Sainsbury's Group Privacy Policy
Last updated September 2024.
We understand that your privacy and the security of your personal information is extremely important. This notice sets out what we do with your personal information, what we do to keep it secure, from where and how we collect it, as well as your rights in relation to the personal information we hold about you.
This policy applies if you interact with us through our stores, over the phone, online, via email, through our mobile applications or otherwise by using any of our websites or interacting with us on social media.
If you don’t want to read all the detail, here are the things we think you’d really want to know:
- The Sainsbury’s Group currently includes Sainsbury’s Supermarkets, Sainsbury’s Bank, Argos, Tu Clothing, Habitat, Argos Financial Services, Argos Distributors (Ireland) Ltd and Nectar (to see the Nectar Privacy Policy click here).
- Your personal information is, where appropriate, shared within the Sainsbury’s Group.
- We do use a number of third parties to process your personal information on our behalf and some of them are based outside of the European Economic Area.
- You have a number of rights over your personal information. How you can exercise these rights is set out in this notice.
- We do send direct marketing, if we’re allowed to. And we do this to encourage you to buy our products and services by sending you offers and ideas that we feel will be of benefit to you. If you want us to stop then here’s how.
- We also use your information to display more relevant online advertising and marketing relating to our products and services on websites across the Sainsbury’s Group, on other websites and online media channels.
- Our websites and apps are not intended for children, and we do not knowingly collect children’s data.
- Sainsbury’s Bank may use your behavioural biometric personal data for the purposes of customer authentication for electronic payments. Please see here for further details.
Who are we?
When we say ‘we’ or ‘us’ in this policy, we are referring to the companies that make up the Sainsbury’s Group.
The companies that currently make up the Sainsbury's Group are:
- Sainsbury’s Supermarkets Ltd (registered office: 33 Holborn, London, EC1N 2HT)
- Sainsbury’s Bank Plc (registered office: 33 Holborn, London, EC1N 2HT)
- Argos Limited (registered office: 489–499 Avebury Boulevard, Milton Keynes MK9 2NW)
- Habitat Retail Limited (registered office: 489–499 Avebury Boulevard, Milton Keynes MK9 2NW)
- Argos financial services (which includes Home Retail Group Card Services Limited, ARG Personal Loans Limited and Home Retail Group Insurance Services Limited) (registered office: 489–499 Avebury Boulevard, Milton Keynes MK9 2NW);
- Argos Distributors (Ireland) Ltd (registered office: Argos Distributors (Ireland) Ltd, Ballybin Road Ashbourne, Co. Meath);
- Nectar Loyalty Limited (registered office: 33 Holborn, London, EC1N 2HT); and
- Argos Business Solutions Limited (registered office: 489–499 Avebury Boulevard, Milton Keynes MK9 2NW).
What sorts of personal information do we hold?
- Information that you provide to us such as your name, address, date of birth, telephone number, email address, bank account and payment card details and any feedback you give to us, including by phone, email, post, or when you communicate with us via social media;
- Information about the services that we provide to you (including for example, the things we have provided to you, when and where, what you paid, the way you use our products and services, and so on);
- Information required to make decisions about your applications for products and services we offer (for example, insurance, loans or credit cards);
- Your account login details for our websites and apps, including your username and chosen password;
- Information about whether or not you want to receive marketing communications from us;
- Information about any device you have used to access our services (such as your device’s make and model, browser or IP address) and also how you use our services. For example, we try to identify which of our apps you use and when and how you use them. If you use our websites, we try to identify when and how you use those websites too;
- Your contact details and details of the emails and other electronic communications you receive from us, and how you interact with them. For example, whether the communication has been opened, if you have clicked on any links within that communication and the device you used. We do this because we want to make sure that our communications are useful for you, so if you don’t open them or don’t click on any links in them, we know we need to improve our Services;
- Information from other sources such as specialist companies that provide customer information. For example, credit reference agencies such as Experian, the Royal Mail, fraud prevention agencies, claims databases, marketing and research companies, social media providers, pay TV providers and the DVLA, as well as information that is publicly available; and
- Information captured by our CCTV, automatic number plate recognition (ANPR) and body worn recording devices (together ‘CCTV’) if you visit any of our premises.
