Privacy Policy

Sapphire Retail International Limited is dedicated to protecting your privacy under the Data Protection Act (2018), Part 2, within the UK GDPR ‘Right to be Informed’. Our policy recognizes the importance of protecting your personal information, explaining what constitutes personal information, how we use the information, who has access to your data, and what your rights are regarding your personal information.

This Privacy Notice was last updated in July 2024.

1.0  Key Terms 

1.1 Whilst every effort has been made to outline our responsibilities to you in as clear, concise, and easy-to-understand a manner as possible, we do need to use certain terms throughout this Privacy Notice.

1.2 For your benefit and understanding, we will now provide an easy-to-understand definition of each term: 

  • Business Continuity Plan (BCP): This is a prevention and recovery system for potential threats, such as natural disasters or cyberattacks. BCP is designed to protect personnel and assets and make sure they can function quickly when a disaster strikes.
  • Data Controller: A Data Controller has the responsibility of deciding how personal data is processed, the purpose for the data processing, and how to securely protect the personal data.
  • Data Processing Agreement (DPA): Whenever a Data Controller uses a Data Processor to process personal data on their behalf, a written contract needs to be in place between the parties. Similarly, if a processor uses another organization (i.e., a Sub-Processor) to help it process personal data for a Data Controller, it needs to have a written contract in place with that Sub-Processor. This is commonly referred to as a DPA.
  • Data Processor: In a similar way to Data Controllers, Data Processors must protect people’s personal data. However, they only process it in the first place on behalf of the Data Controller. They would not have any reason to have the personal data if the Data Controller had not asked them to do something with it. 
  • Data Protection Act (DPA 2018): The DPA 2018 sets out the legal data protection framework in the UK. It contains three separate data protection regimes:
      • Part 2: sets out a general processing regime (the UK GDPR);
      • Part 3: sets out a separate regime for law enforcement authorities; and
      • Part 4: sets out a separate regime for the three intelligence services.
  • Data Subject: A Data Subject is a living person who can be identified from personal data.
  • Incident Response Plan (IRP): A document that outlines an organization's procedures, steps, and responsibilities of its incident response programme, for example when responding to a personal data breach.
  • Individual Rights: In UK data protection law, individuals have rights over their personal data. These rights allow the individual to ask the Data Controller to do something, or stop doing something with their personal data. There are eight individual rights.
  • Information Commissioner’s Office (ICO): The Information Commissioner’s Office (ICO) is the UK's independent body set up to uphold information rights.
  • International Data Transfer: An international data transfer refers to the act of sending or transmitting personal data from one country to another.
  • International Data Transfer Agreement (IDTA): This agreement regulates the transfer of personal data between countries. The IDTA is the UK version of the new EU Standard Contractual Clauses, drafted and approved by the ICO.
  • Lawful Basis: A lawful basis is the legal reason or legal grounds relied upon for the processing of an individual’s personal data. There are six lawful bases to choose from: consent, contract, legal obligation, legitimate interest, public task, and vital interests.
  • Personal Data: Personal data is information about who you are, where you live, what you do, and more. It is all information that identifies you as a Data Subject.
  • Privacy and Electronic Communications Regulations 2003 (PECR): PECR sits alongside the DPA 2018 and the UK GDPR. This legislation gives people specific privacy rights in relation to electronic communications, and electronic processing of their personal data.
  • Processing: Processing means taking any action with someone’s personal data, including processing the data for a specific purpose, storing the data, and archiving the personal data.
  • Restricted Transfer: Restricted transfers include the transfer of personal data to an overseas company within our corporate group, but do not include the transfer of personal data to a receiver who is employed by us.
  • Sub-Processor: A Sub-Processor acts under the instructions of the Data Processor, meaning that they may process individuals’ personal data on behalf of the Data Processor. Sapphire Retail International Limited will always seek the permission of the Data Controller before appointing any Sub-Processors.
  • UK GDPR: This stands for General Data Protection Regulation (GDPR), the UK’s agreed standards for data protection that are also written into UK law through the Data Protection Act 2018 (DPA 2018).

2.0 Scope

2.1 The scope for Sapphire Retail International Limited is any Data Subject, whose personal data is processed upon instruction, in line with UK privacy legislation including the DPA 2018, PECR (2003), and UK GDPR.  

2.2 We also acknowledge any additional responsibilities requested by the industry regulator in the UK, the Information Commissioner’s Office (ICO). 

2.3 The DPA 2018 and UK GDPR have a material scope covering personal data that is processed either electronically or is processed as part of a physical paper filing system. 

