Last Updated January 2026
Choosing to shop with us means you've placed trust in us to handle your personal data responsibly. In sharing your personal data we hope you in return benefit from a tailored and convenient shopping experience. With trust comes responsibility and we take this responsibility very seriously.
This privacy policy helps you to understand how we use your personal data and who we share it with. It applies if you shop on our websites, use our apps, shop in our stores, contact customer services or if you otherwise share your personal data with us; for example if you contact us with a query or where you tell us that you would like to receive marketing communications from us.
We change the terms of this privacy policy from time to time and you should check it regularly. The last updated date is shown at the beginning of the document. If we make any material changes we will take steps to bring it to your attention.
When we say “we”, “our” or “us” in this policy we are referring to the companies that make up the NEXT Group. This privacy policy applies to the following companies:
Next Retail Limited, Next Holdings Limited, Next Distribution Limited, Next Manufacturing Limited, Next Sourcing Limited, Next Retail (Ireland) Limited, Next Germany GmbH, NEXT (US) LLC, Next General Trading LLC, Next General Trading FZE, Next Beauty Limited, Lipsy Limited, Victoria’s Secret (VS Brands Holdings UK Limited), GAP (West Apparel UK Holdings Limited), Reiss (Pink Topco Limited), JoJo Maman Bébé (Regent BidCo 1 Limited), Joules (The Harborough Hare Holdings Limited) and Fatface (Bridgetown Holdco Limited).
The company named within the Terms & Conditions on the website or app is the data controller of your personal data, which means we are responsible for deciding how and why your personal data is used. We are also responsible for making sure it is kept safe, secure and handled legally.
We sometimes work with other organisations in connection with some of the processing activities described in this privacy policy, such as social media platforms. Where that data is collected and sent to other organisations for processing that is for a common purpose, we will be making decisions together in relation to that particular processing and will be ‘joint data controllers’ with the organisations involved. As joint data controllers, we and the other organisations involved in making these decisions will be jointly responsible to you under data protection laws for this processing.
We operate to the highest standards when protecting your personal data and respecting your privacy. If you have any questions about your personal data, or how we use it, you can contact our Data Protection Officer via email at dataprotection@next.co.uk or by writing to our registered office at the following addresses:
UK registered address: Data Protection Officer, NEXT Group, Desford Road, Enderby, Leicester, LE19 4AT.
EU registered address: Data Protection Officer, NEXT Retail (Ireland) Ltd, 13–18 City Quay, Dublin 2, D02 ED70, Ireland.
You have a number of “Data Subject Rights”, we have explained below what they are and how you can exercise them. You can read more about these rights on the UK Information Commissioner's Office website at ico.org.uk/for-the-public, or on your local Data Protection Authority website.
The above rights may be limited in some circumstances, for example: if fulfilling your request would reveal personal data about another person, if you ask us to delete data which we are required to have by law, or if we have compelling legitimate interests to keep it. We will let you know if that is the case and will then only use your data for these purposes. You may also be unable to continue using our services if you want us to stop processing your personal data.
If you have any general questions or want to exercise any of your rights, please see the “how you can get in touch” section of this privacy policy. In order to maintain the security of our customers' personal details, we may need to request proof of identity before we disclose personal data to you in response to any request.
We encourage you to get in touch if you have any concerns with how we collect or use your personal data. You have the right to lodge a complaint directly with a Data Protection Authority. The Data Protection Authority in the UK, where we are based, is the Information Commissioner's Office (ICO), you can contact the ICO here: ico.org.uk/make-a-complaint. Our main supervisory authority in the EU is the Data Protection Commission (DPC) based in the Republic of Ireland, you can contact the DPC here: forms.dataprotection.ie/contact.
We will only ever process your data if we have a lawful basis to do so. The lawful bases we rely on are:
We collect and use the data that you provide to us directly, for example; when you register for an account; we use cookies and other similar technologies to collect data from your devices when you interact with our advertising or use our website (you can find out more information in the “Cookie Policy” section below); we keep records when you speak to our customer service teams; we use CCTV in our stores for security monitoring and market research purposes; we take personal data from a number of third parties to help us manage your account and improve your shopping experience.
