This policy applies to information held about clients, suppliers and possible future clients and suppliers, contacts and all other people we hold information about. Please read the following carefully to understand our views and practices regarding your information and how we will treat it.

1. Definitions
Data controller – A controller determines the purposes and means of processing personal data. Data processor – A processor is responsible for processing personal data on behalf of a controller. Data subject – Natural person

Categories of data: Personal data and special categories of personal data Personal data – The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier (as explained in Article 6 of GDPR). For example name, passport number, home address or private email address. Online identifiers include IP addresses and cookies. Special categories personal data – The GDPR refers to sensitive personal data as ‘special categories of personal data’ (as explained in Article 9 of GDPR). The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. Other examples include racial and ethnic origin, sexual orientation, health data, trade union membership, political opinions, religious or philosophical beliefs. Processing – means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Third party – means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

2. Who are we?
X2Furniture is the data controller. This means we decide how your personal data is processed and for what purposes. Our contact details are: X2Furniture, 22 Mulroy Road, Sutton Coldfield B74 29Y For all data matters contact Clive Poole on

3. The information we collect
By ‘information,’ we mean personal information about you that we collect, use, share, store and transfer in physical and electronic form. This information can be grouped together in the following categories: Identity and Contact Information includes first name, last name, title, email address, telephone number, delivery address, billing address or any other information you provide Financial Information includes bank account and payment card details Transaction Information includes details about payments to and from you and other details of products and services you have purchased from us Contact History means keeping a record of what you have said to us, for example, over the phone, through a web form, by email, on social media or otherwise Social Information means information collected if you choose to link your social media accounts with us.

4. The purpose(s) of processing your personal data
We use your personal data for the following purposes: To send a quote Create an account Process an order Process payments Product update information

5. What is our legal basis for processing your personal data?
Personal data (article 6 of GDPR) Our processing of your personal information is necessary: for the performance of contracts to which you will be a party to and in order to take steps at your request prior to you entering into those contracts; for the purposes of legitimate interests pursued by us.

Legitimate interests Where our processing is based on the legitimate interest grounds described above, those legitimate interests are: (i) collecting personal information to provide you with a smooth and efficient customer experience; (ii) running our business; (iii) to provide the products and services you have requested; (iv) to prevent fraud; and (v) for our own marketing, research and product development.

6. Sharing your personal data
Your personal data will be treated as strictly confidential, and will be shared only with: Companies that help us fulfil your orders such as payment service providers, warehouses, order packers, and delivery and installation companies Professional service providers, such as marketing agencies, advertising partners and website hosts, accountants, solicitors who help us run our business Credit reference agencies, law enforcement and fraud prevention agencies, so that we can help tackle fraud Companies approved by you, such as social media Sites (if you choose to link your accounts to us) We may also share your personal information with: law enforcement agencies, other governmental agencies or third parties if we are required by law to do so; and other business entities should we plan to merge with or be acquired by that business entity, or if we undergo a re-organisation with that entity. We will not provide third parties with aggregated but anonymised information and analytics about our customers.

7. How long do we keep your personal data?
We keep your personal data for no longer than reasonably necessary for a period of 7 years in case of any legal claims/complaints; for safeguarding purposes etc. We need to keep customer information long enough to satisfy HMRC and our insurers. We keep information on prospective customers long enough to make our sales enquiry system effective.

8. Providing us with your personal data
We require your personal data as it is a contractual requirement or a requirement necessary to enter into a contract.

9. Your rights and your personal data
Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data: The right to request a copy of the personal data which we hold about you; The right to request that we correct any personal data if it is found to be inaccurate or out of date; The right to request your personal data is erased where it is no longer necessary to retain such data; The right to request that we provide you with your personal data and where possible, to transmit that data directly to another data controller, (known as the right to data portability), (where applicable i.e. where the processing is based on consent or is necessary for the performance of a contract with the data subject and where the data controller processes the data by automated means); The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing; The right to object to the processing of personal data, (where applicable i.e. where processing is based on legitimate interests (or the performance of a task in the public interest/exercise of official authority); direct marketing and processing for the purposes of scientific/historical research and statistics).

10. Transfer of Data Abroad
Like most small businesses, we do not have any tailor-made software – we use mainstream packages for everything from our customer records, to email, to accounting. The information that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”). It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. Such staff may be engaged in, among other things, the fulfilment of your order, the processing of your payment details and the provision of support services. This means that some of your data may be held in the EEA, and some may be held in services in the USA (with suitable data privacy shields) or elsewhere. We have picked mainstream suppliers with appropriate security standards.

11. Automated Decision Making

12. Data Sharing
We do not sell or exchange your personal data with organisations who may want to sell you something or use your data for research or other purposes. Data Subject Access Requests We would gladly assist in any data subject access requests free of charge. Data subject access requests must be made in writing and we advise emailing

13. Further processing
If we wish to use your personal data for a new purpose, not covered by this Data Privacy Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions.

14. Changes to our privacy policy
Any changes we may make to our privacy policy in the future will be posted on this page and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes to our privacy policy.

15. How to make a complaint
To exercise all relevant rights, queries or complaints please in the first instance contact our data representative on If this does not resolve your complaint to your satisfaction, you have the right to lodge a complaint with the Information Commissioners Office on 03031231113 or via email or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, England.