2.4 Sapphire Retail International Limited will adhere to the seven UK GDPR data processing principles when handling personal data: 

  • Lawfulness, Fairness, and Transparency;
  • Purpose Limitation;
  • Data Minimization;
  • Accuracy;
  • Storage Limitation;
  • Integrity and Confidentiality (Security); and
  • Accountability.

2.5 All associates and employees of Sapphire Retail International Limited who interact with Data Subjects are responsible for ensuring that this Privacy Notice is drawn to their attention, at the earliest available opportunity. 

3.0 Lawfulness 

3.1 Sapphire Retail International Limited is a private limited company, based in England, under company registration number 15267340, complying with the laws of the United Kingdom, paying further reference to the Companies Act (2006). 

3.2 Sapphire Retail International Limited is registered with the ICO under registration number ZB717884. 

3.3 Sapphire Retail International Limited acts as a Data Processor and Data Controller. We are responsible for the personal data that we process (on behalf of the Data Subject), and have our own measures for ensuring compliance with the UK data controller regulations (personal data we are responsible for). 

3.4 Sapphire Retail International Limited also determines the scope of the personal data processing, what personal data we process, and for what purpose. 

3.5 From time to time we may appoint Data Processors on behalf of Sapphire Retail International Limited. We will always ensure that a written agreement is in place with each of our Data Processors documenting how personal data will be processed, safeguarded, and stored. These Data Processors may be located outside the UK. Sapphire Retail International Limited has the overall responsibility for all Data Processors. 

3.6 Sapphire Retail International Limited has a duty of care acting as a Data Controller to appoint a UK based Data Protection Officer (DPO). We have a legal obligation to notify the ICO of their name and contact details. Our appointed Data Protection Officer (DPO) is CSRB Limited. They can be contacted via email at dpo@csrb.co.uk.  

3.7 Sapphire Retail International Limited uses lawful bases, as set out in UK GDPR Article 6, when we process your personal data: 

  • Contract - personal data is processed by us for the purposes of supplying our quality textile products to domestic and international markets, whilst satisfying the needs of our customers;
  • Legal Obligation – personal data is processed by us to meet a requirement set out in UK law or statute. For example, we are legally required to meet the UK anti-money laundering regime requirements as set out in the Proceeds of Crime Act 2002 (POCA) (as amended by the Serious Organised Crime and Police Act 2005 (SOCPA)), the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) and the Terrorism Act 2000 (TA 2000) (as amended by the Anti-Terrorism, Crime and Security Act 2001 (ATCSA 2001) and the Terrorism Act 2006 (TA 2006)).
  • Legitimate Interests – personal data is processed by us to communicate with you regarding important business or commercial information (such as updates to this Privacy Notice), and to inform you of complimentary products and/or services provided by us.

3.8 Sapphire Retail International Limited may transfer personal data we collect about you to countries outside the UK, namely Pakistan. We treat each international data transfer individually and assess the risk associated with the transfer and whether a suitable level of adequacy with UK data privacy legislation is available, within the country to where the personal data is being transferred. Where required we will only make a Restricted Transfer, which limits the personal data transferred out of the UK, and deems the transfer must be both necessary and proportionate. 

3.9 Sapphire Retail International Limited will always undertake risk assessments before making international data transfers between our UK based limited company and any international group companies. A requirement of Article 46 of UK GDPR is the implementation of standard data protection clauses, which impose contractual obligations on the sender and the receiver of personal data, and grant rights to people whose personal data is transferred. The standard contractual clause we use is more commonly known as an International Data Transfer Agreement (IDTA).

4.0 Fairness 

4.1 Sapphire Retail International Limited processes personal data in a fair way. We do this by putting the individual’s rights at the heart of all processing with regards to personal data.  

There are eight individual rights: 

  • Right to be informed – Data Subjects have the right to know why we are collecting and processing personal data; this right is met by the provision of this Privacy Notice and any subsequent privacy documentation;
  • Right of access – you have the right to know what personal data we have on record and request a copy;
  • Right of rectification – you have the right to correct personal data that we hold about you that is inaccurate or incomplete;
  • Right to be forgotten – in certain circumstances you can ask for the personal data we hold about you to be erased from our records;
  • Right to restriction of processing – where certain conditions apply you have a right to ask us to only process your personal data for certain processing activities;
  • Right of portability – you have the right to have the personal data we hold about you transferred to another Data Controller;
  • Right to object – you have the right to object to certain types of data processing such as marketing; and
  • Right to object to automated processing, including profiling – you also have the right to object to the legal effects of automated processing or profiling.

