Privacy & Data Protection Policy

Last updated December 2025

Established in 1770, John Jarrold advertised his honourable intentions as a shopkeeper and assured customers of his “utmost assiduity to merit their encouragement.” These are values we hold strong today throughout our company including our views on your data and privacy protection.

Jarrold & Sons Limited respects your privacy and is committed to protecting your personal data. This privacy notice is to let you know how Jarrold & Sons Limited processes and manages your personal data. This includes through your use of this website, what you tell us about yourself, what we learn about you by having you as a valued customer and the choices about what marketing you would like us to send you. This notice explains how we do this and tells you about your privacy rights and the law that protects you.

Jarrold & Sons Limited is the controller and responsible for your personal data (referred to as “Jarrolds”, “we”, “us”, or “our” in this privacy notice). This privacy notice is issued on behalf of Jarrold & Sons Limited.

This privacy notice covers our processing of your personal data both in-store and online and whether you are a customer of the Jarrolds Department Store (including our in-store restaurants, wine bars or coffee bar), Jarrolds Cromer, Jarrolds, Wymondham, Jarrolds Stationery & Art, or The Retreat.

Our Privacy Promise

We promise:

Data Protection Law

As well as our Privacy Promise, your privacy is protected by data protection and privacy law, including the UK version of the General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.

The types of personal data we collect

“Personal data” means any information about an individual from which that person can be identified.

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

Type of personal data	Description
Behavioural / Profile Data	Details about how you use our website, including purchases or orders made by you, your interests, preferences, feedback and survey responses.
Consents Data	Any permissions, consent or preferences that you give us. This includes how you want us to contact you.
Contact Data	Your email address, telephone number, billing and postal addresses and how we contact you.
Financial Data	If you have applied for Interest Free Credit, we will store details to be able to process your direct debit. We do not store any credit or debit card information as required under our PCI-DSS compliance.
Identity Data	Your first name, last name, any previous names, username or similar identifier, title, date of birth and gender.
Security Data	CCTV footage recorded when you visit one of our stores (including any footage and audio recording captured using body-worn equipment).
Technical Data	Details on your internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website.
Transactional Data	Previous purchase history from any of our stores whether online or in-store.

Where we collect personal data from

We collect personal data about you where you have supplied information directly to us, for example when you:

When you attend one of our stores, CCTV will be operation in order to protect you, other customers, and our business from crime. On occasion our security staff may also utilise body-worn equipment which can record audio and video footage.

To help us improve our services, we automatically collect behavioural/profile and technical data about your device, browsing actions, and usage patterns via cookies and similar technologies, including customer data and marketing platforms.

Please also see our cookie policy at https://www.jarrolds.co.uk/cookies-policy for further details.

How we use your personal data

Data protection law says that we must have one or more lawful reasons to process your data. Typically, we rely on one or more of the following lawful bases for processing your personal data:

