Skip to content


Privacy Policy

 

General

boxxe Limited, a company incorporated in England and Wales with company number 02109168 and registered office at Artemis House, Eboracum Way, York, YO31 7RE (“boxxe”) together with any group companies (“we” “us” “ours”) is committed to protecting and respecting your privacy and personal data.For the purposes of data protection legislation, we are the data processor and we will process your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the UK Data Protection Act 2018 and any other applicable national laws which relate to the processing of personal data.When we use the term “services”, we are referring to all the services that we offer on our own behalf, including our product offerings. We are not referring to services that we provide solely on behalf of a third party, such as outsourced IT services we may provide to another company or software licenses from a third party. Please refer to the privacy notice of the third party with which you have a relationship for information on how they engage service providers, like us, to process personal information on their behalf. We take your privacy very seriously, Please read this policy carefully as it contains important information on who we are and  how boxxe collects, stores, uses, shares, retains and destroys personal data that you provide to us or that we collect  when you purchase goods or services from us and/or when you or visit the website. It also explains your rights in relation to your personal data and how to contact us or a relevant regulator in the event you have a complaint.

 

Types of data we collect

The personal data we collect about you depends on the particular activities carried out through our website. We will collect and use the following personal data about you:

  • name, address (delivery, shipping, registered), contact information, including email address and telephone number and company details;

    information to check and verify your identity;

  • location data;

  • your billing information, transaction and payment card or other payment method information, e.g., bank account and payment details;

  • details of any information, feedback or other matters you give to us by phone, email, post or via social media;

  • your account details, such as username and login details;

  • your activities on, and use of, our website;

  • your professional interests;

  • your professional online presence, e.g., LinkedIn profile;

  • information about the services we provide to you;

  • your contact history, purchase history and saved items;

  • information about how you use our website and technology systems;

    your responses to surveys, competitions and promotions; and

  • IP address

boxxe does not collect or process sensitive personal data (race, ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, genetic data, biometric data, sexual orientation of health data).

If you fail to provide personal data

Where we need to collect personal data by law, i.e. in order for you to use our website or under the terms of a contract we have with you and you fail to provide the data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example to provide you with our goods or services). In this case, we may have to cancel a product or service you have with us, but we will notify you if this is the case at the time. Sometimes you can choose if you want to give us your personal data and let us use it. Where that is the case, we will tell you and give you the choice before you give the personal data to us. We will also tell you whether declining to share that personal data will have any effect on your use of our website.

How your personal data is collected

We collect personal data from you:

  • directly, when you enter or send us information, such as when you for example, register with us, contact us (including via email), send us feedback, purchase products or services via our website, post material to our website and complete customer surveys or participate in competitions via our website; and

  • indirectly, such as your browsing activity while on our website; we will usually collect information indirectly using the technologies explained in the section on ‘Cookies and other tracking technologies’ below.

How and why we use your personal data

Under data protection law, we can only use your personal data if we have a proper reason, for example:

  • where you have given consent;

  • to comply with our legal and regulatory obligations;

  • for the performance of a contract with you or to take steps at your request before entering into a contract; or

  • for our legitimate interests or those of a third party.

A legitimate interest is when we have a business or commercial reason to use your personal data, so long as this is not overridden by your own rights and interests. We will carry out an assessment when relying on legitimate interests, to balance our interests against your own. You can obtain details of this assessment by contacting us (see ‘How to contact us’ below).

The table below explains what we use your personal data for and why:

