TJ MORRIS LIMITED TRADING AS HOME BARGAINS
CUSTOMER PRIVACY NOTICE
1 TJ Morris Limited has strict obligations under the UK General Data Protection Regulation 2016/679 (“the UK GDPR”) and the Data Protection Act 2018 (“the DPA”), to safeguard your privacy and personal freedoms. It takes these obligations very seriously. This Notice sets out how we collect your personal data and from where, how we use it, who we share it with, how we store it and how long we keep it. It also sets out your rights and entitlements under the law.
2 This Notice applies in relation to the personal data we collect and use when you visit our stores, websites, and social media accounts, and when you communicate with us by phone, email, post, and online.
Who We Are
3 When we say “us”, “we”, and “our” in this Notice, we mean both Home Bargains and TJ Morris Limited. Home Bargains is the trading name of TJ Morris Limited.
4 We are a “controller” of your personal data. This means that we decide, and are responsible for, how and why we use it. We are registered with the UK’s data protection regulator, the Information Commissioner’s Office (“the ICO”), under registration number Z9174406.
Contacting Us
5 You can contact us by emailing our Data Protection Officer at DataProtectionEnquiry@tjmorris.co.uk.
6 You can also write to our Data Protection Officer at TJ Morris Limited, Portal Way, Axis Business Park, Gillmoss, Liverpool, L11 0JA.
7 You can contact us by phone on +44 (0) 151 530 2284.
Personal Data We Collect from You
8 Personal data is any information relating to a living person, from which they can be identified, or are identifiable. We may collect the following categories of personal data from you, or derive it from your use of our websites and social media accounts,
8.1 “Identity Data”, EG, your name, date of birth, marital status, title, gender, username, social media accounts, and IP address;
8.2 “Contact Data”, EG, billing and delivery addresses, telephone number, email address, and other electronic communications we may send you, and how you interact with them (if you have opened the communication, clicked on any links within that communication, etc);
8.3 “Financial Data”, EG, bank account, bank name, card payment details including CVV, card number, start and expiry dates;
8.4 “Transaction Data”, EG, purchase history, feedback, complaints, and reviews by phone, email, post, or social media;
8.5 “Profile Data”, EG, account login details including username and password;
8.6 “Communication and Marketing Data”, EG, if you opt in, consent to receive newsletters or SMS alerts, preferred communication channels (email, SMS, telephone etc), profile data from social-login (Facebook, Instagram, Google etc), cookie preferences re - marketing communications;
8.7 “Technical and Tracking Data”, EG, website cookie identifiers, session and persistent cookie data, IP address (from which your location is inferred), device type including make and model, browser version, plug ins, operating systems, platforms, IP address, how you use any services we offer, when and how you use our websites including pages viewed, search terms used, products added to a cart or wish lists, purchase history, average order value, saved preferences (size, style, language);
8.8 “Location Data”, EG, geolocation data (via IP address, GPS on mobile), address lookup/API data to validate delivery zones, CCTV, automatic number plate recognition (ANPR).
8.9 “Special Category and Criminal Offence Data”, EG, your racial/ethnic origin, religious/philosophical beliefs, health, sex life, or sexual orientation, alleged or actual criminal offences.
Personal Data We Collect from Third Parties
9 We may also collect personal data about you from third party data controllers including banks, payment processors, address verification companies, the police and fraud detection agencies, facial recognition technology (“FRT”) suppliers, insurers and legal representatives, Courts and Tribunals, regulators, DVLA, parking companies.