What we use your personal data for	Type of personal data	Lawful basis
To process and deliver your order made online at Jarrolds.co.uk, including sending service messages and updates about orders and deliveries.	●      Contact Data ●      Financial Data ●      Identity Data	●      Performance of a contract with you
To maintain your account on the Jarrold App and enrich your in app experience.	●      Behavioural/Profile Data ●      Consent Data ●      Contact Data ●      Transactional Data	●      Necessary for our legitimate interests (to carry out direct marketing, develop our products/services and grow our business) ●      Consent where data is captured by way of cookies or you have positively opted in to sharing data for marketing purposes
To allow you to make a reservation or book an event with one of our in-store restaurants	●      Contact Data ●      Identity Data	●      Legitimate interest (to manage your registration or booking)
To respond to any enquiries and/or complaints at any of our events or restaurants	●      Contact Data	●      Legitimate Interests: To manage our relationship with you and ensure that we are able to support you with any queries or complaints
To accommodate any dietary preferences (including food allergies and religious requirements) and any other accessibility requirements you may have when attending one of our events or restaurants.	●      Contact Data ●      Health Data ●      Religious Data	●      Consent (wherever we process your Health Data or Religious Data) ●      Legitimate Interest (To prepare for and support any health or religious accommodations you request prior to attendance)
To manage our relationship with you (including dealing with your feedback and correspondence)	●      Contact Data ●      Identity Data ●      Transactional Data	●      Performance of a contract with you ●      Necessary to comply with a legal obligation ●      Necessary for our legitimate interests (to keep our records updated and ensure we maintain high standards of customer service)
To develop new ways to meet our customers’ needs and to grow our business.	●      Behavioural/Profile Data ●      Technical Data ●      Transactional Data	●      Necessary for our legitimate interests (to improve our offering to customers)
To provide customer finance	●      Contact Data ●      Financial Data	●      Performance of a contract with you
To administer our Jarrolds Loyalty club and to send you relevant marketing communications and make personalised suggestions and recommendations to you about goods or services that may be of interest to you based on your Behavioural/Profile Data	●      Behavioural/Profile Data ●      Consent Data ●      Contact Data ●      Transactional Data	●      Necessary for our legitimate interests (to carry out direct marketing, develop our products/services and grow our business) ●      Consent (having obtained your prior consent to receiving direct marketing communications)
To send you marketing emails about our products, services and any ongoing or upcoming promotional offers or events that we think may be of interest to you	●      Contact Data	Consent where data is captured by way of cookies or you have positively opted in to sharing data for marketing purposes; and/or Legitimate Interests: Where you are an existing customer, we also rely on our legitimate interests to increase our customer engagement
To send you any postal marketing materials about our products, services and any ongoing or upcoming promotional offers or events that we think may be of interest to you	●      Contact Data	Legitimate Interests: To increase our customer engagement and boost our target audiences
To enable you to partake in a promotion, competition or complete a survey	●      Contact Data ●      Consent Data ●      Identity Data	●      Performance of a contract with you ●      Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business)
To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)	●      Behavioural/Profile Data ●      Technical Data	●      Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) ●      Necessary to comply with a legal obligation
To protect you, other customers, our staff and our business from in-store crime	●      Security Data	●      Necessary for our legitimate interests (for operating a safe and secure business) ●      Necessary to comply with a legal obligation
To provide personalised shopping services to you	●      Contact Data ●      Transactional Data ●      Behavioural/Profile Data	●      Consent where you have expressly asked us to provide services ●      Contract Necessity where the processing relates to any purchase you have made; and/or ●      Legitimate Interests: Where we process your data to tailor your experience and provide a bespoke personal shopper and/or concierge service
To provide beauty services to you	●      Contact Data ●      Health Data ●	●      Legitimate interest (to manage your registration or booking) ●        Consent (wherever we process your Health Data)

Marketing

We may use your Behavioural/Profile Data, Contact Data, and Technical Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you.

You will receive marketing communications from us if you have requested information from us or purchased goods and/or services from us and you have not opted out of receiving that marketing.

Third-party marketing

We will get your express opt-in consent before we share your personal data with any third party for marketing purposes.

Opting out

You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or by contacting us at any time.

Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a product purchase or warranty registration.

Who we share your personal data with

Although we have been established since 1770, our core business and passion are the retailing of products and services. As such, we may have to share your personal data occasionally with other likeminded companies who take privacy seriously to enable us to support our business, such as:

Type of service provider	Reasons to share personal data
Printers	To be able to send you invitations to exclusive customer evenings and brochures.
E-Mail Marketing	To be able to create targeted email marketing campaigns to send you our latest offers, store news, and invites to customer evenings.
Postal Marketing (Magazine)	To be able to create postal marketing campaigns to send our latest offers, store news, and invites to customer evenings.
Payment Service Providers	To be able to help us to process payments, prevent fraud and reduce credit risk.
Postal Services	To be able to arrange the delivery and tracking of items sent through the post or a courier.

Sending personal data outside of the UK

Your personal data may be transferred for processing by our external third parties, some of whom may be based outside the UK. External third parties include service providers who provide IT and system administration services to us, and professional advisers who provide banking, legal, insurance, and accounting services to us.

