Skip to content

HAVE YOU SEEN OUR BRAND NEW TV ADVERT? CLICK HERE TO WATCH IT!

SUMMER SALE NOW ON! SHOP JEWELLERY & BAGS WITH UP TO 20% OFF

WEBSITE PRIVACY NOTICE

This Privacy Notice sets out how we collect, use and manage your personal data.  Where we refer to “personal data” in this privacy notice, this means data which relates to you, and which personally identifies you either directly or indirectly. 

NOTICE

Your personal data privacy is very important to us, which is why we have published this notice for your information purposes. This is designed to explain what, why and how we use your personal data as well as provide you with information regarding our regulatory authority.

If you have a question, want to exercise your rights or make a complaint about our use of your
information, please contact us or by email to complaints@handt.co.uk. You can also make a complaint to the ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, telephone 0303 123 1113. www.ico.org.uk.

Data Controller and Data Protection Officer

A data controller is an organisation that collects, uses and manages personal data and has responsibility for how the personal data is collected, used and managed.

A data protection officer is the person in an organisation who has responsibility for monitoring compliance with data protection law and for ensuring that personal data is protected within an organisation

Who is the Data Controller?

Harvey and Thompson Limited (‘H&T’) of Times House, Throwley Way, Sutton, Surrey SM1 4AF is the data controller of personal data that you provide when you order goods or use our services.

We are registered with the Information Commissioner's Office with registration number Z5870831.

Harvey and Thompson Limited are an indirect subsidiary of FirstCash Holdings Inc, who as owners of H&T may act as a data processor from time to time.

Our Data Protection Officer can be contacted via the address on our contact us page. or via email at DPO@handt.co.uk

The types of personal data we collect

We may collect and use both personal and sensitive customer data for the purpose of providing or carrying out the services or products for which you have engaged with H&T.

In the case of capturing and storing sensitive data we will only do so where necessary and following consent from the data subject or where an UK GDPR Article 9 exemption exists.

How we use your personal data 

We use your personal information for a variety of reasons related to providing you with our products and services, our business activities and administration, and compliance with our legal and regulatory obligations.

We may use your personal data in the following ways:

 

•    To provide goods and services and to manage your retail account including administering payments, returns and responding to queries.

•    To administer any financial services products that you have.

•    To administer any prize draw or competition you may enter.

•    To analyse your shopping preferences or how you interact with or use our websites.

•    For research and statistical purposes.

•    For marketing purposes, including to send you special offers or discounts and to tell you about products and services from us or third parties. This may also include profiling to ensure we market to you about relevant products and services. We would only do this with your consent.

•    To record and monitor outbound and inbound telephone conversations with you to ensure consistent service levels, to prevent or detect fraud, to resolve queries and complaints and for performance management and training purposes.

Where you have applied for a credit product (such as a pawnbroking agreement) we will also use your data to process and assess your application for credit and to administer your credit product. We refer to this as a "credit product".

Where you are using one of our other services, such as a foreign exchange transaction, this is to provide you with services and to manage our risk. We refer to these as "money services”.

For certain third party provided services such as Western Union, any personal data you provide directly to them will be subject to their own privacy notice and data handling practices. 

Where you have used Klarna to pay for goods bought via our retail platform, both H&T and Klarna would be controllers and processors of that data, which would be processed by H&T to perform and manage your purchase and relationship e.g for confirming your identity, sending goods, handling questions and disputes, in order to prevent fraud and, where appropriate, send relevant marketing if you have chosen to opt in. H&Ts Privacy Notice applies to the processing of your personal data. Please also see Klarna’s Privacy Notice for further details as to how they process your data.

What is the lawful basis for these uses?

In most cases our use of your information is necessary and carried out on the following legal grounds:

- for the performance of a contract with you (such as your credit product or money services).

- where necessary for our legitimate interests (such as the proper administration of our business and managing our legal risks);

- and where necessary in order to comply with a legal obligation (for example making reports to our regulatory authority or to law enforcement agencies).

Where our use of your data is not necessary for one of the purposes outlined above, we may seek your consent to use it in a particular way, for example if we want to send you marketing information, ask you to provide feedback or you tell us about a change in circumstances relating to your health.

Where we ask for your consent, you may refuse and can withdraw your consent at any time by contacting us using the details set out below.

What information about you do we use

We collect and use the following information about you:

- Information about you including your contact details and personal details and, if you are applying for a credit product, information about your financial circumstances.

