
Privacy notice

Protecting your privacy

John Lewis Partnership
1. Introduction

This Privacy Notice applies to visitors to our websites, app users, and all other customers of the John Lewis Partnership across our retail, finance and insurance offerings (see section 2 (What is The John Lewis Partnership?) below). For simplicity we refer to all of these categories of individuals collectively as ‘you’ or ‘your’ in this Privacy Notice.

This Privacy Notice explains in detail the types of personal data we may collect about you when you interact with us. It also explains how we’ll store and handle that data, and keep it safe.

We know that there’s a lot of information here but we want you to be fully informed about your rights, and how the John Lewis Partnership uses your data.

For example, we will explain things such as our credit checking procedure and how we share data among the John Lewis Partnership and combine it with other data we have to build a picture of you.

We hope the information in this Privacy Notice will answer any questions you have but if not, please do get in touch with us (see section 15 (Any questions?) for our contact information).

Our products and services are intended for those aged 16 and over. We do not knowingly collect data from individuals under the age of 16, unless you list/name them as a beneficiary of one of our products and services (for example, an insurance policy provided by John Lewis Money).

It’s likely that we will need to update this Privacy Notice from time to time. We will make updated versions available on our website(s) and will notify you of any significant changes via email (if you have provided your email address to us). You are welcome to come back and check the most up to date version of this Privacy Notice on our website(s) whenever you wish. You can check when it was last updated at the end of this Privacy Notice.

Which John Lewis Partnership entity is the controller of your personal data in specific circumstances will depend on how you interact with us and the products and services you are using. This Privacy Notice covers how all companies in the John Lewis Partnership use your personal data (see section 2 (What is The John Lewis Partnership?) below).

When you are using the John Lewis websites, John Lewis plc is the data controller. If you access our websites from a territory outside of the UK, please note John Lewis plc and the other constituent entities of the John Lewis Partnership are UK based companies and therefore, personal data that we may collect about you through cookies or online forms will be transferred from the territory you are in to the UK. See section 11 (Where your personal data may be processed) for more details.

2. What is The John Lewis Partnership?

The John Lewis Partnership is made up of a number of related entities, each of which uses a variety of trading names:

  • John Lewis plc – including John Lewis The Gift List, Home Solutions, my John Lewis loyalty, Joint Loyalty, and John Lewis for Business.

  • John Lewis Finance Limited (trading as John Lewis Money). You can find out more about how John Lewis Money handles your personal data in section 7 (John Lewis Money).

  • Waitrose Ltd – including myWaitrose loyalty, Waitrose Groceries, Waitrose Garden, Waitrose Florist, Waitrose Cellar, Waitrose Gifts, Cook Well from Waitrose, Waitrose Cookery School, Leckford Estate (The Waitrose Farm).

If you have any questions about the entities which form part of the John Lewis Partnership you can contact us using the details in section 15 (Any questions?).

Our business is employee-owned and for the purposes of this Privacy Notice we refer to our employee-owners as ‘Partners’.

For simplicity throughout this Privacy Notice, we refer to the John Lewis Partnership, including all of its brands, the entities forming part of it, and our Partners, collectively as ‘the Partnership’, ‘we’, ‘us’ and ‘our’.

This Privacy Notice applies to the Partnership and all entities forming part of it unless we tell you otherwise in a particular section. Where a particular section only applies to certain entities or parts of the Partnership, the relevant entities, brands, or parts are referenced specifically.

3. When do we collect your personal data?

We collect personal data in several different ways when you visit our websites, when providing goods or services to you and, in some circumstances, we may also collect your personal data from third parties. This includes:

Direct interactions with you

  • When you visit any of our websites, and use your account to buy products and services, or redeem vouchers from the Partnership on the phone, in a shop or online.

  • When you make an online purchase and check out as a guest (in which case we just collect transaction-based data).

  • When you create an account with us, for example, on our websites or apps, as part of our retail offering, or in connection with finance or insurance products.

  • When you purchase a product or service in store or by phone but don’t have (or don’t use) an account.

  • When you engage with us on social media.

  • When you download or install one of our apps.

  • When you join a Partnership loyalty programme (e.g. my John Lewis or myWaitrose) or joint loyalty membership.

  • When you apply for and maintain a credit card with us.

  • When you apply for a loan.

  • When you provide us with your information to obtain a quote for, or apply for, one of our insurance products and maintain an insurance policy with one of our chosen insurance underwriters.

  • When you purchase Foreign Currency from us we'll collect personal information, such as your name, address and proof of identity.

  • When you sign up to my John Lewis you will be given access to an area called Kitchen Drawer. This will collect and store all of your receipts, guarantees and warranties for you when you make a purchase from John Lewis & Partners shops and johnlewis.com.

  • When you contact us by any means with queries, complaints etc.

  • When you enter prize draws or competitions.

  • When you book any kind of appointment with us or book to attend an event, for example a class at Waitrose Cookery School.

  • When you choose to complete any surveys we send you.

  • When you comment on or review our products and services. Note any individual has a right to access personal data related to them, including opinions. So if your comment or review includes information about the Partner who provided that service, it may be passed on to them if requested.

  • When you are involved in a claim concerning a policyholder or beneficiary under an insurance policy held with John Lewis Money (as a policyholder, witness, beneficiary or otherwise).

  • When you use our car parks and shops which usually have CCTV systems operated for the security of both customers and Partners. These systems may record your image during your visit and other data including vehicle registration number.

  • Sometimes we use body worn video and audio recording in our shops and car parks for the security and safety of customers and Partners.

  • Any other time you provide your personal data to us. For example, if you fill in any forms online or in-store, sign up to a product user testing trial, or provide contact details to one of our Partners in connection with any products or services.

Third parties and publicly available sources

  • We may obtain your data from other members of the Partnership to help provide a combined user experience across the products and services we provide to you.

  • When you’ve given a third party permission to share with us the information they hold about you.

  • We may obtain your personal data from our service providers and other third parties that enable us to provide products and services to you, for example your bank or payment service provider.