- Behavioural biometric information (e.g., your typing speed, device movement and swiping activity) as part of the Bank’s two factor authentication requirements under applicable laws (see here for further information)
Our legal basis for processing your personal information
Whenever we process your personal information, we have to have something called a “legal basis” for what we do. The different legal bases we rely on are:
- Consent: You have told us you are happy for us to process your personal information for a specific purpose (s);
- Legitimate interests: The processing is necessary for us to conduct our business, but not where our interests are overridden by your interests or rights.
- Performance of a contract: We must process your personal information in order to be able to provide you with one of our products or services;
- Vital interests: The processing of your personal information is necessary to protect you or someone else’s life;
- Legal obligation: We are required to process your personal information by law.
How do we use your personal information?
We may use your information in the following ways:
- To provide our products and services - we need to use your personal information to make our products and services available to you. If you then decide to order any of our products or services, or enter one of our competitions then we’re delighted, thank you. After that, we need to provide them to you, process your payment and sometimes award you Nectar points. We need to use your details to do all this.
- To improve your shopping experience - we try to understand our customers so we can provide you with a great shopping experience, personalised offers, shopping ideas and online advertising. Understanding how you use our Apps, how you interact with the Sainsbury’s Group, where and when you shop, the products and services you buy and how you use and browse our websites helps us to do this.
- For safety and security - we use your personal information to help provide safe and secure environments for our customers to shop in, our colleagues to work in and for our businesses to be conducted. To enable this we use CCTV, ANPR technology, body worn recording devices, monitor online behaviour and carry out checks to help us ensure that our customers are genuine to prevent fraud and to help customers use our services appropriately.
- Analytics and profiling - we use your personal information for statistical analysis and to help us understand more about our customers. That includes understanding the products and services you buy, how you shop across the whole Sainsbury's Group and by creating profiles about you. This helps us to serve you better and to find ways to improve our services, stores, apps and websites. These profiles help us to send you offers that are more relevant to you.
- Contacting you - we use your personal information to contact you. This may be in relation to a service update, an issue you have raised with us, to conduct market research or to ask for your feedback.
- Marketing and advertising - we use your personal information to provide relevant marketing communications (including by email, phone, SMS, post or online advertising), relating to our products and services, and those of our suppliers and the Sainsbury’s Group. As part of this, online advertising may be displayed on websites across the Sainsbury’s Group and on other organisations’ websites and online media channels. We may also use information about how you shop with us to measure the effectiveness of these campaigns.
- Financial Services - if you interact with Sainsbury’s Bank or Argos financial services, your personal information is also used for Sainsbury's Bank's credit and capital management purposes and other purposes set out in the financial services section of this notice.
Cookies and similar technologies
We use cookies to help give you the best experience on our websites and to allow us and third parties to tailor ads you see on ours and other websites. For more information please see our full Cookie Policy.
CCTV
We use CCTV across all sites in the Sainsbury’s Group for the protection of our colleagues, customers and business. This includes investigating accidents, incidents, criminal activities and breaches of our policies. CCTV is also in operation in our petrol stations and car parks for these purposes. Some car parks are run by third parties, so please check the local notice.
Some of our colleagues also wear body worn devices to protect themselves and our customers. These are only activated in high-risk situations such as when there is a threat of violence. These devices record both audio and video.
Occasionally we share CCTV with public or regulatory authorities or in response to requests from individuals seeking to protect their rights, the rights of others or helping to prevent crime and nuisance. We will only share CCTV if we consider a request to be appropriate.
Who might we share your personal information with?
Banking and Financial Services information
Credit Reference Agencies
When do we share data with Credit Reference Agencies?
When you apply for a credit product from the Sainsbury’s Group (e.g., a Sainsbury’s Bank loan, or credit card, or an Argos store card), we may perform credit reporting and identity checks on you with one or more of the main credit reference agencies – Experian, Equifax and TransUnion (the “Credit Reference Agencies”). We also run checks with the Credit Reference Agencies periodically to help us manage our relationship with you which may include for purposes of credit limit adjustments and card reissue.
Why do we share data with Credit Reference Agencies?
The Credit Reference Agencies provide us with information about you which helps us to understand your credit-worthiness – how easily you will find it to repay credit to us. This may include information about your financial history, salary, current financial situation, and shared credit. These activities are essential in helping promote responsible lending, prevent people and businesses from getting into more debt than they can afford, and reduce the amount of unrecoverable debt and insolvencies.