We will only transfer your personal data to countries that provide an adequate level of protection for personal data (currently all countries in the European Economic Area have been found to provide such protection) or if the transfer is subject to appropriate safeguards as required under data protection laws in the UK or if a specific derogation applies.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK.

If you choose not to give personal data

We may need to collect personal data by law, or under the terms of a contract to supply goods and/or services.

If you choose not to give us this personal data, it may delay or prevent us from meeting our obligations. It may also mean that we cannot supply the goods and/or services you have requested from us and we would therefore have to cancel your order.

Any data collection that is optional will be made clear at the point of collection.

Data security

We employ appropriate security measures and safeguards to keep your personal information secure, including but not limited to the following:

• Network protection: Traffic between our systems and the public internet is filtered through enterprise firewalls.
• Encryption: Personal data is encrypted in transit using industry-standard protocols. Payment card details are always encrypted.
• Access controls: Systems are protected by strong authentication and role-based access so people only see the information needed for their job. Offices, venues, and data centres have physical access controls.
• Monitoring and testing: We monitor for vulnerabilities and suspicious activity and run regular penetration tests to check and strengthen our defences.
• Identity checks: We verify identity before sharing any personal information by phone or email to prevent disclosure to the wrong person.
• Administrative and physical safeguards: We apply organisational, technical, and physical measures across collection, storage, and disclosure of personal data.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Third-party links

This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.

In-store concessions

Various third parties (e.g. third party brands or retailers) operate concessions in our stores. These third parties may collect your personal data for their own purposes (e.g. if you wish to join their mailing list). This personal data will be processed in accordance with the privacy practices of the relevant third party, so you should always make sure that you understand the privacy practices of that third party and ask for details of their privacy policy. The presence of any concession operated by a third party in any of our stores does not constitute any endorsement, sponsorship or recommendation by Jarrolds of that third party or their privacy practices.

Third-party marketplace suppliers

For some items, we ask a trusted supplier to ship your order directly to you from their warehouse. We remain responsible for your order and your data, but we must share limited information with that supplier so they can fulfil the delivery.

To process a drop-ship order we share only what is necessary with the supplying partner:

• Identification and contact: name, delivery address, email, phone
• Order details: items purchased, quantities, options, delivery notes
• Delivery preferences: safe place instructions or access notes you provide

We do not share your payment card details with suppliers.

Jarrolds are the controller for your order and customer record. The supplying partner usually acts as our processor to pick, pack and ship your item under our instructions. In limited cases (e.g., product registration, manufacturer warranty, repairs), the partner may act as an independent controller for that specific activity. When that happens, they should provide their own privacy information.

We share data using the following lawful bases

• Contract: to take payment, fulfil and deliver your order, handle returns and customer service.
• Legitimate interests: to prevent fraud, ensure product safety/recalls, and manage supply-chain logistics.
• Legal obligation: to meet tax, accounting, or product-safety requirements.

Some suppliers or couriers may process data outside your country. Where this happens, we use appropriate safeguards (for example, approved transfer mechanisms or contractual protections) to keep your information protected.

We vet drop-ship partners, require confidentiality and security measures, and monitor compliance. Access is limited to staff who need it to fulfil your order.

If you return a third-party marketplace item or there is a warranty or safety recall, we and the supplier may use your order details to arrange the collection, replacement, refund, or to contact you about a safety notice.

You can contact us at any time to exercise your data-protection rights in relation to third-party marketplace orders. If a supplier acts as an independent controller (e.g., for warranty registration), they will handle rights requests for that activity.

Jarrolds Store Folk

This website also offers the ‘Jarrolds Store Folk’, which is an online marketplace of small, independent local sellers offering various goods and/or services for sale. We refer to such sellers as our ‘Store Folk Members’.

If you place an order for goods or services with a Store Folk Member via the Jarrolds Store Folk marketplace, your contract for the sale of the goods or services (if your order is accepted) will be with the Store Folk Member (and not Jarrolds), and will be on and subject to the Store Folk Member’s terms and conditions of sale.

