We are a group of companies which includes Mamas & Papas (Stores) Limited, Mamas & Papas (Digital) Limited and Mamas & Papas (Concessions) Limited (collectively called “Mamas & Papas”). Each is a Data Controller responsible for deciding how your personal information is collected, stored and used.
We collect the personal information that you provide when you:
This is in order to fulfil the specific process that you have asked for. We will never collect more than is necessary in line with the Data Minimisation Principle of GDPR.
We will hold about you:
When you make an appointment at a Car Seat Fitting, Parent to be Event or a Personal Shop we may request your baby’s due date or child’s birthday. We use this information to be able to deliver a tailored experience for you and your baby.
We use the above data to carry out your instructions to us i.e. when you buy something from us online, we use your information to take payment and deliver the items to you.
When you have an “Authorised Person” on your account, we will need to take the same personal information relating to them, so that they can access your account and go through the Identification and Verification Process. In your account, we also have a notes section in which we record details of conversations that we have with you; this is so that we have an audit trail and for dispute resolution.
We operate CCTV monitoring to ensure staff and customer safety and for the prevention and detection of crime. Please see our CCTV notices displayed in store for further information.
We do not collect any information from Third Parties.
Our legal basis for processing your information is “for the performance of a contract”. This is applicable when you buy something from us or create an account or use or buy vouchers from us.
For Marketing we use the basis of Consent for processing. In limited circumstances we may also rely on legitimate interests instead of consent where we have used “Soft-Opt in”.
A legitimate Interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.
When you book a Car Seat Fitting Appointment, Parent to be Event or a Personal Shop we use the legal basis of taking preliminary steps for a contract as our legal basis as this is at your request prior to you potentially purchasing goods from us.
For our mailing and marketing lists, we use the basis of consent for processing. This can be withdrawn at any time by using the unsubscribe link contained within each e-mail.
For meeting legal and compliance obligations, we rely on the basis for compliance with a legal obligation.
We will not be able to process your order, as we will be unable to enter into a contract with you or respond to you or meet our obligations under it.
We do not use your personal information to make automated decisions about you.
We will only use your personal information for the purposes set out above.
We will keep your personal information in our active systems for six years in accordance with our Records Retention Policy. The personal information will then be moved to a secure deep archive where it will be stored for up to Ten years to satisfy legal obligations relating to product recalls and child personal injury claims. Where you have consented for us to contact you for marketing purposes we will store your personal information for up to three years before asking you to re-consent to our contacting you for marketing purposes.
We may share your personal information with trusted third parties from time to time. We will not, however, share your personal information with a third party for marketing purposes. We do not sell any personal information to any third party so that they can send you their marketing material.
We have set out below the third parties we may share your personal information with. We will put in place technical and organisational measures to protect your data and how your personal information may be used in accordance with data protection laws:
We will only disclose such personal information to any third party as is necessary to enable them to carry out the function or purpose for which it is disclosed. For example, we will only disclose such personal information to a carrier as is necessary to enable them to deliver or collect your product.
Our legal basis for sharing your personal information with the other organisation’s set out above is that it is in our legitimate interests to do this to run our business effectively and to provide the best customer experience to you. If you would like further information about our legitimate interests, then please contact our DPO.
We may, from time to time, transfer information outside of the European Economic Area (EEA). When we do, we will ensure that the same level of protections are in place as if your data were processed within the EEA.
We have put in place technical and organisational measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties (see above) who have a business need-to-know. They are subject to a duty of confidentiality.
We have put procedures in place to deal with any suspected data security incident and will notify you and any applicable regulator of a suspected incident where we are legally required to do so.
Our security procedures mean that we may occasionally request proof of identity before we are able to disclose personal information to you.
You have a number of rights over your personal information, which are:
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), (the UK regulator for data protection issues. See www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO and so, if you are happy to do so, please contact us in the first instance and we will try to resolve your issue