- If you are taking out a credit product, information provided to us by any loan broker that introduced you to us.

- If you are taking out a credit product or using a money service, Information about you from third party organisations to verify your identity and, in the case of credit products, Fraud Prevention Agencies (FPAs) and tracing agents; 

- information obtained from other public data sources which might include data from the electoral roll, public records including county court judgments, and bankruptcy and insolvency data to the extent this is necessary and justified on one of the legal bases above;

- Information about your use of our website and call recordings when you speak to us over the telephone; and

- Information you (or your third-party representative(s)) provide us with or share publicly to the extent this is necessary and justified on one of the legal bases above. 

- CCTV footage and audio from H&T store estate (see appendix 2 for further details on CCTV).

Special Category Data and Vulnerability information

In certain circumstances, we may collect and process “Special Category” personal data where necessary to provide our services, comply with legal or regulatory obligations, protect customers, or support customers who may be vulnerable. 

This may include information relating to:
•    Physical or mental health conditions;
•    Illness, disabilities, or medical conditions; 
•    Information concerning a customer’s vulnerability or personal circumstances;
•    Information indicating a need for additional support or communication adjustments. 

We may process this information for purposes including:
•    Assessing and supporting vulnerable customers;
•    Ensuring fair customer outcomes;
•    Identifying appropriate support measures or communication methods; 
•    Complying with regulatory obligations and guidance;
•    Fraud prevention, safeguarding, or protection against financial harm;
•    Handling complaints and disputes;
•    Supporting responsible lending and customer care processes

Where required under applicable data protection law, we will ensure that an appropriate lawful basis and condition for processing applies. This may include processing that is necessary for reasons of substantial public interest, for example to comply with regulatory requirements or to protect vulnerable individuals. 

In circumstances where we cannot rely on another lawful condition for processing, or where appropriate in the context of the processing activity, we may request your explicit consent before collecting or using this information. 

Access to special category data is restricted to authorized personnel with legitimate business need, and we apply additional safeguards and security measures when handling this type of information. 

Who do we share your information with?

We may share your information with:


•    The broker who introduced you (if applicable);
•    Third-party service providers, such as tracing agents, our legal advisors, our auditors and professional service providers and our website support;
•    Providers of information tech, cloud-based software as a service, website hosting and management, data analysis, data back-up and security.
•    Dotdigital, online marketing company.
•    Law enforcement agencies or regulatory bodies where we are required to do so.
•    Other members of our group of companies, and any purchaser or proposed purchaser of all or part of the same or their assets, together with their professional advisors, including in the United States of America.
•    You or your third-party representatives (in line with your rights); or
•    any person or person’s seeking to acquire all or part of our business and/or assets and any potential assignees of your credit agreement, along with their third-party advisors.
•    Third parties, including other pawnbrokers and/or credit providers, where we believe, in good faith, that this is necessary to prevent or investigate fraud, theft or other criminal activity and in order to protect our rights, property, safety or reputation or the rights, property, safety or reputation of any of our clients or partners.
•    Customer satisfaction review agencies
•    Fraud prevention services
•    Ecommerce platforms
•    Financial Solutions providers

Where we share your data, we will always seek to implement reasonable safeguards  such as data encryption at rest, use of  Secure File Transfer Protocol, (SFTP), Secure Sockets Layer (SSL) and anti-malware defences to ensure it is safe. Further details on where we share your data and how we safeguard it can be found later in this document.

Records remain on file with CRAs and FPAs for 6 years after they are closed, whether settled by you or defaulted. This information may be supplied to other organisations which search your credit
record. 

More information about CRAs and how they use personal information is available in the Credit Reference Agency Information Notice (also known as the "CRAIN") at
www.experian.co.uk/crain/index.html or you can contact the agencies below: 

TransUnion

Consumer Services Team, PO Box 491, Leeds, LS3 1WZ Tel: 0330 024 7574 or visit www.transunion.co.uk/crain

Equifax PLC

Customer Service Centre, PO Box 10036, Leicester, LE3 4FS Tel: 0800 014 2955 or visit www.myequifax.co.uk

Experian

Consumer Help Service, PO Box 8000, Nottingham, NG80 7WF Tel: 0344 481 8000 or visit www.experian.co.uk

Vanquis

If you have been introduced to us by Vanquis Bank who wanted to bring to your attention the opportunity of accessing our pawnbroking services; we have agreed to share with them some details about how you manage your payments in relation to any pawnbroking loan you take out, so that Vanquis Bank may at a point in the future review your creditworthiness in relation to any future application you may make to them.

