Last updated: 20th June 2021.
Suttons Consumer Products Limited, (trading as Suttons ) is registered as a data controller on the UK Data Protection Register. Our registration number is Z7059913.
• What information we collect
• The legal basis for processing we use in relation to processing your personal data
• How we use your personal information and how long we keep it for
• Who we share your information with and on what basis
• How you can control our use of your personal information
• Your rights
• Who to contact if you want more information
When we collect your personal information
We collect personal information about you as soon as you access our website www.suttons.co.uk using a smartphone or computer and also when you call our customer service team. The specific information we collect depends on whether you are a customer or a website visitor. If you buy a product from our website or catalogue, you become a customer of Suttons. The specific information we collect is detailed below in the What personal information we collect section of this document.
What personal information we collect on our website
The personal information we collect from you when you access our website comes in two parts: the information you give us when you complete our website forms, and the information we automatically gather from the device you use to access our website.
Information you give Suttons: this includes the following data items (although you can visit and use our website without giving us this information, if you do not place a transaction or an enquiry during your web visit to us):
• Your first name or initial, and surname
• Your email address
• Your telephone number
• Your postal address
• Payment details: if you order products from our website, your payment details will be processed by our payment processors Realex, Paypal and GlobalPay. Suttons does not store any of your payment details; we are given a transaction ID by our payment processor.
Information from your device: when you access a website using a smartphone, TV (browser enabled), tablet, laptop or desktop computer, your device will exchange information with www.suttons.co.uk to maximise the speed of the site and provide the optimum navigation for your device. Without this information, Suttons cannot ensure the optimum browsing experience and ease-of-use when buying products. To do this, our website may acquire the following information:
• IP (Internet Protocol) address: your IP address indicates your location, unless you are using a VPN service
• Device: what type of device you are using (TV, smartphone, laptop, desktop)
• OS (Operation system): what operating system your device has (IOS, Android, Windows, Linux, MAC OS X)
• Browser & browser version: which web browser you are using (Internet Explorer/Edge, Opera, Chrome, Safari, Firefox)
• Domain: depending on your device and browser settings, we sometimes identify the web address of the domain you came from before landing on our website
• Clickstream data: this is a list of all the web pages that you visited, and the order you viewed them in, on each visit to www.suttons.co.uk. We also record how much time you spend on each web page, and record any actions you make on each page. We also record what items you place in the web shopping basket, even if you do not purchase them
Preferences on our website: you can change how we stay in touch with you, and what we inform you about by emailing firstname.lastname@example.org or calling 0333 043 0700.
What personal information we collect by post and by phone
Information you give Suttons: if you order via the catalogue order form or phone our call centre we collect the following information about you;
• Your first name or initial, and surname
• Your email address, if you want to access the MyOrders function to track your order online, we will need to store your email address as this is used as part of the sign-in process for this function
• Your telephone number
• Your postal address
• Payment details, if you order products from our website, your payment details will be processed by our payment processors Verifone, Paypal and GlobalPay. Suttons does not store any of your payment details, we are given a transaction ID by our payment processor. If you attach a cheque to your order coupon, this is banked, no details of your bank account are stored by us.
Preferences by catalogue and by phone: you can change how we stay in touch with you, and what we inform you about via the preferences section of our website (see above). If you do not want to do this, you can change your preferences on the order form in the catalogue or by phoning our customer service team 0333 043 0700.
Why we collect your personal information
There are several main purposes for gathering your personal information: for marketing activities, deliveries, profiling, and for transaction processing.
Transaction processing: when you purchase a product from our website or catalogue, you become a customer of Suttons, so we retain personal information on you whilst you remain an active customer of ours and also for a short time when you no longer order from us. When you make an enquiry about a product of ours, we also retain the personal information you give us in your enquiry for a limited period of time. Our Data Retention policy below explains how long we keep your personal information. In all cases for transaction processing, our legal basis for processing your personal data is contract.
Deliveries: We will need to print your name and address on delivery notes and despatch labels, in order to deliver any goods you order from us. Please note that in order to resolve delivery queries once goods are on their way to you, that we may print your phone number on the despatch label to aid the courier in the event of a query about your delivery. You may receive an email from our courier with updates on your delivery including information to enable you to track your order. Our couriers destroy any personal data provided by us once your goods have been delivered.
Marketing activities: we have separated out each marketing activity that your personal data is used for below. Note that any customers or website visitors who don't want to receive marketing communications from us can email email@example.com to update their preferences. Suttons will never send you a marketing communication that doesn't have a method of opting out from our marketing communications contained within it.
