Privacy Policy
Last updated: 05/09/2025
This Privacy Notice provides you with information about how James and James Fulfilment Ltd (herein referred to as “J&J Global”, ‘We’ or ‘Us’) collect, process and take care of your personal information.
Who we are
J&J Global is an eCommerce fulfilment company backed by a global network of fulfilment centres across the UK, Europe, North America, and Australia. We provide the technology, knowledge, and infrastructure to enable eCommerce growth and operational success.
For the purposes of this Privacy Notice, the data controller is James and James Fulfilment Ltd, a company registered in England and Wales (Company No. 07155473). Registered office: Liberty 196, Rhosili Road, Northampton, NN4 7JE.
We are registered as a data protection fee payer with the Information Commissioner’s Office (ICO), registration reference Z2489219.
Please note: James and James Fulfilment Ltd operates as a subsidiary of Park Bidco Group Limited (Company No. 12469557). We do not share public, customer, or client data with Park Bidco Group for commercial purposes. Any data shared with our parent company is limited to essential internal administrative or corporate oversight purposes and is subject to the same robust security measures described in this notice.
How to contact us
If you have any questions about this notice or how we collect, use, store, share, or otherwise process your personal information, please contact our Data Protection Officer:
[email protected] | +44 1604 968 821
What this Privacy Notice covers
This Privacy Notice covers the processing of personal information where J&J Global acts as the Data Controller. We act as the Data Controller when J&J Global exercises overall control of the personal information processed – in other words, when we decide how personal information is collected, stored and used.
This Privacy Notice does not apply to data we process as the data processor.
For more information on how your personal information is processed when J&J Global is acting as the data processor, please refer to the Privacy Notices of the Data Controller.
What personal information we process about you
Depending on the circumstances in which we interact with you, we may process the following personal information:
- Identity and contact information: Such as your name, email address and phone number, company and shipping address.
- Professional information: Such as your job title, the company you work for, your department information, job history, image and other information on your LinkedIn profile.
- Billing information: Such as your credit card details, bank account details, payment provider information, records about your transactions with us, and billing address.
- Account information: Such as your login credentials, user ID, order ID, purchase history and account preferences.
- Communications information: Such as records of interactions you have with us, including messages, emails, meetings notes, call transcripts and call recordings.
- Usage information: Such as information about your usage of our products and services, including metadata.
- Device and technical information: Such as your IP address, browser type, browser version, device, language preferences, browsing behavior, cookie preferences and location information.
- Marketing preferences: Such as your choices for receiving promotions or newsletters and invitations to upcoming events.
- Analytical and performance information: Such as information we collect when you engage with us or use our products and services, order volumes and inventory data.
- Feedback: Any feedback or other information provided to us that we may use to improve and market our products and services.
- Information publicly available on the internet and in public records
- Any other information you choose to provide to us, including but not limited to survey results or customer feedback form data.
We may collect the following information indirectly:
- Device and technical information: Collected automatically through your browser or device when you visit our website (e.g., IP address, browser type, operating system, referring URLs, and interactions with our site).
- Analytical and audience information: Obtained via cookies, pixels and similar technologies from analytics, advertising, and social media providers. This helps us understand website performance, user engagement, and the effectiveness of our marketing.
- Identity, contact, and professional information: Gathered from publicly available sources (such as business directories or LinkedIn) or third-party data providers/brokers, where permitted by applicable law.
How we process your personal information
How we process your personal information may depend on how you interact with us.
The table below describes the purposes for which we may process your personal information and our lawful basis for doing so.