To process any orders that you place with us and to facilitate any returns
Lawful basis: Contract
To provide you with access to an account
Lawful basis: Contract
To provide customer service to you
Lawful basis: Consent/Legitimate Interest in providing customer support
To offer and manage any credit we provide to you
Lawful basis: Contract/Legal Obligation/Legitimate Interest in ensuring product suitability and managing debts
To personalise and improve your experience when you shop
Lawful basis: Consent/Legitimate Interest in providing relevant and personalised experiences when you shop with us
To inform you about products and services that may interest you
Lawful basis: Consent
Lawful basis: Legitimate Interest in assessing how and where to place advertising
To personalise and engage with you on social media
Lawful basis: Consent/Legitimate Interest to personalise the marketing and services we provide to you
To keep in touch with you
Lawful basis: Consent/Contract
Lawful basis: Legitimate interest in marketing to you and keeping customers updated
To ensure the Website and the services we offer you operate properly
Lawful basis: Consent
Lawful basis: Legitimate Interest in planning and delivering efficient operations and to prevent and detect crime or fraudulent activity
To develop and improve our products, range and services
Lawful basis: Legitimate Interest in understanding our customers’ needs and behaviours to provide a better experience
You can view the privacy policy for Experian and Merkle, including the ways in which they use and share personal data here:
experian.co.uk/privacy/privacy-policies
To prevent and detect crime and other incidents
Lawful basis: Recognised Legitimate Interest / Legitimate Interest in keeping our customers and staff safe, reducing theft and fraud
To fulfil our legal obligations
Lawful basis: Legal Obligation
We use a number of different social media platforms to communicate with you and to promote products and services. We process your personal data using these platforms in a variety of ways, as follows:
Pages/accounts. We use your personal data when you post content or otherwise interact with us on our official pages and accounts on Facebook, Instagram, Pinterest, Snapchat, TikTok, LinkedIn, X (formerly Twitter) and other social media platforms. We also use the Page Insights service for Facebook, Instagram, Pinterest, TikTok, Snapchat and X to view statistical data and reports regarding your interactions with the pages and accounts we administer on those platforms and their content. Where those interactions are recorded and form part of the data we access through these page insights services, we and the relevant platform are joint data controllers of the processing necessary to provide that service to us.
Cookies. We use cookies and similar technologies in our website to collect and send data to social media platforms about actions you take on our website and applications. In particular:
Our relationship with Meta and LinkedIn. As we are joint data controllers with these platforms for certain processing, we and each platform have:
Meta also processes, as our processor, contact information that we submit for the purposes of matching, online targeting, measurement, reporting and analytics purposes. These services include the processing Meta carries out when they display our advertisements to you in your news feed at our request after matching contact details for you that we have uploaded to the social media platforms they operate.
Further information. The Meta company that is a joint data controller of your personal data is Meta Platforms, Inc., 1601 Willow Road, Menlo Park, CA 94025, USA (if you are a UK-registered user) or Meta Platforms Ireland Limited, Block J, Serpentine Avenue, Dublin 4, Ireland (if you are an EEA-registered user). The LinkedIn company that is a joint data controller of your personal data is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. For further information regarding these platforms and their use of your personal data, please see:
What are cookies?
Cookies are small text files that are stored on your computer, mobile device or other web enabled device when you visit one of our websites or apps. Cookies allow us to “remember” your actions or preferences over a period of time, or they may contain data related to the function or delivery of our websites. We also use the term “cookie” to describe similar technologies such as pixels or tags.
What do we use cookies for?
Some cookies are required by our site to enable you to transact whilst other cookies enable us to give you an enhanced, personalised web experience. We use cookies for the following purposes:
We also offer you the facility to share your experience on our website through social sites. More information about how these sites use cookies can be found on their websites.
What cookies do we use?
We use the following cookies on our websites and apps:
Can I turn off or block cookies?
We use cookies to ensure that we provide the best possible standard of service to our online customers. You can change your cookie preferences at any time by clicking on “Manually Manage Cookies” at the bottom of the page. You can then adjust the available sliders to on or off, then click “Confirm my choices”. If you choose not to consent to the use of cookies your experience of our website may be impaired and many integral aspects of the website, including (but not limited to) adding items to your shopping bag and accessing your account, will not work.
