This privacy notice sets out how we collect, use and manage your personal data. Where we refer to “personal data” in this privacy notice, this means data which relates to you and which personally identifies you either directly or indirectly.

1. Data Controllers and Data Protection Officer

A data controller is an organisation that collects, uses and manages personal data and has responsibility for how the personal data is collected, used and managed.

A data protection officer is the person in an organisation who has responsibility for monitoring compliance with data protection law and for ensuring that personal data is protected within an organisation.

Shop Direct Ireland Limited ('SDI') provides your goods and is the data controller of personal data that you provide when you order goods.

SDI also provides credit, subject to status, and is the data controller of personal data you provide when you request a credit account.

Very Ireland is a registered business name of SDI. SDI is registered in the Republic of Ireland, number: 106058 and is authorised and regulated by the Central Bank of Ireland. Registered Office: Cape House, Westend Office Park, Snugborough Road, Blanchardstown, Dublin 15, D15 Y9DV. SDI's website is www.very.ie

In the context of this privacy notice when we use the term 'we' it means SDI.

SDI are part of the Very Group UK.

Group Companies who may receive your information include Shop Direct Finance Company Limited and Shop Direct Home Shopping Limited.

The Data Protection Officer for SDI can be contacted at The Data Protection Unit, Shop Direct Ireland Limited, Cape House, Westend Office Park, Snugborough Road, Blanchardstown, Dublin 15, D15 Y9DV.

2. How We Use Your Data

We collect, use, and manage your personal data to provide goods and services to you and to administer the credit account you may have with us.

We will use your personal data in the following ways:

• To provide goods and services and to manage your retail account including administering payments, returns and responding to queries.

• To assess whether to offer you a credit facility and for ongoing administration of any credit facility. This includes accessing and sharing information with the Central Credit Register ('CCR'), as required under the Credit Reporting Act 2013.

• To administer any financial services products that you have.

• To administer any prize draw or competition you may enter.

• To analyse your shopping preferences or how you interact with or use our website.

• For market research and statistical purposes.

• For marketing purposes including to send you special offers or discounts and to tell you about our products and services. You control your preferences in respect of how your personal data is used for marketing and you can change these preferences when you log in to My Account.

• To record and monitor outbound and inbound telephone conversations with you to ensure consistent service levels, to prevent or detect fraud, to resolve queries and complaints and for performance management and training purposes.

We will collect personal data directly from you when you purchase goods or services, apply for a credit account, or change any of your details (such as your name or address) via My Account or through our Contact Centres. We require you to provide personal data in order to assess whether to enter into a contract with you or to perform our contract with you and if you do not provide the personal data we request, we will be unable to enter into or fulfil this contract.

When you visit our website, it will store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make our site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalised web experience. As we fully respect your right to privacy, you can choose not to allow some types of cookies. For further information please see our Cookies Policy.

We may obtain data from third party sources such as credit reference agencies and other data sources to verify and keep your information updated, to provide you with new services and to enhance the level of services we provide to you. Additionally, we may obtain data from third parties that support credit decisioning, fraud prevention agencies and publicly available information relating to you on the internet (for example on social media websites).

If you choose to hear about our sales and offers on our goods and services, we will capture your consent and we will send marketing communications to you on this basis. You reserve the right to opt out of this at any time, please see below at Section 6 for information on how to exercise your rights.

3. Why We Need Your Personal Data

We need to process your personal data for a number of different reasons, and these are our legal bases for processing. We also need to keep your personal data for as long as is necessary for us to operate our business and to comply with legal and regulatory obligations.

We rely on one or more of the following legal bases for processing personal data:

• To perform our contract with you or to enter into a contract with you

We need to process your personal data to fulfil our contract with you or to assess whether to enter into a contract with you, whether this is in selling and delivering goods and services to you or providing credit facilities or other financial services products to you.

• To fulfil our legitimate interests or the legitimate interests of a third party

When we process personal data to fulfil our legitimate interests, we will use it in a way in which you would reasonably expect, and which will have a minimal privacy impact. When we or third parties are relying on legitimate interests to process your data, we will balance our interests against your interests and the privacy impact of the processing on you and we will process your personal data responsibly.

Examples of our legitimate interests are: fraud prevention, preventing and investigating crime including financial crimes, assessing affordability and creditworthiness and IT security.

• To comply with legal obligations to which our business is subject

We have to comply with relevant laws and regulation in order to provide retail and financial services products and we will need to process your personal data in order to comply with these legal obligations.

• Consent

If we are relying on your consent as our legal basis to process your personal data, you have the right to withdraw consent at any time.