We share your personal information to check the accuracy of the information you provide us, trace and recover debts; and to help prevent fraud, money laundering and criminal activity. We also periodically share information with the Credit Reference Agencies about how you are using your Sainsbury’s or Argos credit product so that they can keep the records they hold about you accurate and up to date. This information reveals how you pay back your loans and credit card debts. If you fail to pay back your loan or credit card in full or on time, we will inform the Credit Reference Agencies who will record this as an outstanding debt. This can be viewed by other organisations.
Join Accounts and Credit Reference Agencies
If you make an application for one of our credit products with another person (e.g., a spouse or partner) (a “joint application”), we will search for information about both of you with the Credit References Agencies, and both us and the Credit References Agencies will link your records together.
Your records will stay linked with the Credit References Agencies until either you or the other account holder requests that the files are no longer linked. If one account holder’s credit score is negatively affected (e.g., by skipping payments or making payments late) while these records are linked, this will have a negative impact on the other account holder’s credit score and ability to obtain further credit with us and/or other organisations.
It is important that both account holders understand the implications of being linked in this way before you make an application. Read the paragraph Joint Accounts/Additional Card Holders below for more information about how we use this personal information.
Contacting the Credit Reference Agencies
The three main Credit Reference Agencies are TransUnion, Equifax and Experian.
Each of the Credit Reference Agencies have signed up to a joint policy (“CRAIN”) which explains how these agencies use and shares personal data they receive about you and/or your business that is part of or derived from or used in credit activity.
You can find out more about how these Credit Reference Agencies collect, use and share personal information they hold about you, and what your rights are in relation to that information at the websites below:
Debt Collection
If you fall into arrears with a Sainsbury’s Bank or Argos credit product (e.g. credit card, loan, store card), we may share your personal information with the following third parties to trace and recover the debt:
Fraud Prevention (incl. money laundering) and Law Enforcement
Fraud Prevention
Sainsbury’s Bank and Argos Financial Services have systems and controls in place that protect our customers and our businesses against fraud and other kinds of financial crime. This includes collecting device (e.g., location of device and IP address) and behavioural information (e.g., how you interact with our website) when you logon and transact with our websites and mobile apps.
In addition, during your application and time with us as a customer, we'll share your personal information with Fraud Prevention Agencies to help prevent, detect and investigate Fraud & Money Laundering, and verify your identity. If we or our partner agencies detect fraud and/or any unlawful conduct you could be refused certain services, finance or employment now and in the future.
Find out more information about how these agencies collect, use and share personal information they hold about you, and what your rights are in relation to that information at the websites below:
These agencies help financial institutions like banks (including Sainsbury’s Bank), insurance providers and investment companies fight financial crime. Our financial services companies may access and use the information held by the fraud prevention agencies to prevent fraud, ID theft and money laundering, for example, when:
- we are deciding whether to provide credit (e.g., a loan, credit card, store card) during an application for a Sainsbury’s Bank or Argos financial product;
- we manage credit and credit related accounts for our customers;
- we are trying to recover debt;
- we are checking details on proposals and claims for all types of insurance; and
- we have been made aware of potentially fraudulent activities affecting our customers’ accounts.
Anti-money laundering requirements
The financial services companies within our Group (Sainsbury’s Bank plc and Argos Financial Services) are obliged to collect certain information from you to satisfy our obligations under money laundering regulations. If you take out one of our financial products, we may ask you to provide us with copies of documents which confirm your identity, including:
- Passport;
- Driving licence; and
- Bank statement or utility bill
This enables us to protect both our business and our customers from criminals. We have a legal obligation to obtain and hold this information about you. We cannot open a financial services product without obtaining copies of these documents for our records.
Sharing your information with Law Enforcement Agencies or public bodies
Law enforcement agencies (e.g., the police) may also ask us for access to information about our customers for the prevention and detection of crime. We will only provide personal information to these agencies where:
- you have told us you are happy for us to do so;
- there is a threat to your life or the life of another customer/individual;
- the law enforcement agency or public body has been given authority by a Court to ask for this information.; or
- legislation(s) mandates the sharing of the information (e.g., the Inland Revenue Department under the Tax Administration Act 1994)
Joint Accounts/Additional Cardholders
Joint Account Holders
The Sainsbury’s Group offer a number of financial products which you can enter into with another person, including loans and savings products.