Categories of Personal Information | Our Use of the Data | Lawful Basis for Processing |
---|---|---|
Identity and contact information: Name, email, phone number | We use this data for account management, to respond to your inquiries, and to send you important service-related communications. | Legitimate Interests (Article 6(1)(f) UK GDPR) for business development; and Performance of a Contract (Article 6(1)(b) UK GDPR) for managing the client relationship. |
Identity and contact information: Company and shipping address | We use this data to identify your organisation and ensure the correct and timely delivery of services to your designated location. | Performance of a Contract (Article 6(1)(b) UK GDPR). This processing is necessary to fulfill our contractual obligation to deliver services to your organisation. |
Professional information: Job title, company, department | We use this data to understand your role and tailor our communications to you. | Legitimate Interests (Article 6(1)(f) UK GDPR). We have a legitimate interest in communicating with you effectively as a business contact to provide services that align with your professional role. |
Professional information: Job history, image, LinkedIn profile | We use this data for B2B sales and marketing to identify and engage with prospective business clients. | Legitimate Interests (Article 6(1)(f) UK GDPR). It is a legitimate business interest to use publicly available professional information to identify and engage with potential clients for sales and marketing. This processing is subject to a Legitimate Interests Assessment (LIA), and individuals have the right to object. |
Billing information: Credit card details, bank account, payment provider information | We use this data to process payments and to verify your financial transactions with us. We use this data to prevent fraud for established clients. | Performance of a Contract (Article 6(1)(b) UK GDPR) for processing payments; and Legitimate Interests (Article 6(1)(f) UK GDPR) for fraud prevention, as it’s in our legitimate business interest to protect our services and clients from fraudulent activities. |
Billing information: Transaction records, billing address | We use this data for accounting, record-keeping, and to comply with tax and audit requirements. | Legal Obligation (Article 6(1)(c) UK GDPR). We are required by law to process this data to comply with our financial, tax, and audit record-keeping obligations. |
Account information: Login credentials, user ID | We use this data to authenticate your access to our online services and to maintain the security of your account. | Performance of a Contract (Article 6(1)(b) UK GDPR). This is necessary to fulfill our contractual obligation to provide secure access to our core services. |
Account information: Order ID, purchase history, account preferences | We use this data to provide and improve our services, and to understand your needs as a business client. | Performance of a Contract (Article 6(1)(b) UK GDPR) for service delivery; and Legitimate Interests (Article 6(1)(f) UK GDPR) for service improvement and understanding client needs. |
Communications information: Messages, emails, meeting notes | We use this data to manage our relationship with you, to resolve any issues, and for internal quality assurance. | Legitimate Interests (Article 6(1)(f) UK GDPR). We have a legitimate interest in effectively managing our business relationship, resolving issues, and ensuring service quality through internal records. |
Communications information: Call transcripts, call recordings | We use this data for quality assurance, staff training, and for our internal records to ensure accurate communication. Participants are notified at the beginning of the call that it is being recorded, in line with the transparency principle of Article 5 of the UK GDPR. | Legitimate Interests (Article 6(1)(f) UK GDPR). We have a legitimate interest in using this data for quality control and training to improve our services, and this interest is balanced against the individual’s right to privacy through clear notification. |
Usage information: Usage of products/services, metadata | We use this data to monitor the performance of our services, to improve their functionality, and to understand how they are being used. | Legitimate Interests (Article 6(1)(f) UK GDPR). We have a legitimate interest in using this data for service analytics to monitor performance and improve our services to meet client needs. |
Device and technical information: IP address, browser version, device, location | We use this data for website functionality, to ensure network security, and to conduct basic website analytics. | Legitimate Interests (Article 6(1)(f) UK GDPR). We have a legitimate interest in processing this data to ensure the security and stability of our network and to provide core service functionality. |
Device preferences and technical information: Language preferences, browsing behavior, cookie preferences | We use this data to improve your user experience, to provide relevant content, and to customise our services to your preferences. | Consent (Article 6(1)(a) UK GDPR). We rely on your consent for processing this data, which is collected via our cookie banner or preference centre, in line with PECR. |
Marketing preferences: Promotions/newsletters, event invitations | We use this data to communicate with you about our products, services, and upcoming events based on your stated preferences. | Consent (Article 6(1)(a) UK GDPR) for new leads or visits to the J&J Global Website; or Legitimate Interests (Article 6(1)(f) UK GDPR) for existing clients under soft opt-in rules for marketing similar products and services. |
