WH Smith PLC – link to home page WH Smith PLC – link to home page

Privacy notice

The pages on this website (“the website”) are published by Investis Limited (“us” or “we”) on behalf of WH Smith PLC (“WH Smith PLC”).

When you visit our website, our web server collects some basic information such as your internet service provider’s domain name, which pages you accessed on our site and when. We use this information only to analyse the use of our website to help guide improvements. We do not collect any personally identifiable information.

Your privacy

WHSmith respects your privacy and is committed to protecting your personal data in your interactions with us online and in our stores. This privacy notice will inform you how we process your personal data, how you can exercise your rights, and how to register a complaint.

Data controller contact details

WHSmith PLC (company registration number 5202036).

Address: WHSmith PLC, Aldgate Tower, 2 Leman St, London E1 8FA

Data Protection Officer: [email protected]

How we use your personal data

In most instances our processing of your data will be in relation to your visits to our website and stores.

We will use your personal data:

  • To offer our products and services on our websites and in our stores
  • To respond to comments, enquiries, and complaints
  • To capture CCTV images and audio in stores for the purpose of preventing crime and prosecuting offenders
  • To create new customer accounts on our websites
  • To collect your address and contact details for delivery purposes
  • To collect payment, facilitate reimbursements and collect debt
  • To request a review or participation in a survey after making a purchase or using our services
  • To verify your age with credit agency TransUnion (https://www.transunion.co.uk/legal-information/bureau-privacy-notice) or through in person identity verification when purchasing age sensitive products
  • To send reminders if you abandon (exit websites) after a search, product view, or do not complete your order
  • To offer participation in prize draws and competitions
  • To administer and protect our business and websites (including troubleshooting, data analysis, testing, system maintenance, development, support, reporting and hosting of data)
  • To offer choices regarding the loading of non-essential cookies (e.g. advertising, Google Analytics)
  • To use data analytics to improve our website, products/services, marketing and customer experience
  • To make suggestions and recommendations to you about goods or services
  • To offer support from third party suppliers providing services to us
  • To share with other Group companies when required to meet legal and contractual obligations
  • When we sell or merge any part of our business

How we collect data

We use different methods to collect data from and about you including through direct interactions, automated technologies, public information and through third-party service providers. These data collection methods include:

  • Completion of online or in-store forms
  • Purchase of our products or services in store or through our website
  • Account creation including WHSmith Scan & Go application
  • Engaging with our social media accounts including competitions and complaints
  • Providing feedback or taking part in a survey
  • Engaging with external advertising on third-party sites
  • CCTV, body worn cameras, audio recordings and other surveillance images and footage
  • As you interact with our website, newsletters, or emails we may automatically collect technical data about your equipment, browsing actions and patterns
  • We may collect technical information about your journey through our sites with Google Analytics

Data collected

When you complete an online form, register or shop with us online, register or shop using the Scan & Go application, we may process different kinds of personal data about you such as your name, gender, date of birth, billing/delivery address, e-mail address and telephone number.

We may also collect and retain information about your interactions with us either in store, online, through social media, or through our contact centres so that we can process your transactions and deal with any future queries. We may use your identity, contact, technical, usage and previous purchases to form a view on which products, services and offers may be relevant for you and display them to you on the website. We also process aggregated data such as statistical or demographic data. If we combine or connect aggregated data with your personal data, we treat the combined data as personal data.

We do not ordinarily collect any special categories of data or information about criminal convictions and offences. We may collect health data if you report a store incident or if we are required to meet legal obligations in respect of the health and safety of our customers and staff.

If you do not provide the data when we need to collect personal data by law, or under the terms of a contract we have with you, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us, but we will notify you if this is the case at the time.

Lawfulness of Processing

In most instances our legal basis for processing your personal data relates to the performance of the contract you have entered for the purchase of a product or to take steps at your request prior to entering into a contract. We also process personal data to comply with our legal obligations (e.g. fraud investigations and criminal investigations) and for our legitimate interests (or those of a third party) to operate and develop our business operations and appoint suitable service providers.

Generally, we do not rely on consent for processing your personal data, other than for our own direct marketing. You have the right to withdraw consent to marketing (or to object to receiving marketing where we do not rely on consent) at any time. This can be done by unsubscribing from marketing communications or sending an email to: [email protected] or [email protected].