Alternatively, most web browsers allow some control of most cookies through the browser settings. To find out more about how to manage cookies, including how to delete cookies, visit www.allaboutcookies.org
We keep your personal data as long as you are a customer of ours and generally for up to 7 years afterwards to comply with legal requirements. During that time we take steps to remove any personal data as soon as we no longer need it.
We consider you a customer:
We keep CCTV footage on our systems for up to 30 days, it is then deleted. Where accidents, incidents, criminal activities or breaches of our policies are recorded CCTV footage will be kept for longer, however only as long as necessary.
We work with a number of trusted third parties to provide you high quality goods and services. Anybody we work with is subject to stringent security and data protection assessments before we begin to do business with them and on an ongoing basis.
We always make efforts to anonymise data and only pass over personal data that is absolutely necessary for the purposes it is being processed. We always do so securely.
We have contracts in place with all suppliers that help us to ensure security and privacy of your personal data, these are reviewed and updated regularly and always in line with data protection laws.
The identities of the CRAs, and the ways in which they use and share personal data, are explained in more detail at:
- Experian Credit Reference Agency Information Notice
We also take data from CRAs to allow us to make decisions about your credit account and credit facility.
The identities of the DCAs, and the ways in which they use and share personal data, are explained in more detail at:
Our main operations are based in the UK and your personal data is generally processed, stored and used within the UK. In some instances your personal data may be processed outside the UK. For example, we operate a customer contact centre in Pune, India. Operatives in this location will have access to your account data in order to assist you with your query. We also work with suppliers and partners who may make use of Cloud and /or hosted technologies across multiple geographies.
If you place an order with us and you are outside of the UK we will transfer the personal data that we hold on you to the UK to facilitate your order and may also transfer your personal data to third parties located in your country of residence to enable us to deliver products you order from us. If and when this is the case, we take steps to ensure there is an adequate level of security so your personal data is protected in a similar way as if it was being used within the UK.
Where we need to transfer your personal data outside the UK, and if the recipient country has not been determined as providing an equivalent adequate level of protection as the UK and EU, we will use one of the following safeguards:
We always ensure that personal data is secure by continuously developing our security systems and training for our employees. We have implemented appropriate technical and organisational security measures designed to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, unauthorised access, and other unlawful or unauthorised forms of processing, in accordance with applicable law.
If you use any third party apps, websites or services to access our services, your usage is subject to the relevant third party's terms and conditions, cookies policy, and privacy policy. For example, if you interact with us on social media, your use is subject to the terms and conditions and privacy policies of the relevant social media platform (Facebook, X etc.). The same applies if you use third party services, like Amazon's Alexa. In certain cases we may be required to share your personal data, in relation to transactions and usage of the services, with the relevant third party.
If you would like to exercise any of your rights mentioned within this privacy policy you can submit these through our privacy portal.
If you would like to make a data protection complaint you can write to us the email or address below, or you can complete our online complaint form. Once you submit your complaint to us we will respond within the 30 day timeframe and will provide you with an outcome of your complaint.
Alternatively, should you need to contact our Data Protection Officer please email: dataprotection@next.co.uk or you can write to:
UK registered address:
Data Protection Officer
NEXT Group
Desford Road
Enderby
Leicester
LE19 4AT
EU registered address:
Data Protection Officer
NEXT Retail (Ireland) Ltd
13–18 City Quay
Dublin 2
D02 ED70
Ireland
This section applies to you if you are located in the Republic of Korea and to the extent that NEXT is subject to the Personal Information Protection Act (“PIPA”). This Republic of Korea Appendix supplements the information in the NEXT Group Privacy & Cookie Policy and should be read in conjunction with the NEXT Group Privacy & Cookie Policy. To the extent there is any conflict or inconsistency, this section shall prevail. This Republic of Korea Appendix may be amended or updated from time to time.
