Data Privacy Notice
At Returnal, your privacy matters to us. We are committed to handling your personal data with care, transparency, and respect, and to processing it in full accordance with applicable data protection law.
We apply the principles and standards of ISO 27001 to the way we manage information security across our business, and we publish our Trust Centre, where you can find details of our current security posture and our ongoing commitment to continuous improvement.
This notice explains what personal data we collect, why we collect it, how we use it, and the rights available to you.
1. Contact Details
Email: contact@returnal.co.uk
2. What Information We Collect, Use, and Why
Providing Services
We collect or use the following information to provide Trade-In, Buy-Back, Take-Back, Repair & other post-purchase services including collection of consumer goods:
- Names and contact details
- Addresses
- Account information
- Information relating to loyalty programmes
- Website user information (including user journeys and cookie tracking)
Operation of Customer Accounts
We collect or use the following information for the operation of customer accounts:
- Names and contact details
- Addresses
- Account information, including registration details
- Information used for security purposes
- Marketing preferences
Service Updates or Marketing Purposes
We collect or use the following information for service updates or marketing purposes:
- Names and contact details
- Addresses
- Website and app user journey information
- Records of consent, where appropriate
Dealing with Queries, Complaints or Claims
We collect or use the following personal information for dealing with queries, complaints or claims:
- Names and contact details
- Address
- Account information
- Purchase or service history
- Customer or client accounts and records
3. Lawful Bases and Data Protection Rights
Under UK data protection law, we must have a "lawful basis" for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO's website.
Which lawful basis we rely on may affect your data protection rights, which are set out in brief below.
Your Data Protection Rights
| Your Right | What it means |
|---|---|
| Right of access | You have the right to ask us for copies of your personal information. There are some exemptions, which means you may not receive all the information you ask for. |
| Right to rectification | You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete. |
| Right to erasure | You have the right to ask us to delete your personal information. |
| Right to restriction of processing | You have the right to ask us to limit how we can use your personal information. |
| Right to object to processing | You have the right to object to the processing of your personal data. |
| Right to data portability | You have the right to ask that we transfer the personal information you gave us to another organisation, or to you. |
| Right to withdraw consent | When we use consent as our lawful basis you have the right to withdraw your consent at any time. |
If you make a request, we must respond to you without undue delay and in any event within one month.
To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.
Our Lawful Bases for the Collection and Use of Your Data
Providing Services
| Lawful Basis | Detail |
|---|---|
| Consent | We have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. You have the right to withdraw your consent at any time. |
| Contract | We have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object. |
| Legitimate interests | We're collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. For more information on our legitimate interests please contact us using the details provided above. |
Operation of Customer Accounts
| Lawful Basis | Detail |
|---|---|
| Consent | We have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. You have the right to withdraw your consent at any time. |
| Contract | We have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object. |
| Legitimate interests | We're collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. For more information on our legitimate interests please contact us using the details provided above. |
Service Updates or Marketing Purposes
| Lawful Basis | Detail |
|---|---|
| Consent | We have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. You have the right to withdraw your consent at any time. |
| Legitimate interests | We're collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. For more information on our legitimate interests please contact us using the details provided above. |
Dealing with Queries, Complaints or Claims
| Lawful Basis | Detail |
|---|---|
| Consent | We have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. You have the right to withdraw your consent at any time. |
| Legitimate interests | We're collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. For more information on our legitimate interests please contact us using the details provided above. |
4. Where We Get Personal Information From
- Directly from you when you volunteer it in order to engage our circular economy services.
5. How Long We Keep Information
We do not keep your personal data for longer than is necessary for the purpose for which it was collected. The table below sets out how long we retain different categories of personal data, why we retain it, and how it is securely disposed of when the retention period ends.
Retention Principles
- Data will not be kept for longer than is necessary for its original purpose.
- Where a legal or regulatory obligation requires a minimum retention period, data will be held for at least that period.
- Where data is subject to legal proceedings or a regulatory investigation, retention will be extended until those proceedings are concluded.
- At the end of the retention period, data will be securely deleted, anonymised, or physically destroyed.
- Retention periods run from the triggering event specified in the schedule (e.g. end of contract, last interaction), not from the date of collection.
