Company Shop Group Privacy Policy

This privacy policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following information carefully to understand our views and practices regarding your personal data and how we will use it.

Who we are

Company Shop Limited and Community Shop C.I.C. (together “we” or “us”) stop surplus products from going to waste by rethinking, redefining, and redistributing surplus, delivering value for our members, clients, and colleagues. We are committed to protecting and respecting your privacy and act as the primary controller of your personal data.

We form part of the Biffa group of companies (“Biffa”). In delivering our services, some personal data may be processed by Biffa, which includes Biffa Ltd and its subsidiaries such as Biffa Waste Services Ltd; Cressex Insurance Services Ltd is also part of Biffa Waste Services Ltd. Each Biffa company may act as a controller of your personal data when providing services on our behalf.

What Personal Data do we collect?

  • For Company Shop members, we collect your name, title, address, contact details, date of birth, employer, job title, and information used to verify your eligibility for membership, such as proof of employment, ID details, or membership number. We may also collect records of your purchases, store visits, purchase receipts or invoices, and use of your membership account.

  • Community Shop members provide similar information to Company Shop members, along with details such as ethnic background, gender, and information about any benefits received. We may also record any information you voluntarily disclose to us which may include personal data and special categories of personal data.

  • When you make purchases or payments, we may collect payment details such as card or bank information, transaction references, and transaction history, which may be processed securely by our payment providers.

  • We may collect your communication preferences and information about how you wish to receive marketing or service updates from us.

  • CCTV cameras operate in and around our sites, and we may process images of you for the purposes of safety, security, and the prevention and detection of crime.

  • We may collect your personal data when you take part in promotions, competitions, surveys, or events that we organise.

  • Personal data may also be collected when you contact us with an enquiry, feedback, complaint, or online chat, including messages or correspondence through our website or social media channels.

  • When you visit our websites, we may collect your IP address, browser type, operating system, traffic data, location data, weblogs, usage data, and other communication data, including your name, address, and contact details when you make an enquiry through the Website.

  • We also collect personal data from you if you inform us about a problem with our Website.

  • Please note that this list is not exhaustive. Depending on your relationship with us and the nature of your interaction, we may collect additional personal data where necessary to provide our services, meet our legal obligations, or support specific operational, employment, or membership needs.

Personal Data we receive from third parties

We may receive personal data about you from various third-party sources, including:

  • Social Media and Online Platforms

    • Google, Meta, TikTok and LinkedIn, which may provide data related to your device, interactions, or preferences.

  • Publicly Available Sources

    • This includes data from public records such as the UK Companies House, the electoral register, and other publicly accessible address or postcode databases.

How we use your personal data

We may use your personal data for the following purposes ("Permitted Purposes"):

  • to carry out our obligations on the basis that the processing is necessary for the performance of a contract entered into between you and us, including your membership contracts;

  • to notify you about changes to our services on the basis that this is necessary in order for us to perform our obligations under a contract with you;

  • to provide you with information about products or services that you request from us on the basis that you have requested such information before entering into a contract with us;

  • CCTV is used to ensure the safety and security of our stores and those who work or shop in them, as well as to assist in the prevention of crime;

  • for community shop members, we collect ethnic background information on the basis that you have given your explicit consent to this processing;

  • where you voluntarily disclose information to us about your personal circumstances which includes special categories of personal data (for example information concerning your beliefs, your health, or your sex life/ sexual orientation), we process this on the basis that you have given your explicit consent to this processing by providing us with the information. Where you provide us with special categories of personal data and we consider that we need to pass on to a third party such as a local authority or the police for the safety of yourself or of others, we may rely on another lawful basis for this processing;

  • We may use your image, likeness, or other visual representations for marketing and promotional purposes. This includes the use of photographs, videos, and other media in our marketing materials, both online and offline. We ensure that all such use is in accordance with the permissions and agreements you have agreed to and complies with applicable data protection laws.

Marketing and Advertising

We may use your information to deliver personalised marketing communications about services within the Group, based on your interactions with our website, services, or previous purchases. This may include updates, offers, or recommendations related to services you’ve shown interest in, unless you have opted out of receiving such marketing.

You can opt out of receiving marketing communications from us at any time by following the unsubscribe link in any marketing email or replying “STOP” to texts.

For certain marketing communications, we will seek your explicit consent where required by law, and we will only send such communications once we have obtained your consent.

Digital Marketing

When you visit our website, we may show you tailored advertisements for our services and products on other websites, including social media platforms. These adverts are based on your interactions with our site and the pages you have visited, which help us understand what may be of interest to you. We work with trusted partners who use cookies and similar technologies to display these ads on your devices. You can manage your cookie preferences through our cookie banner and choose to reject non-essential cookies at any time (please refer to our Cookie Policy for more information).

Aggregated Data

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your Personal Data but is not considered Personal Data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific Website feature.

However, if we combine or connect Aggregated Data with your Personal Data so that it can directly or indirectly identify you, we treat the combined data as Personal Data, which will be used in accordance with this Privacy Notice.