When you apply for one of these products with another person (the “joint account holder”), we will:
- search, link and/or record information held by credit reference agencies about you both;
- link joint applicants and/or any individual identified as your spouse or partner, in our own records;
- take both your personal information and the joint account holder’s personal information into account in future applications by either or both of you; and
- continue this linking until the account is closed, or it is changed to a sole account and one of you notifies us that you are no longer linked.
You must be sure that all joint account holders are aware you are sharing their personal information with us for these purposes, and they are familiar with this privacy policy, in particular they understand how their personal information will be used. We will use the joint account holder’s personal information in accordance with this privacy policy and may send information about Sainsbury’s Group products or services to them as well as you. Read the ‘keeping you informed’ paragraph below for more information about this.
Additional Card Holders
When you apply for a Sainsbury’s Bank credit card (or an Argos store card], you can add an additional card holder. We will use an additional card holder’s personal information for the purposes listed above (at “joint account holder”) and always in accordance with this privacy policy. You must therefore ensure that all additional cardholders are aware that you are sharing their personal information with us, and they are familiar with this privacy policy so they understand how their personal information will be used. We will only send information about Sainsbury’s Group products or services to the main card holder.
Interaction with Insurance Providers
The Sainsbury’s Group offers a variety of insurance products to our customers, from Sainsbury’s Bank Travel Insurance to furniture and jewellery warranty cover to protect products purchased in Argos. We work with a number of insurance partners (or ‘underwriters’) to help us provide these products to our customers, as the Sainsbury’s Group is not regulated to provide these products by itself. These are known as branded insurance products.
When you buy a Sainsbury’s- or Argos-branded insurance product, these products will be underwritten by one of our insurance partners. These partners collect all the information about you that they need in order to provide you with the product – they are the ‘data controller’ of that information (i.e., they decide how the information is used) and you can ask them about how they use your information by contacting them using the details provided in your terms and conditions or on their website.
These partners pass certain necessary information about our customers back to us once they’ve bought an insurance product. This information helps us understand what products our customers have and how we can provide the best possible service for those customers across our Group.
Automated decisioning for credit products
When you apply for a Sainsbury’s Bank or Argos credit product (e.g., credit card, loan, store card), we will decide whether we can lend to you by automatically comparing the information you provide to us against our lending criteria. This criteria includes:
credit score, credit history, employment status, existing credit products or previous applications and also an assessment of affordability.
Your information will be compared against this criteria and we will make a decision automatically, using a computer, about whether to offer you credit, and on what rate.
You do have the right to ask us to look at this manually, if you think we may have missed some relevant information during the decision-making process and would like this to be considered. Please contact us using the following details if you would like to discuss an application which has been completed using automated decision-making.
Bank Customer Authentication/Two Factor Authentication
Sainsbury’s Bank is required to meet certain obligations under the secure customer authentication requirements of the Payment Services Directive 2. Two factor authentication is a security process where you will be asked to provide two different authentication factors to verify your identity. We will ask you for both a possession factor and an inherence factor. A possession factor is something that you have, for example, a one-time password that will be provided to you by the Bank. An inherence factor, sometimes known as a biometric factor, is something that you are, unique and inherent to you. To fulfil our obligations under this Directive, Sainsbury’s Bank will process your behavioural biometric personal data. This includes:
- key stroke dynamics relating to typing speed/pressure, mouse movement, device movement and swiping activity (plus BOT or remote access trojan detection) which is combined with other device intelligence such as location and device ID/ type of device.
The personal data captured builds up your authentic user profile. This is layered against other device intelligence and fraud factors then screened by our third-party solution provider, Callsign. By using this method of multi-factor authentication Sainsbury’s Bank can increase the security of electronic payments. This extra layer of security makes it harder for attackers to gain unauthorised access to your device or online accounts.
International transfers of personal information
From time to time we transfer your personal information to our Sainsbury’s Group companies, suppliers or service providers based outside of the EEA for the purposes described in this privacy policy (please see the “Who might we share your personal information with?” section above for further details). When we do this, your personal information will continue to be subject to one or more appropriate safeguards set out in the law. These might be the use of model contracts in a form approved by regulators, or having our suppliers sign up to an independent privacy scheme approved by regulators.