What we use your personal data for Our reasons
Creating and managing your account with us To perform our contract with you or to take steps at your request before entering into a contract
Providing products and/or services to you To perform our contract with you or to take steps at your request before entering into a contract
Conducting checks to identify you and verify your identity or to help prevent and detect fraud against you or us To comply with our legal and regulatory obligations
Enforcing legal rights or defend or undertake legal proceedings Depending on the circumstances: — to comply with our legal and regulatory obligations
— in other cases, for our legitimate interests, i.e. to protect our business, interests and rights
Customising our website and its content to your particular preferences based on a record of your selected preferences or on your use of our website Depending on the circumstances: — your consent as gathered e.g., by the separate cookies tool on our website—see ‘Cookies and other tracking technologies’ below — where we are not required to obtain your consent and do not do so, for our legitimate interests, i.e., to be as efficient as we can so we can deliver the best service to you at the best price If you have provided such a consent, you may withdraw it at any time by changing the setting on the cookies tool (this will not affect the lawfulness of our use of your personal data in reliance on that consent before it was withdrawn)
Retaining and evaluating information on your recent visits to our website and how you move around different sections of our website for analytics purposes to understand how people use our website so that we can make it more intuitive or to check our website is working as intended Depending on the circumstances: — your consent as gathered by the separate cookies tool on our website]—see ‘Cookies and other tracking technologies’ below — where we are not required to obtain your consent and do not do so, for our legitimate interests, i.e., to be as efficient as we can so we can deliver the best service to you at the best price If you have provided such a consent you may withdraw it at any time by clearing your cookie settings and rejecting when you revisit our website (this will not affect the lawfulness of our use of your personal data in reliance on that consent before it was withdrawn)
Communications with you not related to marketing, including about changes to our terms or policies or changes to the products AND/OR services or other important notices Depending on the circumstances: — to comply with our legal and regulatory obligations — in other cases, for our legitimate interests, i.e., to be as efficient as we can so we can deliver the best service to you at the best price
Protecting the security of systems and data used to provide the services To comply with our legal and regulatory obligations We may also use your personal data to ensure the security of systems and data to a standard that goes beyond our legal obligations, and in those cases our reasons are for our legitimate interests, i.e., to protect systems and data and to prevent and detect criminal activity that could be damaging for you and/or us
Statistical analysis to help us understand our customer base For our legitimate interests, i.e., to be as efficient as we can so we can deliver the best service to you at the best price
Updating and enhancing customer records Depending on the circumstances: — to perform our contract with you or to take steps at your request before entering into a contract — to comply with our legal and regulatory obligations — where neither of the above apply, for our legitimate interests, e.g., making sure that we can keep in touch with our customers about existing orders and new products
Disclosures and other activities necessary to comply with legal and regulatory obligations that apply to our business, e.g. to record and demonstrate evidence of your consents where relevant To comply with our legal and regulatory obligations
Marketing our services to existing and former customers For our legitimate interests, i.e., to promote our business to existing and former customers See ‘Marketing’ below for further information
The audit of our ISO certifications (to the extent not covered by ‘activities necessary to comply with legal and regulatory obligations’ above) For our legitimate interests, i.e., to maintain our accreditations so we can demonstrate we operate at the highest standards
To share your personal data with members of our group and third parties that will or may take control or ownership of some or all of our business (and professional advisors acting on our or their behalf) in connection with a significant corporate transaction or restructuring, including a merger, acquisition, asset sale, initial public offering or in the event of our insolvency. In such cases information will be anonymised where possible and only shared where necessary Depending on the circumstances: — to comply with our legal and regulatory obligations — in other cases, for our legitimate interests, i.e., to protect, realise or grow the value in our business and assets

Marketing

We will use your personal data to send you updates (by email, telephone or post) about our products and/or services, including exclusive offers, promotions or new products and/or services, events, webinars. We have a legitimate interest in using your personal data for marketing purposes (see above ‘How and why we use your personal data’). This means we do not need your consent to send you marketing information. If we change our marketing approach in the future so that consent is needed, we will ask for this separately and clearly.

 
You have the right to opt out of receiving marketing communications at any time by:

  • contacting us at ecommerce@boxxe.com
  • using the ‘unsubscribe’ link in emails or
  • updating your marketing preferences if you have created an online account at boxxe.com

We may ask you to confirm or update your marketing preferences if you ask us to provide further products and/or services in the future, or if there are changes in the law, regulation, or the structure of our business. We will always treat your personal data with the utmost respect and never sell it to other organisations for marketing purposes.For more information on your right to object at any time to your personal data being used for marketing purposes, see ‘Your rights’ below.

We do not sell any of our marketing data to third parties. 

We purchase data from third parties in order to send targeted marketing. We ensure that any personal data obtained has been done so in a GDPR compliant way and if you would like further information on this, please reach out to legal@boxxe.com.

Who do we share your personal data with

We routinely share personal data with:

  • third parties we use to help deliver our products and/or services to you, e.g., payment service providers, suppliers, warehouses and delivery companies;
  • other third parties we use to help us run our business, e.g., marketing agencies or website hosts and website analytics providers; and
    our banks. 
We only allow those organisations to handle your personal data if we are satisfied, they take appropriate measures to protect your personal data.

We or the third parties mentioned above occasionally also share personal data with:

  • our and their external auditors, e.g., in relation to the audit of our or their accounts, in which case the recipient of the information will be bound by confidentiality obligations;
  • our and their professional advisors (such as lawyers and other advisors), in which case the recipient of the information will be bound by confidentiality obligations;
    law enforcement agencies, courts, tribunals and regulatory bodies to comply with our legal and regulatory obligations;
  • other parties that have or may acquire control or ownership of our business (and our or their professional advisers) in connection with a significant corporate transaction or restructuring, including a merger, acquisition, asset sale, initial public offering or in the event of our insolvency—usually, information will be anonymised but this may not always be possible. The recipient of any of your personal data will be bound by confidentiality obligations.

Who do we share your personal data with - in more detail

More details about who we share your personal data with and why are set out in the table below.