4.2 Sapphire Retail International Limited will only handle personal data in ways that individuals would reasonably expect and not use it in ways that have unjustified adverse effects on them.  

4.3 Sapphire Retail International Limited will obtain personal data in a fair way. We will seek explicit consent from the Data Subject or securely transfer personal data into the business where a lawful basis for processing can be identified from Article 6 of the UK GDPR, as identified in clause 3.7 above.

4.4 Sapphire Retail International Limited always considers the rights and freedoms of Data Subjects when processing personal data. This could be for individuals or those part of a wider group.  

5.0 Transparency

5.1 Transparency is fundamentally linked to fairness. Sapphire Retail International Limited will always be clear, open, and honest with people from the start, about who we are, and how, and why we need to use your personal data. 

5.2 Sapphire Retail International Limited will inform Data Subjects from the outset regarding the types of personal data we need to process, usually within our business terms, contract and engagement documentation, this Privacy Notice, and other privacy documentation. 

5.3 Sapphire Retail International Limited processes the following personal data types as a minimum: 

  • Account Data (e.g., name, email address, telephone number, date of birth).
  • Order Processing Data (e.g., name, email address, telephone number, delivery address).
  • Payment Data (e.g., debit card details, credit card details, bank details, billing addresses).
  • Marketing Data (e.g., previous purchase history, cookie and location data, date of birth).

5.4 Sapphire Retail International Limited informs individuals about all personal data processing in a way that is easily accessible and easy to understand, using clear and plain language. We do this by ensuring all Sapphire Retail International Limited’s employees receive annual data protection and UK GDPR training, whilst having a company information governance framework with up-to-date policies, procedures, and processes.

5.5 Sapphire Retail International Limited hopes we can resolve any query or concern you raise about our use of your personal data. Sapphire Retail International Limited has appointed a certified independent Data Protection Officer (DPO) to act in the interests of all parties. Should you require further information with regards to personal data processing and the protection of your personal data, please contact our DPO via email at dpo@csrb.co.uk.  

5.6 Should we not be able to resolve the complaint, you have the right to lodge a complaint with the lead authority. The lead authority in the UK is the Information Commissioner’s Office (ICO), who may be contacted by telephone on 0303 123 1113 or by visiting www.ico.org.uk.  

6.0 Purpose Limitation 

6.1 Sapphire Retail International Limited will always be clear about what the purpose is for any personal data processing from the very start. We process your personal data for the following purposes: 

  • To create your personal account on our website (e.g., your name, phone number, email address and date of birth, etc.);
  • To process your orders (e.g., your name, address, email address, phone number and bank details);
  • To process e-commerce and payments for goods and services (e.g., debit card, credit card, and bank details);
  • To be able to send you the status of your order (e.g., your phone number and email);
  • To be able to send you marketing offers such as newsletters and our catalogues (e.g., your email and phone number);
  • To enable us to answer your queries and to inform you of new or changed services (e.g., your email address);
  • To notify the winners in promotions (e.g., your email address, name, home address and phone number);
  • Managing your account by carrying out credit checks (e.g., name, address, date of birth);
  • To be able to analyse your personal data to provide you with relevant marketing offers and information (e.g., name, buying habits);
  • To be able to validate that you are of legal age for shopping online (e.g., date of birth);
  • To notify you about important legal changes to our Company and the services we provide (e.g., email address).

6.2 Sapphire Retail International Limited will record our purposes for personal data processing as part of our contract obligations. We will also specify them in any additional privacy documentation provided. 

6.3 Sapphire Retail International Limited will only use your personal data for a new purpose if this is either compatible with the original purpose, or we obtain consent, or we have a clear lawful obligation, or function set out in UK law. 

6.4 Where relevant, Sapphire Retail International Limited may also share personal data with third parties, such as:

  • Trusted third party partners who we work alongside and who process personal data on our behalf, with regards to agreements and contracts, or for the provision of supplementary support services;
  • Fraud prevention agencies, money laundering agencies, and other professional associations; and
  • Regulators and law enforcement agencies, including the Police, HM Revenue and Customs, or any other relevant authority who may have jurisdiction. We would always inform you ahead of acting on any instructions to proceed.

7.0 Data Minimisation

7.1 Sapphire Retail International Limited always ensures the personal data we are processing is: 

  • Adequate – sufficient to properly fulfil our stated purpose;
  • Relevant – has a rational link to that purpose; and
  • Limited to what is necessary – we do not hold more than we need for that purpose.