Please see Section 6 below, “Your Rights”, for details on how to exercise your rights.

4. Storage Limitation

We will keep your personal data for the purposes set out in this privacy notice and only for as long as any legal basis continues to apply. Below is a list of the main reasons we need to retain your personal data:

• Compliance with the requirements of the Central Bank of Ireland, or other relevant Authority

• Compliance with Anti-Money Laundering Regulations

• Reporting obligations to the CCR

• Ensuring we have relevant information in the event of any queries or complaints

• Being able to identify if you have purchased a product which is subject to a product recall

• Being able to service any product or service guarantee you have purchased

• To assist with the establishment, exercise, or defence of legal claims

The length of time we need to keep the personal data will vary depending on the nature of the personal data and the reason we are obliged to hold it. The retention period for customer data is 7 years from the date a customer account becomes inactive (14 months after the date of the last financial transaction). We will apply appropriate risk-based measures to protect your personal data which may include pseudonymising or anonymising the personal data. If personal data is pseudonymised, this means it is de-identified so you are no longer identifiable, but we can re-identify you if we have a requirement to do so. If personal data is anonymised, it is de-identified, but can never be re-identified in the future.

5. Who We Transfer Data To

We will only share your personal data with third party organisations to provide the right service to you or to support us in doing so.

We may transfer your personal data to the following third parties:

• Other companies within The Very Group of companies - including for credit assessment purposes or for fraud prevention purposes.

• Technology service providers - our partners who provide IT, ID verification checks and website services.

• Customer service providers - our partners who work with us to administer your account and provide you with any help you may need.

• Telephony providers - our partners who provide telephone services and functionality.

• Delivery companies - our couriers, parcel firms and mail firms who deliver your goods or services and manage any returns on our behalf.

• Distributors and manufacturers of goods - our partners who fulfil orders and deliver products to you and manage any returns on our behalf.

• Product service providers - our partners who provide products and services such as insurance or extended warranties.

• Research service providers - our partners who work with us to provide market research and data analysis services.

• Marketing service providers - our partners who work with us to make sure we send you information about products, services and special offers that are of interest to you.

• Data pool facilitators - we may share and pool information (on an anonymous basis or otherwise) with other third-party retailers or financial service providers. This may help us to improve our products and quality of service to all customers.

• Debt collectors, tracing agencies, debt purchasers or organisations providing debt support - our partners who help us to recover debts, who purchase debts or who offer debt advice and support.

• Regulators and other governmental agencies or law enforcement agencies.

• Organisations who may be interested in purchasing our business or organisations who we may be interested in purchasing - we may sell parts of our business or acquire other businesses and your personal data may be shared with such third parties as part of this process.

We will only transfer your personal data to third parties who adhere to appropriate data security standards and controls. From time to time, we may need to transfer your personal data to other countries. Where this is the case, we will ensure that the transfer is subject to appropriate safeguards to protect your personal data and complies with applicable law which may include having standard contractual clauses in place with the third party. For further information on how data can be transferred to other countries, please find enclosed a link to the European Commission website: https://ec.europa.eu/info/law/law-topic/data-protection_en

Meta

If you have agreed to receive marketing communications from SDI, your personal data including purchasing and browsing activity, may be shared with Meta so that they can serve SDI adverts to you when you are using Meta platforms and apps, including Meta and Instagram. For certain data processing activities relating to this marketing, Meta will act as joint controller.

Further information on how Meta Ireland processes Personal Data, including the legal basis Meta Ireland relies on and the ways to exercise Data Subject rights against Meta Ireland, can be found in Meta Ireland's Data Policy at https://www.facebook.com/about/privacy.

SDI and Meta have entered into an agreement incorporating a 'Controller Addendum' to determine each party's respective responsibilities for compliance with the obligations under the GDPR with regard to the joint processing.

We have agreed that SDI is responsible for providing the above information and agreed that between the Parties, Meta Ireland is responsible for enabling Data Subjects' rights under Articles 15-20 of the GDPR with regard to the Personal Data stored by Meta Ireland after the Joint Processing.

Worldpay

Worldpay is a merchant services and payment processing provider offering a payment gateway for online transactions. SDI have joint controller status with Worldpay and share personal transaction data. For further information on how Worldpay process personal transaction data please see Worldpay's Privacy Statement.