Sharing data with Third Parties

We share your personal information within the Biffa Group of companies and with trusted third-party service providers to manage and deliver our products, applications, and services. We do this to ensure the smooth operation of our business and improve the customer experience. Below are the categories of recipients with whom we may share your data:

Service Providers and Suppliers

We may share your personal data with trusted third parties, such as:

  • Retail suppliers and logistics providers

  • IT software, and communications service providers

  • Marketing researchers, and customer engagement agencies

  • Payment processing services, banks, and credit checking organisations

  • Professional advisors and contractors engaged to support our business operations

These service providers are contractually obligated to handle your data securely and use it only for the specific purposes we define. We assess their compliance with data protection regulations and ensure they implement appropriate safeguards.

Additionally, your data may be disclosed in certain situations such as:

  • in the event that we sell our business or assets, in which case we may disclose your personal data to the prospective buyer of such business or assets;

  • if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our Terms and Conditions and other agreements; or to protect the rights, property, or safety of either or both of the Companies, our customers, or others.

Marketing Partners

For marketing purposes, we may share personal data with platforms like Google, Meta, TikTok and other social media channels. This data is used to serve relevant advertisements to you based on your previous interactions with our website. You have the option to opt out of targeted advertising through these platforms.

These partners may use this information in accordance with their own privacy policies to provide services such as ad targeting, performance measurement, and audience insights.

Where appropriate, we implement measures to protect your personal data before sharing it, such as hashing identifiers (e.g., email addresses) to ensure the information is not directly identifiable.

In some instances, these marketing partners will act as a data controller using data solely for their own purposes. In some situations, Company Shop Group and these partners will be acting as Joint Controllers.

In accordance with data protection legislation, Company Shop Group has entered arrangements with Meta and Google to define each party’s respective responsibilities for complying with the requirements of the General Data Protection Regulation (GDPR) and the UK GDPR in relation to joint processing activities. These arrangements are documented in the Controller Addendum (for Meta) and relevant joint controller terms (for Google).

Under these agreements, Company Shop Group is responsible for providing data subjects with the required privacy information. Meta, TikTok and/or Google, as applicable, are responsible for executing data subject rights under Articles 15 to 20 of the GDPR and UK GDPR, with respect to the personal data they hold following joint processing.

You have the option to opt out of targeted advertising through the settings provided by these platforms.

To find out more about how these companies handle your personal data please visit their privacy policies below:

How Google uses information from sites or apps that use our services – Privacy & Terms – Google

Meta | Privacy Centre | Manage your privacy on Facebook, Instagram and Messenger | Facebook Privacy

Privacy Policy | TikTok

Mergers and Acquisitions

In the event of a merger, acquisition, or other significant corporate transaction, your personal data may be shared with the parties involved in the transaction. We will ensure that appropriate data protection measures are in place, and any third party receiving your data will continue to comply with our privacy obligations.

Government Bodies and Legal Requirements

We may share your personal data with government bodies, regulatory agencies, or law enforcement when required by law or in response to legal processes (such as court orders or subpoenas). We also share data to protect our rights, prevent fraud, or address any potential threats to personal safety or property.

International Transfers

In some cases, your personal data may be transferred outside the UK, such as for processing or storage by our service providers or cloud storage providers. When this happens, we ensure that the transfer is in line with data protection laws. Appropriate safeguards, such as contractual obligations, are in place to protect your data when transferred to countries outside the UK.

How long do we retain your data and where is it stored?

All personal data you provide to us is stored on secure servers which are based in the UK.

Your personal data may be transferred to and stored at a destination outside of the European Economic Area (EEA). It may also be processed by our suppliers for the purposes set out above. In order to ensure that any third party processes your personal data in a way which is consistent with the UK and European Union (EU) laws on data protection, we have put in place agreements with those third parties, which contain provisions approved by the EU for protecting personal data. Please ask us if you would like to see a copy of these agreements.

Legal Basis for Processing

Company Shop Group will collect and use your personal data because it is necessary for

  • The pursuit of our legitimate interests,

  • The purpose of complying with our duties and exercising our right under a contract between ourselves and the customer

  • Complying with Legal obligations.

In general, we do not rely on consent as a legal basis for processing beyond direct marketing communication through E-Mail or text messages. If consent is withdrawn, then we will cease to process data from the date consent was withdrawn.

Legitimate Interests

  • Managing and supporting your membership application, creation, renewal, and account administration, ensuring only eligible individuals access our stores and services.

  • Enabling you to shop in-store, process transactions, issue receipts, and manage customer service queries relating to your purchases.

  • Providing and improving the membership experience, such as ensuring our stores are accessible and reflective of members’ needs.

  • Communicating essential service updates, store changes, or membership information that help you get the most out of your membership.

  • Analysing purchasing patterns and member activity to help us improve product availability, store operations, and pricing fairness.

  • Monitoring and improving the safety and security of our sites through CCTV and access control systems.

  • Supporting Community Shop operations and associated social impact initiatives to ensure fair and effective service delivery.

  • Ensuring you receive relevant updates or notifications related to the services you’ve viewed or shown interest in.

  • Tailoring your website experience by presenting the most relevant options and services based on your browsing history.