Personal Information Processed with Data Subject’s Consent
We process the following personal information, which includes pseudonymised data, with the consent of the data subject in accordance with Articles 15(1)(1) and 22(1)(7) of the PIPA.
| Purpose of Collection and Use | Collected Items | Period of Retention and Use |
|---|---|---|
| To provide customer service | Call recordings, correspondence, automated machine learning/AI interaction data | As long as you are a customer of ours and generally for up to 7 years afterwards to comply with legal requirements. |
| To personalise and improve the shopping experience | Interaction records (web/app/marketing), purchase history, demographics, account data, third party data, device information, email address | As long as you are a customer of ours and generally for up to 7 years afterwards to comply with legal requirements. |
| To inform about products and services (Marketing) | Cookies, aggregated/anonymised data about customer segments, interaction data with adverts on 3rd party platforms | As long as you are a customer of ours and generally for up to 7 years afterwards to comply with legal requirements. |
| To personalise and engage on social media | Personal data for engagement, cookie data, application code data, statistical interaction reports | As long as you are a customer of ours and generally for up to 7 years afterwards to comply with legal requirements. |
| To keep in touch (Communications) | Contact details (Email, SMS, WhatsApp, etc.), marketing preferences, website interaction records, purchase history, account data | As long as you are a customer of ours and generally for up to 7 years afterwards to comply with legal requirements. |
| To ensure website and service operations | Cookies, IP address, device type, data for logistics planning, demand forecasting, management information, dealing with errors on our site, and general research and development | As long as you are a customer of ours and generally for up to 7 years afterwards to comply with legal requirements. |
| To develop and improve products and services | Anonymised customer insights, customer feedback (surveys), demographics/lifestyle/shopping behavior (3rd party data), email tracking data (opens/clicks), website or app interaction data, other third-party data for product development | As long as you are a customer of ours and generally for up to 7 years afterwards to comply with legal requirements. |
Purpose of Collection and Use: To provide customer service
Collected Items: Call recordings, correspondence, automated machine learning/AI interaction data
Period of Retention and Use: As long as you are a customer of ours and generally for up to 7 years afterwards to comply with legal requirements.
Purpose of Collection and Use: To personalise and improve the shopping experience
Collected Items: Interaction records (web/app/marketing), purchase history, demographics, account data, third party data, device information, email address
Period of Retention and Use: As long as you are a customer of ours and generally for up to 7 years afterwards to comply with legal requirements.
Purpose of Collection and Use: To inform about products and services (Marketing)
Collected Items: Cookies, aggregated/anonymised data about customer segments, interaction data with adverts on 3rd party platforms
Period of Retention and Use: As long as you are a customer of ours and generally for up to 7 years afterwards to comply with legal requirements.
Purpose of Collection and Use: To personalise and engage on social media
Collected Items: Personal data for engagement, cookie data, application code data, statistical interaction reports
Period of Retention and Use: As long as you are a customer of ours and generally for up to 7 years afterwards to comply with legal requirements.
Purpose of Collection and Use: To keep in touch (Communications)
Collected Items: Contact details (Email, SMS, WhatsApp, etc.), marketing preferences, website interaction records, purchase history, account data
Period of Retention and Use: As long as you are a customer of ours and generally for up to 7 years afterwards to comply with legal requirements.
Purpose of Collection and Use: To ensure website and service operations
Collected Items: Cookies, IP address, device type, data for logistics planning, demand forecasting, management information, dealing with errors on our site, and general research and development
Period of Retention and Use: As long as you are a customer of ours and generally for up to 7 years afterwards to comply with legal requirements.
Purpose of Collection and Use: To develop and improve products and services
Collected Items: Anonymised customer insights, customer feedback (surveys), demographics/lifestyle/shopping behavior (3rd party data), email tracking data (opens/clicks), website or app interaction data, other third-party data for product development
Period of Retention and Use: As long as you are a customer of ours and generally for up to 7 years afterwards to comply with legal requirements.
