Skip to content

Privacy Statement

At the Halfords Group we want to make sure you know what data we collect from you, why we collect it, what we do with it and how you can ask us questions about it or exercise your rights

Before we tell you what we do with your data, let us tell you who we are.

When we say “Halfords” we mean the Halfords Group of companies and this Privacy Notice applies to all the companies in our group.

If you are reading this notice on a company website, then it is part of our group.

If you want to know more about the companies that make up the Halfords Group plc then contact us here.

Halfords is a data controller for all our customer and colleague personal data whether we collect it from you when you visit one of our websites, one of our stores or autocentres, or when we visit you with our mobile expert services.

We’d like you to read all of our privacy notice, but we understand that sometimes you know exactly what you want and just want to go straight to it, so we’ve listed below the most common things customers ask us - the “FAQ’s”

FREQUENTLY ASKED QUESTIONS

What’s your address?
Our postal address is:
Halfords Group plc, Icknield Street Drive, Washford West, Redditch B98 0DE.

I want to contact the Data Protection Officer (the “DPO”)
You can find the contact details for the DPO at the bottom of this notice but please have a look at these FAQ’s first as they may be able to assist you with your problem.

“I would like a copy of my personal data”
No problem, this is called a “Subject Access Request” or SAR. But first we need some information from you to ensure we only disclose your personal data to you, or your representative. To make sure we have all the information from you that we need to fulfil your request, we have created a form here. The form is simple to complete, is free and allows you to access your personal data securely.

The Legal - By law we have one month to provide you with a copy of your personal data which starts from the moment you have provided proof of your identity. We may extend the time limit by a further two months if the request is complex or if we receive a number of requests from you.

“I would like you to delete my personal data”
You have a right to erasure, also known as the” right to be forgotten” but this doesn’t always apply. We will always review each request for erasure on a case-by-case basis. However, If you have bought something from us, we will be unable to erase your personal data because, legally, we have to keep records of commercial transactions for Her Majesty’s Revenue and Customs for 6 years. This data will automatically delete 6 years from the date of your last transaction with us. If you still want to ask us to delete your personal data, please follow the link here.

The Legal - we have one month to respond to your request, which starts from the moment you have provided proof of your identity.

“I think you may have the wrong data about me, and I would like you to correct it”
This is your right to rectification. Tell us what you think we have that’s wrong, such as the wrong vehicle registration number, a previously owned vehicle registration number, or a booking error. We will check it and if the data we hold is wrong, we will change it. We have a duty to ensure all personal data we hold is accurate. You can ask us to rectify your data here.

The Legal - we have one month to respond to your request which starts from the moment you have provided proof of your identity.

“I would like to opt out of receiving marketing information”
Marketing emails and text messages have an opt out or unsubscribe button at the bottom of the email/text. This is the quickest and easiest way for you to unsubscribe. If you have already deleted the email or text, then you can send us a request to unsubscribe you here.

If the email/text does not contain an opt out or unsubscribe button it’s because it’s a service message not a marketing message. A service message may be an MOT reminder or an invitation to provide feedback, or a product review request. If you no longer wish to receive any communications from Halfords, then please go here.

“I would like a copy of any CCTV images you may have captured of me during my recent visit to your premises”
Yes, we can do that as CCTV images are personal data, however, please be aware that we only retain CCTV images for 30 days from when they were recorded, after which they are deleted by the system and we are unable to recover them. To request a copy of your CCTV images go here.

The Legal - we have one month to provide you with a copy of your personal data which starts from the moment you have provided proof of your identity. We may extend the time limit by a further two months if the request is complex or if we receive a number of requests from you.

HOW WE COLLECT YOUR DATA

As an essential part of our business, we collect and manage customer data. In doing so, we observe all relevant data protection legislation and are committed to protecting and respecting customers’ privacy and rights. Specifically, Halfords acts as “Data Controller” in respect of the information gathered and processed by this website, when customers visit one of our stores or auto centres or use one of our mobile services.

In order that you are reliably informed about how we collect, process, store and share your information, we have developed this Privacy notice. This notice also advises how you can have control over our use of your data.

WHAT PERSONAL DATA DO WE COLLECT AND WHY?

We collect information about you so that we can:
provide you with our services in our stores, autocentres, mobile services and online sales We use cookies on our websites to collect your data, you can find out more about how we use cookies to collect your data here.
Collecting information from you:
The information that we collect from our customers is known as “personal data” and may include your name, home address, e-mail address, telephone number and vehicle registration number.
We collect this information in various ways.
This could be when you fill in a form on a website, or when you correspond with us by telephone, e-mail, webchat, or letter, when you buy something from one of our stores or websites or visit one of our autocentres.
We don’t store your payment card details as we use a third-party payment processor, so we never see your payment card information.