Transfers outside the EEA

We sometimes need to transfer your personal data outside of the EEA for example to the United Kingdom. For this type of transfer, we have Standard Contractual Clauses (SCC) in place, or alternatively we will rely on the European Commission’s Adequacy Decision. Standard contractual clauses are contractual measures that are pre-approved by the European Commission which ensure the appropriate safeguarding of that data on the side of the data exporter and data receiver. Recently, the European Commission has updated SCCs to be more comprehensive and afford greater protection. For further information about data transfers and specific contractual mechanisms in place, please see below at section 10.

Whenever fraud prevention agencies transfer your personal data outside of the European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to 'international frameworks' intended to enable secure data sharing.

6. Your Rights

You have certain rights in respect of your personal data and we have processes to enable you to exercise these rights.

Right of Access

This is known as a Subject Access Request. If you want to know if we are processing personal data relating to you and to have access to any such personal data, you can call our Customer Services Team on 1800811222. In order to supply you with your personal data that we hold, we will need to verify your identity.

Right to Rectification

If you believe that we hold inaccurate personal data about you, then you can update this information directly by logging in to My Account and updating the relevant details. Alternatively, you can request that we carry out a review and rectify any incomplete or inaccurate personal data we hold about you by calling our Customer Services Team on 1800811222. Depending on the type of personal data you believe is inaccurate, we may ask you for further proof to ensure that the personal data is being corrected properly. If we are satisfied that the personal data is inaccurate, we will make the necessary changes.

Right to Erasure

You have a right to ask for your personal data to be erased. However, we are not required to erase your data where we need your personal data to comply with a legal obligation or for the establishment, exercise or defence of legal claims. Therefore, we cannot comply with an erasure request, for example, where you have a retail shopping account, owe money on a credit facility or have otherwise bought products and services for which we must keep records. In addition, if you opt-out of marketing communications or have previously opted out of marketing communications, we have to keep a record or such opt-out to ensure that we don't contact you in the future.

Right to Restriction

You have a right to request that processing of personal data is restricted in certain circumstances. Where we restrict your data, we are permitted to store your data but we cannot process in any other way apart from for the establishment, exercise or defence of legal claims or with your consent.

Right to Object

Where we are relying on legitimate interests as a legal basis to process your data, you have a right to object to such processing on grounds relating to your particular situation.

If you object to our use of your personal data for direct marketing purposes, we will opt you out of direct marketing. You can do this by logging into My Account and amending your preferences or you can call our Customer Services Team on 1800811222. You may also object to other processing when we rely on our legitimate interests as the basis for processing, but we do not have to stop the processing if we can demonstrate compelling legitimate grounds for the processing (taking into account our processing activities, the nature of our business and our legitimate interests) and that these grounds override your interests, rights and freedoms or in the event that we need the personal data for the establishment, exercise or defence of legal claims. To enable us to consider any objection we will need to know what specific interests, rights or freedoms relating to your particular situation you believe will potentially be put at risk by our processing. If we do stop processing your personal data (apart from for direct marketing purposes), this may affect our ability to trade with you.

Automated Processing

From time to time, in deciding whether to enter into a contract with you, or during the ongoing performance of a contract, we take decisions based on automated processing which produces legal affects or similarly significantly affects you, for example, deciding whether to offer a credit facility or assessing a fraud risk. We use data from a variety of sources in our automated processing for credit scoring and fraud decisioning and we use statistical methods to produce the results. This logic helps us understand the risk posed by individuals by placing a weighting on certain criteria which is then calculated to give an overall score.

There are a number of consequences of such automated processing:

• we may open a credit account and you can purchase goods and services using this credit account;

• we may decrease your credit limit;

• we may decide to offer you other credit terms such as buy now pay later or interest free credit which will facilitate your purchase of goods and services;

• we may refuse your application for credit or we may decide not to offer certain credit products which may have an impact on your ability to purchase goods and services from us. This is in line with our obligations as a responsible lender as we have to assess affordability for credit purposes and to protect customers from financial distress and difficulty;

• we may conduct a further review or request additional information from you in relation to your request to purchase goods and services if our fraud decisioning highlights any issues.

We also use automated processing in relation to the information we hold about you to make recommendations of products and services we think you would be interested in and to improve your experience when you visit our website by making it relevant and tailored to you.

Right to Portability

In certain circumstances, you can request that we provide to you your personal data in a commonly used format. If you wish to make such a request, you can call our Customer Services Team on 1800811222.