Personal Information Processed on Other Lawful Bases
NEXT (“We” or the “Company”) process the following personal information, which includes pseudonymised data, on lawful bases other than the data subject’s consent.
| Legal Basis | Purpose of Collection and Use | Collected Items | Period of Retention and Use |
|---|---|---|---|
| Article 15(1)2 of the PIPA (compliance with specific legal provisions or statutory obligations) | To fulfil legal obligations | [e.g., Account data, order history, payment history, health and safety incident records, records to meet regulatory and tax requirements] | As long as you are a customer of ours and generally for up to 7 years afterwards to comply with legal requirements. |
| Article 15(1)4 of the PIPA (performance of a contract) | To process any orders that you place with us and to facilitate any returns and provide access to an account | Payment details, account data, delivery address details, name, email address, telephone number, home address, date of birth, account password | As long as you are a customer of ours and generally for up to 7 years afterwards to comply with legal requirements. |
| Article 15(1)6 of the PIPA (as necessary for the immediate benefit of the life, physical integrity, or property of the data subject or a third party) | To prevent and detect crime | Account activity, application and purchase history, device identifiers, IP addresses, account numbers | As long as you are a customer of ours and generally for up to 7 years afterwards to comply with legal requirements. |
Legal Basis: Article 15(1)2 of the PIPA (compliance with specific legal provisions or statutory obligations)
Purpose of Collection and Use: To fulfil legal obligations
Collected Items: [e.g., Account data, order history, payment history, health and safety incident records, records to meet regulatory and tax requirements]
Period of Retention and Use: As long as you are a customer of ours and generally for up to 7 years afterwards to comply with legal requirements.
Legal Basis: Article 15(1)4 of the PIPA (performance of a contract)
Purpose of Collection and Use: To process any orders that you place with us and to facilitate any returns and provide access to an account
Collected Items: Payment details, account data, delivery address details, name, email address, telephone number, home address, date of birth, account password
Period of Retention and Use: As long as you are a customer of ours and generally for up to 7 years afterwards to comply with legal requirements.
Legal Basis: Article 15(1)6 of the PIPA (as necessary for the immediate benefit of the life, physical integrity, or property of the data subject or a third party)
Purpose of Collection and Use: To prevent and detect crime
Collected Items: Account activity, application and purchase history, device identifiers, IP addresses, account numbers
Period of Retention and Use: As long as you are a customer of ours and generally for up to 7 years afterwards to comply with legal requirements.
We provide personal information to third parties for their independent use as described below.
To facilitate efficient provision of its services, we ensure that data is shared only to the extent necessary and with the consent of the data subject, as outlined in the following cases under Article 17(1)1 of the PIPA.
| Recipient’s Name | Items of Personal information Transferred | Recipient’s Purpose of Use | Period of Retention and Use by Recipient |
|---|---|---|---|
| NEXT Group companies | All personal information collected | To provide personalised services across NEXT’s group companies | As long as you are a customer of ours and generally for up to 7 years afterwards to comply with legal requirements. |
| Delivery partners (including brand partners) | Name, delivery address details, email address, telephone number, home address | To help NEXT deliver the goods you order to customers, dispatch and deliver goods to you directly] | As long as you are a customer of ours and generally for up to 7 years afterwards to comply with legal requirements. |
| Marketing companies and online advertising (e.g., Facebook, Google) | Electronic communications, cookies, pixels, and device IDs | To help NEXT manage electronic communications, show customers the advertising customers are most likely to be interested in, management of email marketing operations, mobile messaging services, analysis of the effectiveness of advertising and communications campaigns | As long as you are a customer of ours and generally for up to 7 years afterwards to comply with legal requirements. |
| Consumer profiling organisations | Demographic or other data, purchase history, browsing history, marketing data | To help better understand customers' demographics, lifestyles or shopping | As long as you are a customer of ours and generally for up to 7 years afterwards to comply with legal requirements. |
| Payment processors | Payment card details, payment data | To process credit and debit card payments and store payment data. | As long as you are a customer of ours and generally for up to 7 years afterwards to comply with legal requirements. |
Recipient’s Name: NEXT Group companies
Items of Personal information Transferred: All personal information collected
Recipient’s Purpose of Use: To provide personalised services across NEXT’s group companies
Period of Retention and Use by Recipient: As long as you are a customer of ours and generally for up to 7 years afterwards to comply with legal requirements.
Recipient’s Name: Delivery partners (including brand partners)
Items of Personal information Transferred: Name, delivery address details, email address, telephone number, home address
Recipient’s Purpose of Use: To help NEXT deliver the goods you order to customers, dispatch and deliver goods to you directly]
Period of Retention and Use by Recipient: As long as you are a customer of ours and generally for up to 7 years afterwards to comply with legal requirements.