We use third-party providers to help us provide our services to you such as:
Haynes Pro, who give us information about your vehicle like the make, model and age of your car using the Vehicle Registration Number. We do this when we need to order the correct car parts or to provide you with the most up-to-date and relevant messages regarding your car’s safety, maintenance, and upkeep.

COOKIES

Third parties such as Google Analytics, may drop cookies on your computer or mobile devices. These cookies may use information about your visits to our websites to provide relevant advertisements about goods and services that you may be interested in. They may also employ technology used to measure the effectiveness of our advertising using cookies to collect information about your visits to our sites in order to provide relevant advertisements about goods and services you may be interested in. The information collected through this process doesn’t let us, or them, collect your name, contact details or other personally identifying details unless you choose to provide them. We have cookie controls in place on all of our websites that allow you to choose how much if any, personal data you provide. For more information about cookies go to our Cookie Notice.

ENHANCING OUR DATA

Because we are a group of companies, we combine data. We sometimes call this a “Single Customer View” it helps us to better understand your requirements, and how we can make our service better. We may also combine the data with data from selected third parties. This is a legitimate business interest necessary for providing you with the best products and services. It also helps us ensure our data is always up to date and accurate.

Like the majority of businesses, we analyse customer data and the business information generated by those customer data. Where we can, we anonymise or pseudonymise the customer data to carry out the analysis or research. This is a necessary legitimate business interest used to,

 

  • Learn more about our customers and their preferences.
  • To identify patterns and trends amongst our customers.
  • Enhance user experience on our Websites and Apps;
  • Provide information, content and offerings tailored to our customer’s needs.
  • For general research and statistical purposes.
  • For aggregated reporting purposes within the Halfords Group.
  • To help us develop new products and services.
  • To monitor the performance of our products and services.
  • To be able to send you personalised marketing messages; and
  • To display online advertisements to you.
WHO DO WE SHARE YOUR PERSONAL DATA WITH?
We may disclose your personal information to, (categories of recipients)

  • other members of the Halfords Group, our third-party service providers and business partners who provide data processing services to us, or who otherwise process personal information for purposes that are described in this Privacy Notice or notified to you when we collect your personal information. Such as,
  • Our outsourced IT support, Apps and other business systems,
  • Operational support such as customer service
  • Direct marketing, loyalty reward companies or other third parties who help us manage electronic communications with you,
  • Data insight and data analysis companies (to provide us with tools to analyse the data which we hold);
  • Promotional partners;
  • Customer review partners (so you can leave feedback and we can improve our service to you); and/or
  • Competition or prize-draw partners.
  • to any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights or apply our terms and conditions, or (iii) to protect your vital interests or those of any other person;
  • to any other person with your consent.

When we share your personal information with third party service providers and partners we carry out robust due diligence and ensure there is a contract in place that ensures your personal information is safe and your privacy protected. The contract is a legally binding document that ensures,

  • We provide only the information they need to perform their specific services.
  • They may only use your data for the purposes we specify in our contract with them.
  • We work closely with them to ensure that your privacy is respected and protected at all times.
  • If we stop using their services, any of your personal information held by them will either be deleted or rendered anonymous (subject to applicable law).
If you have any questions about the third parties, we share your personal information with, please contact us using the contact details provided below.
LAWFUL BASIS FOR USING YOUR DATA
We will only collect personal information from you;
  1. where we need the personal information to perform a contract with you (for example when you buy something from us),
  2. where the processing is in our legitimate interests (for example when we share your information with one of our suppliers or software providers)
  3. or where we have your consent.


If you need further information about the legality of our processing of your personal data contact us.

INTERNATIONAL DATA TRANSFERS

Your personal information may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different to the laws of the UK.

Halfords Website servers are located in the UK, but some of our third-party service providers and partners with whom we share your personal data are located outside of the UK, such as in the EU, the United States and India.

To ensure your personal information receives the same protection it would if it were being processed inside the UK, we always ensure that ICO guidance on International Data transfers is complied with and, our contracts with third parties contain the standards that must be followed at all times, including where applicable the use of EU Standard Contractual Clauses and UK International Data Transfer Agreements. If you wish for more information about these contracts, please contact us using the contact details provided under the “How to contact us” heading.

Any transfer of your personal data will be compliant with UK data protection law and all personal data will be secure.

YOUR RIGHTS
  1. Right to be informed
    You have the right to be informed about how we collect and use your personal data. This is known as a key transparency requirement under the UK GDPR. This Privacy notice provides that information. We regularly review, and where necessary, update your privacy information, if we do, we will highlight those amendments with the date and time they were made. If you require more information about how we process your personal data, go here.

  2. Right to access
    You have the right to ask us for a copy of your personal data that we hold about you. This is known as a “Subject Access Request” or SAR. We will send you a copy of the information within one month of your request once we have confirmed your identity. We can extend the time limit by a further two months if your request is complex or if we receive a number of requests from you.