Retention Schedule
| Data Category | Examples | Retention Period | Legal Basis / Reason | Disposal Method |
|---|---|---|---|---|
| Customer identity & contact data | Name, email address, postal address, phone number | 3 years after last interaction | UK GDPR Art. 6(1)(b) Contract; Art. 6(1)(f) Legitimate interests | Secure deletion / anonymisation |
| Customer account data | Account login details, account history, preferences | 3 years after account closure | UK GDPR Art. 6(1)(b) Contract | Secure deletion |
| Customer service & complaints records | Support tickets, complaint correspondence, query logs | 3 years from resolution | UK GDPR Art. 6(1)(f) Legitimate interests; potential legal claims | Secure deletion |
| Trade-in transaction records | Device make/model, IMEI, condition assessment, valuation, transaction ID | 6 years from transaction date | UK GDPR Art. 6(1)(b) Contract; Art. 6(1)(c) Legal obligation (HMRC) | Secure deletion |
| Device ownership & provenance data | Proof of ownership documents, serial numbers, supplier records | 6 years from transaction date | UK GDPR Art. 6(1)(c) Legal obligation; fraud prevention | Secure destruction of physical docs; secure deletion of digital records |
| White-label partner transaction data | Partner customer identifiers, transaction metadata passed via API | 3 years from transaction date | UK GDPR Art. 6(1)(b) Contract with partner; Art. 6(1)(f) Legitimate interests | Secure deletion / anonymisation |
| Marketing consent records | Record of opt-in/opt-out, date, channel, consent wording version | Duration of relationship + 1 year after withdrawal | UK GDPR Art. 6(1)(a) Consent; ICO accountability requirements | Secure deletion |
| Marketing communication records | Emails sent, campaign responses, click/open data | 2 years from last interaction | UK GDPR Art. 6(1)(f) Legitimate interests | Secure deletion / anonymisation |
| Website & cookie data | User journey logs, cookie identifiers, session data | 13 months (analytics cookies); session data deleted on session end | UK GDPR Art. 6(1)(a) Consent; ICO Cookie Guidance | Automatic expiry / secure deletion |
| Employee personal & contract data | Name, address, NI number, bank details, employment contract, payroll records | 6 years after employment ends | UK GDPR Art. 6(1)(b) Contract; Art. 6(1)(c) Legal obligation (HMRC) | Secure deletion / shredding |
| Recruitment records (unsuccessful candidates) | CVs, interview notes, assessment results | 6 months after recruitment process ends | UK GDPR Art. 6(1)(f) Legitimate interests; potential discrimination claims | Secure deletion |
| Employee performance & disciplinary records | Appraisals, disciplinary notes, grievance records | 6 years after employment ends | UK GDPR Art. 6(1)(b) Contract; Art. 6(1)(f) Legitimate interests | Secure deletion / shredding |
| Security awareness training records | Training completion records, quiz results, ISMS compliance records | Duration of employment + 3 years | ISO 27001 A.6.3; UK GDPR Art. 6(1)(c) Legal obligation | Secure deletion |
| Incident & breach records | Security incident logs, data breach notifications, ICO correspondence | 5 years from incident date | UK GDPR Art. 33 accountability; ISO 27001 requirements | Secure deletion |
| Audit & review records | Internal/external audit reports, management review minutes, risk assessments | 3 years from creation | ISO 27001 A.9.2; UK GDPR accountability principle | Secure deletion |
Further Information
For more information on how long we store your personal information or the criteria we use to determine this, please contact us at contact@returnal.co.uk.
This retention schedule is reviewed annually by the Information Security Management Leader as part of the ISMS management review cycle. The Chief Product Officer (Data Protection Officer) is accountable for ensuring this schedule is implemented and that disposal processes are carried out correctly.
6. Who We Share Information With
Other Data Controllers & Processors
Retailers and Manufacturers of Consumer Goods
Retailers and Manufacturers of Consumer Goods offering Returnal's White Label Trade-in and other circular economy solutions to its customers.
Principally, your personal data is forwarded to other controllers only if required for the fulfilment of a contractual obligation, or if we ourselves, or a third party, have a legitimate interest in the data transfer, or if you have given your consent.
Others We Share Personal Information With
Third-Party Service Providers
We involve external service providers with certain functions including programming, data hosting, and physical product handling including carriage and logistics, inspection, grading, PAT testing, refurbishment, responsible recycling, resale and donation. We have selected these service providers with particular attention to their diligent handling of the data that they store, and we have processes in place to allow us to audit their handling of such data at regular intervals and ad-hoc as required to ensure compliance with our standards. All service providers are obliged to maintain confidentiality and to comply with the statutory provisions.
Additionally, data may be transferred to other controllers when we are obliged to do so due to statutory regulations or enforceable administrative or judicial orders.
External Auditors or Inspectors
As part of our commitment to continuous improvement we invite external auditors and inspectors to review our data security procedures to highlight any areas for improvement.
7. How to Complain
If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.
If you remain unhappy with how we've used your data after raising a complaint with us, you can also complain to the ICO.
The ICO's Address
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113
Website: https://www.ico.org.uk/make-a-complaint
