CPW, size and type of their purchases, and feedback they provide via surveys.

 

We analyse customer information to:

 

• Build new products and services or modify our services or store environment to better meet customers’ expectations.
• Design and deliver marketing campaigns, product and services recommendations that are relevant to you. This would be based on your past purchases, your online browsing behaviour or on what you have told us in surveys.
• Develop product assortments based on types of customers, their preferences and shopping behaviour.
• Develop commercial forecasts.
• If you have provided consent, personalise your experience on our website.

 

We may also carry out analytics activities on information which has been fully anonymised.

 

 

Digital advertising and personalisation

 

We advertise across all digital platforms with both targeted and non-targeted advertising. For targeted advertising, we may use information obtained through the use of cookies or similar technologies in your web browser to display ads to you, which you may see on other websites or digital platforms. We will seek your consent to deploy these kinds of cookies and similar technologies through our website cookies consent mechanism. More information is available in our Cookie Policy.

 

In order to ensure that appropriate ads are displayed, we work with partners and agencies to analyse and prepare the information, and measure the effectiveness of our advertising. See below the section on ‘Who we share your personal information with’. Where applicable, we or our advertising partners will combine this information with your transaction information and other information, such as your cookie consent instruction, and information from external or publicly available sources. By building a richer picture of your preferences in this way, we can make sure you see ads most relevant to you. We also use this information to ensure you do not receive unnecessary ads.

 

Our digital advertising includes advertising across social media platforms. The media owners we most commonly work with are Meta (which owns Facebook and Instagram) and Google (which owns YouTube). The individual privacy policies are linked for your information.

 

We will also use the information we have on existing customers for modelling purposes, to help identify potential new customers who may be interested in our products.

 

 

Who we share your personal information with

 

We share personal information within the Currys group of companies, which includes Currys, iD Mobile, e2save, and mobiles.co.uk. Members of the Currys Group that receive this information are not authorised to use or disclose the information except as provided in this Privacy Policy.

 

 

Our service providers

 

We work with partners, suppliers, insurers mobile networks and agencies so they can process your personal information on our behalf and only where they meet our standards on the processing of data and security. We only share information that helps them provide their services to us or to help them provide their services to you. For example, some of our service providers place advertising for us online, about our products and services and those of our retail partners, suppliers and third parties. As a result, where you have indicated you are happy to receive online marketing from us in our cookie preference centre, you might see online advertising that we or our partners have placed on the websites you visit, or the interactive services you use.

 

Our third-party service providers include:

 

• Mobile networks: When you apply for a new mobile contract we will complete a credit check before completing the transaction. Mobile networks also undertake their own credit checks, and we may not always reach the same conclusion. You can query any credit outcome as a result of a mobile contract purchase at any time, contact us. Please note we are not acting as a lender in respect of our credit checks. See ‘Credit Reference Agencies and insurance’ section below for more information.
• If you are upgrading with your existing network we will do an upgrade eligibility check with your network.
• Insurance Partners When you purchase an insurance product, and we will pass on your information to trusted third party partners responsible for those insurance products. We will continue to exchange your information with them while you have an active insurance product.
• We share you information with financial institutions to improve levels of service, reduce risk and provide due duty of care to you and other customers.
• Providers that we work with to deliver our marketing campaigns, and facilitate our competitions.
• Manufacturers of products sold to our customers for whom we carry out repairs.
• Companies which run our contact centres because they need your personal information to identify and contact you.
• Third party vendors who help us to manage and maintain the Currys Group IT infrastructure.
• Companies that provide insights and analytics services for us so we can stock the right products, send the right marketing campaigns and understand our business and customers better.
• Specialist providers of digital advertising and personalising content to provide customers with adverts tailored to them.
• Partners that support our services, such as where we need to arrange a specialist engineer visit.
• Companies that work on our behalf processing and sorting information, monitoring how customers use our website, issuing our emails for us and collecting product/customer feedback from you via surveys.

 

Where you have asked us to deliver your purchases either to the store (‘Click & Collect) or any other place, we will also share your address and contact details with our delivery partners likeDPD or Royal Mail, to ensure a successful delivery. These partners may contact you to provide periodic updates on your delivery.