Analytical and performance information: Order volumes and inventory data | We use this data for internal business purposes, such as forecasting, capacity planning, and operational performance analysis. | Legitimate Interests (Article 6(1)(f) UK GDPR). We have a legitimate interest in using this data to forecast demand, plan capacity, and improve our internal business operations. |
Feedback provided to us | We use this data to improve our products and services. | Legitimate Interests (Article 6(1)(f) UK GDPR). We have a legitimate interest in using your feedback to improve our products and services and to inform our marketing strategy. |
Publicly available information on the internet and public records | We use this data for B2B sales and marketing, to verify the information you have provided, and to enhance our lead generation efforts. | Legitimate Interests (Article 6(1)(f) UK GDPR). We have a legitimate interest in using publicly available business data to conduct B2B sales and marketing. This processing is subject to a Legitimate Interests Assessment (LIA), and individuals have the right to object. |
Any other information: e.g., survey results, feedback forms | We use this data to improve and evaluate our products and services, and for internal reporting. | Consent (Article 6(1)(a) UK GDPR). The processing of this data is based on your voluntary consent, which is provided when you submit the information via surveys or feedback forms. |
Our legal obligations
We may process your personal data where it is necessary for us to comply with a legal obligation, such as responding to a request from a law enforcement agency or a tax authority. This is our lawful basis under Article 6(1)(c) UK GDPR. Additionally, we may process your personal data where necessary to establish, exercise, or defend against legal claims, including in the case of a legal dispute or to enforce our legal rights. This processing is based on our Legitimate Interests (Article 6(1)(f) UK GDPR) to protect our business, clients, and assets. We will always ensure this is proportionate and respects your rights.
Categories of Personal Information | Requirement Type & Purpose | Consequences of Non-Provision |
---|---|---|
Financial Information: Bank account details, credit card numbers. | By Law & Contract: Necessary to process payments, manage billing, and comply with financial regulations such as anti-money laundering (AML) laws. | We will be unable to process payments and cannot fulfil our contractual obligations to provide fulfilment services. |
Identity Information: Full name, business address, proof of ID (e.g., passport). | By Law: Required to verify identity and to comply with legal obligations for business registration and tax reporting with government bodies like HMRC. | We may be unable to enter into a contractual agreement or business relationship. |
Shipping Information: Designated delivery address. | By Contract: Essential for fulfilling orders and ensuring the correct and timely delivery of the products or services to the end consumer. | We will be unable to process orders or have goods delivered to their end destination. |
Contact Information: Email address and phone number. | By Contract: Needed for managing your account, providing service updates, and communicating with you about your orders or inquiries. | We will be unable to provide key service-related communications or updates, which may impact your access to and use of our services. |
Our use of AI and automated processing
We do not use Artificial Intelligence (AI) or automated processing in a way that has legal or similarly significant effects on you. This is in line with our obligation under Article 22 of the UK GDPR, which gives individuals the right not to be subject to decisions based solely on automated processing. All decisions that could have a substantial impact on you are made under human review.
Cookies and other tracking technologies
We use cookies, pixels, and similar technologies to track website performance, build audience awareness, and collect information about your browsing behaviour over time. The information collected may be used to build a profile of your interests to personalise your online experience and deliver relevant content and advertising. This processing is based on your explicit consent, which we collect via our cookie banner. This complies with Article 6(1)(a) UK GDPR and the ePrivacy Regulation (PECR). You are free to manage or withdraw your consent at any time.
Who we share your personal information with
Like most companies, we sometimes need to share your personal information with third parties to help provide our service to you.
The categories of third parties we may share your personal data with include:
- Third party service providers: We may share your personal data with third party service providers, and businesses that process your personal data on our behalf (‘processors’ and ‘subprocessors’), to help provide our products or services to you. We also use third-party processors for other business functions such as managing incoming enquiries, sending customer emails, sales lead generation, operational performance, and hosting our warehouse management systems.
- Advertising companies: We may share your personal data with marketing partners and advertising companies for analytical purposes.
- Third party professionals and advisors: We may share your personal information when necessary, such as with tax consultants, lawyers and our externally appointed data protection officer.
- Law enforcement, regulators and other government agencies: When required by law or governing regulations, we may need to share your personal data.
- Corporate affiliates: We may share your personal information with other entities in the Park Bidco group.
