Privacy Statement

  1. Introduction

Halfords Limited is the UK's leading cycling and motoring retailer, with over 450 stores across the UK and Ireland.

Halfords Autocentres is one of the UK's leading MOT, servicing, brake, repair and tyre specialists, with over 300 locations nationwide.

Together, these two organisations operate as “Halfords”, bringing customers unrivalled value and service from a known and trusted brand.

As an essential part of our business, we collect and manage customer data. In doing so, we observe all relevant data protection legislation, and are committed to protecting and respecting customers’ privacy and rights. Specifically, Halfords acts as “Data Controller” in respect of the information gathered and processed by this website or when customers visit one of our stores or Autocentres.

In order that you are reliably informed about how we collect, process, store and share your information, we have developed this Privacy Statement. This Statement also advises how you can have control over our use of your data.

If you have any comments or queries regarding our use of your data, please contact our Data Protection Officer by email at dataprotectionofficer@halfords.co.uk or by post at Data Protection Officer, Halfords Group plc, Icknield Street Drive, Washford West, Redditch B98 0DE.

In general terms, we collect information about you so that we can:

  • fulfil product orders that you may make via this website, which you can subsequently collect from a Halfords store, or which may be delivered to your home or work;
  • provide services at stores or garages;
  • deliver high-levels of customer care and support; and
  • communicate with you effectively whether this is about your order, or so that you don't miss out on great promotions, offers and helpful reminders.

Collecting information from you

The information that we collect from our customers is known as “personal data”. This includes customers’ names, home addresses and e-mail addresses. We collect this in a number of different ways. For example, customers may provide this data to us directly when filling in forms on this website, or when corresponding with us by telephone, e-mail or letter.

We also take customers’ credit card details: however, we do not save this information on any of our systems. Equally, we do not collect any special category data about our customers (i.e. information about their ethnicity, religion, health etc).

Please also be advised that when you visit this website, cookies will be used to collect information about you such as your Internet Protocol (IP) address which connects your computer or mobile device to the internet. We do this so that we can measure our website’s performance and make improvements in the future. Cookies are also used to enhance this website’s functionality and personalisation, which includes sharing data with third party organisations (as described in our Cookies Policy here). You can control this by adjusting your cookies settings.

Information sourced from third parties

We also use a number of qualified third-party providers in order to gain additional information about our customers so that we can best support them. These providers include:

  • HaynesPro, from whom we collect limited information about customers’ vehicles so that we can identify the make, model and age of their car using Vehicle Registration Numbers, and where appropriate, validate orders for car parts prior to engaging a technician. Additionally, we use this information to provide customers with the most up-to-date and relevant messages regarding their car’s safety, maintenance and upkeep; and
  • a global provider of consumer market data, who enable us to gain improved insight into our customers where appropriate consents and permissions are in place, in order to better understand and anticipate our customers’ needs.

We use the data collected from you for the specific purposes listed in the table below. Please note that this table also explains:

  • the lawful basis for processing your data, linked to each processing purpose;
  • in what circumstances your personal data will be shared with a third-party organisation; and
  • for how long we keep customer data.

Data that is collected by cookies is not included in the table below, but is explained in section 3 of our Cookies Policy here.

Purpose for processing data

Lawful basis for processing data

Third party organisations with whom data is shared

Data retention period

Data processing related to a purchase

To fulfil purchases and orders which you may make via this website

To meet the requirements of contract law

Customer data will be available to the following:

· Salesforce who hosts this website on our behalf;

· Astound who supports development of this website;

· HaynesPro where a Vehicle Registration Number is provided;

· JRNI where a service is scheduled;

· Elcom where a car part is ordered;

· Google Maps/Experian where location data is sought; and

· Planning-Inc who manages our customer database.

Certain pages will link to third-party providers (e.g. where customers wish to sign up to MotorCare, use the Discoveries Hub, or make a booking via Halfords Mobile Expert) but these are clearly indicated on the relevant page.