 

 

Other organisations and individuals

 

We may transfer your personal information to other organisations in certain scenarios. For example:

 

• If required to by law, under any code of practice by which we are bound or we’re asked to do so by a public or regulatory authority such as the Police or the Department for Work and Pensions.
• To prevent and detect criminality impacting our business, we may voluntarily or on request share information with the Police or other crime organisations, such as the National Business Crime Solution (NBCS). NBCS is a non=profit initiative that works with the Police and business community to help tackle nosiness crime in the UK by gathering and sharing information.
• Information may also be shared with fraud prevention agencies to prevent fraudulent claims.
• If we need to do so in order to exercise or protect our legal rights, users, systems and services.
• With banks and insurance companies if you are a financial services (insurance or credit) customer.
• With mobile phone operators if you buy a phone contract through us.
• In response to requests from individuals (or their representatives) seeking to protect their legal rights or the rights of others.

 

 

Credit Reference Agencies and insurance

 

In order to process your mobile contract we’ll supply your personal information to credit reference agencies (“CRAs”) who will perform a credit check. Throughout your contract we will also share your payment history with them, and they will give us information about you. This will include information from your order and about your financial situation and financial history. CRAs will supply to us both public (including the electoral register) and shared credit, financial situation and financial history information, and fraud prevention information. We will use this information to:

 

    • Assess your creditworthiness and whether you can afford the contract.
    • Verify the accuracy of the data you have provided to us.
    • Prevent criminal activity, fraud and money laundering.
    • Trace and recover debts.

 

The identities of the CRAs, and the ways in which they use and share personal information, are explained in more detail at www.equifax.co.uk/crain

 

 

Sharing your information with mobile network providers

 

When you purchase a new mobile contract, and we complete our checks and complete the purchase for you, we will share your personal information with the relevant network provider, either iD Mobile or Vodafone. We will continue to share information with the mobile networks throughout the life of the contract.

 

 

International transfers of your personal information

 

We are a UK-based business and so your personal information will be handled by us in the UK. From time-to-time we may transfer your personal information (for example, to our suppliers, service providers or other companies within Currys Group) out of the UK for the purposes described in this Privacy Policy. Unless otherwise allowed by data protection law, where we transfer information to a country not recognised as having equivalent protections for information as the UK, we will put in place appropriate safeguards to ensure your information is protected in the same way as if it was being used in the UK. This can include putting in place contractual protections (known as standard contractual clauses) and other organisational or technical measures designed to safeguard information.

 

 

How long we keep your personal information

 

We will keep your personal information for as long as you’re a customer. If you haven’t made a purchase or engaged with us for 3 years or more, then we will remove you from our marketing mailing lists. After you stop being a customer, in most cases, we will keep your information for up to 7 years after the last time you interacted with us or if you have purchased insurance products up to 7 years from the end of the cover.

 

We may keep your information for longer than 7 years if we cannot delete it for legal, regulatory or technical reasons. We may also need keep it in order to help support product recalls or safety notices. If we do, we will make sure that your privacy is protected and only use it for those purposes.

 

We do not retain personal information in an identifiable format for longer than is necessary.

 

 

Your rights

 

The table below outlines the Data Protection Rights available to you:

 