Recipient’s Name: Marketing companies and online advertising (e.g., Facebook, Google)
Items of Personal information Transferred: Electronic communications, cookies, pixels, and device IDs
Recipient’s Purpose of Use: To help NEXT manage electronic communications, show customers the advertising customers are most likely to be interested in, management of email marketing operations, mobile messaging services, analysis of the effectiveness of advertising and communications campaigns
Period of Retention and Use by Recipient: As long as you are a customer of ours and generally for up to 7 years afterwards to comply with legal requirements.
Recipient’s Name: Consumer profiling organisations
Items of Personal information Transferred: Demographic or other data, purchase history, browsing history, marketing data
Recipient’s Purpose of Use: To help better understand customers' demographics, lifestyles or shopping
Period of Retention and Use by Recipient: As long as you are a customer of ours and generally for up to 7 years afterwards to comply with legal requirements.
Recipient’s Name: Payment processors
Items of Personal information Transferred: Payment card details, payment data
Recipient’s Purpose of Use: To process credit and debit card payments and store payment data.
Period of Retention and Use by Recipient: As long as you are a customer of ours and generally for up to 7 years afterwards to comply with legal requirements.
We delegate the processing of personal information as described below, and the delegatees may process personal information according to the purpose of the delegation:
| Delegatee | Description of Delegated Services |
|---|---|
| Asendia |
|
| Worldpay |
|
| Paypal |
|
| Apple Pay (Apple Inc.) |
|
| Alipay |
|
Delegatee: Asendia
Description of Delegated Services:
Delegatee: Worldpay
Description of Delegated Services:
Delegatee: Paypal
Description of Delegated Services:
Delegatee: Apple Pay (Apple Inc.)
Description of Delegated Services:
Delegatee: Alipay
Description of Delegated Services:
In accordance with Article 26(1) of the PIPA, we include provisions in agreements to ensure the following: prohibition of processing personal information for purposes other than those related to the delegated services, implementation of technical and managerial protection measures, restrictions on further sub-delegation, management and supervision of delegatees, and liability for damages. We continuously supervise our delegatees to ensure that personal information is processed securely. Additionally, under Article 26(6) of the PIPA, our consent is required whenever a delegatee intends to sub-delegate the processing of personal information.
Any changes to the details of the delegated services or the delegates will be promptly disclosed through this Republic of Korea Appendix.
For information regarding the outsourcing of personal information processing, please refer to the 4. Overseas Transfer of Personal Information section.
We provide and delegate the processing of personal information collected from service users to parties located overseas, as outlined below:
Provision of Personal Information to Overseas Third Parties
| Legal Basis | Recipient (Contact Info.) | Destination Country | Purpose of Use by Recipient | Items Transferred | Timing and Method of Transfer | Period of Retention and Use by Recipient |
|---|---|---|---|---|---|---|
| Article 28-8 (1)(1) of the PIPA (data subject’s consent | Bloomreach, Inc. (www.bloomreach.com) | United States | For the purposes of personalising and delivering marketing communications | Name, email address, marketing preferences, purchase history, website and app interaction data, cookies and device identifiers | Transmitted electronically via secure dedicated network on an ongoing basis as customers opt in to marketing | As long as you are a customer of ours, and generally for up to 7 years afterwards to comply with legal requirements |
| Article 28-8 (1)(1) of the PIPA (data subject’s consent | Google LLC (www.google.com) - Google Ads | United States | For the purposes of delivering and personalising paid marketing/advertising | A hashed version of email address and device ID | Transmitted electronically via secure dedicated network on an ongoing basis as customers opt in to marketing | As long as you remain a customer of ours, and for up to 5 years thereafter |
Legal Basis: Article 28-8 (1)(1) of the PIPA (data subject’s consent
Recipient (Contact Info.): Bloomreach, Inc. (www.bloomreach.com)
Destination Country: United States
Purpose of Use by Recipient: For the purposes of personalising and delivering marketing communications
Items Transferred: Name, email address, marketing preferences, purchase history, website and app interaction data, cookies and device identifiers
Timing and Method of Transfer: Transmitted electronically via secure dedicated network on an ongoing basis as customers opt in to marketing
Period of Retention and Use by Recipient: As long as you are a customer of ours, and generally for up to 7 years afterwards to comply with legal requirements
Legal Basis: Article 28-8 (1)(1) of the PIPA (data subject’s consent
Recipient (Contact Info.): Google LLC (www.google.com) - Google Ads
Destination Country: United States
Purpose of Use by Recipient: For the purposes of delivering and personalising paid marketing/advertising
Items Transferred: A hashed version of email address and device ID