The UK GDPR does not define these terms. As this is the case, Sapphire Retail International Limited accepts these terms may have a differing definition from one individual to the other, as the processing will depend on the specified purpose for collecting and using the personal data.  

7.2 In order to assess whether we are holding the right amount of personal data, we demonstrate clearly why we need it, before any data processing activities take place. 

7.3 Sapphire Retail International Limited undertakes an annual Data Protection Audit with an external certified Data Protection Service Provider, to review our personal data processing, and to check that the personal data we hold is still relevant and adequate for the stated purposes. 

8.0 Accuracy 

8.1 Sapphire Retail International Limited will take all reasonable steps to ensure the personal data we hold is accurate and up to date. 

8.2 Sapphire Retail International Limited will take reasonable steps to ensure that personal data we hold is not incorrect. This may involve contacting you via our official communication channels, to ensure all personal data held is accurate. 

8.3 Sapphire Retail International Limited will always record the source of where personal data came from and ensure the source is compliant with UK privacy laws, including the UK GDPR. 

8.4 If we need to keep a record of a mistake, where we have clearly identified it as a mistake, we add this to our records of processing for audit purposes, and continuous improvement. 

8.5 Sapphire Retail International Limited’s records of processing clearly identify any matters of opinion, and where appropriate whose opinion it is, and any relevant changes to the underlying facts. 

8.6 Sapphire Retail International Limited will comply with the individual’s right to rectification, and carefully consider any challenges to the accuracy of the personal data. 

9.0 Storage Limitation and Deletion 

9.1 Sapphire Retail International Limited will not keep personal data for any longer than is necessary to fulfil the original stated purpose for the processing of such personal data. 

9.2 Sapphire Retail International Limited will only keep personal data for the period outlined to meet the requirements of the contract, legal obligation, or legitimate interest identified.  

9.3 Any retention of personal data will be carried out in compliance with legal, professional body, and regulatory obligations. These data retention periods are subject to change, due to any revisions of associated legislation, regulations, or requirements. 

9.4 Sapphire Retail International Limited acknowledges that UK privacy legislation does not determine how long personal data needs to be kept. This is up to the Data Controller to determine and document accordingly at the earliest possible opportunity.  

9.5 Sapphire Retail International Limited has a personal data retention policy in place, which documents the categories of personal data we hold, what we use it for, and how long we intend to keep it. 

9.6 Sapphire Retail International Limited periodically reviews the personal data we hold, and erases or anonymises it, when we no longer need to process it for the original purpose. 

9.7 Sapphire Retail International Limited also considers any challenges to the retention of personal data. We understand that individuals have a right to erasure if we no longer need their personal data. 

9.8 Sapphire Retail International Limited acknowledges there are exceptions to retention periods. Here we can keep personal data for longer if we are only keeping it for public interest archiving, scientific or historical research, or statistical purposes. We would always inform you if this was the case, along with our lawful basis for retention. 

9.9 When Sapphire Retail International Limited is provided with an instruction to destroy data it must be destroyed irretrievably either in paper or electronic formats. Paper records will be destroyed by an approved contractor who can provide evidence of destruction and a certificate of destruction. Sapphire Retail International Limited will retain this certificate. 

9.10 Sapphire Retail International Limited also has secure destruction procedures and processes for any of the devices it has used for the storage of personal data. Sapphire Retail International Limited will retain evidence of any equipment destruction and confirms that the destruction is beyond any prospect of retrieving data stored within the device. 

10.0 Data Transfer and Confidentiality (Security) 

10.1 Sapphire Retail International Limited will undertake an analysis of the risks presented by our personal data processing and use this to assess the appropriate level of security we need to put in place. We review our Business Continuity Plan (BCP) and Incident Response Plan (IRP) annually. 

10.2 Sapphire Retail International Limited makes sure that we can restore access to personal data in the event of any data incidents or personal data breaches, by the implementation of an appropriate data backup procedure. 

10.3 Where appropriate, we implement measures that adhere to an approved code of conduct or certification mechanism, such as Cyber Essentials certification, and additional quality standards. 

10.4 We ensure that any Data Processor we engage implements appropriate technical safeguards for all data. 

10.5 Sapphire Retail International Limited does track website behaviour in order to offer Data Subjects an enhanced client experience and for organisational analytics. The UK GDPR and PECR interpret data collected by cookies as personal. They prohibit the collection of personal data without consent, which means a website is only allowed to collect information that the user voluntarily inputs. The cookie consent must be freely given, specific, informed, and unambiguous. Further information about the use of cookies can be found in the Sapphire Retail International Limited Cookie Policy.