Profiling: we plan to build profiles from all the information that we have about you, so that we can do two things; firstly we want to surface product advertisements and gardening hints and tips to you via social media. Secondly we want to develop a 1:1 communications programme with you, so that can send you email communications that are specific to you. We believe this will make our dialogue with you more personal and more accurate. You can opt out of having your data used in profiling at any time by emailing firstname.lastname@example.org or calling 0333 043 0700. The legal basis for processing is legitimate interest.
Social media: we want to increase our engagement with you on social media, which we hope we will help us reduce the number of catalogues we produce in the medium term. So, you may see product advertisements & gardening hints and tips from us on some social media platforms, including Facebook. You can opt out of targeted Facebook advertising by following the link here: https://www.facebook.com/help/568137493302217. You can opt out of targeted Instagram advertising by following the link here: https://help.instagram.com/245100253430454. The legal basis for processing is legitimate interest.
• Catalogues: we will provide our customers with at least one full range catalogue each year. The legal basis for processing is legitimate interest
• Product offers: from time to time Suttons will send you discounted product offers via email or post. These offers are based on our knowledge of the products you have ordered or enquired about and your visits to our website, if you have visited it. The legal basis for processing is legitimate interest
• Inserts: Suttons will sometimes include inserts from carefully selected and reputable organisations into your deliveries. Please note that at the time of writing, it is not possible to opt out of these inserts. The legal basis for processing is legitimate interest.
• Newsletters: we will email customers and enquirers newsletters containing horticultural tips and growing/maintenance instructions for our products. The legal basis for processing is legitimate interest.
• Competitions: Suttons sometimes offer competition entry via both email, the website and coupon. Competition entry is sometimes conditional on providing us with additional demographic information about you, which in turn allows us to further customise our communications and product offers to you. The legal basis for processing is legitimate interest.
• Surveys: We occasionally survey portions of our customer and website visitor database to find out more about your experience using Suttons and to find out how we can improve our service delivery to you. The legal basis for processing is legitimate interest.
• Site optimisation: the device-level information we automatically gather about you allows us to optimise the speed and performance of the website for you. The legal basis for processing is legitimate interest.
• Anonymous web analytics: Suttons aggregates and anonymises all your activity on our website for traffic analysis, to help measure and improve the website performance. We also use this anonymised data to monitor the effectiveness of our advertising. Your personal data is anonymised in this process, so there is no requirement under GDPR for a legal basis for processing.
• Business Insight: your personal data and any order history goes into our business insight platform. We use this application to gain detailed insight into how to improve our product and service offering to you, and to also create statistical models to predict your likely purchasing intentions in the future. You can request that your data is removed from this business insight process by emailing email@example.com or calling 0333 043 0700. The legal basis for processing is legitimate interest, you can request that we remove your details from our business insight process.
• Data sharing: we sometimes share customer data with other reputable organisations mainly in the following sectors; charities, clothing, collectables, food & wine, gardening, gadgets & entertainment, health & beauty, household goods, and home interiors categories, for the purposes of postal marketing. You can opt out of this marketing at any time either online, via our order forms, or by contacting our customer service team: firstname.lastname@example.org or on 0333 043 0700.
How we protect and where we store your personal information
The personal information we collect about you is stored within our secure UK IT Data Centre. No identifiable personal information is stored or shipped to non-UK/EU locations. Your personal information is stored in databases which are encrypted at rest, providing the highest level of security. All personal information is moved to and from our website www.suttons.co.uk via an HTTPS connection, which means that the transfer of data is also encrypted. Access to your personal data held on databases managed by Suttons or its' authorised subcontractors, is granted only when there is a need to use the data, no permanent access exists.
Suttons is amending our IT policies to further protect your personal information by adopting 'Privacy by Design', an information management standard that seeks to anonymise personal data held in commercial databases to further protect that information. You can find out more about this anonymization process by following this link.
How long we keep your personal information
Suttons will only use your personal information for as long as you remain a customer, and for a short time after your last order. The maximum amount of time that Suttons will retain your personal information in a data archive is seven years, except in the event of a legal dispute. This seven-year limit is based on the legal requirement to maintain details of transactions as described in the Companies Act 2006. We have listed below how long we store your personal information for, which depends on your relationship with Suttons.
If you made a purchase from us: we will keep the information you gave us and details of what you bought for up to seven years from the date of the last transaction with us. After that time your personal data will be anonymised, but we will keep your purchase and marketing history.
If you enquired about a product, but did not make a purchase: we will keep the information we have on you as an enquirer for up to three years. After that time your personal data will be anonymised, but we will keep your enquiry and marketing history.