  • We may collect your information from social media platforms and digital advertising partners when you interact with our content, promotions, or advertisements, or when our partners share insights about how customers engage with our campaigns.

  • We collect data from third parties to help us better understand which of our products and services you may be interested in to carry out marketing of those products and services to you (see section 13 (How can you stop the use of your personal data for direct marketing?)).

  • We collect data from publicly available sources when you have given your consent to share information, where you have chosen to make it public, or where the information is made public as a matter of law. This may include HM Land Registry data (© Crown copyright and database right 2021, licensed under the Open Government Licence v3.0).

  • When our John Lewis Money suppliers and partners – for example, NewDay, Mastercard or First Rate – share information with us about the product or service you have purchased or applied for.

  • If you use John Lewis Money personal finance or insurance products or services, we, our finance partners or insurance underwriters will collect your personal data – and, for insurance, the personal data of any other individuals named or co-insured on your policy (for example additional drivers or joint policyholders) – from third parties who carry out credit reference, identity verification or fraud prevention checks, such as credit reference agencies, fraud prevention bodies, the DVLA or the Insurance Fraud Bureau.

  • When John Lewis Money partners and suppliers provide us with your information (including information about customer behaviour and trends) to help us provide an accurate quote for, or consider your application for, one of our insurance products and maintain an insurance policy with one of our chosen insurance underwriters.

  • When we receive alerts or reports from law enforcement or regulatory bodies about suspected fraud in relation to financial products or services including loans, credit cards and insurance.

4. What sort of personal data do we collect?

We collect, use, store and process different types of personal data depending on how you interact with us and the products and services we are providing to you, as set out in more detail below. The categories listed below are illustrative and not exhaustive. They may overlap so the same information might be relevant to more than one category, and in specific instances we may need to collect additional data for the purposes set out in this Privacy Notice. More detail about how we use specific categories of data in the different parts of our business is set out in the table at Section 6 (How and why do we use your personal data?) below.

The personal data we collect, use, store and process may include:

Identity data

  • Your name, gender and age/date of birth (for example, if you have a web account with us or are required to provide your date of birth for particular goods or services). We will also collect this information about your listed beneficiaries of one of our products and services.

  • Copies of documents you provide to prove your age, identity or address where the law requires this (including your passport and driver's license). This will include details of your full name, address, date of birth and facial image. If you provide a passport, the data will also include your place of birth, gender and nationality.

Contact data

  • Billing/delivery address, email address and telephone number.

  • Your social media username, if you interact with us through those channels, to help us respond to your comments, questions or feedback.

Financial and transaction data

  • Details of purchases and orders you make with us, voucher redemptions, payment methods and payment card information.

  • Billing/delivery address.

  • Orders and receipts.

  • Details of your payment or credit history, if this is relevant to our products or services.

Claims data

  • Details of your previous insurance claims history with either us, our partners or any other insurance provider.

  • Details of any claim you make under an insurance policy/contract you have taken with us or our partners (or where you are a beneficiary under a policy with us).

Profile data

  • Details of our web or app accounts. For your security, we’ll also keep an encrypted record of your login password (if you have a web or app account with us).

  • When you are part of a user trial, to ensure you are sent relevant & appropriate products we may ask for vital statistics & details on your household.

Technical data

  • Information gathered by the use of cookies in your web browser. Learn more about how we use cookies and similar technologies in our Cookies Notice.

  • Open rates, click through rates on email marketing campaigns through the use of Pixels.

  • To deliver the best possible web experience, we collect technical information about your internet connection and browser as well as the country and telephone code where your computer is located, the web pages viewed during your visit, the advertisements you clicked on, and any search terms you entered.

Usage data

  • Details of your visits to our websites or apps, and which site you came from to ours.

  • Details of your interactions with us through contact centres, in store, online or by using one of our apps.

    For example, we collect notes from our conversations with you, details of any complaints or comments you make, details of purchases you made, items viewed or added to your basket, gift list and wish list choices, voucher redemptions, brands you show interest in, web pages you visit and how and when you contact us.

Marketing and communications data

  • Details of your shopping preferences.

    For example, which of our shops you prefer to visit and where you redeem your vouchers.

  • Any items you may have added to your Wish List (if you have a web or app account with us).

  • Personal details which help us to recommend items of interest.

    For example, you might tell us your clothing size, which we’ll use to guide our suggested items. Or you might share information on your skin type which allows us to recommend appropriate beauty brands when you use our beauty tool.

    Note: We’ll only ask for and use your personal data collected for recommending items of interest and to tailor your shopping experience with us. Of course, it’s always your choice whether you share such details with us.

  • When you shop online, we capture information about how you interact with our website through cookies and similar technologies for the purposes of understanding better which of our products and services you may be interested in, carrying out marketing of those products and services to you, and tailoring your experience of our websites, products and services based on our interactions with you.

  • Your comments and product reviews, correspondence and communications with us.

  • Publicly available information, including any which you have shared via publicly accessible social media or other public platforms.

Image data

  • Your image may be recorded on CCTV when you visit a shop or car park. We may also record audio or image data when body worn video is in use.

  • Your car number plate may be recorded at some of our car parks to manage parking restrictions.

  • We do not collect, store or share the data that ARKit, TrueDepth API, or other augmented reality (AR) software, uses in our apps. We use your device’s TrueDepth camera system to track facial movement, and apply imagery to your face. To use these features, we need access to your device’s camera. You can turn camera access on or off at any time in your device’s settings.

  • We only use the camera images and depth data we get from Apple’s APIs to apply imagery to your face. We never store this data locally or remotely, or share it with third parties. This data will never leave your device.

Combining your data with data obtained from other sources

  • We want to bring you offers and promotions that are most relevant to your interests at particular times. To help us form a better, overall understanding of you as a customer, we combine your personal data gathered across the Partnership as described in this Privacy Notice. This may include sharing data within similar parts of our business (for example, your shopping history at both John Lewis and Waitrose) or across different parts of the business (for example, details of the products and services sold to you by John Lewis Money and your purchase history at our stores).

