Last Updated December 2023
Choosing to shop with us means you've placed trust in us to handle your personal data responsibly. In sharing your personal data we hope you in return benefit from a tailored and convenient shopping experience. With trust comes responsibility and we take this responsibility very seriously.
Next Retail Limited, Next Holdings Limited, Next Distribution Limited, Next Manufacturing Limited, Next Sourcing Limited, Next Retail Ireland Limited, Next Germany GmbH, Next General Trading LLC, Next General Trading FZE, Next Beauty Limited, Lipsy Limited, Victoria’s Secret (VS Brands Holdings UK Limited), GAP (West Apparel UK Holdings Limited), Reiss (Pink Topco Limited), JoJo Maman Bébé (Regent BidCo 1 Limited) and Joules (The Harborough Hare Limited).
The company named within the T&Cs on the website or app is the data controller of your personal data, which means we are responsible for deciding how and why your personal data is used. We are also responsible for making sure it is kept safe, secure and handled legally.
We operate to the highest standards when protecting your personal data and respecting your privacy. If you have any questions about your personal data, or how we use it, you can contact our Data Protection Officer via email at firstname.lastname@example.org or by writing to our registered office at the following addresses:
UK registered address: Data Protection Officer, NEXT Group, Desford Road, Enderby, Leicester, LE19 4AT.
EU registered address: Data Protection Officer, NEXT Retail (Ireland) Ltd, 13–18 City Quay, Dublin 2, D02 ED70, Ireland.
You have a number of “Data Subject Rights”, we have explained below what they are and how you can exercise them. You can read more about these rights on the UK Information Commissioner's Office website at ico.org.uk/for-the-public, or on your local Data Protection Authority website.
The above rights may be limited in some circumstances, for example, if fulfilling your request would reveal personal data about another person, if you ask us to delete data which we are required to have by law, or if we have compelling legitimate interests to keep it. We will let you know if that is the case and will then only use your data for these purposes. You may also be unable to continue using our services if you want us to stop processing your personal data.
We encourage you to get in touch if you have any concerns with how we collect or use your personal data. You have the right to lodge a complaint directly with a Data Protection Authority. The Data Protection Authority in the UK, where we are based, is the Information Commissioner's Office (ICO), you can contact the ICO here: ico.org.uk/make-a-complaint. Our main supervisory authority in the EU is the Data Protection Commission (DPC) based in the Republic of Ireland, you can contact the DPC here: forms.dataprotection.ie/contact
We will only ever process your information if we have a lawful basis to do so. The lawful bases we rely on are:
To process any orders that you place with us and to facilitate any returns Lawful basis: Contract
To provide you with access to an account Lawful basis: Contract
To provide customer service to you Lawful basis: Legitimate Interest in providing customer support
To offer and manage any credit we provide to you Lawful basis: Contract/Legitimate Interest in ensuring product suitability and managing debts
To personalise and improve your experience when you shop Lawful basis: Consent/Legitimate Interest in providing relevant and personalised experiences when you shop with us
To inform you about products and services that may interest you Lawful basis: Consent
Lawful basis: Legitimate Interest in assessing how and where to place advertising
To personalise and engage with you on social media Lawful basis: Consent/Legitimate Interest to personalise the marketing and services we provide to you
To keep in touch with you Lawful basis: Consent/Contract
Lawful basis: Legitimate interest in marketing to you and keeping customers updated
To ensure the Website and the services we offer you operate properly Lawful basis: Consent
Lawful basis: Legitimate Interest in planning and delivering efficient operations and to prevent and detect crime or fraudulent activity
To develop and improve our products, range and services Lawful basis: Legitimate Interest in understanding our customers’ needs and behaviours to provide a better experience
To prevent and detect crime and other incidents Lawful basis: Legitimate Interest in keeping our customers and staff safe, reducing theft and fraud
To fulfil our legal obligations Lawful basis: Legal obligation
We use a number of different social media platforms to communicate with you and to promote products and services. We process your personal data using these platforms in a variety of ways, as follows:
Pages/accounts. We use your personal data when you post content or otherwise interact with us on our official pages and accounts on Facebook, Instagram, Pinterest, Snapchat, TikTok, LinkedIn, X (formally Twitter) and other social media platforms. We also use the Page Insights service for Facebook, Instagram, Pinterest, TikTok, Snapchat and X to view statistical data and reports regarding your interactions with the pages and accounts we administer on those platforms and their content. Where those interactions are recorded and form part of the data we access through these page insights services, we and the relevant platform are joint data controllers of the processing necessary to provide that service to us.
Our relationship with Meta and LinkedIn. As we are joint data controllers with these platforms for certain processing, we and each platform have:
Meta also processes, as our processor, contact information that we submit for the purposes of matching, online targeting, measurement, reporting and analytics purposes. These services include the processing Meta carries out when they display our advertisements to you in your news feed at our request after matching contact details for you that we have uploaded to the social media platforms they operate.
Further information. The Meta company that is a joint data controller of your personal data is Meta Platforms, Inc., 1601 Willow Road, Menlo Park, CA 94025, USA (if you are a UK-registered user) or Meta Platforms Ireland Limited, Block J, Serpentine Avenue, Dublin 4, Ireland (if you are an EEA-registered user). The LinkedIn company that is a joint data controller of your personal data is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland For further information regarding these platforms and their use of your personal data, please see:
What are cookies?
What cookies do we use?
We use the following cookies on our websites and apps:
Can I turn off or block cookies?