If you wrote to us: we will keep any correspondence with you for six years, although we do keep this information longer if your correspondence is a complaint.
Sharing your personal information with other organisations
Subcontractors: Suttons use carefully selected subcontractors to assist in the management and structure of business information for its' own marketing purposes. The information these subcontractors process includes the personal information we gather about you and your transaction and web history with us. By 'marketing' we mean the specific purposes outlined in the Marketing Activities section of this document. Details on these subcontractors are as follows:
Epsilon Abacus, whose registered office is 67 Broad Street, Teddington, TW11 8QZ, for the purposes of business insight and data aggregation. Epsilon is registered as a data controller, Z6627112.
We work with Epsilon Abacus (registered as Epsilon International UK Ltd), a company that manages the Abacus Alliance on behalf of UK retailers. The participating retailers are active in the clothing, collectables, food & wine, gardening, gadgets & entertainment, health & beauty, household goods, and home interiors categories. They share information on what their customers buy. Epsilon Abacus analyses this pooled information to help the retailers understand consumers' wider buying patterns. From this information, retailers can tailor their communications, sending people suitable offers that should be of interest to them, based on what they like to buy.
Epsilon Abacus host their data centre in Dublin, Ireland, so within the EEA. However, some employees of their USA and India affiliates (which are listed here http://resources.epsilonabacus.com/epsilon_abacus_vendors) have got access to the servers held in Dublin because they provide technical support to Epsilon Abacus. This type of "screen access" qualifies as a transfer of data under the GDPR, even if no files are "moved" outside the data centre.
GDPR allows data to be transferred outside the EEA in the absence of an adequacy decision by the Commission when "appropriate or suitable safeguards" are present (see Article 46). Data transfers to Epsilon affiliates based outside the EEA take place in accordance with Epsilon's Interaffiliate Data Processing and Transfer Agreement, which incorporates the Standard Contractual Clauses (aka "EU Model Clauses"). We believe that these measures satisfy the requirements in regards to "appropriate safeguards".
Qbase Data Services, whose registered office is 31-33 Bold Street, Warrington, Cheshire, WA1 1HL, for the purposes of building a single customer view database, business insight platform and list rental marketing. Qbase is registered as a data controller, Z842993.
UK List & Press Services Ltd, whose registered office is c/o Reynolds Accountancy, Ground Floor Windmill House, 127-130 Windmill Street, Gravesend, Kent, DA12 1BL, for the purposes of list rental marketing. UKLPS is registered as a Data Processor, Z9354490.
Red Eye International, whose registered office is Oak House, Crewe Hall Farm, Crewe, CW1 5UE, for the purposes of email marketing. Red Eye is registered as a data controller Z9006942.
Feefo, whose registered office is Feefo Barn Heath Farm, Heath Road East, Petersfield, Hampshire, England, GU31 4HT, for the purposes of conducting customer satisfaction surveys on our products and overall service delivery. Feefo is registered as a data controller Z2323576.
Garden Compass Limited (trading as Smartplant), whose registered office is Aissela, 46 High Street, Esher, Surrey, United Kingdom, KT10 9QY, for the purposes of providing horticultural updates and advice to customers. Garden Compass Limited is registered as a data controller, ZA477697.
Adestra Limited, whose registered office is Raving Towers, Millburn Hill Road, University of Warwick Science Park, Coventry, West Midlands, CV4 7HS, for the purposes of email marketing. Adestra is registered as a data controller Z1130590.
Trustpilot Limited, whose registered office is Minster Building, 3 Minster Court, 5th Floor, London EC3R 7DD, for the purposes of conducting customer satisfaction surveys on our products and overall service delivery. Trustpilot is registered as a data controller ZA385757.
Awin Ltd, whose registered office is 5th Floor, 2 Thomas More Square, London, E1W 1YN, for the purposes of affiliate marketing is registered as a data controller, Z7616503. To find more about Affiliate Windows Fair Processing Notice in the Advertiser Fair Processing Notice please click here.
BVG Group companies: periodically Suttons will share its' customer information with other BVG Group companies who have products and services that are relevant to the clothing and home & garden markets. Those companies will then send you marketing information by your preferred method (post or email), on products that are directly related to your purchases with Suttons. You can opt out of these communications at any time, by emailing email@example.com or calling 0333 043 0700. The group companies most likely to contact you are: Van Meuwen, Sutton Seeds, Dobies, The Organic Catalogue, Garden Gear, Waltons, Samuel Windsor and Happy Beaks.