10 We may collect some personal data that is publicly available.
The Lawful Basis for Using Your Personal Data
11 We may use your personal data for the following purposes, and on the following lawful bases set out in the UK GDPR.
| PURPOSE | DATA CATEGORY | LAWFUL BASIS FOR PROCESSING | DATA SOURCE | |
| 11.1 | To register you as a new customer |
Identity Contact Profile Technical and Tracking Location |
To perform our contract with you | You |
| 11.2 | To process your online order including collecting payments, providing refunds, arranging and making deliveries and returns, investigating and resolving complaints. |
Identity Contact Financial Transaction Profile Communication and Marketing Technical and Tracking Location |
To perform our contract with you To comply with a legal obligation |
You Your bank Payment processors Police, fraud detection agencies Address verification companies
|
| 11.3 | To manage our relationship with you, including notifying you about changes to our terms and privacy policy, asking you to leave a review or take a survey, inviting you to take part in a prize draw or competition, delivering relevant website content and advertisements and measuring/understanding the effectiveness of it |
Identity Contact Transaction Profile Communication and Marketing Technical and Tracking |
To perform our contract with you To comply with a legal obligation Necessary to pursue our legitimate interest in growing our business and understanding the markets our products |
You
|
| 11.4 | To administer our websites and social media accounts, including guarding against or responding to malign actors, system maintenance, support, reporting and hosting of data, troubleshooting, testing, compliance with legal and regulatory obligations, use of data analytics to improve website performance and customer experience. |
Identity Contact Transaction Profile Technical and Tracking Communication and Marketing Location |
To perform our contract with you Necessary to pursue our legitimate interests in identifying unlawful activity and maximising website performance, to develop and protect our business. Necessary to comply with a legal obligation |
You Regulators Police and fraud detection agencies
|
| 11.5 | To process your in-store purchases including managing/collecting payments, providing refunds, arranging and making deliveries, and returns. |
Identity Financial Location |
Performance of a contract with you To comply with a legal obligation Necessary to pursue our legitimate interests in receiving payments and detecting fraud. |
You Your bank Payment processors Police and fraud detection agencies
|
| 11.6 | To mitigate the risk of unlawful/unsafe activity on its premises, to establish or defend legal rights, and to manage our premises |
Identity Contact Location Special Category and Criminal Offence |
To comply with a legal obligation Necessary to pursue our legitimate interests in reducing injury and loss through theft, vehicular incidents, physical and verbal abuse of employees and customers. |
You Parking companies DVLA Police and fraud detection agencies FRT suppliers Regulators Courts and Tribunals Insurers and legal representatives DVLA |
12 You do not have to provide us with your personal data. We are not required by law to collect it from you or a third party.
13 If you do want to use our services and/or purchase our products however, we must collect and process your personal data as set out above, to perform our contract with you, to comply with our legal obligations, and to pursue our legitimate interests. We cannot provide our services and/or products to you otherwise.
14 Our websites and social media accounts are not intended for data subjects 13 years old, or younger, IE, children. We do not knowingly collect children’s data by these means.
CCTV
15 We use CCTV at our stores and car parks, to investigate accidents, incidents, and activities we reasonably believe are unlawful/unsafe, which breach our policies, and/or which are the subject of regulatory action, or legal claims.
16 Some of our car parks are monitored, administered, or owned by third party companies. Please check the notices at the car park in which you want to park, which will tell you who the company (if any) is, how you may contact them, and how you may access their privacy notice.
17 We may share CCTV footage with public and regulatory authorities, EG, the police, fraud detection agencies, Courts and Tribunals, and regulators, either because we are required by law to do so, or because it is in our legitimate interests to do so to prevent/detect unlawful/unsafe activity.
18 We may also share CCTV footage with insurers and legal representatives, and in response to requests from others, to establish/defend our/their rights or the rights of others, where they outweigh those whose personal data appear in the footage.
19 We retain CCTV footage for 30 days, before permanently erasing it, unless we require it for the purposes set out above. If so, we will retain it for 7 years from the date of any unlawful/unsafe incident or 7 years from the conclusion of any legal proceedings in connection with it.
FRT
20 FRT is deployed in some of our stores to provide a safe environment for employees and customers, and to assist in the prevention and detection of unlawful/unsafe activity including physical and verbal abuse, and theft. We display clear signage in all stores where it is deployed.
21 The FRT is operated by Facewatch Limited (“Facewatch”). Facewatch is an independent data controller, which processes your personal data when you enter stores where FRT is deployed.
22 We supply incident details to Facewatch and identify images in their system of “Subjects of Interest”, who we reasonably suspect have committed unlawful/unsafe acts. Facewatch reviews this personal data and adds it to a watchlist. It then alerts us if a Subject of Interest later returns to our store. Matches are always checked for accuracy by a Facewatch employee, before they send us an alert.