Recipient Processing operation (use) by recipient Relevant categories of personal data transferred to recipient
Google We use Google Analytics (GA4) cookies to collect data about the visitors to the site which includes the number of visitors, session duration, pages visited during the session etc. and whether visitors return. Google Analytics will assign a unique “ID” to a user of the boxxe website at the point they register an account with us for the purpose of tracking their activity on the boxxe website. This information is anonymous and cannot be used to identify you personally unless you end up becoming a boxxe customer. Google Analytics cannot use the ID to work out who you are. Device’s IP address (processed during your session and stored in a de-identified form) geographic location (country only), and the preferred language used to display our website. Google Analytics stores this information on our behalf in a pseudonymized user profile.
Hotjar Ltd We use Hotjar in order to better understand our users’ needs and to optimize this service and experience. Hotjar is a technology service that helps us better understand our users’ experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behaviour and their devices. Hotjar is contractually forbidden to sell any of the data collected on our behalf. This includes a device's IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website. Hotjar stores this information on our behalf in a pseudonymized user profile.
Klevu Klevu offers a machine learning algorithm which takes several parameters into account when establishing what a customer may like and eventually buy on the store. Javascript keeps track of what customers are searching for and visiting. These products visited by these customers and any recent search queries fired by them are used as a context to the search queries fired by them. Klevu perform semantic and statistical analysis of this data to identify the intent and to build multiple, product-noun (e.g. bag, shoe, chair) specific profiles of preferences. Klevu also employs a method called collaborative filtering, which involves analyzing the history of other customers who have or had performed similar searches and visited products similar to the products visited by the current customer. Only those products that are relevant to the current search query are picked up and analyzed to identify common factors within them. Device’s IP address (processed during your session and stored in a de-identified form) geographic location (country only), and the preferred language used to display our website. Klevu stores this information on our behalf in a pseudonymized user profile.
Dotdigital Dotdigital is a SaaS cross-channel marketing automation platform and services provider that helps brands devise successful, personalized marketing campaigns across multiple channels (e.g. email). Paired with its Microsoft Dynamics 365 CRM integration, boxxe is able to deliver tailored marketing to its customers. Contact data (such as email address, contact number, name or other contact details), marketing preferences, IP address and usage information (including online navigation data, location data and browser data).

In addition, depending on the products/services and your interaction with us, we may also need to disclose your personal data to third parties for the performance of a contract with you, to meet a legal obligation or for our legitimate interests, which may include but is not limited to:

  • data from our selected partners who have identified a lead for the sale of a product or service to you;
  • third party vendor, reseller, distributor, sub-contractor or partner for the supply of goods and services that you have requested if it is necessary for the performance of the contract. These external companies are only authorised to use your data for the purpose of providing the contract;
  • staff members in order to facilitate the provision of goods or services to you;
  • our affiliated entities to support internal administration;
  • postal/courier service providers;
  • professional advisers including consultants, lawyers, bankers and insurers who provide us with consultancy, banking, legal, insurance and accounting services;
  • HM Revenue and Customs, regulators and other authorities who require reporting of processing activities in certain circumstances; and
  • third parties with whom we may choose to sell, transfer or merge parts of our business or assets - we may seek to acquire other business or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy. 
Our website may, from time to time, contain links to and from the websites of third parties and if you purchase products or services from us, those manufacturers, suppliers or partners may also have their own policies. Please note that if you follow a link to any of these websites, such websites will apply different terms to the collection and privacy of your personal data, and we do not accept any responsibility or liability for these policies. When you leave our website, we encourage you to read the privacy notice/policy of every website you visit.

If you would like more information about who we share our data with and why, please contact us (see ‘How to contact us’ below).

Overseas transfers and sharing personal data with sub-processors

It is sometimes necessary for us to transfer your personal data to countries other than the UK, and these countries may have data protection laws that differ from the laws of the UK. 

Specifically, our group companies and our website servers are located in the EU and UK, however, some of our third-party service providers, and partners operate around the world. This means that when we collect your personal data, we may process it in a number of different countries.

However, we have taken appropriate safeguards to require that your personal data will remain protected in accordance with this privacy policy. These include implementing the International Data Transfer Agreement (IDTA) and the UK international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers (UK Addendum) for transfers of personal data between us and each of our sub-processors, which requires all sub-processors to protect personal data they process from the UK in accordance with UK data protection laws.  Our IDTA and UK Addendum are available on request. 

In the event we cannot or choose not to continue to rely on either of those mechanisms at any time we will not transfer your personal data outside the UK unless we can do so on the basis of an alternative mechanism or exception provided by UK data protection law and reflected in an update to this policy.

Transferring your personal data out of the UK - in more detail

More details about the countries outside the UK to which your personal data is transferred are set out in the table below.