Facebook UK Ltd: whose registered office is 10 Brock Street, London, NW1 3FG, for the purposes of providing custom audiences on the Facebook social media platform. Facebook is registered as a data controller, ZA265194.
Twitter International Company: whose registered office is 1 Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Eire, for the purpose of providing custom audiences on the Twitter social media platform.
Dynamic Data Services, whose registered office is Wetherby House, 7 Market Place, Wetherby LS22 6LG, for the purposes of list rental marketing. Dynamic Data Services is registered as a data controller, ZA263043.
Address Intelligence Technologies Limited, whose registered office is 7-10 Chandos Street, London, W1G 9DQ, for the purposes of developing marketing profiles to help us better direct our postal communications. Address Intelligence Technologies Limited is registered as a data controller, ZA183618.
Mention Me Limited, whose registered office is 20-22 Wenlock Road, London N1 7GU, for the purposes of referral email marketing. Mention Me host their data centre in Ireland, so within the EEA. Mention Me also use Mailjet (based in France) for the purposes of sending referral-related emails to end users participating in the refer-a-friend programme. Mention Me is registered as a data processor, ZA004639.
Fresh Relevance Ltd, whose registered office is 5 Benham Road, Southampton Science Park, Southampton, SO16 7QJ, for the purposes of website personalisation. Fresh Relevance is registered as a data processor, ZA115977.
Esendex Ltd (trading as Text Marketer), whose registered office is 20 Wollaton Street, Nottingham, NG1 5FW, United Kingdom, for the purposes of SMS marketing. Esendex Ltd is registered as a data controller Z5483210.
Requesting a copy of your personal information
You can contact Suttons using the information below, to request a copy of the personal information we hold on you. If you request this information, you will need to provide proof of your identity. We will return the information to you electronically in a text file. You are legally entitled to request this information under the General Data Protection Regulation, there is no charge for this service.
To request copy of your personal information, please email us at firstname.lastname@example.org with your request. Please be sure to include your full name, email address and postal address.
We will supply you the following information:
• Your contact details: which may include your email address, phone and mobile numbers, your previous address, your previous or second email address, your communications preferences and the date your contact details were last updated
• Your transaction history: if you have ordered from us, you will receive details of your order, including products purchased, date of purchase and the cost of the products
• Your marketing history: if we have marketed to you, we will send you details of the catalogues and emails we have sent you
• Email correspondence: we will search our email server to see if your email address is in any email message headers, if we find it, we will send you the email(s)
To request a copy of your personal information via post, please write to: Data Protection Officer, Suttons, Woodview Road, Paignton, Devon, TQ4 7BG.
How to control your personal information on the Suttons website
If you do not want to receive communications from Suttons, you can change your preferences by emailing email@example.com. You can also opt-out directly from emails and SMS messages that we may send you and you can use the opt-out section of the order form in our catalogues. Lastly, you can phone our customer service team on 0333 043 0700.
This privacy statement reflects the rights that you have under the General Data Protection Regulation, which specifically charges Suttons with providing you access to your personal information, and to ensure that your data is used appropriately & securely with specific reference to the rights of you, the data subject. Those rights regarding your personal data are as follows:
The right to access a copy of your personal information that we hold
The right to object to our processing of your personal data, if doing so causes you distress
The right to prevent Suttons processing your data for direct marketing purposes
The right to object to decisions being taken using automated means that includes your personal data
The right to have inaccurate personal data rectified, or destroyed
The right to have your data erased from our IT infrastructure
The right to data portability
The right to be informed about the collection and use of your data
You can find out more about your rights regarding your personal data in the UK from the Office of the Information Commissioner www.ico.org.uk.
Data Controller: under the General Data Protection Regulation (GDPR), organisations that collect, process and store your personal information are defined as Data Controllers, which makes Suttons the Data Controller for your personal data collected from our website.
Data Subject: GDPR classifies individuals as data subjects. So you, the customer or enquirer of Suttons are a data subject under GDPR if you purchase or enquire about our products.
Data Processor: a data processor is an organisation other than the data controller, who processes your personal data on behalf of the data controller. A good example of this is PayPal, who are one of the payment processing options for any products that you buy online. The data processors who handle your personal information gathered by our website have the same duty of care in handling your personal information.
Our Contact details:
Suttons is part of Suttons Consumer Products
Woodview Road, Paignton, Devon, TQ4 7NG
Registered in England and Wales: 284448
Customer Services: 0333 043 0700*
* Monday- Friday 8.30am to 5pm. Charges to 03 numbers are the same as UK standard landlines numbers starting in 01 or 02. Mobile providers may vary.