Third party organisations that provide applications / functionality, data processing or IT services to H&T

We use third parties to support us in providing our services and to help provide, run and manage our internal IT systems. For example, providers of information technology, cloud-based software as a service, website hosting and management, data analysis, data back-up, security and storage services.

The servers are located in secure data centres around the world, and personal data may be stored in any one of them. Further details of these providers are set out below.

Name Role Location of data storage
MS Azure Software / cloud services UK/US
Shopify External Website EU/US/Canada
Critiqom Customer Letters UK/EEA/US
Google Email Global
Comply Advantage AML EEA/Global
Dot Digital Marketing email and SMS Global
First Cash CCTV Monitoring US/Mexico

Fair Processing Notice

 

The personal information we have collected from you may be shared with fraud and Anti Money Laundering prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. Identity checking and re-verification may result in services not being offered, being suspended or being withdrawn.  If fraud is detected, you could be refused certain services, or finance. 

Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found by accessing the CIFAS Fair Processing Notices (www.cifas.org.uk/fpn).

Where is your information stored / processed ?

We’re based in the UK, but sometimes we or our third parties need to transfer, store or process your personal information outside the UK. 
 
Some of these jurisdictions may not provide the same level of protection for personal data as provided in the UK as they will have different data protection laws.  This may include transfers to countries including (but not limited to)  United States of America, India, Dublin, and Australia. We take steps, including through contracts, intended to ensure that the information continues to be protected wherever it is located in a manner consistent with the standards of protection required under applicable law.

How will we safeguard your personal data?

No matter where we process your personal data, we will always ensure it is protected in a manner as described in this privacy notice and in accordance with applicable laws. Therefore, when we do transfer your personal data outside of the UK, we’ll make sure that suitable safeguards are in place before we transfer your personal information to countries outside the EEA. 

Safeguards include:

·         If that country is covered by UK adequacy regulations (please see appendix for list of countries), we will rely on that decision to undertake our transfer; or

·         For transfers of personal data where UK adequacy regulations are not applicable an ‘International Data Transfer Agreement (IDTA)’ or ‘Standard Contractual Clauses addendum’ will be put in place prior to any processing. 

How long will your information be kept on file?

We keep your information for as long as it is needed to provide you with the services you have requested and, to the extent it is necessary for the protection of our legitimate interests, and in line with our retention policy. In some limited cases, by law, we are required to keep certain information longer than the retention periods. If you would like to know more, please contact us.

 

Below is a non-exhaustive list of some of the reasons we need to retain your personal data:

- Compliance with the requirements of the Financial Conduct Authority

- Compliance with Anti Money Laundering Regulations

- Reporting obligations to the Credit Reference Agencies

- Ensuring we have relevant information in the event of any queries or complaints

- Being able to identify if you have purchased a product which is subject to a product recall

- Being able to service any product or service guarantee you have purchased

- To assist with the establishment, exercise or defence of legal claims

 

The length of time we need to keep the personal data will vary depending on the nature of the personal data and the reason we are obliged to hold it. We will apply appropriate risk-based measures to protect your personal data which may include pseudonymising or anonymising the personal data. If personal data is pseudonymised, this means it is de-identified so you are no longer identifiable, but we can re-identify you if we have a requirement to do so. If personal data is anonymised, it is de-identified but can never be re-identified in the future.

If you would like to know more, please contact us.

Your rights

Right of access

You have a right to access the personal information we hold about you and be told why we use it. This is known as a Subject Access Request. If you want to know if we are processing personal data relating to you and to have access to any such personal data contact DPO@handt.co.uk.

Right of rectification

You can ask us to correct or update your information to ensure it is accurate and complete.

The right to erasure/be forgotten and right to restrict processing

You can ask us to stop processing and to delete your data in certain circumstances (for example where it is processed with your consent, or it is no longer necessary for us to process it).

Right to data portability

You have a right to ask us to provide you with information in a form that suits you, and/or to provide your information to a third party.

Right to object

You have a right to object to our processing of your information.

Rights: profiling and automated decisions

You have a right not to be subject to automated decisions which have a legal effect and to be protected by safeguards in respect of any profiling.

Right to object to direct marketing

Where you have consented to receive direct marketing, you can change your mind at any time by contacting us or following the directions in each message. Please allow a few days for us to action your request.