  • For market research purposes, and to help us bring you offers, products and promotions most relevant to you, we also combine the data that we collect directly from you with data that we obtain from third parties to whom you have given your consent to pass that data onto us or where it is otherwise lawful for us to use it – such as the Land Registry mentioned above.

Aggregated and anonymous information

  • We, or our service providers, may use, store and process aggregated and anonymous information which has been derived from your personal data. When personal data has been aggregated, it will not relate to an identified or identifiable person, and once personal data has been rendered anonymous, a person will no longer be identifiable (‘anonymous information’).

  • In certain circumstances, either we or our service providers may use this anonymous information for our own purposes, in addition to the purposes for which the personal data was originally obtained.

  • We may also use anonymous information for the following purposes: we or our service providers may analyse overall purchasing trends, common product combinations, shopping history or general customer behavioural patterns and characteristics in respect of our retail, financial and insurance products and services to identify trends, insights and build customer profiles and lookalike audiences, and ensure we can keep up with demand, develop new products/services, or offer certain products/services to targeted audiences. We may use these insights ourselves – for instance, to improve our products and services, to target specific customer engagement, or to augment pricing models for insurance provided by John Lewis Money – or share them in anonymised form with trusted partners for purposes such as marketing analysis, trend forecasting, service development, price modelling or fraud prevention.

Special category and sensitive personal data

  • Depending on the products and services you use, we may collect, use, store and process personal data that is particularly sensitive and therefore requires additional protection under data protection laws (‘special category personal data’). In particular, we may process special category personal data concerning your racial or ethnic origin, political opinions, religious or philosophical beliefs, or health.

    For example when you make a claim under an insurance policy provided through John Lewis Money or our chosen partners, we may share your special category personal data (such as health data, depending on the type of policy and claim) with our partners (and our partners may share such data with us) to administer the claim.

  • In some cases, we may collect information relating to criminal convictions and offences (including motoring offences and convictions).

    For example when you apply for certain financial or insurance products provided through John Lewis Money or our chosen partners, you may be asked to provide details of relevant convictions (including motoring offences and convictions).

5. Explaining the legal bases we rely on

The law requires us to have a ‘lawful basis’ for collecting and processing your personal data. We may ask for your consent for certain activities, but there are several other lawful bases we may rely on as well as or instead of your consent. The lawful bases we rely on to process your personal data include:

Consent
In specific situations, we may collect and process your data with your consent.

For example when you tick a box to receive email newsletters.

When collecting your personal data on the basis of consent, we’ll always make clear to you which data is necessary in connection with the particular service to which the processing relates.

Contractual obligations
In certain circumstances, we need your personal data to comply with our contractual obligations under a contract with you or because you have asked us to take specific steps before entering into a contract with you.

For example, if you order an item from us for home delivery, we’ll collect your address details to deliver your purchase, and pass them to our courier. If you apply for a loan, credit card, or insurance with John Lewis Money or our partners, we might need to conduct appropriate background checks and screening prior to entering into a contract with you.

Legal compliance
If the law requires us to, we may need to collect and process your data.

For example, we can pass on details of people involved in fraud or other criminal activity affecting the Partnership to law enforcement, and may be required to carry out customer due diligence checks and screening when you apply for certain John Lewis Money products and services to comply with our anti-money laundering obligations.

Legitimate interest
In specific situations, we require your data to pursue our legitimate interests or the legitimate interests of a third party. Generally this will be in ways which are reasonably to be expected as part of running our business. We will not rely on this lawful basis to process your personal data where our legitimate interests or the legitimate interests of the relevant third party are overridden by your interests or fundamental rights and freedoms.

For example, we will use your purchase history to send you or make available personalised offers, unless you tell us not to (see section 13 (How can you stop the use of your personal data for direct marketing?)).

Public interest
In specific circumstances, we may use your personal data where it is necessary to perform a specific task in the public interest that is set out in law.

For example, we may use your identity data to carry out fraud and anti-money laundering screening to prevent financial crime.

You can find more details of how and why we process your personal data, and the lawful bases we rely on for different processing activities, in section 6 (How and why do we use your personal data?).

6. How and why do we use your personal data?

We have set out below a description of how and why we plan to use your personal data and the lawful bases we rely on. We have described this across the John Lewis Partnership generally, in the General Partnership Purposes table, as well as some more specific information for Shopping and Retail and for John Lewis Money.

General Partnership Purposes

Purpose | Categories of data | Lawful basis

To process payments and prevent fraudulent transactions

- Identity data

- Financial and transaction data

- Aggregated and anonymous data

- Legitimate interest, to operate our business and protect us and customers from fraud

Processing your transactions safely and securely

- Financial and transaction data

- Profile data

- Legitimate interest

- Contractual obligations

- Legal compliance

To communicate with you, including to: provide you with tracking information so you can follow your order; respond to your queries, refund requests and complaints; and record our communications to inform any future communication

- Identity data

- Contact data

- Transaction data

- Profile data

- Usage data

- Marketing and communications data

- Contractual obligation, to enhance your customer experience and give you more information about where your delivery is and when your order will arrive

- Legal compliance

- Legitimate interest in providing you with the best service and understanding how we can improve our service based on your experience

To provide you with a quote for a product or service across our Partnership, including to provide you with insurance or financial products or services, and to administer the same

- Identity data

- Contact data

- Financial and transaction data

- Profile data

- Conviction and criminal record data (if relevant)

- Legitimate interest, to protect our business interests and ensure appropriate pricing practices

- Contractual obligation, to provide information to you prior to entering a contract

- Legal compliance, for example where we are required to carry out anti-money laundering screening and other identity verification procedures

To authenticate your identity when you are using our apps

- Identity data (which may include your date of birth)

- Profile data (such as passwords)

- Contact data (such as email address or phone number)

- Consent (when use of your data is optional)

- Contractual obligations

- Legitimate interest

- Public interest

To administer any of our prize draws or competitions which you enter

- Identity data

- Contact data

- Financial and transaction data

- Profile data

- Usage data

- Consent (given at the time of entering)