Orders are saved in our SAP sales system, which is supported by BCX, AppDynamics as well as TCS, our IT partners. Orders for Autocentres are also saved in our PACE system which is managed by Viqtor Davies.

Where deliveries are required, data is shared with DPD, Parcelforce or MetaPack.

Data may also be shared with relevant suppliers and manufacturers: however as we use many different providers, it is not possible to list them all here

6 years following the customer’s last transaction

To fulfil purchases and orders which you may make in a store or Autocentre

To meet the requirements of contract law

Depending upon where you shop, customer data will be available to the following:

· Aptos who supports our till system in retail stores;

· Viqtor Davies who supports our till system in Autocentres;

· HaynesPro where a Vehicle Registration Number is provided;

· JRNI where a service is scheduled;

· Elcom where a car part is ordered;

· the Driver and Vehicle Standards Agency where MOT data is captured; and

· Planning-Inc who manages our customer database.

Orders are saved in our SAP sales system, which is supported by BCX, AppDynamics as well as TCS, our IT partners.

Where deliveries are required, data is shared with DPD, Parcelforce or MetaPack.

Data may also be shared with relevant suppliers and manufacturers: however as we use many different providers, it is not possible to list them all here

6 years following the customer’s last transaction

To process customer requests for finance (please note that this includes processing for the purposes of fraud prevention)

Customers will be asked to provide informed consent before their data is processed for the purposes of applying for finance

Data will be captured by our lending partner, Klarna Bank AB who is authorised and regulated by the Swedish Financial Supervisory Authority, with limited supervision by the Financial Conduct Authority and Prudential Regulation Authority in the UK

In Autocentres, we also use Payment Assist as lending partner who is authorised and regulated by the Financial Conduct Authority

6 years following expiry of the finance agreement

To process credit / debit card payments, and communicate with you if there are any issues

To meet the requirements of contract law

For payment in a store, data will be shared with FIS Global, our payment gateway and Worldpay, our payment acquirers. For payment in an Autocentre, data will only be shared with Worldpay.

For payments online, data will be shared with Mastercard, our payment gateway and Worldpay as acquirer. In processing this data, customer details will also be automatically checked for fraud prevention purposes. If a payment online is not approved, then Experian will be used

Halfords does not record credit / debit card information: however, anonymised token data is retained for 6 years following the transaction

To process a request for an eReceipt

Customer consent will be sought before an eReceipt is issued instore: this is separate to consent for marketing purposes

If customers choose an eReceipt rather than a paper receipt, their data will be automatically shared with OneMarket, who manages the eReceipt service on our behalf

2 years for the purposes of delivering and/or validating an eReceipt

To communicate with you via email, SMS text or telephone in order to update you as necessary about your specific order or purchase, for example to remind you about a pre-booked service, or to notify you that a reserved product is available instore

To meet the requirements of contract law

Sales activities will be recorded on Salesforce, our Customer Relationship Management System, which is supported by Brightgen, a Salesforce Platinum Partner. Additionally, we will use Salesforce to help send these emails, and Telephonica to send SMS texts

Communications from Autocentres regarding MOTs and car servicing will be supported by Cheetah Digital

6 years following the customer’s last transaction. Data used by Cheetah Digital will be retained for 19 months

After-sales data processing

To provide customer services support by telephone, email or letter: this includes the recording of telephone conversations for monitoring and quality purposes

This is deemed legitimate as it is in customers’ interest that we can access their data in order to resolve any queries, questions, concerns or complaints

Customer services information will be recorded on Salesforce, our Customer Relationship Management System, which is supported by Brightgen, a Salesforce Platinum Partner. Additionally, the information will be shared with Planning-Inc who manages our customer database

Telephone calls are recorded using the 8x8 telephony system

6 years following the customer’s last transaction. However customer services call recordings will be kept for no more than 90 days