Recipient country Recipient Processing operation (use) by recipient Lawful safeguard
Ireland Hotjar Hotjar uses cookies and other technologies to collect data on our users’ behaviour and their devices. This includes a device's IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website. Hotjar stores this information on our behalf in a pseudonymized user profile. Adequacy regulation further to paragraph 5(1)(a) of Part 3 of Schedule 21 to the Data Protection Act 2018 https://www.hotjar.com/legal/support/dpa/
USA Stripe Inc In order to facilitate online payments through boxxe’s ecommerce portal, where applicable, Stripe may Process Payment Account Details, bank account details, billing/shipping address, name, date/time/amount of transaction, device ID, email address, IP address/location, order ID, payment card details, tax ID/status, unique customer identifier, identity information including government issued documents (e.g., national IDs, driver’s licenses and passports). UK Data Transfer Addendum https://stripe.com/gb/legal/dpa
EEA Vaimo Vaimo has access to certain categories of boxxe customer personal data (names, addresses, DOB, email, number, location, device and diagnostic data, connection data), by virtue of hosting the boxxe website. Adequacy regulation further to paragraph 5(1)(a) of Part 3 of Schedule 21 to the Data Protection Act 2018. Vaimo also has a legally valid intra-group agreement in place and no data is transferred to any entity who is not a party to it.
EEA Dotdigital Boxxe will provide certain information about its customers to Dotdigital in order for it to be able to provide automated marketing services that are tailored to its specific customer interests. Adequacy regulation further to paragraph 5(1)(a) of Part 3 of Schedule 21 to the Data Protection Act 2018. https://dotdigital.com/terms/data-processing-agreement/

How long your personal data will be kept

We retain your personal data for as long as is necessary to fulfil the purpose that we collected it for, including the satisfaction of any legal, accounting or reporting requirements. This includes data for tax and accounting requirements under applicable law. If you make a purchase from boxxe, we will keep the information for tax and accounting requirements under applicable law.

Data is reviewed regularly and only retained where necessary. To determine the appropriate retention period of your data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from a loss of confidentiality to the data and any legal requirements to retain such personal data. Once any legal requirements have expired for the data, we destroy all personal data associated with you and the product or service that you have purchased.

If you stop using your account we will delete or anonymise your account data after seven years.

Data Security

The confidentiality of your information is extremely important to us. boxxe use reasonable physical, technical and organisational measures to safeguard the personal data you provide to us.

All data collected by boxxe is stored on our own IT system that is administered by boxxe staff. The boxxe IT system has been accredited to ISO 27001, Cyber Essentials and Cyber Essentials Plus.

Cookies and other tracking technologies

A cookie is a small text file which is placed onto your device (e.g. computer, smartphone or other electronic device) when you use our website. We use cookies and web beacons, action tags, single-pixel gifs on our website. These help us recognise you and your device and store some information about your preferences or past actions.

For further information on cookies, our use of ‘cookies’ and/or to relevant similar technologies, when we will request your consent before placing them and how to disable them, please see our Cookie Policy.

Your Rights

It is important that the personal data we hold about you is accurate and current. Please keep us informed if the personal data we hold about you changes.

Data protection legislation provides you with several rights which you can enforce by contacting us at legal@boxxe.com, including:

Access to a copy of your personal data The right to be provided with a copy of your personal data
Correction (also known as rectification) The right to require us to correct any mistakes in your personal data
Erasure (also known as the right to be forgotten) The right to require us to delete your personal data—in certain situations
Restriction of use The right to require us to restrict use of your personal data in certain circumstances, e.g. if you contest the accuracy of the data
Data portability The right to receive the personal data you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party—in certain situations
To object to use The right to object: — at any time to your personal data being used for direct marketing (including profiling) — in certain other situations to our continued use of your personal data, e.g. where we use your personal data for our legitimate interests unless there are compelling legitimate grounds for the processing to continue or the processing is required for the establishment, exercise or defence of legal claims
Not to be subject to decisions without human involvement The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you We do not make any such decisions based on data collected by our website
The right to withdraw consents If you have provided us with a consent to use your personal data you have a right to withdraw that consent easily at any time You may withdraw consents by emailing ecommerce@boxxe.com Withdrawing a consent will not affect the lawfulness of our use of your personal data in reliance on that consent before it was withdrawn

You may also find it helpful to refer to the guidance from the UK’s Information Commissioner Link opens in a new window on your rights under the UK GDPR.

If you would like a copy of some or all of your personal data, please send an email to legal@boxxe.com. In certain circumstances we reserve the right to charge a reasonable fee to comply with your request and we will ensure we respond to you within the deadlines set out within the applicable legislation.

We may request specific information from you to help us confirm your identity and your right to access, and to provide you with the personal data that we hold about you or make your requested changes. Data protection legislation may allow or require us to refuse to provide you with access to some or all the personal data that we hold about you or to comply with any requests made in accordance with your rights referred to above. If we cannot provide you with access to your personal data, or process any other request we receive, we will inform you of the reasons why, subject to any legal or regulatory restrictions.

Please send any requests relating to the above to legal@boxxe.com specifying your name and the action you would like us to undertake.

Policy Changes

From time to time, we may need to update or modify this policy to reflect changes in our organisation or business practices, data collection practices or legislation. We reserve the right to amend this policy at any time, for any reason, without notice to you, other than the posting of the amended policy on this website. It is recommended to check the website regularly for the most up to date version.