The Store Folk Member will be a controller and responsible for your personal data. We act as a processor and will pass your personal data (your name, billing address, delivery address, email address, and telephone number but not your financial details) to the Store Folk Member so that it can fulfil your order. Please read the relevant Store Folk Member’s privacy notice for further details on how it processes and manages your personal data.

How long we keep your personal data

We will aim to limit the amount of personal data we hold in compliance with our data retention policy and reduce the amount of data held the older your data becomes. We may keep your data for as long as is legally necessary, for example to support a warranty claim or to support our internal reporting purposes.

Intergroup data sharing

Some group companies provide central services (for example IT hosting, security monitoring, payroll administration, or customer support) and process personal data for us on our behalf. In these cases, we remain the controller. These companies act only on our documented instructions, have limited access, and must keep information confidential and secure. We assess and oversee their activities (including the right to audit). Where required, we will put appropriate contractual arrangements in place.

We share limited personal data with other companies in the Jarrolds group where needed to run our business. Typical reasons include group-wide analytics and reporting, centralised finance and HR support, IT security and fraud prevention. Each group company acts as an independent controller for its own purposes and processes your data in line with this notice (or its own privacy notice, where applicable).

Categories shared: identification and contact details, account and transaction information, usage and device data, and support records.

Legal basis: our legitimate interests in operating an efficient, secure group organisation and delivering our services ; where required, performance of a contract or consent.

Safeguards: access is role-based and proportionate; sharing is logged and governed by intra-group data sharing agreements. If data is accessed from outside the UK/EEA, we use approved transfer safeguards plus technical measures such as encryption and strict access controls.

Your rights and how to use them

Accessing your data:

Email [email protected] with subject “Access request” or write to:
Jarrolds
1 – 11 London Street
Norwich
Norfolk
NR2 1JF

Include your name, any customer ID, and where you want the response sent. If you’d like an electronic copy, say so and provide your email. We’ll respond within one month (extendable by up to two months for complex requests) and may ask for information to confirm your identity where necessary.

Correcting inaccurate or incomplete data:

Tell us what’s wrong and the correct details at [email protected]. We’ll verify and update.

Requesting that we delete your data:

Email [email protected] explaining why you want deletion. We’ll delete where no lawful reason requires us to keep it (e.g. legal obligations) and will tell you if we must retain some data.

Restricting how we use your data:

To do this: Email [email protected] if you believe your data is inaccurate, used unlawfully, no longer needed, or you’ve objected and we’re assessing our grounds. We’ll pause use where the law allows.

Objecting to our use of your data:

Email [email protected] if we rely on legitimate interests. We’ll stop unless we have compelling lawful grounds.

Ask us to stop direct marketing:

Click unsubscribe in our emails, adjust preferences in jarolds.co.uk, or email [email protected]. We will stop marketing (including related profiling).

Data portability:

Email [email protected] to receive the data you gave us in a structured, commonly used, machine-readable format, or ask us to send it to another organisation (where technically possible). Applies when processing is based on consent or contract.

Withdraw consent at any time:

Update settings in jarrolds.co.uk or email [email protected]. This will not affect past processing already carried out.

To complain:

If you have concerns about how we handle your personal data, you can contact us at [email protected] and we’ll try to resolve it.

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance using the contact details set out below.

Cookies: your choices:

We use “cookies” as a shorthand for cookies and similar technologies (for example, web beacons in emails and link-tracking). They help our site work, improve your experience, and provide insights so we can keep content relevant. Some also support advertising and email analytics.

You can block or delete cookies in your browser settings. Note: parts of our site may not work properly without them.

For details on types of cookies we use and how to control them, see our Cookie Policy on WEBSITE.

Contact Us

Email
[email protected]

Telephone
01603 660661

Post or In-store
Jarrolds
1 – 11 London Street
Norwich
Norfolk
NR2 1JF