- Contractual obligation, to fulfil our obligations to you if you win

Postal marketing, including sending you relevant, personalised communications by post in relation to updates, offers, services and products

- Identity data

- Contact data

- Financial and transaction data

- Profile data

- Usage data

- Marketing and communications data

- Legitimate interest

Electronic direct marketing, and tailoring direct marketing communications to your specific interests

- Identity data

- Contact data

- Financial and transaction data

- Profile data

- Technical data

- Usage data

- Marketing and communications data

- Consent

- Legitimate interest (unless consent is legally required or you have opted out)

To tailor electronic direct marketing (email, web, text, telephone, and through our contact centres), special offers, discounts, promotions, events, competitions and other similar communications to you (if you are in the UK)

- Identity data

- Contact data

- Financial and transaction data

- Profile data

- Technical data

- Usage data

- Marketing and communications data

- Consent

- Legitimate interest (unless consent is legally required or you have opted out)

Of course, you are free to opt out of hearing from us by any of these channels at any time.

Combining data from across the Partnership, third parties and publicly accessible lists to get the richest picture we can of who you are and give you the best possible customer experience. In the case of loyalty card scheme members, we’ll also offer you relevant rewards.

- Personal info

- Contact details

- Financial and transaction data

- Profile data

- Technical data

- Usage data

- Marketing and communications data

- Legitimate interest (unless consent is legally required or you have opted out)

- Consent

Recording your interactions with us across the Partnership (e.g., looking at how often you might shop with us or how much you spend) to create a profile on how you interact with us. In turn, this can affect how we engage with you; for example, if you shop with us regularly, then this can affect what offers and rewards you might receive from us.

- Identity data

- Contact data

- Financial and transaction data

- Profile data

- Technical data

- Usage data

- Marketing and communications data

- Legitimate interest, to ensure we have a clear view of what you like and to ensure that you are rewarded appropriately, so that direct marketing or browsing on our websites is tailored to your preferences

- Contractual obligation, to perform our services (for example to allow your receipts to be stored in your Kitchen Drawer on your online account, if you have one)

To carry out market research

- Identity data

- Contact data

- Financial and transaction data

- Profile data

- Technical data

- Usage data

- Marketing and communications data

- Legitimate interest, to improve our products and services

We may also use aggregated or anonymous information for this and related purposes.

To send you communications required by law or which are necessary to inform you about our changes to the services we provide you. For example, updates to this Privacy Notice, product recall notices, and legally required information relating to your orders. These services will not include any promotional content and do not require prior consent when sent by email or text message.

- Identity data

- Contact data

- Financial and transaction data

- Profile data

- Usage data

- Legal compliance, to comply with applicable legal and regulatory requirements relevant to our products or services

To protect our business and your account from fraud and other illegal activities, including to maintain, update and safeguard your account, and monitoring your IP address and browsing activity with us to

- Financial and transaction data

- Profile data

- Technical data

- Usage data

- Legitimate interest, to quickly identify and resolve any problems and protect the integrity of our websites

- Legal compliance

- Contractual obligation, to comply with the terms and conditions of our apps, accounts, or other relevant services we provide to you

To prevent and detect crime, including CCTV systems in our stores and car parks, audio (where body worn video is in use), and screens at self-checkout areas

Our CCTV systems do not use facial recognition nor do they collect biometrics; they are also not connected to other systems containing personal data

- Image data

- Legitimate interest, to prevent and detect crime and to protect our customers and Partners

If we discover any criminal activity or alleged criminal activity through our use of CCTV, fraud monitoring and suspicious transaction monitoring, we will process this data for the purposes of preventing or detecting unlawful acts

- Financial and transaction data

- Technical data

- Usage data

- Image data

- Conviction and criminal record data

- Legitimate interest, to protect our business, customers and Partners

Managing our car parks in conjunction with Britannia Parking (their privacy notice can be found here)

- Image data

- Legitimate interest

- Legal compliance (to ensure safety on our premises)

Data analytics, including to develop, test and improve the systems, services and products we provide to you

- Identity data

- Financial and transaction data

- Technical data

- Usage data

- Marketing and communications data

- Legitimate interest, to improve our products and services

To analyse the effectiveness of our advertising through third parties (including Meta, Reddit and Google)

- Usage data

- Technical data

- Consent to advertising cookies

You can opt out of Meta, Reddit or Google’s use of data through their respective platforms. For information on how you can change which cookies you have consented to, please see our Cookies Notice.

To inform business decisions, for example which third party websites we partner with to ensure our advertising reaches our customers

- Financial and transaction data

- Profile data

- Technical data

- Usage data

- Marketing and communications data

- Legitimate interest

To display the most interesting content to you on our websites or apps. For example, we might display a list of items you’ve recently looked at, or offer you recommendations based on your purchase history and any other data you’ve shared with us

- Financial and transaction data

- Profile data

- Technical data

- Usage data

- Marketing and communications data

- Consent (to receive app notifications and / or for our websites to place cookies or similar technologies on your device)

- Legitimate interest

Sharing data with law enforcement or a court of law, for example when a court order is submitted to share data with law enforcement agencies or a court of law

- Identity data

- Contact data

- Financial and transaction data

- Profile data

- Technical data

- Usage data

- Conviction and criminal record data

- Legal compliance, for example to comply with law enforcement agencies or court orders

To process any orders that you make using our websites, apps or in-store, including retaining your information for a reasonable period in order to fulfil any contractual obligations such as refunds, guarantees and so on

- Identity data

- Contact data

- Financial transaction data

- Profile data

- Usage data

- Communications data

- Contractual obligation

- Legitimate interest

- Legal compliance

To ensure your purchases are correctly assigned to you

- Identity data

- Contact data

- Financial and transaction data (including payment card token ID (an ID given to your debit or credit card by the banking industry))

- Profile data

- Usage data

- Legitimate interest, including to improve the service that we provide to you

- Contractual obligation, for example to ensure your purchases show on your account or your points are recorded correctly for your partnership card

To deliver a product that is delivered by the manufacturer or supplier of said product, or to provide warranties provided by the manufacturer or supplier of the product. For example, if you buy a washing machine from us we will pass your details to the supplier of the washing machine to ensure the delivery of the goods and to fulfil any supplier product guarantees.