Contact Us

We welcome any comment regarding this policy. You can contact our Data Protection Officer by email at legal@boxxe.com or by mail to boxxe Limited, Artemis House, Eboracum Way, York, YO31 7RE. This is in addition to your right to contact the Information Commissioners Office if you are unsatisfied with our response to any issues you raise at https://ico.org.uk/global/contact-us/ Libk opens in a new window.

This Privacy Policy was last updated: August 2023

General

boxxe Limited, a company incorporated in England and Wales with company number 02109168 and registered office at Artemis House, Eboracum Way, York, YO31 7RE (“boxxe”) together with any group companies (“we” “us” “ours”) is committed to protecting and respecting your privacy and personal data.

For the purposes of data protection legislation, we are the data processor and we will process your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the UK Data Protection Act 2018 and any other applicable national laws which relate to the processing of personal data.

When we use the term “services”, we are referring to all the services that we offer on our own behalf, including our product offerings. We are not referring to services that we provide solely on behalf of a third party, such as outsourced IT services we may provide to another company or software licenses from a third party. Please refer to the privacy notice of the third party with which you have a relationship for information on how they engage service providers, like us, to process personal information on their behalf. 

We take your privacy very seriously, Please read this policy carefully as it contains important information on who we are and  how boxxe collects, stores, uses, shares, retains and destroys personal data that you provide to us or that we collect  when you purchase goods or services from us and/or when you or visit the website. It also explains your rights in relation to your personal data and how to contact us or a relevant regulator in the event you have a complaint.

Types of data we collect


The personal data we collect about you depends on the particular activities carried out through our website. We will collect and use the following personal data about you:

  • name, address (delivery, shipping, registered), contact information, including email address and telephone number and company details;
  • information to check and verify your identity;

  • location data;

  • your billing information, transaction and payment card or other payment method information, e.g., bank account and payment details;

  • details of any information, feedback or other matters you give to us by phone, email, post or via social media;

  • your account details, such as username and login details;

  • your activities on, and use of, our website;

  • your professional interests;

  • your professional online presence, e.g., LinkedIn profile;

  • information about the services we provide to you;

  • your contact history, purchase history and saved items;

  • information about how you use our website and technology systems;

  • your responses to surveys, competitions and promotions; and

  • IP address 

boxxe does not collect or process sensitive personal data (race, ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, genetic data, biometric data, sexual orientation of health data).

If you fail to provide personal data

Where we need to collect personal data by law, i.e. in order for you to use our website or under the terms of a contract we have with you and you fail to provide the data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example to provide you with our goods or services). In this case, we may have to cancel a product or service you have with us, but we will notify you if this is the case at the time.

Sometimes you can choose if you want to give us your personal data and let us use it. Where that is the case, we will tell you and give you the choice before you give the personal data to us. We will also tell you whether declining to share that personal data will have any effect on your use of our website.

How your personal data is collected

We collect personal data from you:

  • directly, when you enter or send us information, such as when you for example, register with us, contact us (including via email), send us feedback, purchase products or services via our website, post material to our website and complete customer surveys or participate in competitions via our website; and
  • indirectly, such as your browsing activity while on our website; we will usually collect information indirectly using the technologies explained in the section on ‘Cookies and other tracking technologies’ below.

How and why we use your personal data

Under data protection law, we can only use your personal data if we have a proper reason, for example:

  • where you have given consent;
  • to comply with our legal and regulatory obligations;

  • for the performance of a contract with you or to take steps at your request before entering into a contract; or

  • for our legitimate interests or those of a third party.

A legitimate interest is when we have a business or commercial reason to use your personal data, so long as this is not overridden by your own rights and interests. We will carry out an assessment when relying on legitimate interests, to balance our interests against your own. You can obtain details of this assessment by contacting us (see ‘How to contact us’ below).

The table below explains what we use your personal data for and why:

What we use your personal data for Our reasons
Creating and managing your account with us To perform our contract with you or to take steps at your request before entering into a contract
Providing products and/or services to you To perform our contract with you or to take steps at your request before entering into a contract
Conducting checks to identify you and verify your identity or to help prevent and detect fraud against you or us To comply with our legal and regulatory obligations
Enforcing legal rights or defend or undertake legal proceedings Depending on the circumstances:

— to comply with our legal and regulatory obligations
— in other cases, for our legitimate interests, i.e. to protect our business, interests and rights
Customising our website and its content to your particular preferences based on a record of your selected preferences or on your use of our website Depending on the circumstances:

— your consent as gathered e.g., by the separate cookies tool on our website—see ‘Cookies and other tracking technologies’ below — where we are not required to obtain your consent and do not do so, for our legitimate interests, i.e., to be as efficient as we can so we can deliver the best service to you at the best price