Access to information held about you	You have the right to request what personal information we hold about you. This is sometimes called a 'Data Subject Access Request'. If we agree that we are obliged to provide personal information to you (or someone else on your behalf), we will provide it to you free of charge. Before providing personal information to you or another person on your behalf, we may ask for proof of identity and sufficient information about your interactions with us so that we can locate your personal information. Except in rare cases, we will respond to you within 30 days after we have received this information or, where no such information is required, after we have received your request. You can request a copy of your information via this form, or using the contact details below.
Rectify information held about you	If any of the personal information we hold about you is inaccurate or out of date, you may ask us to correct it.
Data Portability	In certain circumstances you have the right to request a copy of your personal information from us or to have that information passed to an organisation of your choice in a format that can be easily re-used.
To stop or limit our processing of your information	You have the right to object to us processing your personal information if we are not entitled to use it anymore, to have your information deleted if we are keeping it too long or have its processing restricted in certain circumstances. Where we rely on our legitimate interests, as set out under 'How we use your information', you may object to us using it for these purposes. If we agree that your objection is justified in accordance with your rights under data protection laws, we will permanently stop using your information for those purposes. Otherwise, we will provide you with our justification as to why we need to continue using your information.   You can ask us to restrict the use of your personal information if: • It isn't accurate. • It has been used unlawfully but you don't want us to delete it. • It is not relevant anymore, but you want us to keep it for use in legal claims. • You have already asked us to stop using your information but you are waiting for us to tell you if we are allowed to keep on using it.   Please note that we may be required by law to retain certain information. Before we are able to provide you with any information or correct any inaccuracies, we may ask you provide other details to help us respond to your request.
Erasure	You have the right to request erasure of your personally identifiable information (also known as the right to be forgotten). In some circumstances we may not be able to fully delete your information, for example where we have an overriding legal obligation to retain it, and where we can delete it, we will need to keep an appropriate record of the request.

 

If you would like to exercise these rights, please contact us.

 

 

How can you stop the use of your personal data for direct marketing

 

We won't send you marketing messages if you tell us not to. You can tell us in a number of ways:

 

    • You can click on the "unsubscribe" link in any communication that we send to you by email, or send a free SMS short code to opt out of SMS marketing, both of which will automatically unsubscribe you from those channels of communication. Please also note that you may continue to receive any Service communications we need to send in relation to the product and services we have sold to you
    • Alternatively, you can unsubscribe by submitting your request here. Please note that it may take up to 28 days to process your request.
    • To stop online marketing through cookies please see our Cookie Policy.
    • If you are seeing marketing from us through your social media channels you can stop these directly within the social media site.

 

You can also find further information within our Direct Marketing Customer Charter at the end of this Privacy Policy.

 

 

Security Measures

 

We take our responsibility to protect your information very seriously. All companies within Currys Group use physical, technical and organisational security measures to protect the personal information supplied by you against loss, destruction, and any unauthorised access by third parties. We do this in several ways which include, but is not limited to:

 

    • Following the Payment Card Industry Data Security Standard (PCI DSS) when handling debit and credit card information.
    • Adhering to General Data Protection Regulation (GDPR) guidelines when collecting, processing and storing information.
    • Using encryption protocols and software to protect your personal information during transmission.     • Carrying out regular back-ups of our critical information.
    • Regular testing and evaluation of our security measures.

 

 

Links to other websites

 

Our websites (which includes this Privacy Policy) contain links to other websites run by other organisations which we do not control. This Policy does not apply to those other websites and apps‚ so we encourage you to read their privacy statements.

 

 

Contact us

 

If you would like to access any of your rights as listed above, or have any questions with regards to this Policy, please use the contact us section of our website.

 

Alternatively, you can contact our Data Protection Office at:

 

• Email: [email protected] • Post: Data Protection Office, London Campus at Waterloo, 8th Floor, 10 York Road, London, SE1 7ND

 

You can also contact the Information Commissioner’s Office (ICO) if you have any concerns or complaints with how Currys Group has handled your personal information: https://ico.org.uk/global/contact-us/

 

This Privacy Policy was last updated XXX 2023 and replaces all previous versions. This Policy is regularly reviewed and if updates and changes are made we may notify you either by email or with an announcement on social channels.

 

 

Direct Marketing Customer Charter

 

When you purchase a product or service online or in store we collect personal information about you to let you know about our latest products, services or offers. We may do this by post, email, text message, online, or by using social media.

We will only use your personal information to send you marketing messages if we have a legal right to do so. That could be either with your explicit consent or where there is ‘legitimate interest’, like when we have a business or commercial reason to use your information. We will always provide you with the opportunity to opt out of marketing when we first collect your contact details and in every subsequent message.

We may ask you to confirm or update your marketing choices, if you purchase any new products or services with us in future. We’ll also ask you to do this if there are changes in the law, regulation, or the structure of our business.