- Identity data

- Contact data

- Transaction data

- Contractual obligation, to provide the products and services we agree to provide you

To provide you with a retail product you have requested

- Identity data

- Contact data

- Profile data

- Marketing and communications data

- Legitimate interest, to fulfil a request made by you

- Contractual obligation, to provide a product requested by you

- Legal compliance, for example where applicable law requires us to process your personal data

To process your booking/appointment requests (such as with a personal stylist). Sometimes we’ll need to share your details with a third party who is providing a service (such as a delivery courier or a fitter visiting your home).

- Identity data

- Contact data

- Financial and transaction data

- Profile data

- Usage data

- Contractual obligation, to maintain our appointment with you

To provide you with an insurance service you have requested (which may be through one of our partners)

- Identity data

- Contact data

- Financial and transaction data

- Profile data

- Usage data

- Conviction and criminal record data

- Claims data

- Contractual obligation, to enter into or perform a contract with you

- Legal compliance, to comply with financial crime and other applicable laws

- Legitimate interest, to facilitate the sustainable operation of our business

For my John Lewis or joint loyalty members, to decide which information or products to show you, with the help of computer algorithms

- Identity data

- Contact details

- Financial and transaction data

- Profile data

- Technical data

- Usage data

- Marketing and communications data

- Consent (obtained when you become a my John Lewis or joint loyalty member)

If you don’t want to continue receiving my John Lewis offers, you’ll be unable to continue your my John Lewis or joint loyalty membership.

For myWaitrose or joint loyalty cardholders, to provide you with tailored offers, printed with your till receipts at the end of a shopping trip

- Identity data

- Contact data

- Financial and transaction data

- Profile data

- Technical data

- Usage data

- Marketing and communications data

- Consent (obtained when you become a myWaitrose or joint loyalty member)

If you don’t want to continue receiving myWaitrose offers, you’ll be unable to continue your myWaitrose or joint loyalty membership.

To send you email notifications when you place a product in your basket and you abandon your browsing before completing your checkout

- Identity data

- Contact data

- Financial and transaction data

- Profile data

- Technical data

- Usage data

- Marketing and communications data

- Legitimate interest, on the basis of soft opt-in (unless you have opted out)

To provide you a Partnership credit card and related services, including points and payments

- Identity data

- Contact data

- Financial and transaction data

- Profile data

- Contractual obligation, to provide relevant products and services to you

- Legitimate interest, to enable us to provide the best possible service

- Legal compliance, to comply with applicable financial and other laws and regulations

To provide you with an insurance service you have requested (which may be through one of our partners)

- Identity data

- Contact data

- Financial transaction data

- Profile data

- Usage data

- Conviction and criminal record data

- Claims data

- Contractual obligation, to enter into or perform a contract with you

- Legal compliance, to comply with financial crime and other applicable laws

- Legitimate interest, to facilitate the sustainable operation of our business

To sell you foreign currencies, provide other travel money services and facilitate payments (including domestic and international payments)

- Identity data

- Contact data

- Financial transaction data

- Profile data

- Legitimate interest

- Contractual obligation

- Legal compliance

To assess your eligibility for and provide you with a loan or other financial product or instrument

- Identity data

- Contact data

- Financial transaction data

- Profile data

- Conviction and criminal record data (if relevant)

- Legitimate interest

- Contractual obligation

- Legal compliance

To carry out screening and checks to keep your money and data secure, to detect and prevent fraud, money laundering and other criminal or illegal activities, and to verify your identity before we provide services to you

- Identity data

- Financial transaction data

- Conviction and criminal record data

- Legitimate interest, to protect our business interests and ensure appropriate pricing practices

- Legal compliance, for example where we are required to carry out screening and other identity verification procedures

- Consent

- Public interest

To recover debt and exercise any other rights we have under an agreement with you. We may also share your data with third party debt collection agencies for this purpose.

- Identity data

- Contact data

- Financial transaction data

- Conviction and criminal record data

- Legitimate interest to make sure our business is sustainable and debts are recovered, or making sure our rights and assets are protected

- Contractual obligation

- Legal compliance

- Public interest

To apply for or obtain quotations for insurance on your behalf, to assess insurance risk and prevent fraud, and to help the underwriter or provider to manage your insurance

- Identity data

- Contact data

- Financial transaction data

- Conviction and criminal record data (if relevant)

- Claims data

- Contractual obligation

- Legitimate interest

- Legal compliance

- Consent (if we use special category personal data)

Further information on how and why John Lewis Money uses your personal data (in addition to the above) is set out in section 7 (John Lewis Money) below.

If you wish to change how the Partnership uses your data, you’ll find details in section 12 (What are your rights over your personal data?).

Remember, if you choose not to share your personal data with us, or refuse certain contact permissions, we might not be able to provide some services you’ve asked for.

For example, if you’ve asked us to let you know when an item comes back into stock, we can’t do that if you’ve withdrawn your general consent to hear from us.

7. John Lewis Money

This section sets out more details of how John Lewis Money uses your personal data, including its use of special category and sensitive personal data, and its sharing of your personal data with other members of the Partnership and third parties. This section is in addition to, and should be read alongside, the other sections of this Privacy Notice, including section 6 (How and why do we use your personal data?) and section 10 (Who do we share your personal data with?).