- Mergers and acquisitions: If J&J Global is acquired by or merges with another company, we may need to share your personal information for this purpose.
For an exhaustive list of Data Processors that we use within the limits of legitimate interest, lawful obligations, performance of a contract and/or consent, please see our List of Data Processors.
Sale of personal data
We do not sell your personal data in the conventional sense. However, in limited circumstances, we may need to transfer your data to carefully selected third parties. This is treated as a “sale” under some data protection laws.
We will only transfer your data in this manner when you have given your explicit consent. This is our lawful basis under Article 6(1)(a) UK GDPR.
When we seek your consent, we will always provide clear information on:
- The categories of personal data to be transferred.
- The identity or categories of recipients.
- The specific purpose for which they will use your data.
You are under no obligation to consent to such transfers, and you have the right to withdraw your consent at any time. Please be aware that withdrawing your consent will not affect the lawfulness of any transfer that took place before the withdrawal.
Data sharing outside of the UK
Where we need to store your personal information outside of the United Kingdom, we make sure your personal information remains subject to the same robust protections as it would be in the United Kingdom. For example, we either:
- Ensure the country we are transferring the personal information to has been recognised as having adequate privacy regulations by the Information Commissioner’s Office (ICO); or
- Ensure that there are appropriate safeguards in place (as per Article 46, 47 or 49 of the UK GDPR) in the form of UK Addendums to EU Standard Contractual Clauses for data processing (SCCs) and Data Processing Agreements (DPAs) wherever necessary.
For a copy of the safeguards relied on to transfer your personal information outside of the United Kingdom, please get in touch with us.
How long we keep your personal information
To determine the appropriate retention period, we follow a documented retention schedule. We consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure, and the purposes for which we process it. We also take into account our legal, regulatory, tax, accounting, and other record-keeping requirements.
End Customer Data Retention Schedule
This schedule outlines our data retention periods for personal information we collect as a data controller from end customers, in line with the storage limitation principle (Article 5(1)(e) UK GDPR). We only keep this information for as long as is necessary to fulfill the purposes for which it was collected.
Categories of Personal Information | Purpose of Collection | Retention Period | Justification |
---|---|---|---|
Identity & Contact Information (names, emails, phone numbers) | Order fulfilment, delivery confirmation, returns, customer service | 13 months | Necessary to comply with legal obligations (Art. 6(1)(c)) and performance of a contract (Art. 6(1)(b)). |
Delivery Information (delivery addresses) | Accurate delivery, updates, proof of delivery for claims | 13 months | Legal obligations (Art. 6(1)(c)); provides evidence to manage claims for a reasonable time. |
Transactional Information (order details, tracking data) | Order confirmations, shipment tracking, returns management | 13 months | Legal obligations (Art. 6(1)(c)) and maintaining a full transaction record. |
Client Data Retention Schedule
This schedule outlines our data retention periods for personal information collected from our clients, in line with the storage limitation principle (Article 5(1)(e) UK GDPR). We only keep this information for as long as is necessary to fulfil our specific legal and contractual obligations, such as complying with HMRC’s Fulfilment House Due Diligence Scheme (FHDDS).
Categories of Personal Information | Purpose of Collection | Retention Period | Justification |
---|---|---|---|
Identity & Contact Information (client names, contact numbers, emails, communications) | Client identification, due diligence, relationship management | Minimum 6 years (mandated by HMRC) | Legal obligations (Art. 6(1)(c)) under FHDDS from end of business relationship. |
Tax/Trade Registration Information (VAT, EORI, VAT exemption, company registration) | Tax compliance and verification | Minimum 6 years (mandated by HMRC) | Legal obligations (Art. 6(1)(c)) under FHDDS regulations; auditable records. |
Inventory & Customs Data (import descriptions/quantities, import entry numbers), plus order info and integrations | Inventory management, customs clearance, compliance record‑keeping | Minimum 6 years (mandated by HMRC) | Legal obligations (Art. 6(1)(c)) to maintain verifiable records for customs audits. |
Marketing Data Retention Schedule
This schedule outlines our data retention periods for personal information collected by our marketing team, in line with the storage limitation principle (Article 5(1)(e) UK GDPR). We only keep this information for as long as is necessary to fulfil our marketing purposes.