Right to Complain to the Data Protection Commission (DPC)

You have the right to complain to the Data Protection Commission (DPC) if you are concerned about the way we have processed your personal information. Please visit the DPC's website for further details at: www.dataprotection.ie

7. Credit Applications

In order to process your credit application and during our relationship with you, where a credit account exceeds a certain limit, we will share information with third parties including credit reference agencies or registers. Under the Credit Reporting Act 2013 we are required to share information on qualifying credit applications and agreements with the Central Credit Register ('CCR'). To do this, we will supply your personal (such as PPSN) and credit (amount of the loan) information to the CCR and they will give us information about you. This will include information about your financial situation and financial history. The CCR will also link your records together to create a Single Borrower View.

The CCR provides a reliable and secure source of credit information, showing an accurate picture of your qualifying loans and guarantees reported which will facilitate enhanced creditworthiness assessments and responsible lending.

We will continue to exchange information about you with the CCR while you have a relationship with us. We will also inform the CCR about your settled and closed accounts. If you borrow and do not repay in full and on time, the CCR requires us to report on any restructure during the lifecycle of the agreement due to arrears or financial distress. This information may be supplied to other organisations by the CCR.

When the CCR receives a search from us they will place a search footprint on your credit file that may be seen by other lenders.

You may request a credit report free of charge once a year. Further information can be found in the Consumer Area www.centralcreditregister.ie

Fraud Prevention/Anti-Money Laundering

Before we provide services, goods or financing to you, we undertake checks for the purposes of preventing fraud and money laundering, and to verify your identity. We ask you to verify your ID digitally to help protect you from financial crime and to meet our anti-money laundering obligations as a financial services provider regulated by the Central Bank of Ireland. We do this by using automated systems and services provided by trusted third parties who help us to verify identity and prevent certain types of fraud.

8. What Data we Process and Share

The personal data you have provided, we have collected from you, or we have received from third parties may include your:

• name

• date of birth

• nationality (only where you have had to supplement ID)

• gender (only where you have had to supplement ID)

• residential address and address history (only where you have had to supplement ID/apply for credit with SDI)

• contact details such as email address and telephone numbers

• financial information (only where you apply for credit with SDI)

• employment details (only where you apply for credit with SDI)

• identifiers assigned to your computer or other internet connected device including your Internet Protocol (IP) address

• Eircodes (required to enable us deliver good to you as quickly and accurately as possible)

When we and fraud prevention agencies process your personal data, we do so on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with laws that apply to us. Such processing is also necessary to enable us to enter into and perform our contracts with you.

We, and our processors acting on our behalf (including fraud prevention and delivery companies) may share and enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.

Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.

9. Automated decisions

As part of the processing of your personal data, decisions may be made by automated means. This means we use this to determine that you pose a fraud or money laundering risk if:

• our processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct; or is inconsistent with your previous submissions; or

• you appear to have deliberately hidden your identity

You have rights in relation to automated decision making: if you want to know more, please contact our Customer Services Team on 1800811222.

Consequences of Processing

If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services and financing you have requested, or we may stop providing existing services to you.

A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact us on the details above.

10. More Information

Opting Out: From time to time we may contact you with details on special promotional offers or products that we think you would be interested in, via Email, Telephone, SMS, Post, app notifications or you may receive such information from specially selected Third Parties. If you do not want to receive these communications you can opt-out in the following ways:

Via My Account-Existing customers who have registered their account online - log into My Account, go to 'My Details' / 'Contact Preference' and tick each method of contact you wish to opt-out of.

By calling us on 1800811222 or writing to us at the below address if you don't have an account or your account isn't registered online. Please state which contact method you wish to be removed from (existing customers should provide their Account Number). Please clearly state whether you wish to be removed from our marketing communications, marketing communications from Third Parties, or both.

To opt-out of marketing emails from us, click on the “unsubscribe” link contained at the end of marketing emails and follow the subsequent instructions.

To turn off app notifications go to your device settings, click “Notifications”, and disable notifications for the Very app. Please be aware if you are accessing your account via a shared device, other members of your household may see app notifications that we send.

Please note:

Requests not received in the specific format indicated, are in danger of being misdirected. We reserve the right for our customer advisors to contact you regarding your account where necessary.

Please make sure that you have read and understood our privacy notice which is updated from time to time and which explains how we safeguard any data which you provide to us and the basis for which we process your data in order for us to fulfil your online orders and credit account.

How to contact us

If you are unhappy about how your personal data has been used please refer to the complaints section on the website at https://www.very.ie/help/en/online-help-system.page.

If you have any queries about how we use your information or on data protection generally please contact us at the Data Protection Unit, Shop Direct Ireland Limited, Cape House, Westend Office Park, Blanchardstown, Dublin D15 Y9DV.

Shop Direct Ireland Limited trading as Very is regulated by the Central Bank of Ireland.

Last Updated 17th June 2024