23 We are the recipients of this personal data, as well as the police and fraud detection agencies. We may also share it with insurers and legal representatives, Courts and Tribunals, and regulators, where required to do so, or where required to establish or defend legal rights.
24 We process your personal data in this way because we have a legitimate interest in preventing as well as detecting unlawful/unsafe activity. We cannot achieve this with CCTV, which permits us only to detect unlawful activity after it has occurred. Reporting incidents to the police is similarly less effective than the use of FRT.
25 We do not share incident details involving data subjects who appear to be under 18 years old with Facewatch, even if we reasonably believe they have committed an unlawful act. We may share their details as an exception, where the unlawful act may result in harm to them.
26 Other retailers that use Facewatch’s FRT may also share details of Subjects of Interest, which Facewatch may then alert us about if they enter our store.
27 Facial recognition algorithms are defined as special category data. Facewatch processes this as a separate data controller. It complies with the additional legal requirements for this processing, as it explains in its privacy notice at https://www.facewatch.co.uk/privacy/. We do not process this special category personal data.
28 We retain incident details, including our own CCTV footage of Subjects of Interest, for 7 years from the date of an incident, or the conclusion of any legal proceedings relating to it.
29 If you wish to access the personal data Facewatch processes about you, or if you have any questions about FRT, you must contact Facewatch directly by emailing dpo@facewatch.co.uk, by calling 0207 9303225, or by writing to The Data Protection Officer at Facewatch Limited, High Street, Hadleigh, Ipswich, Suffolk IP7 5EA.
Special Category and Criminal Offence Data
30 We will not process personal data that is biometric data. We will process Special Category and Criminal Offence Data (as defined above), only in very limited circumstances because we have legitimate interests,
30.1 in establishing/defending legal rights if you claim damages against us for personal injury or, discrimination; or
30.2 in preventing/detecting unlawful acts.
Third Parties Recipients of Your Personal Data
31 We will not sell your personal data to any third party. We may share your it however, to comply with a legal obligation, to perform our contract with you, or because we have legitimate interests in doing so, EG,
31.1 market research agencies, advertising partners, and other such agents and advisors, which help us understand what you do as a customer, so we can stock the products you want, create relevant marketing campaigns, and develop our business;
31.2 companies approved by you such as social media platforms like Facebook, and Instagram;
31.3 scheme providers and payment processors that provide payment solutions such as Visa, Mastercard, PayPal, WorldPay, and Checkout, so we can manage your account and process your payments;
31.4 companies that help us manage and maintain our websites, till systems, online connectivity, IT infrastructure;
31.5 logistics and delivery companies that enable us to deliver products you order on our websites;
31.6 professional advisors such as lawyers, consultants, and insurers;
31.7 security and fraud prevention companies, that help us to ensure the safety and security of our customers, employees, and business;
31.8 companies that help us with our charitable and social goals;
31.9 the police and fraud prevention agencies, so we can prevent and detect unlawful/unsafe activity.
32 If you use the services provided by another organisation to interact with us, such as a virtual assistant or a social media platform, your personal data is also subject to the privacy policies of those organisations.
33 If you use any wi-fi in our stores, then your personal data will be subject to the provider’s privacy policy. Details of the provider are provided when you sign up.
34 We may share your personal data if required to do by law, by a Court/Tribunal Order, by a public or regulatory authority, in accordance with any code of practice to which we are subject, or if we need to do so to establish or protect our legal rights, users, systems and services.
35 We may share your personal data in response to requests from individuals, or their representatives, seeking to protect their rights or the rights of others. We will only share your personal information in response to requests which do not override your privacy interests.
Cookies
36 We use cookies to help give you the best experience on our websites, and to allow us and third parties to tailor adverts you see on ours and other websites. For more information please see our full Cookie policy https://help.homebargains.co.uk/hc/en-gb/articles/360005310438-Cookie-Policy.
Data Retention
37 We will keep your personal data only for the purposes set out in this Notice, and in accordance with the law. We will never keep it for longer any than is necessary to fulfil those purposes.
38 Usually we will retain your personal data for 7 years after the end of your relationship with us. In certain circumstances however, we may be required to retain your personal data for longer.
39 To decide how long we should retain it, we consider the amount, nature, and sensitivity of it, the risk of harm from unauthorised use or disclosure of it, the purposes for which we process it, and if we can achieve those purposes another way, and any legal requirements.