    A third party can also make a SAR on your behalf but we need to know we have your permission to give them the information so we may need further information from you such as a written authorisation.

    We can accept SAR requests either verbally, via email or post or via social media, however, the quickest and most secure way for you to obtain your personal data is via our SAR portal here. The SAR portal has been set up make the SAR process as quick and easy as possible and we can keep you updated as to the progress of your request. You can communicate with us about your SAR via the portal as well as securely view your personal data.

    We can refuse to provide your information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive. However, we will always do our best to provide you with your personal data and help you to change your request, for example if we believe the request to be excessive, by asking you to clarify your request to help us locate the information you are asking us for.

  3. Right to rectification
    If you think any of the information, we hold about you is incorrect, you can either:
    visit the “My Account” section of the website where you can make changes to some of the information that we hold about you; or
    go here and submit a request asking us to check your information and if it’s incorrect, change it for you.

  4. Right to be forgotten
    You can ask us to erase your personal information. We can only do this in certain circumstances (see Frequently Asked Questions above). We will consider every request for erasure on an individual basis. You can ask us to delete your data here.

  5. Right to object
    You can object to us using your data in certain circumstances.

    If your request relates to direct marketing, we will stop using your data for marketing purposes immediately on request. This is also known as “opting out” of marketing (see Frequently Asked Questions).

    If you believe we should stop using your data for any other purpose, you can ask us to stop using your data here

  6. Right to restrict processing
    You can ask us to restrict the use of your data if you think it is inaccurate, but this will take time to validate if you believe our data processing is unlawful but you do not want your data erased, if you want us to retain your data to establish, exercise or defend a legal claim, or if you wish to object to the processing of your data. Then you can ask us here but please be aware, you will need to explain to us why you need us to restrict using your data.

  7. Right to data portability
    If you would like us to move, copy or transfer the data that we hold about you to another organisation, please contact our Data Protection Officer at dataprotectionofficer@halfords.co.uk

    Please be advised that this only applies to certain data which has been submitted by you electronically for specific purposes only. Our Data Protection Officer can provide further advice.

    Where we hold a customer’s details, we will also seek to ensure that, as far as possible, we maintain a single composite record of their interactions with us, which may require us to match their different activities. Where customers have indicated that they do not want us to us their data for receiving communications (other than those deemed legitimate), we will use this information purely for anonymised internal analytics and reporting, for example, looking at sales trends which does not identify individual customers.

    If you do not want us to undertake profiling or matching, you may either:

    - object to the processing of your data (see number 5 of this Privacy Notice above) or
    - request that Halfords erases all personal data about you (see number 4 of this Privacy Notice above)
DATA PRIVACY AND SECURITY
At Halfords, we maintain a comprehensive data management work programme, which includes processes for ensuring that data protection is a key consideration of all new and existing IT systems that hold customers’ personal data. Where any concerns, risks or issues are identified, we conduct relevant impact assessments in order to determine any actions that are necessary to ensure optimum privacy.

We also maintain an active information security work programme which seeks to protect the availability, confidentiality, and integrity of all physical and information assets. Specifically, this helps us to:

  • protect against potential breaches of confidentiality
  • ensure all IT facilities are protected against damage, loss, or misuse
  • increase awareness and understanding of the requirements of information security and the responsibility of our colleagues to protect the confidentiality and integrity of the information that they handle and
  • ensure the optimum security of this website

We recognise that the security of data and transactions on this website is of primary importance. We therefore ensure that all connections to secure parts of the website (such as when you login) are encrypted and authenticated using strong protocols, key exchanges and ciphers.

CARD PAYMENT SECURITY

We use a secure third-party payment processor for all digital payments. This means we do not store your financial data and cannot we see the card information we may ask you to enter when purchasing goods over the phone or on- line. The services we provide are compliant with the Payment Card Industry Data Security Standard (PCI DSS). Being compliant with PCI DSS means that we are doing our very best to keep our customers’ valuable information safe and secure and out of the hands of people who could use that data in a fraudulent way.

CONTACT THE DATA PROTECTION OFFICER

Questions and comments regarding this Privacy Notice are welcomed and should be sent to our Data Protection Officer at dataprotectionofficer@halfords.co.uk

You can also contact our Data Protection Officer if you have any concerns or complaints about the way in which your personal data has been handled or if you think we’ve done something wrong. But first check the FAQ’s as you may find the answer to your question.

Alternatively, if you still feel we have not handled your personal data correctly, you have the right to ask the Information Commissioner’s Office ("ICO") to look at how we handled your personal data.

The ICO can be found at Wycliffe House, Water Lane, Wilmslow SK9 5AF or https://ico.org.uk if you’re in the U.K or the Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland if you’re in the Republic of Ireland How to contact us | Data Protection Commissioner