Keeping you informed about our products and services
We would like to tell you (and joint account holders) about the great offers, ideas, products and services of the Sainsbury’s Group from time to time that we think you might be interested in. Where we have consent or it is in our legitimate interests to do so, we may do this through the post, by email, text message, phone, through online advertising or by any other electronic means.
We won't send you marketing messages if you tell us not to, but if you receive a service from us, we will still need to send you occasional service-related messages and may still send you surveys (you can always opt out of these via the survey email itself). If you wish to amend your marketing preferences, you can do so by logging into any of your Sainsbury’s Group accounts and following the directions, or by logging into our Customer Preference Centre.
Please note that it can take a little while for all marketing to stop once you either withdraw your consent or tell us you’d like to opt out of marketing. This is because some marketing may have been identified as relevant to your interests and may already be in transit, it cannot therefore be immediately stopped.
Your rights
You have a number of rights under data protection legislation which, in certain circumstances, you may be able to exercise in relation to the personal information we process about you.
These include:
- the right to access a copy of the personal information we hold about you;
- the right to correction of inaccurate personal information we hold about you;
- the right to restrict our use of your personal information;
- the right to be forgotten;
- the right of data portability; and
- the right to object to our use of your personal information.
Where we rely on consent as the legal basis on which we process your personal information, you may also withdraw that consent at any time.
If you are seeking to exercise any of these rights, please contact us using the details in the “Contact Us” section below. Please note that we will need to verify your identity before we can fulfil any of your rights under data protection law. This helps us to protect the personal information belonging to our customer against fraudulent requests.
Automated decision making and profiling
We use automated decision making, including profiling, in certain circumstances, such as when it is in our legitimate interests to do so, or where we have a right to do so because it is necessary for us to enter into, and perform, a contract with you. We use profiling to enable us to give you the best service across the Sainsbury’s Group, including specific marketing which we believe you will be interested in.
You have the right not to be subject to a decision based solely on automated processing, including profiling, which has legal effects for you or affects you in any other significant way.
If you are seeking to exercise this right, please contact us using the details in the “Contact Us” section below.
How long will we keep your personal information for?
We will keep your personal information for the purposes set out in this privacy policy and in accordance with the law and relevant regulations. We will never retain your personal information for longer than is necessary. In most cases, our retention period will come to an end 7 years after the end of your relationship with us. However, in some instances we are required to hold your personal information for up to 12 years following the end of your relationship with us (e.g., for data relating to Sainsbury's Bank mortgage products).
Security
We take protecting your personal information seriously and are continuously developing our security systems and processes. Some of the controls we have in place are:
- We limit physical access to our buildings and user access to our systems to only those that we believe are entitled to be there;
- We use technology controls for our information systems, such as firewalls, user verification, strong data encryption, and separation of roles, systems & data;
- Systems are proactively monitored through a “detect and respond” information security function;
- We utilize industry “good practice” standards to support the maintenance of a robust information security management system; and
- We enforce a “need to know” policy, for access to any data or systems.
Contact us
If you would like to exercise one of your rights as set out in the “Your rights” or “Automated decision making and profiling” sections above, or you have a question or a complaint about this policy, or the way your personal information is processed, please contact us by one of the following means:
If your enquiry relates to Sainsbury’s Supermarkets, Argos, Habitat or Tu:
By email: privacy@sainsburys.co.uk
By post: Data Protection Officer at Privacy Team, Sainsbury's Supermarkets Ltd, 17th Floor, Arndale House, Manchester, M4 3AL
Or if your enquiry relates to Sainsbury’s Bank or Argos Financial Services:
By email: privacy.bank@sainsburysbank.co.uk; or
By post: Data Protection Officer, Sainsbury’s Bank, 1 New Park Square, Edinburgh Park, Edinburgh EH12 9GR
You also have the right to lodge a complaint with the UK regulator, the Information Commissioner's Office. Go to ico.org.uk/concerns to find out more.
Policy change
This privacy policy was most recently updated in September 2024. If we make changes to it, then we will take appropriate steps to bring those changes to your attention.