If you have provided such a consent, you may withdraw it at any time by changing the setting on the cookies tool (this will not affect the lawfulness of our use of your personal data in reliance on that consent before it was withdrawn)
Retaining and evaluating information on your recent visits to our website and how you move around different sections of our website for analytics purposes to understand how people use our website so that we can make it more intuitive or to check our website is working as intended Depending on the circumstances:

— your consent as gathered by the separate cookies tool on our website]—see ‘Cookies and other tracking technologies’ below
— where we are not required to obtain your consent and do not do so, for our legitimate interests, i.e., to be as efficient as we can so we can deliver the best service to you at the best price

If you have provided such a consent you may withdraw it at any time by clearing your cookie settings and rejecting when you revisit our website (this will not affect the lawfulness of our use of your personal data in reliance on that consent before it was withdrawn)
Communications with you not related to marketing, including about changes to our terms or policies or changes to the products AND/OR services or other important notices Depending on the circumstances:

— to comply with our legal and regulatory obligations
— in other cases, for our legitimate interests, i.e., to be as efficient as we can so we can deliver the best service to you at the best price
Protecting the security of systems and data used to provide the services To comply with our legal and regulatory obligations

We may also use your personal data to ensure the security of systems and data to a standard that goes beyond our legal obligations, and in those cases our reasons are for our legitimate interests, i.e., to protect systems and data and to prevent and detect criminal activity that could be damaging for you and/or us
Statistical analysis to help us understand our customer base For our legitimate interests, i.e., to be as efficient as we can so we can deliver the best service to you at the best price
Updating and enhancing customer records Depending on the circumstances:

— to perform our contract with you or to take steps at your request before entering into a contract
— to comply with our legal and regulatory obligations
— where neither of the above apply, for our legitimate interests, e.g., making sure that we can keep in touch with our customers about existing orders and new products
Disclosures and other activities necessary to comply with legal and regulatory obligations that apply to our business, e.g. to record and demonstrate evidence of your consents where relevant To comply with our legal and regulatory obligations
Marketing our services to existing and former customers For our legitimate interests, i.e., to promote our business to existing and former customers

See ‘Marketing’ below for further information
The audit of our ISO certifications (to the extent not covered by ‘activities necessary to comply with legal and regulatory obligations’ above) For our legitimate interests, i.e., to maintain our accreditations so we can demonstrate we operate at the highest standards
To share your personal data with members of our group and third parties that will or may take control or ownership of some or all of our business (and professional advisors acting on our or their behalf) in connection with a significant corporate transaction or restructuring, including a merger, acquisition, asset sale, initial public offering or in the event of our insolvency.

In such cases information will be anonymised where possible and only shared where necessary
Depending on the circumstances:

— to comply with our legal and regulatory obligations
— in other cases, for our legitimate interests, i.e., to protect, realise or grow the value in our business and assets

Marketing

We will use your personal data to send you updates (by email, telephone or post) about our products and/or services, including exclusive offers, promotions or new products and/or services, events, webinars. We have a legitimate interest in using your personal data for marketing purposes (see above ‘How and why we use your personal data’). This means we do not need your consent to send you marketing information. If we change our marketing approach in the future so that consent is needed, we will ask for this separately and clearly.

 

You have the right to opt out of receiving marketing communications at any time by:

  • contacting us at ecommerce@boxxe.com
  • using the ‘unsubscribe’ link in emails or

  • updating your marketing preferences if you have created an online account at boxxe.com

We may ask you to confirm or update your marketing preferences if you ask us to provide further products and/or services in the future, or if there are changes in the law, regulation, or the structure of our business. We will always treat your personal data with the utmost respect and never sell it to other organisations for marketing purposes.

For more information on your right to object at any time to your personal data being used for marketing purposes, see ‘Your rights’ below.

We do not sell any of our marketing data to third parties. 

Who do we share your personal data with

We routinely share personal data with:

  • third parties we use to help deliver our products and/or services to you, e.g., payment service providers, suppliers, warehouses and delivery companies;
  • other third parties we use to help us run our business, e.g., marketing agencies or website hosts and website analytics providers; and

  • our banks. 

We only allow those organisations to handle your personal data if we are satisfied, they take appropriate measures to protect your personal data.

We or the third parties mentioned above occasionally also share personal data with:

  • our and their external auditors, e.g., in relation to the audit of our or their accounts, in which case the recipient of the information will be bound by confidentiality obligations;
  • our and their professional advisors (such as lawyers and other advisors), in which case the recipient of the information will be bound by confidentiality obligations;

  • law enforcement agencies, courts, tribunals and regulatory bodies to comply with our legal and regulatory obligations;

  • other parties that have or may acquire control or ownership of our business (and our or their professional advisers) in connection with a significant corporate transaction or restructuring, including a merger, acquisition, asset sale, initial public offering or in the event of our insolvency—usually, information will be anonymised but this may not always be possible. The recipient of any of your personal data will be bound by confidentiality obligations.

Who do we share your personal data with - in more detail

More details about who we share your personal data with and why are set out in the table below.