7.1 Special category and sensitive personal data

John Lewis Money’s processing of special category personal data and other sensitive personal data is on the following lawful bases: (i) public interest; (ii) to establish, take or defend a legal action; (iii) consent; or (iv) legal compliance. Further details of specific purposes for which John Lewis Money may use your special category or sensitive personal data are as follows:

Purpose: Carrying out due diligence and other checks or screening, for example credit, background or sanctions checks, which may reveal political opinions or information about criminal convictions or offences

Categories of special category or sensitive data:

- Financial and transactions data

- Racial or ethnic origin

- Political opinions

- Religious or philosophical belief

Lawful basis:

- Public interest

- Legal compliance

- Legitimate interest

Purpose: To detect and prevent fraud, money laundering and other illegal activities, or to verify your identity (see section 7.3 for more detail)

Categories of special category or sensitive data:

- Technical data (for example location, IP address and how you interact with our websites or apps)

- Biometric data (such as facial images and keystroke analysis)

Lawful basis:

- Consent (where the use of biometrics is optional, depending on the nature of the products and services we are providing)

- Public interest

- Legitimate interest

- Legal compliance

- Performance of a contract with you

Purpose: To assess whether you are in vulnerable circumstances (such as bereavement, homelessness, or another circumstance that might make you more susceptible to harm), and to help provide, manage and personalise our services and products

Categories of special category or sensitive data:

- Health data and other information about your personal circumstances or private life

Lawful basis:

- Legitimate interest, to make sure we are providing products and services that meet your needs

- Consent (particularly where we are processing special category or sensitive personal data such as medical information)

- Public interest

Purpose: To enable us to consider an application by you to temporarily postpone your debt repayments and to help us consider other suitable repayment options for you

Categories of special category or sensitive data:

- Health data and other information about your personal circumstances or private life

- Criminal conviction and offences data

Lawful basis:

- Public interest

- Consent

Purpose: To make our apps and other services which utilise special category or sensitive personal data available to you

Categories of special category or sensitive data:

- Biometric data (such as facial images and keystroke analysis)

Lawful basis:

- Consent

Purpose: To manage a claim made under an insurance policy provided by us or our partners

Categories of special category or sensitive data:

- Health data (if relevant)

- Identity data

- Contact data

- Claims data

Lawful basis:

- Contractual obligation

- Legitimate interest

- Legal compliance

- Consent

7.2 Sharing your personal data with the Partnership

When you purchase a product or service from John Lewis Money, other parts of the Partnership might receive a copy of the information you supplied. If you agree to receive marketing communications from John Lewis Money, we will use your data to personalise what we send you. We may also use your purchase history, or details of your interactions with us, to send you or make available personalised offers. You are free to opt out of receiving marketing communications from us at any time.

Find out more about the use of your data for marketing under the heading ‘Combining your data with data obtained from other sources’ in section 3 (When do we collect your personal data?). For details of how to opt out of marketing communications from us, see section 13 (How can you stop the use of your personal data for direct marketing?).

7.3 Sharing your personal data with fraud prevention agencies

John Lewis Money may share your personal data with fraud prevention agencies and other members of the National SIRA Syndicate (managed by Synectics Solutions Limited) who will use it to prevent fraud and money-laundering, to verify your identity and for related risk management. We, fraud prevention agencies and members of the National SIRA Syndicate do so as joint controllers of your personal data, on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with applicable laws. Such processing may also be required for us to perform our contractual obligations owed to you, or as part of entering into a contract with you, in connection with John Lewis Money products and services.

We and fraud prevention agencies may also:

  • use personal data to train artificial intelligence and machine learning models; and

  • enable law enforcement agencies to access and use your personal data, to detect, investigate and prevent crime.

Automated decisions

Decisions may be made by automated means as part of the processing of your personal data by us and fraud prevention agencies. This means we may automatically decide that you pose a fraud or money laundering risk if:

  • our processing reveals your behaviour to be consistent with that of known fraudsters or money launderers, or is inconsistent with your previous submissions; or

  • you appear to have deliberately hidden your true identity.

Consequences of processing

If we or a fraud prevention agency determine that you pose a fraud or money laundering risk, we may refuse to provide the products or services you have requested, or we may stop providing existing services to you. A record of any suspected fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you.

Further information

Further information about the National SIRA Syndicate can be found here. The privacy notice of Synectics Solutions Limited, which sets out how it uses your personal data to manage the National SIRA Syndicate, can be found here.

If you have any questions about how your personal data will be used by us, fraud prevention agencies, or other members of the National SIRA Syndicate, or your data subject rights in relation to the same, please email us at DPO@johnlewis.co.uk.

7.4 How our providers use your personal data

When you apply for a product or service from one of John Lewis Money’s chosen providers, your data will be collected and used by them under the terms of their own separate privacy policies.

Here are the privacy policies of our current third party providers: (all links open in a new window; please note we can't be responsible for the content of external websites)

The privacy policies listed above apply to the products and services currently offered by John Lewis Money and the providers of those products and services as at the date this Privacy Notice was last updated.

If you applied for or took out a product or service that is no longer offered by John Lewis Money, or with a different provider (for example, a provider we no longer use) the privacy policy of the provider responsible for that product or service from time to time will apply. This may include the original provider or a different provider if responsibility for the product or service is subsequently transferred.

Details of the relevant provider and the applicable privacy policy should have been provided to you when you applied for or took out the relevant product or service, and you may also have been notified if responsibility for that product or service has later been transferred to a different provider. If you are unsure which privacy policy applies to you, you can contact us using the details set out in section 15 (Any questions?).

We are not responsible for the content of any third party’s privacy policy or our providers’ compliance with their respective privacy policies.

7.5 Joint use of your personal data

John Lewis Money will share data with our providers to bring you relevant offers, updates, products and services, and discounts that reward your loyalty to our brands.

We may check your details with appropriate third parties (for example credit reference agencies, such as Experian) before we send you promotions for our financial services products, to ensure your information is accurate and fulfils our legal and regulatory obligations, and to tailor those offers to you.

Rest assured that all applications for financial services products will be assessed on a case-by-case basis.

This section 7 is specific to John Lewis Money. It should be read alongside the other sections of this Privacy Notice, as noted above. For information on the third parties with whom the Partnership generally (including John Lewis Money) may share your personal data, please refer to section 10 (Who do we share your personal data with?).

8. How we protect your personal data

We know how much data security matters to all our customers. With this in mind we will treat your data with the utmost care and take all appropriate steps to protect it.