40 We may anonymise your personal data so that you cannot be identified from it, for research or statistical purposes. If so, we may use that anonymised data indefinitely without further notice.
Transfers of Your Personal Data Outside the European Economic Area (“the EEA”)
41 Countries in the EEA are subject to the General Data Protection Regulation 2016/679. Like the UK GDPR, this contains safeguards with which organisations in those countries must comply to ensure the privacy and personal freedoms of data subjects whose personal data they process.
42 We may share your personal data with Google LLC. This is a company incorporated in, and which may process your personal data in, the USA. It is not subject to the General Data Protection Regulation 2016/679.
43 The UK GDPR prohibits controllers in the UK from sharing personal data with organisations outside the EEA, unless it complies with certain safeguards. In this case, Google LLC is a certified organisation for the purpose of the UK extension to the EU US Data Privacy Framework. This means we are permitted to share personal data with Google LLC even though it is in, and may process your personal data in, the USA.
44 If you require further information about this, please contact the Data Protection Officer at the contact details above in “Contacting Us”.
Automated Decision Making
45 We do not make decisions about you, based solely on automated decision making.
Security and Resilience
46 We take the security of your personal data very seriously. We apply the principle of “data protection by design and by default” to our systems and processes, which means security and privacy are considered at every stage. To achieve this, we have put in place a range of organisational, technical, and physical safeguards, including but not limited to,
46.1 restricting access to our buildings, systems, and data to authorised personnel only, with regular reviews of access rights;
46.2 applying layered technical controls such as authentication measures, access controls, network and system security protections, encryption of data at rest and in transit, and separation of systems and roles;
46.3 continuously monitoring our systems and services for risks, threats, and vulnerabilities, and taking prompt action to address them;
46.4 maintaining resilience through regular testing, secure back-ups, disaster recovery arrangements, and business continuity planning;
46.5 following recognised industry standards and good practice to ensure our systems remain up to date and secure;
46.6 maintaining clear policies and procedures for data protection, including staff training, incident response, and reporting personal data breaches to the ICO and affected individuals where required by law.
Your Rights and Entitlements
47 You have rights and entitlements under the UK GDPR and the DPA, including the right to,
47.1 request access to a copy of the personal data we process about you;
47.2 request rectification of personal data that we process;
47.3 request that we restrict our processing of your personal data;
47.4 request that we erase the personal data we process about you;
47.5 complain to us about how we process your personal data;
47.6 request that we port your personal data to another service supplier;
47.7 object to decisions made solely on the basis of automated decision making.
48 If we rely on your consent as the lawful basis for processing your personal data, you may withdraw that consent at any time. If you withdraw your consent, it will not affect the lawfulness of our processing of your personal data prior to your withdrawal of consent. If you wish to withdraw consent, please contact our Data Protection Officer using the contact details above under “Contacting Us”.
49 Your rights under the UK GDPR and the DPA are not absolute. The law contains exemptions to them. If you exercise one or more of your rights, and we rely on an exemption, we will tell you which one, and why we are relying on it.
50 If you wish to exercise any of your rights and entitlements, please contact our Data Protection Officer using the contact details above at “Contacting Us”. You can also exercise your right to request access to your personal data at https://www.tjmorris.co.uk/sar.
51 You may find further information about your rights and entitlements on the ICO’s website at https://ico.org.uk/for-the-public/.
52 You also have the right to ask a Court to help you to enforce your rights and entitlements.
The Data Protection Regulator
53 The ICO is the data protection regulator in the UK. You can find further information about your rights and entitlements under the UK GDPR and the DPA at https://ico.org.uk/for-the-public/.
54 You have the right to complain to the ICO about how we, or any other organisation, processes your personal data. You can telephone the ICO on 0303 123 1113. You can further information about how to complain, at https://ico.org.uk/make-a-complaint/. You can also write to the ICO at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
This Notice
55 This Notice was last updated on 22nd September 2025. You can obtain prior versions by contacting the Data Protection Officer using the contact details above, under “Contacting Us”.
56 If we make changes to this Notice, we will take reasonable and proportionate steps to bring those changes to your attention.