To enable you to LiveChat with customer services teams: this includes the recording of LiveChat conversations for monitoring and quality purposes

This is deemed legitimate as it is in customers’ interest to resolve any queries, questions, concerns or complaints that they may have

LiveChat is a function of Salesforce, our Customer Relationship Management System, which is supported by Brightgen, a Salesforce Platinum Partner

6 years following the customer’s last transaction

To undertake surveys of your experiences of customer services

Customer consent will be sought prior to undertaking the survey

Customer services surveys will be managed through Salesforce, our Customer Relationship Management System, which is supported by Brightgen, a Salesforce Platinum Partner

6 years following the customer’s last transaction

To communicate with you via email, SMS text or telephone in respect of a product recall or other safety information about a purchase which you have made from us

This is deemed legitimate as it is in customers’ interest to be alerted about safety issues which may affect them

Depending upon the nature of the information, this may also help protect people’s vital interests

Retail data will be held in Salesforce, our Customer Relationship Management System, which is supported by Brightgen, a Salesforce Platinum Partner. Autocentres data will be held within PACE which is managed by Viqtor Davis.

Information will also be held in our customer database which is managed on our behalf by Planning-Inc

Emails will be sent by Cheetah Digital

6 years following the customer’s last transaction. Data used by Cheetah Digital will be retained for 19 months

To send you emails reminding you about a service which forms part of your original purchase

This is deemed legitimate as it is in customers’ interest to be reminded about services to which they are entitled under the terms of their original purchase

Customer details will be held in our customer database which is managed on our behalf by Planning-Inc. Emails will be sent by Cheetah Digital

6 years following the customer’s last transaction. Data used by Cheetah Digital will be retained for 19 months

To contact you via telephone, email or text in relation to repairs which are essential and/or time-sensitive following an MOT or Service (i.e. an MOT fail or advisory notice)

This is deemed legitimate as it is in customers’ interest to be reminded about repairs that are necessary and/or advised for either legal or safety reasons

Customer data will be held in our marketing database that is managed on our behalf by Planning-Inc. Emails will be sent by Cheetah Digital

6 years following the customer’s last transaction. Data used by Cheetah Digital will be retained for 19 months

To contact you via email or text in order to reminder you about the need for an annual MOT or Service

This is deemed legitimate as it is in customers’ interest to be reminded about their MOT or Service

Customer details will be held in our customer database which is managed on our behalf by Planning-Inc. Emails or texts will be sent by Cheetah Digital

6 years following the customer’s last transaction. Data used by Cheetah Digital will be retained for 19 months

To send you emails asking you to complete a survey based on your shopping experience

This is deemed legitimate, as it enables customers to provide feedback and resolve queries in as non-intrusive a manner as possible

Customer details will be held in our customer database which is managed on our behalf by Planning-Inc. Emails will be sent by Cheetah Digital

Please note that customers’ data will only be shared with our market research partner (ABA) if they actively choose to complete the survey

6 years following the customer’s last transaction. Data used by Cheetah Digital will be retained for 19 months. Customer survey responses will be kept by ABA for 5 years

To send you emails asking you to complete a product review

This is deemed legitimate, as it enables customers to complete reviews that inform the wider public about a product’s usefulness and value

Customer details will be held in our customer database which is managed on our behalf by Planning-Inc. Emails will be sent by Cheetah Digital

Please note that customers’ data will only be shared with our partners (Bazaarvoice / Trustpilot) if they choose to submit a review

6 years following the customer’s last transaction. Data used by Cheetah Digital will be retained for 19 months

To process a refund for a retail sale, for which we require the customer’s name and address irrespective of circumstance or refund value

To perform a task carried out in the public interest and/or in the exercise of official authority vested in the controller (i.e. to identify criminal / fraudulent activity)

This data is captured within our till system which is supported by Aptos, but made available only to our internal Loss Prevention team