Rights in relation to CRAs

You have a right to be told which CRAs we have used and obtain a copy of your file from CRAs.

You have the right to withdraw consent for our processing of your personal data at any time. You can do this in any of our stores, via the business postal address or via email at DPO@handt.co.uk

You can find out more or exercise the above rights by contacting us. Further information is also available from the ICO's website (www.ico.org.uk).

Website use

When you make an enquiry or shop on this website, we will ask you to input and will collect personal information from you such as your name, email address, billing address, delivery address, telephone number, product selections, credit card, or other payment information, photographs, and a
password.

We may also collect, information about where you are on the internet (e.g. the URL you came from, IP address, domain types like .co.uk and .com), your browser type, the country and telephone area code where your computer is located, the pages of our website that were viewed during your visit, the advertisements you clicked on, and any search terms that you entered on our website ("User Information"). We may collect this information even if you do not register with us.

You should be aware that this site is being monitored and may capture information about your visit that will help us improve the quality of our service.

We keep a record of your purchases with us, which means we can create lists of your favourite items to make your shopping experience quicker and more convenient. It also means we can deal a lot quicker with any problems you may experience with your order.

Contact and complaints

If you have question, want to exercise your rights or make a complaint about our use of your information, please contact us, or by email to complaints@handt.co.uk.

You can also make a complaint to the ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, telephone 0303 123 1113. www.ico.org.uk.

Statutory or contractual obligation to provide personal data.

The majority of products and services require you to provide personal data. Where you have applied for a credit product (such as a pawnbroking agreement) you are required by law and under contract to provide personal data. If this is not provided the agreement or product cannot be fulfilled.

Updates

Updates to this policy are published on our website and, where appropriate, may be sent by email and/or post.

Questions

If you have any questions, you should contact us. We have designed this notice to provide you with information in a concise and clear way, but if you have specific questions relating to your own
circumstances, or you simply want to find out more, you can contact us.

Appendix 1

Countries, territories or sectors covered by an EC adequacy decision

•    Andorra 
•    Argentina
•    Canada (commercial organisations only)
•    Faroe Islands
•    Guernsey
•    Isle of Man
•    Japan (private-sector organisations only)
•    Jersey
•    New Zealand
•    Switzerland 
•    Uruguay

These are countries, territories or sectors that the European Commission has made a finding of adequacy about. 

Appendix 2

CCTV Privacy Notice

This appendix provides specific details in addition to, or support of the information captured above, in relation to CCTV operations by H&T. 

What types of personal data and special category (sensitive) personal data do we collect?
The CCTV operated by H&T in and around its premises will collect visual footage which will include footage of people and objects within the range of the cameras. We only collect sensitive data where this is obvious as it is obtained on a recording, e.g. a disability using a physical aid such as a cane or guide dog, or religion through the wearing of particular clothing or headwear, such as a niqab or kippah. 

If you submit a Subject Access Request for the release of footage, we will collect further information needed to process your request. This may include name, contact details, ID, description of people, location, so we can identify the correct footage. Depending on the nature of the request, we may also request details in relation to Police, Insurance and other professionals associated with the case. 

Purpose for processing your personal data

H&T collect CCTV for the following reasons:
•    Crime prevention
•    Security 
•    Asset protection

In addition to the above, we also process data for the purposes of:
•    To process requests for disclosure of CCTV
•    To investigate and where necessary prosecute any fraud, false representation, or misuse of our services, products, systems, or premises. 
•    To investigate queries, complaints in relation to customer service
•    To investigate incidents of customer aggression towards to staff members

What is our legal basis for processing your personal data?

For personal data:
•    Article  6  – legitimate interests – ensuring the safety and security of premises,  staff and assets

Sensitive personal data:
•    It is not H&Ts intention to capture sensitive data, and any data meeting the definition of sensitive / special category will be captured incidentally. Therefore, a lawful basis under Article 9 of the GDPR is not required.  

Who is the information shared with? 

We share your data captured by CCTV with the following:
•    Specified colleagues for the purposes noted above
•    FirstCash 
•    Law enforcement and other legal entities were required by law

Is your data transferred anywhere?

Yes, the structure of our CCTV operations includes the support of our parent company FirstCash,  who provide technical support and monitoring. This means data will be accessed by FirstCash teams in both the United States and Mexico. 

 

Document Control V7 May 2026