Recipient Processing operation (use) by recipient Relevant categories of personal data transferred to recipient
Google We use Google Analytics (GA4) cookies to collect data about the visitors to the site which includes the number of visitors, session duration, pages visited during the session etc. and whether visitors return. Google Analytics will assign a unique “ID” to a user of the boxxe website at the point they register an account with us for the purpose of tracking their activity on the boxxe website. This information is anonymous and cannot be used to identify you personally unless you end up becoming a boxxe customer. Google Analytics cannot use the ID to work out who you are. Device’s IP address (processed during your session and stored in a de-identified form) geographic location (country only), and the preferred language used to display our website. Google Analytics stores this information on our behalf in a pseudonymized user profile.
Hotjar Ltd We use Hotjar in order to better understand our users’ needs and to optimize this service and experience. Hotjar is a technology service that helps us better understand our users’ experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behaviour and their devices. Hotjar is contractually forbidden to sell any of the data collected on our behalf. This includes a device's IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website. Hotjar stores this information on our behalf in a pseudonymized user profile.
Klevu Klevu offers a machine learning algorithm which takes several parameters into account when establishing what a customer may like and eventually buy on the store. Javascript keeps track of what customers are searching for and visiting. These products visited by these customers and any recent search queries fired by them are used as a context to the search queries fired by them. Klevu perform semantic and statistical analysis of this data to identify the intent and to build multiple, product-noun (e.g. bag, shoe, chair) specific profiles of preferences. Klevu also employs a method called collaborative filtering, which involves analyzing the history of other customers who have or had performed similar searches and visited products similar to the products visited by the current customer.

Only those products that are relevant to the current search query are picked up and analyzed to identify common factors within them.
Device’s IP address (processed during your session and stored in a de-identified form) geographic location (country only), and the preferred language used to display our website. Klevu stores this information on our behalf in a pseudonymized user profile.

In addition, depending on the products/services and your interaction with us, we may also need to disclose your personal data to third parties for the performance of a contract with you, to meet a legal obligation or for our legitimate interests, which may include but is not limited to:

  • data from our selected partners who have identified a lead for the sale of a product or service to you;
  • third party vendor, reseller, distributor, sub-contractor or partner for the supply of goods and services that you have requested if it is necessary for the performance of the contract. These external companies are only authorised to use your data for the purpose of providing the contract;
  • staff members in order to facilitate the provision of goods or services to you;
  • our affiliated entities to support internal administration;
  • postal/courier service providers;
  • professional advisers including consultants, lawyers, bankers and insurers who provide us with consultancy, banking, legal, insurance and accounting services;
  • HM Revenue and Customs, regulators and other authorities who require reporting of processing activities in certain circumstances; and
  • third parties with whom we may choose to sell, transfer or merge parts of our business or assets - we may seek to acquire other business or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy. 

Our website may, from time to time, contain links to and from the websites of third parties and if you purchase products or services from us, those manufacturers, suppliers or partners may also have their own policies. Please note that if you follow a link to any of these websites, such websites will apply different terms to the collection and privacy of your personal data, and we do not accept any responsibility or liability for these policies. When you leave our website, we encourage you to read the privacy notice/policy of every website you visit.

If you would like more information about who we share our data with and why, please contact us (see ‘How to contact us’ below).

Overseas transfers and sharing personal data with sub-processors

It is sometimes necessary for us to transfer your personal data to countries other than the UK, and these countries may have data protection laws that differ from the laws of the UK. 

Specifically, our group companies and our website servers are located in the EU and UK, however, some of our third-party service providers, and partners operate around the world. This means that when we collect your personal data, we may process it in a number of different countries.

However, we have taken appropriate safeguards to require that your personal data will remain protected in accordance with this privacy policy. These include implementing the International Data Transfer Agreement (IDTA) and the UK international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers (UK Addendum) for transfers of personal data between us and each of our sub-processors, which requires all sub-processors to protect personal data they process from the UK in accordance with UK data protection laws.  Our IDTA and UK Addendum are available on request. 

In the event we cannot or choose not to continue to rely on either of those mechanisms at any time we will not transfer your personal data outside the UK unless we can do so on the basis of an alternative mechanism or exception provided by UK data protection law and reflected in an update to this policy.

Transferring your personal data out of the UK - in more detail

More details about the countries outside the UK to which your personal data is transferred are set out in the table below.