2 years from the refund transaction

Data processing for online services

To enable you to set up an online account

This is deemed legitimate as it is in customers’ interest to set up an online account (if they choose) to manage their transactions

By setting up an online account, customers’ details will be shared with Salesforce who hosts this website on our behalf, and Planning-Inc who manages our customer database

6 years following the customer’s last transaction

To personalise the information delivered to you via our website based on your history / preferences: this requires us to profile you as described more fully in section 5.8 below

This is deemed legitimate as it is in customers’ interest to see the information that is relevant to them and/or that they have told us is of most benefit or value to them

Delivering a personalised online experience requires input from Planning-Inc who manages our customer database, Google Analytics who helps us use data to improve our performance and impact, and Qubit who help us personalise website content to user preferences

6 years following the customer’s last transaction

Data processing for marketing

To send emails about special offers and promotions that are relevant to you, as well as helpful reminders: this includes emails about offers during peak periods (i.e. New Year, Black Friday), abandoned baskets, as well as reminders about products or services you have asked us to tell you about. In some cases, this requires us to profile you as described more fully in section 5.8 below

Customers will be asked for their consent before we send marketing communications

Customer details will be held in our customer database which is managed on our behalf by Planning-Inc. Emails will be sent by Cheetah Digital, and may include personalised messages facilitated by Moveable Ink

6 years following the customer’s last transaction. Data used by Cheetah Digital will be retained for 19 months

To send specific email communications to our Trade Card members

This is deemed legitimate as customers will have specifically chosen to join the Trade Card scheme

Customer details will be held in our customer database which is managed on our behalf by Planning-Inc. Emails will be sent by Cheetah Digital

6 years following the customer’s last transaction. Data used by Cheetah Digital will be retained for 19 months

To use customer data (primarily email addresses) to deliver advertising across various social media and other online platforms (e.g. Google, Facebook)

Even though it is in customers’ interest to receive communications for which they have given their consent, no personal data is shared in these circumstances (i.e. email addresses are fully anonymised)

Anonymised data only will be shared with various advertising partners

6 years following the customer’s last transaction

Other data processing

To process competition entries and inform winners

Customers give consent when they submit competition entries: this is separate to consent for marketing purposes

Details will be held in our customer database which is managed on our behalf by Planning-Inc (NB where a competition is run by a third party, for example a newspaper or radio station, any subsequent data sharing with us will be made clear within the competition terms & conditions)

6 years following the customer’s last transaction

To match data that we hold in order to acquire improved insight about our customers both individually and at aggregate level: this requires us to profile you as described more fully in section 5.8 below

This is deemed legitimate as it is in customers’ interest that we understand their preferences and buying behaviours so that the information we provide, is tailored to them

Customer details will be held in our customer database which is managed on our behalf by Planning-Inc. Additionally, we will use Google Analytics to improve our performance and impact

6 years following the customer’s last transaction

To re-use a customer's photographs with their permission, for marketing and other purposes

Customer consent is always sought in respect of the re-use of any photographs that we may see on social media that we would like to include within any of our promotional materials

Halfords uses Olapic to help optimise the use of customer-generated content

6 years following the customer’s last transaction

  1. Overseas transfers

Customer data is retained within the European Economic Area (“EEA”) with the exception of where it is processed on our behalf by the following third party organisations for the purposes described in section 3 above:

Organisation name

Purpose for the overseas transfer

Areas where the data is processed

AppDynamics

Monitors performance of Halfords’ internal IT systems

USA

Astound

Supports development of this website

Ukraine

BCX

Providing technical support to our SAP sales system

South Africa

JRNI

Enabling customers to schedule service appointments

USA, Australia

Cheetah Digital

Providing out-of-hours technical support

Costa Rica, Malaysia, India

Moveable Ink

Facilitates personalisation of marketing emails

USA

Olapic

Enabling sharing of customer photographs

USA

TCS

To provide IT support across Halfords

India

Viqtor Davies

Supporting the Autocentres till system

USA

In these instances, we ensure that the relevant third parties observe appropriate technical and organisational security measures in order to protect the data against unauthorised access, disclosure, alteration or destruction. In doing so, we are assured that these third parties operate equivalent data protection and security practices as organisations based within the EEA.