Data sharing

We may share your personal data in certain circumstances, including:

  • For the purpose of completing your order and delivering your product through third-party courier services.
  • To process purchase payments in store and on the website through third-party payment providers.
  • With other WHSmith Group entities
  • Trusted technical partners for the purposes of website development and improvements.
  • We may, from time to time, expand, reduce or sell WHSmith and this may involve the transfer of divisions or the whole business to new owners.
  • CCTV and other surveillance images and footage may be shared with law enforcement, regulatory authorities, and third parties for the purpose of preventing crime and prosecuting offenders. We use technology supplied by Vision R (https://visionr.com/privacy-gdpr) to study customer journeys through our stores and Auror (https://www.auror.co/) to support fraud and crime prevention in our stores. In some of our stores, staff and security support staff wear Solo Protect (https://www.soloprotect.com/uk) audio recording devices to record abusive and criminal activity when activated.
  • If you have opted in to receive marketing from third parties, you can opt out of these marketing communications at any time. Clicking on links to third-party websites, plug-ins and applications contained within this website, or enabling those connections, may allow third parties to collect or share data about you. When you leave our website, we encourage you to read the privacy notice of every website you visit.
  • We require all third parties to respect the security of your personal data and to treat it in accordance with the law.
  • We will process your personal data for as long as necessary including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. Customer data is normally retained for a period of six years, or until we are no longer required to retain copies to meet regulatory obligations. In some circumstances we may anonymise your personal data for research or statistical purposes.
  • We retain CCTV and other surveillance images for up to three months unless required to retain for a longer period for the purpose of supporting a law enforcement investigation, legal proceedings or meeting other regulatory obligations.

Marketing

We may send marketing communications about our own goods and services if you have opted in to receive our marketing messages, or you have previously bought or enquired about similar goods or services from us (including by placing items in your basket but not completing an order) and you have not opted out from receiving our marketing messages. You can unsubscribe from marketing at any time.

You may see WHSmith promotional messages on other websites. These messages will be displayed based on cookies placed during your recent visit to our websites. Please see our Cookie Policy for more details, including how you can update your preferences.

Use of social media management platforms

From time to time, we may use a social media management platform to assist with posting content and responding to customer messages and comments on our social media channels. This helps us manage our social interactions more efficiently and provide timely responses. Any personal information shared with us via social media will continue to be handled in line with our Privacy Notice.

International data transfers and data security

Some of our third-party processors may transfer or access your data outside of the UK and EEA. Our contractual agreements with third party service suppliers include appropriate security and data transfer safeguarding mechanisms such as the EU Standard Contractual Clauses (SCCs), the UK Addendum to the SCCs or the UK International Data Transfer Agreement (IDTA).

We have appropriate technical and organisational security measures in place to meet our security obligations in respect of your personal data. If you have concerns about the security of your data, please contact the Data Protection Officer: [email protected]

Your individual rights

Under data protection law you have rights in respect of the processing of your data, including:

  • Right of Access - You can request a copy of the personal data we hold about you.
  • Right to Rectification - You have the right to have inaccurate personal data rectified, or completed if it is incomplete. Please keep us informed if your personal data changes during your relationship with us.
  • Right to Erasure - Also known as the Right To Be Forgotten, you have the right to request that we delete personal data we hold about you in certain circumstances. If it is not possible to delete the information immediately because we must meet legal or other obligations, we will inform you of the retention period.
  • Right to Restriction of Processing - In certain circumstances you have the right to request the restriction of the processing of your personal data.
  • Right to Data Portability - You have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances.
  • Right to Object - You have the right to object to the processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your situation which makes you want to object to processing on this ground. You can ask us or third parties to stop sending you marketing messages at any time by contacting us or by unsubscribing from marketing communications in any communication sent to you.
  • Rights in respect of automated decision-making.

You will not have to pay a fee to exercise any of the rights. We will respond within one month but if your request is particularly complicated and we will need more time to provide the information, we may extend the response period by another two months. We will inform you within the first month if that is the case. We may need to request specific information from you to help us confirm your identity. We may also contact you to ask you for further information or clarification to speed up our response.

We may charge a reasonable fee if your access request is manifestly unfounded, repetitive or excessive.

Cookie notice

You can make choices regarding the loading of non-essential cookies or set your browser to refuse all or some browser cookies.

Contact us

If you have questions or complaints about the processing of your personal data, please contact the Data Protection Officer:

[email protected]

Data Protection Officer

WHSmith PLC, Aldgate Tower, 2 Leman St, London E1 8FA

Complaints

 

If you have a complaint regarding the processing of your data please complete this form and we will acknowledge complaints within 30 days, keep you informed of progress, and explain the outcome.

If you are not satisfied with the response you receive from us, you have the right to contact the regulator in your country.

United Kingdom

Information Commissioner’s Office

+ 44 0303 123 1113

www.ico.org.uk

EEA

Office of the Information Commissioner (OIC)

6 Earlsfort Terrace, Dublin 2, D02 W773

[email protected]

+353 1 639 5689

Updates

We will update this Privacy Notice from time to time, please note the update date.

Last Updated: April 2026

V3.2026