Categories of Personal Information | Purpose of Collection | Retention Period | Justification |
---|---|---|---|
Customer Names & Email Addresses | Marketing communications and promotional offers | Up to 3 years (or until consent withdrawn) | Consent (Art. 6(1)(a)) with absolute right to withdraw at any time. |
Industry Information | Market analysis and segmentation | Up to 5 years | Legitimate interests (Art. 6(1)(f)) to analyse long‑term trends and ensure relevance. |
Website Activity Data (cookies) | Optimise user experience and deliver relevant advertising | 13 months | Consent (Art. 6(1)(a)); aligns with ICO guidance on cookies. |
How we keep your personal information secure
It is really important to us to keep your personal information safe and secure. We have implemented a range of appropriate technical and organisational measures to help safeguard your personal information and prevent unauthorised access, in line with Article 32 of the UK GDPR.
Technical measures
Data Encryption: We use encryption for data both in transit (when it is being sent) and at rest (when it is stored) within our warehouse management system.
Network Security: We utilise firewalls, Virtual Private Networks (VPNs), up-to-date antivirus software, and robust network monitoring to protect against external threats and unauthorised access.
Physical Security: Our Fulfilment Centres and offices have robust security measures, including restricted access via biometrics, CCTV and intruder alarms to protect hardware and data from physical interference.
Device Management: We utilise remote device management tools to safeguard data from being extracted physically from our managed devices. We also utilise hard drive encryption and other monitoring software for devices that are not managed under this workspace.
Password Protection: We utilise password protection for all of the platforms that we use. We also utilise multi-factor authentication (MFA) as an additional safeguard for data privacy.
Organisational measures
Access Control: We implement strict, permission-based access to our systems, ensuring that only authorised personnel can view personal information. Access reviews to all of our platforms are conducted on a monthly basis.
Staff Training: All staff are regularly trained on data protection principles, security policies, and their responsibilities when handling personal information.
Audits and Procedures: We conduct regular internal audits to assess and improve our security measures with regard to personal data. We have clear internal policies and procedures for handling data incidents and reporting breaches to our Data Protection Officer.
Document Control: We promote a paperless environment wherever possible, to ensure that documentation that can be physically extracted is kept to a minimum. All non-essential documentation that does not need to be stored to satisfy legal obligations, relating to consent, legitimate interests, or the performance of a contract is shredded.
Offboarding Process: Any employee who leaves the business undergoes a “data cleanse” of all systems, and access credentials are removed where not prohibited by governing law. This ensures that malicious access is mitigated as much as possible.
Your rights
You have certain rights protected by law over how your personal information is processed (subject to certain exceptions):
- Right to access: You have the right to ask us if we process your personal information and for copies of your personal information.
- Right to be informed: You have the right to be informed about how we process your personal information.
- Right to rectification: You have the right to ask us to correct personal information you think is inaccurate.
- Right to erasure: You have the right to ask us to delete your personal information in certain circumstances.
- Right to restrict processing: You have the right to ask us to restrict the processing of your personal information in certain circumstances.
- Right to information portability: You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
- Right to withdraw consent: You have the right to withdraw your consent at any time.
When you purchase goods from one of our clients, we act as a data processor for your personal information. In this role, the vendor you purchased from is the data controller and holds the primary responsibility for your personal data.
If you wish to exercise your data subject rights (such as the right to access, rectify, or erase your data), you should contact the vendor of the goods directly. We will then work with them to assist in fulfilling your request as required by Article 28 of the UK GDPR.
Your right to object
You have the right to object to the processing of your personal information in certain circumstances. This right is protected under Article 21 of the UK GDPR.
Please note that where we process your data for direct marketing purposes, you have an absolute right to object at any time. When you exercise this right, we must stop processing your personal information for direct marketing without delay.
For all other objections, we will assess your request to ensure our legitimate interests do not override your rights and freedoms.
International residents
If you are located outside the United Kingdom or European Union, you may have additional privacy rights under your local laws. The following sections explain how we address specific requirements in certain jurisdictions.