We secure access to all transactional areas of our websites and apps using ‘https’ technology.

Access to your personal data is password-protected, and sensitive data (such as payment card information) is secured and encrypted to ensure it is protected.

We regularly monitor our system for possible vulnerabilities and attacks, and we carry out penetration testing to identify ways to further strengthen security.

9. How long will we keep your personal data?

Whenever we collect or process your personal data, we’ll only keep it for as long as is necessary for the purpose for which it was collected.

At the end of that retention period, your data will either be deleted completely or anonymised, for example by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis and business planning.

Some examples of customer data retention periods:

Orders

When you place an order, we’ll keep the personal data you give us for five years so we can comply with our legal and contractual obligations. In the case of certain products, such as electrical and nursery items, we’ll keep the data for 10.5 years.

When you purchase Foreign Currency from us, we'll retain any personal information you provide to us for up to seven years, in line with Regulations.

Warranties

If your order included a warranty, the associated personal data will be kept until the end of the warranty period.

10. Who do we share your personal data with?

Third party service providers and suppliers

We sometimes share your personal data with our trusted third party service providers and suppliers to enable us to make certain products and services available to you. These include:

  • IT companies who support our websites, products, services and other business systems.

  • Operational companies that administer particular products or services on our behalf, such as delivery couriers to contact you about your order delivery & occasionally service review messages, technicians visiting your home, third party providers of our John Lewis Money personal finance services, third party insurance underwriters if you are a John Lewis Money insurance customer.

  • Customer relationship management partners to help us handle complaints or personalise our offers to you.

  • Direct marketing companies who help us manage our electronic communications with you.

  • Google/Facebook to show you products that might interest you while you’re browsing the internet. This is based on either your marketing consent or your acceptance of cookies on our websites. See our Cookies Notice for details.

  • Data insight companies to ensure your details are up to date and accurate.

  • Data analytics companies who analyse aggregated information derived from your personal data.

  • Fraud prevention, identification and management partners.

  • Other third parties where you have asked us or given us your consent to do so.

Here’s the policy we apply to our third party service providers and suppliers to keep your data safe and protect your privacy:

  • We provide only the information they need to perform their specific services.

  • We impose contractual obligations on them to ensure your data is only used in accordance with our specific instructions for the purpose of providing services to us, and not for any other purposes.

  • We ensure that third parties apply appropriate technical and organisational measures to ensure your privacy is respected and protected at all times.

  • We impose contractual obligations on them to ensure that, if we stop using their services, any of your personal data held by them must either be deleted or rendered anonymous.

Sharing your data with third parties for their own purposes:

We will only disclose your personal data to a third party other than those listed above in very specific circumstances, for example:

  • With your consent, given at the time you supply your personal data, we may pass that data to a third party for their direct marketing purposes.

    For example, if you enter a holiday competition and tick a box agreeing that the travel company can send you promotional information directly. Or if we run a joint event with a restaurant, and you agree to receive direct communications from them.

  • For fraud management, we may share information about fraudulent or potentially fraudulent activity in our premises, systems, or concerning finance and insurance products provided by John Lewis Money. This may include sharing data about individuals with law enforcement bodies or screening organisations such as the Insurance Fraud Bureau.

  • In some cases we may share your contact details with our suppliers to manage the sending out of any replacement parts or items in the event of a product recall.

  • We may also be required to disclose your personal data to the police or other enforcement, regulatory or Government body, in your country of origin or elsewhere, upon a valid request to do so. These requests are assessed on a case-by-case basis and take the privacy of our customers into consideration.

  • We may, from time to time, expand, reduce or sell the Partnership and this may involve the transfer of divisions or the whole business to new owners. If this happens, your personal data will, where relevant, be transferred to the new owner or controlling party, under the terms of this Privacy Notice.

If you have purchased an Added Care product from John Lewis prior to 31st March 2020, we will have shared your personal data and details of the item you purchased with TWG Services Limited (trading as The Warranty Group) who manage all aspects of our Added Care products. They may contact you for issues related to the fulfilment of a guarantee or warranty.

When you purchase a Protect Plus policy from John Lewis from 18th May 2020 we will share your personal data and the details of the item that you have purchased with Domestic & General Insurance PLC who are the providers of the policy and manage all aspects of the Protect Plus scheme. They will use the information shared with them to contact you regarding the fulfilment of the policy and in order to administer the policy and/or offer you an extension or notification when your policy term is due to end. When you apply for a Protect Plus policy, your data will be used by Domestic & General Insurance PLC under the terms of their own separate privacy policy which is available here. For all queries regarding Protect Plus and how this is managed, please refer to the page here.

When you use our trade in services from 17th July 2023 we will share your personal data and the details of the trade in device and new device purchased with Likewize Services UK Limited who are the providers of the Trade-in service and manage all aspects of the scheme. They will use the information shared with them to contact you and in order to administer the scheme and make payments to you. Your data will be used by Likewize Services UK Limited under the terms of their own separate privacy policy which is available here. For all queries regarding Trade-in and how this is managed, please refer to the page here.

When you sign up to the myWaitrose and Vitality reward scheme we will share your information with Vitality along with transactions relevant to the scheme. This is to ensure you are rewarded correctly.

To help personalise your journey through Partnership websites we currently use the following companies who will process your personal data as part of their contracts with us:

  • CACI

  • Monetate

  • BazaarVoice

  • BlueKai

  • Adobe Dynamic Tag Management

  • RichRelevance

  • Adobe Scene

  • New Relic

  • Ensighten

  • Tapad

  • TagMan

  • Infectious Media

  • SessionCam

  • Visual IQ

  • AppNexus

  • IRI

  • BidSwitch

  • Quadrangle

  • Maru/edr

  • ABA

  • Verve

  • Rubicon

  • Doubleclick

  • Adobe Analytics

  • Google

  • Twitter

  • Instagram

  • YouTube

  • Cablato

  • AWIN (Affiliate Window)

  • Yahoo

  • Pinterest

  • Dressipi

  • Facebook

  • Meta

  • Salesforce

  • Wincanton

  • Yodel

  • Deliveroo

  • Stuart Delivery

  • Kount

  • Tokenex

  • Basis Research

  • Vitality

  • Sopost

  • Trustpilot

  • Branch

  • Auth0

  • Swogo

  • Creation

  • Clearpay

  • Klarna

Also see section 7 (John Lewis Money), which complements this section 10 and describes the other third parties John Lewis Money shares your personal data with in addition to those noted in this section 10.