Under the terms of data protection legislation, you have the following rights as a result of using this website:

  • Right to be informed

This Privacy Statement, together with our Cookies Policy, fulfils our obligation to tell you about the ways in which we use your information as a result of you using this website.

  • Right to access

You have the right to ask us, in writing, for a copy of any personal data that we hold about you. This is known as a “Subject Access Request”. Except in exceptional circumstances (which we would discuss and agree with you in advance), you can obtain this information at no cost. We will send you a copy of the information within 30 days of your request.

To make a Subject Access Request, please write to our Data Protection Officer at Halfords Group plc, Icknield Street Drive, Washford West, Redditch B98 0DE.

  • Right to rectification

If any of the information that we hold about you is inaccurate, you can either:

  • visit the “My Account” section of the website where you can make changes to some of the information that we hold about you; or
  • contact our Data Protection Officer at dataprotectionofficer@halfords.co.uk. Any corrections that you request will be made as soon as possible, and certainly no later than 30 days following your notification.
  • Right to be forgotten

You can ask that we erase all personal information that we hold about you. Where it is appropriate that we comply, your request will be fully actioned within 30 days. For further information, please contact our Data Protection Officer at dataprotectionofficer@halfords.co.uk.

  • Right to object

You have the right to object to:

  • the continued use of your data for any purpose listed in section 3 of this Privacy Statement for which consent is identified as the lawful basis of processing (i.e. you have the right to withdraw your consent at any time); or
  • the continued use of your data for any purpose listed in section 3 of this Privacy Statement for which the lawful basis of processing is that it has been deemed legitimate.

In some circumstances (i.e. consent to marketing communications), you can exercise your objection by updating your preferences within the “My Account” section of this website. For all other circumstances, you can contact our Data Protection Officer at dataprotectionofficer@halfords.co.uk.

Please note that you can also exercise your right to object to our use of cookies by following the guidance in section 4 of our Cookies Policy here.

  • Right to restrict processing

If you wish us to restrict the use of your data because (i) you think it is inaccurate but this will take time to validate, (ii) you believe our data processing is unlawful but you do not want your data erased, (iii) you want us to retain your data in order to establish, exercise or defend a legal claim, or (iv) you wish to object to the processing of your data, but we have yet to determine whether this is appropriate, please contact our Data Protection Officer at dataprotectionofficer@halfords.co.uk.

  • Right to data portability

If you would like us to move, copy or transfer the data that we hold about you to another organisation, please contact our Data Protection Officer at dataprotectionofficer@halfords.co.uk.

Please be advised that this only applies to certain data which has been submitted by you electronically for specific purposes only. Our Data Protection Officer can provide further advice.

  • Rights related to automated decision-making

In order that we can understand your interests and preferences - and deliver communications that will be most of interest to you, where you have consented to receive these - we employ profiling techniques (which include automated decision-making) based upon the information that you have provided to us, as well as your purchasing history and engagement with us. We do not believe that these processes have any potential to significantly or negatively affect you i.e. they will not lead to any form of discrimination against you or impact your legal rights.

Examples of how we use profiling are as follows:

  • if you only browse cycling products on our website, and have only ever purchased bikes and cycling equipment from us, we are less likely to send you information about car products;
  • if you purchase a child’s car seat from us, we are more likely to send you information about kids’ bikes;
  • if you have provided us with your vehicle registration number, we are more likely to send you reminders about MOTs and other related products and services; and
  • if you do not engage or interact with special offer emails that we send you (even though you will have consented to receive these), we are likely to send you fewer emails than customers who are more actively involved with us.