Timing and Method of Transfer: Transmitted electronically via secure dedicated network on an ongoing basis as customers opt in to marketing
Period of Retention and Use by Recipient: As long as you remain a customer of ours, and for up to 5 years thereafter
Delegation of personal information processing and storage for performance of contract
| Legal Basis | Recipient (Contact Info.) | Destination Country | Purpose of Use by Recipient | Items Transferred | Timing and Method of Transfer | Period of Retention and Use by Recipient |
|---|---|---|---|---|---|---|
| Article 28-8 (1) 3 of the PIPA (delegation of personal information processing and storage for performance of contract | EXL Services (UK) Limited (contract counterparty); processing performed by EXL Services personnel located in Pune, India | United Kingdom and India | To perform customer service functions on behalf of Next, including handling customer queries, complaints and related interactions | Name, email address, telephone number, order history, account data, correspondence and interaction records | Transmitted electronically via secure dedicated network on an ongoing basis as customer service queries arise | As long as you are a customer of ours, and generally for up to 7 years afterwards to comply with legal requirements |
| Article 28-8 (1) 3 of the PIPA (delegation of personal information processing and storage for performance of contract | Zendesk, Inc. (www.zendesk.com) | United States | To provide Next's primary customer service platform, through which all customer queries and support interactions are managed | Name, email address, telephone number, order history, account data, correspondence and interaction records, customer service ticket data | Transmitted electronically via secure dedicated network on an ongoing basis as customer queries are received | As long as you are a customer of ours, and generally for up to 7 years afterwards to comply with legal requirements |
| Article 28-8 (1) 3 of the PIPA (delegation of personal information processing and storage for performance of contract | Genesys Telecommunications Laboratories, Inc. (www.genesys.com) | United States | To manage inbound customer interactions into Next's contact centres, including telephone calls and other inbound communications | Name, telephone number, call recordings, interaction data, account data | Transmitted electronically via secure dedicated network on an ongoing basis as inbound contact centre interactions occur | As long as you are a customer of ours, and generally for up to 7 years afterwards to comply with legal requirements |
Legal Basis: Article 28-8 (1) 3 of the PIPA (delegation of personal information processing and storage for performance of contract
Recipient (Contact Info.): EXL Services (UK) Limited (contract counterparty); processing performed by EXL Services personnel located in Pune, India
Destination Country: United Kingdom and India
Purpose of Use by Recipient: To perform customer service functions on behalf of Next, including handling customer queries, complaints and related interactions
Items Transferred: Name, email address, telephone number, order history, account data, correspondence and interaction records
Timing and Method of Transfer: Transmitted electronically via secure dedicated network on an ongoing basis as customer service queries arise
Period of Retention and Use by Recipient: As long as you are a customer of ours, and generally for up to 7 years afterwards to comply with legal requirements
Legal Basis: Article 28-8 (1) 3 of the PIPA (delegation of personal information processing and storage for performance of contract
Recipient (Contact Info.): Zendesk, Inc. (www.zendesk.com)
Destination Country: United States
Purpose of Use by Recipient: To provide Next's primary customer service platform, through which all customer queries and support interactions are managed
Items Transferred: Name, email address, telephone number, order history, account data, correspondence and interaction records, customer service ticket data
Timing and Method of Transfer: Transmitted electronically via secure dedicated network on an ongoing basis as customer queries are received
Period of Retention and Use by Recipient: As long as you are a customer of ours, and generally for up to 7 years afterwards to comply with legal requirements
Legal Basis: Article 28-8 (1) 3 of the PIPA (delegation of personal information processing and storage for performance of contract
Recipient (Contact Info.): Genesys Telecommunications Laboratories, Inc. (www.genesys.com)
Destination Country: United States
Purpose of Use by Recipient: To manage inbound customer interactions into Next's contact centres, including telephone calls and other inbound communications
Items Transferred: Name, telephone number, call recordings, interaction data, account data
Timing and Method of Transfer: Transmitted electronically via secure dedicated network on an ongoing basis as inbound contact centre interactions occur
Period of Retention and Use by Recipient: As long as you are a customer of ours, and generally for up to 7 years afterwards to comply with legal requirements
If you choose to refuse the transfer of your personal information overseas, please be aware that refusing such transfer will prevent us from providing some or all of its services. Should you prefer not to have your personal information transferred overseas, you may opt to cancel your membership on the website or request withdrawal by contacting us at dataprotection@next.co.uk.