For further information please contact our Data Protection Officer.

11. Where your personal data may be processed

The Partnership is a UK based company and your personal data will generally be processed in the UK and the European Economic Area (EEA). If you are based outside the UK, your personal data will be transferred to the UK for processing. We may also need to share your personal data with third parties and suppliers outside the UK and the EEA, including in some cases to jurisdictions which are not deemed to provide adequate protection for personal data under EU and/or UK data protection laws.

Protecting your data outside the UK

The EEA includes all EU Member countries as well as Iceland, Liechtenstein and Norway.

We may transfer personal data that we collect from you to third-party data processors or controllers in countries that are outside the UK or the EEA.

For example, this might be required in order to fulfil your order, process your payment details or provide support services.

If we do this, we have procedures in place to ensure your data receives the same level of protection as if it were being processed in the UK. For example, our contracts with third parties stipulate the standards they must follow at all times and impose protections as required by applicable data protection laws. If you wish for more information about these contracts please contact our Data Protection Officer.

Any transfer of your personal data will follow applicable laws and we will treat the information under the guiding principles of this Privacy Notice.

12. What are your rights over your personal data?

An overview of your different rights

You have the right to request:

  • Access to the personal data we hold about you, free of charge in most cases.

  • The correction of your personal data when incorrect, out of date or incomplete.

  • The deletion of the data we hold about you, in specific circumstances. For example, when you withdraw consent, or object and we have no legitimate overriding interest, or once the purpose for which we hold the data has come to an end (e.g. the end of a warranty).

  • A computer file in a common format (e.g. CSV or similar) containing the personal data that you have previously provided to us and the right to have your information transferred to another entity where this is technically possible.

  • Restriction of the use of your personal data, in specific circumstances, generally whilst we are deciding on an objection you have made.

  • That we stop processing your personal data, in specific circumstances. For example, when you have withdrawn consent, or object for reasons related to your individual circumstances.

  • That we stop using your personal data for direct marketing (either through specific channels, or all channels).

  • That we stop any consent-based processing of your personal data after you withdraw that consent.

  • Review by a Partner of any decision made based solely on automatic processing of your data (i.e. where no human has yet reviewed the outcome and criteria for the decision).

You can contact us to request to exercise these rights at any time by completing an online form.

If we choose not to action your request we will explain to you the reasons for our refusal.

You also have the right to complain if you feel that your personal data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data. See section 14 (Complaints procedure) below.

Your right to withdraw consent

Whenever you have given us your consent to use your personal data, you have the right to change your mind at any time and withdraw that consent.

Where we rely on our legitimate interest

In cases where we are processing your personal data on the basis of our legitimate interest, you can ask us to stop for reasons connected to your individual situation. We must then do so unless we believe we have a legitimate overriding reason to continue processing your personal data, such as administration of an extended warranty.

Direct marketing
You have the right to stop the use of your personal data for direct marketing activity through all channels, or selected channels. We must always comply with your request.

Checking your identity
To protect the confidentiality of your information, we will ask you to verify your identity before proceeding with any request you make under this Privacy Notice.

If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to act. 

13. How can you stop the use of your personal data for direct marketing?

There are several ways you can stop direct marketing communications from us:

  • Click the ‘unsubscribe’ link in any email communication that we send you. We will then stop any further emails from that particular division.

  • If you have an account, log in to your John Lewis or Waitrose account, visit the ‘My Account’ area and change your preferences.

  • In our apps, you can manage your preferences and opt out from one or all of the different push notifications by selecting or deselecting the relevant options in the ‘Settings’ section.

  • Write to Data Rights Team - DPO, 1 Drummond Gate, Pimlico, London SW1V 2QQ.

  • Email our Data Protection Officer at DPO@johnlewis.co.uk.

Please note that you may continue to receive communications for a short period after changing your preferences while our systems are fully updated.

14. Complaints procedure

Contact us in the first instance

You have the right to complain if you feel that your personal data has not been handled correctly by us, you have been impacted by a data breach, or you are unhappy with our response to any data subject rights requests you have made to us.

In the first instance, you should contact us using an online form or the contact details set out in section 15 (Any questions?) below. We will acknowledge any complaints within 30 days of receipt, take appropriate steps to investigate, and respond without undue delay with details of the outcome of your complaint.

Contacting the Regulator

After receiving our response, if you wish to escalate the matter you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) or the Office of the Data Protection Authority (ODPA) for Guernsey and the Jersey Office of the Information Commissioner (JOIC) for Jersey.

You can contact the ICO by calling 0303 123 1113

Or go online to ico.org.uk/concerns (opens in a new window; please note we can't be responsible for the content of external websites).

You can also contact the ICO at the following address:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

You can contact the ODPA by calling 01481 742 074

Or go online to odpa.gg/contact (opens in a new window; please note we can't be responsible for the content of external websites).

You can also contact the ODPA at the following address:

Block A
Lefebvre Court
Lefebvre Street
St Peter Port
GY1 2JP

You can contact the JOIC by calling 01534 716 530

Or go online to jerseyoic.org (opens in a new window; please note we can't be responsible for the content of external websites).

You can also contact the JOIC at the following address:

2nd Floor
5 Castle Street
St. Helier
Jersey
JE2 3BT

15. Any questions?

We hope this Privacy Notice has been helpful in setting out the way we handle your personal data and your rights to control it.

If you have any questions that haven’t been covered, please contact our Data Protection Officer who will be pleased to help you:

Our representative in the EU is MCF Legal Technology Solutions Limited, based in the Republic of Ireland, which you can contact at johnlewis@mcf.ie