  • Improving the content and functionality of our website, ensuring it remains user-friendly, effective, and meets your needs.

  • Sending you personalised marketing communications, such as offers and recommendations, based on your interests and past interactions with us.

  • Showing targeted ads that are relevant to your preferences, ensuring you see content that aligns with your interests.

  • Analysing website traffic and usage patterns to enhance performance and improve the overall customer experience.

  • Detecting and preventing fraudulent activity, safeguarding both your information and the integrity of our services.

  • Complying with legal obligations, including responding to lawful requests from authorities and regulatory bodies.

  • Verifying your identity when needed, ensuring secure transactions and protecting your data from unauthorised access.

  • Managing our business efficiently, including network security, fraud prevention, and operational improvements.

  • Conducting research and development activities, allowing us to innovate and offer new products or services based on customer feedback.

  • Maintaining the security of our platform and protecting it from cyber threats, ensuring a safe online environment.

Legal Obligations

We may process your data to comply with legal requirements, including:

  • Processing your Personal Data when required to comply with legal and regulatory obligations, such as law enforcement requests or statutory requirements.

  • We process your Personal Data to verify your identity and fulfil data subject rights (DSR) requests, such as access, correction, or deletion of your data.

  • We may also process data to meet compliance obligations related to security, tax, and accounting laws.

Consent

For certain activities, such as marketing communications and push notifications, we rely on your consent. This includes:

Marketing emails and messages

  • Keeping you informed about offers, updates, and relevant services.

Push notifications

  • Sending real-time updates or alerts to your device when you have opted in.

You have the right to withdraw your consent at any time by updating your consent status through unsubscribe processes in our marketing communication or through the notification settings on your device.

Your Rights

Right of Access

You have the right to request a copy of personal data we hold about you.

Right to Rectification

You can ask us to update or correct any incorrect personal data we have about you.

Right to Erasure or to be Forgotten

You can request us to delete your personal data in certain situations so long as we have no justifiable reason for retaining it.

Right to Restrict Processing

In some situations, you can ask us to “restrict processing” of your data, which means we keep it stored and secured but no longer use it beyond that.

Right to Object to Processing

You have the right to opt out of any marketing communication we send you and object to the use or storage of your data if we have no legitimate reason to do so.

Right to Data Portability

In some circumstances, you have the right to supply or provide information in a machine-readable format to another organisation.

Data Security

Any payment transactions will be encrypted. Where we have given you (or where you have chosen) a password which enables you to access certain parts of the Website, you are responsible for keeping this password confidential. We ask you not to share your password with anyone. Unfortunately, the transmission of information via the internet is not completely secure. Although we do our best to protect your personal data, we cannot guarantee the security of your personal data transmitted to the Website; any transmission is at your own risk. Once we have received your personal data, we will use strict procedures and security features to try to prevent unauthorised access to it.

We will retain your personal data for no longer than is necessary for the purposes for which they are processed. For job applicants, we will retain application forms, CVs and interview notes for one year. CCTV images are stored for a maximum of 90 days before being destroyed. For members, we will retain personal data for a maximum of seven (7) years from the date on which your membership comes to an end, after which time it will be deleted.

Cookies

We use cookies and similar technologies such as pixels, tags, and other identifiers to enhance your experience on our Website and Apps. These tools help us remember your preferences, analyse how our platforms are used, and tailor our marketing efforts to better serve you. 

You can find more information on how we use cookies by visiting our cookie policy.

Use of Microsoft Clarity

We use Microsoft Clarity, a web analytics tool provided by Microsoft. It provides insights such as heatmaps, session recordings, and interaction metrics. This enables us to better understand how users interact with our website and improve overall website user experience.

Microsoft Clarity only collects data such as mouse movements, clicks, and scroll behaviour. This data is anonymised, meaning individuals are not directly identified.

Microsoft Clarity may also use the data collected to improve its products and services, as detailed in its own privacy policy. For more information about how Microsoft Clarity handles data and protects your privacy, please visit Microsoft’s official privacy statement at privacy.microsoft.com.

By using our website, you consent to the processing of data by Microsoft Clarity and its partners as outlined above.

Contact & Complaints

If you wish to exercise any of your rights detailed above, would like to make a complaint or have any questions regarding this privacy policy, please email us at membership@companyshop.co.uk or write to us at Member Services Team, Company Shop Limited, Wentworth Way, Wentworth Industrial Estate, Tankersley, Barnsley, S75 3DH.

If we are unable to resolve your complaint, you can lodge a complaint with the Information Commissioner’s Office (ICO) if you believe your data protection rights have been violated. The ICO is the UK’s independent authority set up to uphold information rights.

For more information or to make a complaint, you can contact the ICO directly at: 

ICO Contact Details 
Website: https://www.ico.org.uk 
Helpline: 0303 123 1113 
Email: casework@ico.org.uk 

Links from the website

The Website may contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

Changes to our Privacy Policy

This policy may be reviewed and amended from time to time. Any changes we may make to our privacy policy in the future will be posted on this page and, where appropriate, notified to you by e-mail.