Alternatively, most web browsers allow some control of most cookies through the browser settings. To find out more about how to manage cookies, including how to delete cookies, visit www.allaboutcookies.org
We keep your personal data as long as you are a customer of ours and generally for up to 7 years afterwards to comply with legal requirements. During that time we take steps to remove any personal data as soon as we no longer need it.
We consider you a customer:
We keep CCTV footage on our systems for up to 30 days, it is then deleted. Where accidents, incidents, criminal activities or breaches of our policies are recorded CCTV footage will be kept for longer, however only as long as necessary.
We work with a number of trusted third parties to provide you high quality goods and services. Anybody we work with is subject to stringent security and data protection assessments before we begin to do business with them and on an ongoing basis.
We always make efforts to anonymise data and only pass over personal data that is absolutely necessary for the purposes it is being processed. We always do so securely.
We have contracts in place with all suppliers that help us to ensure security and privacy of your personal data, these are reviewed and updated regularly and always in line with data protection laws.
The identities of the CRAs, and the ways in which they use and share personal data, are explained in more detail at:
We also take data from CRAs to allow us to make decisions about your credit account and credit facility.
The identities of the DCAs, and the ways in which they use and share personal data, are explained in more detail at:
Our main operations are based in the UK and your personal data is generally processed, stored and used within the UK. In some instances your personal data may be processed outside the UK. For example, we operate a customer contact centre in Pune, India. Operatives in this location will have access to your account data in order to assist you with your query. We also work with suppliers and partners who may make use of Cloud and /or hosted technologies across multiple geographies.
If you place an order with us and you are outside of the UK we will transfer the personal data that we hold on you to the UK to facilitate your order and may also transfer your personal data to third parties located in your country of residence to enable us to supply products you order from us. If and when this is the case we take steps to ensure there is an appropriate level of security so your personal data is protected in the same way as if it was being used within the UK.
Where we need to transfer your personal data outside the UK, and if the recipient country has not been determined as providing an equivalent adequate level of protection as the UK, we will use one of the following safeguards:
In certain U.S. states consumers have certain rights regarding the personal information that businesses have about them, such as the California Consumer Privacy Act (the ‘CCPA’). This includes the rights to request access or deletion of your personal information, as well as the right to direct a business to stop selling your personal information.
Categories of Personal Information and Purposes
The categories of personal information we may collect about you (or have collected in the preceding 12 months) include:
Please see the section on “The information we collect and how we use it” above for more information on the purposes for which we collect your personal information.
Disclosing Your Personal Information
Please see the section on “Third Parties we share data with and receive data from” for a description of the third parties with whom we may share your personal information (or have shared your personal information in the last 12 months).
Right to opt-out of sale:
While we do not sell personal information in exchange for any monetary consideration, we do share personal information for other benefits that could be deemed a “sale,” as defined by the CCPA (Cal. Civ. Code 1798.140(t)(1)). We support the CCPA and wish to provide you with control over how your personal information is collected and shared. To make an opt-out of sale request, contact us according to the ‘How to get in touch’ section below and please include “Do Not Sell” in the subject line.
Right to request disclosure:
You have the right to request disclosure about what categories of personal information we have sold or disclosed for a business purpose about you and the categories of third parties to whom the personal information was sold or disclosed. You have a right to request disclosure of specific pieces of personal information. Below is a complete list of the personal information that you can include in your request.
Right to request deletion:
You have the right to request that we delete any personal information about you that was collected from you. Please note that there are exceptions where we do not have to fulfil a request to delete personal information, such as when the deletion of information would create problems with completing a transaction or compliance with a legal obligation.
Right to non-discrimination:
We will not discriminate against you (e.g., through denying goods or services or providing a different level or quality of goods o/r services) for exercising any of the rights afforded to you.
Right to rectification:
You have the right to request that we correct any incorrect personal information we hold on you to ensure that it is complete and as accurate as possible.
Califorina shine the light:
Under California’s “Shine the Light” law California residents who use our website and who provide personal information to us in order to obtain our products and services may request certain information regarding our disclosure of personal information to third parties for their own direct marketing purposes. This includes the categories of personal information and the names and addresses of those businesses with which we shared your personal information with in the previous calendar year. You may request this information once per calendar year. To make such a request, please send an email to email@example.com
Limit the use of my personal information:
You have the right to limit the use of your sensitive personal information in certain circumstances. We will only collect sensitive personal information, as defined by the applicable California or other local law, for the purposes allowed by law or with your consent.
How do we handle your requests?
We endeavour to respond to a verifiable consumer request within the required timeframes. If we need more time, we will inform you of the reason and extension period in writing. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain why we cannot comply with a request, if applicable. We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
We do not knowingly collect or solicit personal information from anyone under the age of 13. If you are under 13, please do not attempt to register for services or send any personal information about yourself to us. If we learn that we have collected personal information from a child under age 13, we will delete that information as quickly as possible. If you believe that a child under 13 may have provided us their personal information, please contact us.
We always ensure that personal data is secure by continuously developing our security systems and training for our employees. We have implemented appropriate technical and organisational security measures designed to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, unauthorised access, and other unlawful or unauthorised forms of processing, in accordance with applicable law.
Alternatively, should you need to contact our Data Protection Officer please email: firstname.lastname@example.org or you can write to:
UK registered address:
Data Protection Officer
EU registered address:
Data Protection Officer
NEXT Retail (Ireland) Ltd
13–18 City Quay
Are you sure you want to navigate away from this site?
If you navigate away from this site
you will lose your shopping bag and its contents.