Recipient country Recipient Processing operation (use) by recipient Lawful safeguard
Ireland Hotjar Hotjar uses cookies and other technologies to collect data on our users’ behaviour and their devices. This includes a device's IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website. Hotjar stores this information on our behalf in a pseudonymized user profile. Adequacy regulation further to paragraph 5(1)(a) of Part 3 of Schedule 21 to the Data Protection Act 2018

https://www.hotjar.com/legal/support/dpa/
USA Stripe Inc In order to facilitate online payments through boxxe’s ecommerce portal, where applicable, Stripe may Process Payment Account Details, bank account details, billing/shipping address, name, date/time/amount of transaction, device ID, email address, IP address/location, order ID, payment card details, tax ID/status, unique customer identifier, identity information including government issued documents (e.g., national IDs, driver’s licenses and passports). UK Data Transfer Addendum

https://stripe.com/gb/legal/dpa
EEA Vaimo Vaimo has access to certain categories of boxxe customer personal data (names, addresses, DOB, email, number, location, device and diagnostic data, connection data), by virtue of hosting the boxxe website. Adequacy regulation further to paragraph 5(1)(a) of Part 3 of Schedule 21 to the Data Protection Act 2018. Vaimo also has a legally valid intra-group agreement in place and no data is transferred to any entity who is not a party to it.

How long your personal data will be kept

We retain your personal data for as long as is necessary to fulfil the purpose that we collected it for, including the satisfaction of any legal, accounting or reporting requirements. This includes data for tax and accounting requirements under applicable law. If you make a purchase from boxxe, we will keep the information for tax and accounting requirements under applicable law.

Data is reviewed regularly and only retained where necessary. To determine the appropriate retention period of your data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from a loss of confidentiality to the data and any legal requirements to retain such personal data. Once any legal requirements have expired for the data, we destroy all personal data associated with you and the product or service that you have purchased.

If you stop using your account we will delete or anonymise your account data after seven years.

Data Security

The confidentiality of your information is extremely important to us. boxxe use reasonable physical, technical and organisational measures to safeguard the personal data you provide to us.

All data collected by boxxe is stored on our own IT system that is administered by boxxe staff. The boxxe IT system has been accredited to ISO 27001, Cyber Essentials and Cyber Essentials Plus.

Cookies and other tracking technologies

A cookie is a small text file which is placed onto your device (e.g. computer, smartphone or other electronic device) when you use our website. We use cookies and web beacons, action tags, single-pixel gifs on our website. These help us recognise you and your device and store some information about your preferences or past actions.

For further information on cookies, our use of ‘cookies’ and/or to relevant similar technologies, when we will request your consent before placing them and how to disable them, please see our Cookie Policy.

 

Your Rights

It is important that the personal data we hold about you is accurate and current. Please keep us informed if the personal data we hold about you changes.

Data protection legislation provides you with several rights which you can enforce by contacting us at legal@boxxe.com, including:

Access to a copy of your personal data The right to be provided with a copy of your personal data
Correction (also known as rectification) The right to require us to correct any mistakes in your personal data
Erasure (also known as the right to be forgotten) The right to require us to delete your personal data—in certain situations
Restriction of use The right to require us to restrict use of your personal data in certain circumstances, e.g. if you contest the accuracy of the data
Data portability The right to receive the personal data you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party—in certain situations
To object to use The right to object:

— at any time to your personal data being used for direct marketing (including profiling)
— in certain other situations to our continued use of your personal data, e.g. where we use your personal data for our legitimate interests unless there are compelling legitimate grounds for the processing to continue or the processing is required for the establishment, exercise or defence of legal claims
Not to be subject to decisions without human involvement The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you

We do not make any such decisions based on data collected by our website
The right to withdraw consents If you have provided us with a consent to use your personal data you have a right to withdraw that consent easily at any time

You may withdraw consents by emailing ecommerce@boxxe.com

Withdrawing a consent will not affect the lawfulness of our use of your personal data in reliance on that consent before it was withdrawn

You may also find it helpful to refer to the guidance from the UK’s Information Commissioner on your rights under the UK GDPR.

If you would like a copy of some or all of your personal data, please send an email to legal@boxxe.com. In certain circumstances we reserve the right to charge a reasonable fee to comply with your request and we will ensure we respond to you within the deadlines set out within the applicable legislation.

We may request specific information from you to help us confirm your identity and your right to access, and to provide you with the personal data that we hold about you or make your requested changes. Data protection legislation may allow or require us to refuse to provide you with access to some or all the personal data that we hold about you or to comply with any requests made in accordance with your rights referred to above. If we cannot provide you with access to your personal data, or process any other request we receive, we will inform you of the reasons why, subject to any legal or regulatory restrictions.

Please send any requests relating to the above to legal@boxxe.com specifying your name and the action you would like us to undertake.

Policy Changes

From time to time, we may need to update or modify this policy to reflect changes in our organisation or business practices, data collection practices or legislation. We reserve the right to amend this policy at any time, for any reason, without notice to you, other than the posting of the amended policy on this website. It is recommended to check the website regularly for the most up to date version.

Contact Us


We welcome any comment regarding this policy. You can contact our Data Protection Officer by email at legal@boxxe.com or by mail to boxxe Limited, Artemis House, Eboracum Way, York, YO31 7RE. This is in addition to your right to contact the Information Commissioners Office if you are unsatisfied with our response to any issues you raise at https://ico.org.uk/global/contact-us/.

This Privacy Policy was last updated:   August 2023