11.0 Accountability 

11.1 Accountability is one of the UK GDPR data processing principles. Sapphire Retail International Limited takes our accountability commitments with the UK GDPR very seriously, as documented by this Privacy Notice.  

11.2 Sapphire Retail International Limited has put in place several measures that we can, and in some cases must take, including: 

  • adopting and implementing data protection policies and procedures;
  • taking a ‘data protection by design and default’ approach;
  • maintaining documentation of our processing activities;
  • implementing appropriate security measures;
  • recording and, where necessary, reporting personal data breaches;
  • carrying out data protection impact assessments for uses of personal data that are likely to result in high risk to individuals’ interests;
  • ensuring all Sapphire Retail International Limited employees receive annual UK GDPR and privacy legislation training;
  • appointing a certified and independent Data Protection Officer; and
  • adhering to relevant codes of conduct and signing up to certification schemes (where applicable).

11.3 Sapphire Retail International Limited understands that accountability obligations are ongoing. We review and, where necessary, update the measures we have put in place. For example, we continually enhance our privacy management framework, as this can help embed our accountability measures and create a culture of privacy across our organisation. 

11.4 Sapphire Retail International Limited understands that being accountable can help build trust with individuals and may help mitigate any gaps in compliance, and thus any potential regulatory enforcement action. 

11.5 If you have any questions or concerns about how we process and protect your personal data not covered in this Privacy Notice, please contact the Sapphire Retail International Limited DPO by email at dpo@csrb.co.uk. Alternatively, you can always reach out to our customer services team at wecare@sapphire-online.com.

Cookie Notice 

Sapphire Retail International Limited is a Private Limited Company and our company registration number is 15267340. Like many other websites, https://uk.sapphire-online.com/ uses cookies and similar technologies to enhance your shopping experience with us and provide you with a more personalized journey, tailored to your needs.

What are cookies? 

A cookie is a simple text file which contains an identifier used to store basic information and settings relating to your device and preferences. To learn more about cookies, please visit http://www.allaboutcookies.org/verify

Cookies are useful because they allow our website to ‘recognise’ you via your device and recall your settings and preferences from previous visits. This helps us in a number of ways, explained in the next section. 

How does Sapphire Retail International Limited use cookies? 

We use cookies to store only the necessary information required to enhance your shopping experience with us by providing you with a tailored customer journey, with personalized recommendations for you. From time to time, we may also use third-party cookies from our partners in an encrypted format.

The first time you visit our website via a particular device (e.g. desktop, laptop, or mobile), we will provide a clear on-screen notification about our cookies and give you the choice to accept them, decline them, or find out more.

If you accept cookies our website will place the relevant cookies on your device. The next time you visit the website, your device will check to find the relevant cookies and, if your device has them, it sends the cookie information back to the website. 

Which types of cookies do we use? 

We use the following types of cookies to enhance your shopping experience with us:

  • Strictly Necessary Cookies: These are basic cookies that are essential for the smooth running of our website and cannot be turned off. They enable you to seamlessly navigate our website and access it to its fullest. These cookies do not store any of your personal information.
  • Performance Cookies: These cookies collect information about how our website is used, such as users and traffic, which pages and products are visited the most. Collecting this data allows us to provide you with a personalized experience, built specifically for you. If you reject the usage of this cookie, we will be unable to provide you with a tailored experience built around your needs.
  • Functionality Cookies: These cookies allow us to store and remember website navigation (such as your username, language, or the region you are in) in order to provide enhanced, more personalized features.
  • Marketing Cookies: These cookies allow us to deliver targeted advertisements that are relevant to you and your interests. By allowing these cookies, you get exclusive insight into all our on-going and upcoming sale events and product launches. They also allow us to limit the number of times you see an advertisement in order to only reach out to you when it is relevant to you.

Your right to manage cookies 

Most modern browsers allow you to manage the cookies saved on your device. If you do not want to receive cookies, you can set your browser to notify you when you receive one, then choose to decline it. You can also clear your cache at any time you wish. For more information you may wish to check the cookie controls in your browser.

If you have questions 

If you have any questions about this Cookie Notice, or would like to contact us about any other data privacy matter, you can contact our independent Data Protection Officer (DPO) by email at dpo@csrb.co.uk. Alternatively, you can reach out to our Customer Services team at wecare@sapphire-online.com.

Updated: July 2024