To exercise these rights, please contact us using the details set out at the beginning of this Privacy Notice.
United States (State Privacy Rights – CCPA/CPRA, VCDPA, CPA, CTDPA, DPDPA, UCPA)
If you are a resident of California, Colorado, Connecticut, Delaware, Utah, or Virginia, you may have the following rights under state privacy laws:
- The right to know what personal information we collect, use, disclose, and sell or share.
- The right to request deletion of your personal information.
- The right to correct inaccurate personal information.
- The right to request a portable copy of your information.
- The right to opt-out of the sale or sharing of your personal information.
- The right to request that we limit our use of sensitive personal information (where applicable).
- The right not to be discriminated against for exercising these rights.
To exercise these rights, or to opt-out of the sale/sharing of your information, please contact us at the details set out in this Privacy Notice.
When we provide fulfillment services for a vendor you have purchased from, we act as a service provider under the California Consumer Privacy Act (CPRA). In this role, the vendor is considered the business and is primarily responsible for your personal information.
If you are a California resident and wish to submit a ‘Do Not Sell or Share My Personal Information’ request, you must contact the business (the vendor) directly. We will then assist our client in responding to your request in compliance with our contractual obligations under the CPRA.
Canada (PIPEDA)
If you are located in Canada, you have the right to request access to and correction of the personal information we hold about you, and to withdraw your consent to our processing of your personal information at any time.
Brazil (LGPD)
If you are located in Brazil, you have the right to access, correct, delete, restrict, or object to our processing of your personal data. You also have the right to portability of your data and to withdraw your consent at any time.
Japan (APPI)
If you are located in Japan, we will provide information about how your personal data is shared with third parties and obtain your consent where required. Where we transfer your personal data outside Japan, we will ensure the recipient provides an equivalent level of protection as required by the Act on the Protection of Personal Information (APPI).
United Arab Emirates (PDPL)
If you are located in the UAE, you may have the right to access, correct, delete, or object to the processing of your personal data. Where your data is transferred outside the UAE, we will ensure appropriate safeguards are in place.
Saudi Arabia (PDPL)
If you are located in Saudi Arabia, you have rights to access, correct, and request deletion of your personal data, and to withdraw consent where we rely on consent. We will only transfer your data outside Saudi Arabia in accordance with applicable law and with appropriate safeguards.
China (PIPL)
If you are located in China, we will collect and process your personal information only for the purposes described in this Privacy Policy. We will clearly explain the categories of personal information we collect, the purposes for which we use it, and how long we retain it.
Where we transfer your personal information outside China, we will obtain your separate and explicit consent before doing so and ensure that the recipient provides an equivalent level of protection as required under the Personal Information Protection Law (PIPL).
If we process any sensitive personal information (such as financial information or precise location data), we will provide a clear explanation of the necessity for such processing and obtain your separate consent.
As a resident of China, you have the right to access, copy, correct, or delete your personal information; to withdraw your consent at any time; to request an explanation of how your personal information is processed; and to refuse certain automated decision-making.
To exercise these rights, please contact us at the details set out in this Privacy Notice. If you are not satisfied with our response, you also have the right to raise a complaint with the Cyberspace Administration of China (CAC).
Other Countries
If you are located outside the UK, EU, or the countries listed above, you may still have rights under your local data protection laws. These may include the right to access, correct, delete, or withdraw consent for the processing of your personal data. To exercise these rights, please contact us at the details set out in this Privacy Notice.
Complaints or queries
Please get in touch with us if you have any complaints or queries about how your personal information is processed.
You have the right to raise a complaint with the supervisory authority in the jurisdiction where you live or work, or where the infringement took place. In the UK, this is the Information Commissioner’s Office. If you need support, you can get in touch with the ICO here.
If you do have a query or a complaint, we would really appreciate the opportunity to respond to your concern in the first instance so please get in touch with us.
Updates to this Privacy Notice
From time to time, we may make updates to this Privacy Notice. Such updates will be posted on our publicly available website. Please get in touch with us if you require a previous version of our Privacy Notice.