Where we hold a customer’s details, we will also seek to ensure that, as far as possible, we maintain a single composite record of their interactions with us, which may require us to match their different activities. Where customers have indicated that they do not want us to us their data for receiving communications (other than those deemed legitimate), we will use this information purely for anonymised internal analytics and reporting, for example, looking at sales trends which does not identify individual customers.

If you do not want us to undertake profiling or matching, you may either:

  • object to the processing of your data (see section 5.5 of this Privacy Statement above); or
  • request that Halfords erases all personal data about you (see section 5.4 of this Privacy Statement above).

At Halfords, we maintain a comprehensive data management work programme, which includes processes for ensuring that data protection is a key consideration of all new and existing IT systems that hold customers’ personal data. Where any concerns, risks or issues are identified, we conduct relevant impact assessments in order to determine any actions that are necessary to ensure optimum privacy.

We also maintain an active information security work programme which seeks to protect the availability, confidentiality and integrity of all physical and information assets. Specifically, this helps us to:

  • protect against potential breaches of confidentiality;
  • ensure all IT facilities are protected against damage, loss or misuse;
  • increase awareness and understanding of the requirements of information security, and the responsibility of our colleagues to protect the confidentiality and integrity of the information that they handle; and
  • ensure the optimum security of this website.

We recognise that the security of data and transactions on this website is of primary importance. We therefore ensure that all connections to secure parts of the website (such as when you login) are encrypted and authenticated using strong protocols, key exchanges and ciphers.

We are proud to have been awarded the Payment Card Industry Data Security Standard (PCI-DSS), which recognises the robust processes that we apply when handling card transactions from the major card schemes. This independent certification gives our customers assurance that our transactional systems protect your data with appropriate levels of security.

This website only uses geo-location tracking, which shows us where you are in the UK, for specific situations. These include:

· click and collect: on the product pages, you can check the availability of any selected item in your local store;

· store locator: you can search for your local store using your current location;

· store changes: we can inform you of local store changes based on your IP address.

In all situations, your permission will be sought before geo-tracking is used, and then, it is only used to personalise your experience.

This service is supported by Google Maps. Users are bound by the Google Maps / Google Earth Additional Terms of Service (https://maps.google.com/help/terms_maps.html) which includes the Google Privacy Policy (https://www.google.com/intl/ALL/policies/privacy/index.html).

Every effort is made to ensure that the information provided on this website, and in this Privacy Statement, is accurate and up-to-date, but no legal responsibility is accepted for any errors or omissions contained herein.

We cannot accept liability for the use made by you of the information on this website or in this Privacy Statement, nor do we warrant that the supply of the information will be uninterrupted. All material accessed or downloaded from this website is obtained at your own risk. It is your responsibility to use appropriate anti-virus software.

This Privacy Statement applies solely to the data collected by us, and therefore does not also apply to data collected by third party websites and services that are not under our control. Furthermore, we cannot be held responsible for the Privacy Statements on third party websites, and we advise users to read these carefully before registering any personal data.

We are committed to providing a website in which content is accessible to everyone. We therefore update our website regularly in order to make it as adaptable as possible.

For example, users can control the text size of each page within their browser. On a PC, holding the “Ctrl” key while pressing the “+” (plus) key will increase text size, and holding the “Ctrl” key while pressing the “-“ (minus) key will decrease the text size.

Questions and comments regarding this Privacy Statement are welcomed, and should be sent to our Data Protection Officer at dataprotectionofficer@halfords.co.uk.

You can also contact our Data Protection Officer if you have any concerns or complaints about the ways in which your personal data has been handled as a result of you using this website.

Alternatively, you have the right to lodge a complaint with the Information Commissioner’s Office (“ICO”) who may be contacted at Wycliffe House, Water Lane, Wilmslow SK9 5AF or https://ico.org.uk (for details on how your data will be managed by the ICO, please refer to https://ico.org.uk/global/privacy-notice/