The personal information we have about you is made up of what you tell us, and the information we collect when you use our services, or from third parties we work with, like Experian. For more information on the third parties we work with and how we use your personal information, please see our Privacy Policy.

We also gather statistics about email opening and clicks, using industry standard technologies to help us monitor and improve our e-mail communications.

We won’t send unsolicited one-to-one (direct) marketing email and/or SMS communications unless they comply with the rules of General Data Protection Regulations (GDPR), Data Protection Act 2018 (DPA18) and Privacy Electronic Communication Regulations (PECR) and related guidance.

Specifically, our promise to you is that:

 

    I. We will always ask you to actively opt-in to receiving electronic direct marketing messages. That is, unless we’re contacting you about receiving marketing for our own similar products during the course of a sale or when you are setting up a Currys account, and we offered you the opportunity to opt-out when you gave us your details.
    II. Our store and contact centre colleagues will always inform you about any further use of your contact details for direct marketing when you make a purchase.
    III. We will offer you a choice of how you would like to receive marketing from us, including email or text.
    IV. We will make sure that the products or services we are marketing are the same or similar to the ones you originally consented to receive marketing for.
    V. We will ask for your consent to pass details to third parties for their own marketing purposes. We will name those individual companies when we request your consent.
    VI. We will record when and how we obtained your marketing consent, and exactly what it covers.     VII. We will make sure the language we use when you consent is clear and easy to understand, and that it’s clearly distinguishable from any other matters, including other Terms & Conditions.
    VIII. We won’t use confusing language in our marketing statements, including the use of double negatives, technical or legal jargon and confusing terminology or inconsistent language.
    IX. For telephone and postal marketing communications, we’ll screen your name and contact details against the Telephone & Mail Preference Service.
    X. We will always offer you the option to opt out of direct marketing at the point when we capture your contact details and in every subsequent communication by clicking the unsubscribe link.
    XI. We will make sure we promptly (and always within 28 days) opt you out of our marketing activities on your request. We will make sure there is always a simple, easy-to-access and free of charge way for you to withdraw your consent.
    XII. We will operate and maintain an in-house suppression file listing the names and contact details of customers who have told Us they don’t want to receive marketing communications through all or particular means of communication.     XIII. We will rely on the legitimate interests of the business (as an alternative to explicit consent) when we undertake postal marketing, when we conduct live outbound phone sales or when we are contacting our business customers. We will include information in our telephone scripts and in all postal marketing on how to opt out of receiving such marketing.
    XIV. We will screen information to remove files of deceased people so that they are not used for marketing.
    XV. We will not send you any direct marketing if you haven’t been in touch with us or purchased from us in the past three years.
    XVI. We have procedures for dealing with inaccuracies and complaints.
    XVII. We will cooperate fully with any investigation by the Information Commissioners Office (ICO) in relation to our direct marketing activities.
    XVIII. We may remove you from direct marketing if we believe that doing so could cause you financial harm or distress.

 

 

Bought in lists

 

We will only use bought-in lists for texts, emails or recorded calls where we have proof of opt-in consent which specifically names us.

 

    I. We will only use the information on the lists for marketing purposes.
    II. We will delete any irrelevant or excessive personal information.
    III. We will screen the names on bought-in lists against our own list of customers who say they do not want our calls, texts or emails.
    IV. We will carry out small sampling exercises to assess the reliability of the information on the lists.
    V. When marketing by post or email, we will include our company name, address and telephone number in the content.
    VI. We will always tell customers where we obtained their details.
    VII. We will provide you with a link to our Privacy Policy.
    VIII. We will undertake adequate due diligence when we first select information suppliers and in our ongoing work with them in order to make sure it has received and used personal information fairly.
    IX. We will make sure that adequate contractual terms are in place requiring information suppliers to make sure personal information was obtained and provided fairly and in accordance with the requirements of GDPR.
    X. We will take all necessary steps to satisfy ourselves that the information has been properly sourced, permissioned and cleaned. We will make sure that sufficient due diligence is undertaken and contractual arrangements are in place with suppliers of personal information.