We collect and process personal information from overseas for the purposes set forth in the Republic of Korea Appendix.
At any time, you may exercise your right to request that we access, correct, delete, or suspend the processing of your personal information, withdraw consent, refuse automated decisions, or seek an explanation for such decisions. We will take prompt action in response to such requests. However, your rights to access and suspend processing may be restricted under Articles 35(4) and 37(2) of PIPA. Furthermore, we cannot delete personal information if other laws and regulations require its retention.
Under Article 41(1) of the PIPA Enforcement Decree, you may exercise your rights in writing, via email, or similar means. You may also exercise your rights through an authorised representative or agent. In such cases, a power of attorney must be submitted in the form specified in Annex No. 11 of the Notification on How to Process Personal Information, and NEXT will verify the identity of the person exercising the rights.
For children under the age of 14, the above rights must be exercised by their legal representative. Minors aged 14 or older may exercise their rights independently or through their legal representative.
We keep your personal data as long as you are a customer of ours and for up to 7 years afterwards.
We consider you a customer:
During that time, we take steps to remove any personal data as soon as we no longer need it. We will promptly destroy personal information when it is no longer necessary due to the expiration of the retention period or the achievement of the processing purpose.
We will destroy personal information as follows:
We use ‘cookies’ to store and frequently retrieve usage information in order to provide personalised services and convenience to data subjects. Cookies are small amounts of information sent by the server (HTTP) used to operate the website to the data subject's browser. They are stored on the data subject's computer or mobile device and are automatically transmitted from the data subject's browser back to the server when accessing the website.
You may configure your browser settings to allow or block cookies as described below:
Collection, Use, Provision, and Opt-Out of Behavioral Information
We collect and utilise behavioral information, through cookies, to deliver tailored services and benefits, optimised user experiences, and targeted online advertisements. This data is collected in a form that can identify individuals during their interaction with our services.
You can find out more about the cookies used in our Privacy & Cookie policy and the list of cookies used on the website can be viewed within our cookie management platform, click on “manually manage cookies” at the bottom of the website.
In accordance with PIPA, we may use or provide personal information within the scope reasonably related to the initial purpose of collection, considering whether disadvantages have been caused to data subjects and whether necessary security measures such as encryption have been implemented. We will exercise due care in determining whether to use or provide personal information, considering general circumstances including relevant laws and regulations, the purpose of use or provision, how personal information will be used or provided, items to be used or provided, matters to which data subjects provided consent or which were disclosed, impact on data subjects, and protective measures taken.
Specific considerations include:
To ensure the safety of personal information, we implement the following measures:
To protect your personal information and handle related complaints, we have designated the following department responsible for personal information protection:
To address any personal information infringement, individuals may apply for dispute resolution or seek consultation through the Personal Information Dispute Mediation Committee or the Korea Internet & Security Agency's Personal Information Infringement Reporting Center, among others. Additionally, the following institutions can be contacted for further reports and consultations regarding personal information infringement.
This Republic of Korea Appendix is effective from June 2026. Previous versions of the Republic of Korea Appendix are available on request.
Are you sure you want to navigate away from this site?
If you navigate away from this site
you will lose your shopping bag and its contents.
There are no Recently Viewed items to show. Items will appear here as you view them. You can then select the images to revisit the items.
Oops' Something's gone wrong! Please try again