Last Updated: 2026-03-30. This document is an informational template only and does not constitute legal advice. For full GDPR compliance — including data processing agreements, records of processing activities (Article 30), data protection impact assessments, and controller/processor obligations — consult a qualified data protection specialist.

1. Data Controller Details

Mondi Home UK (BOA HOME FURNİTURE LTD, registration: ) is the data controller for personal data collected through https://mondihome.co.uk/. All data processing activities described in this notice are carried out under our control and responsibility.

Registered address: 375 – 377 High Road, London, England, N17 6QN, United Kingdom
Data Protection Officer / Privacy contact: info@mondihome.co.uk
General contact: info@mondihome.co.uk
Applicable jurisdiction: UK-EU

2. Applicable Data Protection Legislation

We process personal data in compliance with applicable legislation, including:

  • UK GDPR (as retained and amended in UK law following the UK’s exit from the EU) and the Data Protection Act 2018;
  • EU GDPR (Regulation (EU) 2016/679) — applicable to data subjects in the European Economic Area;
  • Privacy and Electronic Communications Regulations (PECR) 2003 (UK);
  • ePrivacy Directive 2002/58/EC and national implementing legislation (EU);
  • Consumer protection legislation including the Consumer Rights Act 2015 (UK) and EU Consumer Rights Directive 2011/83/EU, to the extent it governs how personal data is used in consumer transactions;
  • Any other applicable national or sector-specific data protection rules.

3. Lawful Bases for Processing Personal Data

We rely on the following lawful bases under Article 6 of the UK / EU GDPR:

  • Performance of a contract (Art. 6(1)(b)): Processing necessary to fulfil your purchase, manage your account, process returns, or take pre-contractual steps at your request. This covers almost all e-commerce transaction processing.
  • Legal obligation (Art. 6(1)(c)): Processing required by law, including retention of transaction records for tax compliance, anti-money laundering obligations, consumer protection duties, and VAT record-keeping.
  • Legitimate interests (Art. 6(1)(f)): Processing necessary for our genuine business interests where these are not overridden by your rights. Examples include fraud detection and prevention, abandoned basket emails to existing customers (where permitted), security monitoring, improving our services, and direct marketing to existing customers (subject to opt-out rights). A Legitimate Interests Assessment (LIA) is conducted for each such activity.
  • Consent (Art. 6(1)(a)): Where we rely on consent — for example, for newsletter subscriptions, non-essential cookies, or certain marketing communications — we obtain freely given, specific, informed, and unambiguous consent. You may withdraw consent at any time by emailing info@mondihome.co.uk or using the unsubscribe link in any marketing email.
  • Vital interests (Art. 6(1)(d)): In exceptional circumstances, to protect the vital interests of an individual.

4. Special Category (Sensitive) Personal Data

We do not intentionally collect or process special-category personal data (Article 9 GDPR: data revealing racial or ethnic origin, political opinions, religious beliefs, genetic or biometric data, health data, data concerning sex life or sexual orientation, etc.) unless:

  • You explicitly provide such data in a support request, product review, or other communication (in which case it is processed under Art. 9(2)(a) — explicit consent); or
  • Processing is required by law (Art. 9(2)(b)) — for example, if required by workplace safety or accessibility regulations.

5. Categories of Personal Data Processed in an E-Commerce Context

  • Identity data: Name, username, order reference numbers.
  • Contact data: Email address, postal address, phone number.
  • Transaction data: Order history, basket contents, product views, wishlists, reviews, returns history.
  • Financial data: Payment method type, transaction amounts, invoice details (not full card numbers — those are held by our payment processor).
  • Technical data: IP address, device identifiers, browser information, session IDs.
  • Behavioural data: Site navigation patterns, search queries, click-through paths, abandoned basket data.
  • Communications data: Customer support correspondence, survey responses, review submissions.
  • Marketing data: Consent records, communication preferences, promotional code redemptions.

6. Processing Activities and Purposes

Activity | Purpose | Lawful Basis
Order processing and fulfilment | Accepting, processing, and dispatching orders | Contract
Payment processing | Authorising and recording payments | Contract; Legal obligation
Returns and refunds | Processing returns, refunds, and warranty claims | Contract; Legal obligation
Tax and accounting records | VAT/sales tax compliance, financial reporting | Legal obligation
Fraud prevention | Detecting and preventing fraudulent orders and chargebacks | Legitimate interests; Legal obligation
Account management | Creating and managing customer accounts | Contract
Customer support | Responding to queries and complaints | Contract; Legitimate interests
Transactional emails | Order confirmations, dispatch notifications, delivery updates | Contract
Marketing to new subscribers | Newsletters, promotional offers | Consent
Marketing to existing customers | Soft opt-in for similar products/services (UK: PECR reg. 22; EU: Art. 13(2) ePrivacy) | Legitimate interests
Product personalisation and recommendations | Recommending products based on browsing and purchase history | Legitimate interests; Consent
Website analytics | Understanding site usage and improving user experience | Legitimate interests; Consent (for cookies)
Abandoned basket recovery | Reminding users of items left in basket | Legitimate interests; Consent

7. Data Recipients and Processors

We share personal data with the following categories of recipients, all of whom are bound by appropriate data processing agreements (DPAs):

  • Payment processors — process card and alternative payment transactions under PCI-DSS compliance;
  • Logistics and courier partners — required to deliver your orders (name, delivery address, contact number shared);
  • Cloud hosting and infrastructure providers — store website data and databases;
  • Email service providers — send transactional and marketing emails;
  • Analytics platforms — analyse site performance and user behaviour (subject to your cookie consent);
  • Fraud and identity verification services — screen orders for fraudulent activity;
  • Customer support software providers — manage support tickets and live chat;
  • Advertising and retargeting platforms — serve targeted advertisements (subject to consent);
  • Professional advisers — lawyers, auditors, and accountants under duties of confidentiality;
  • Regulatory and law enforcement authorities — where required by law.

8. International Data Transfers

Where processors operate outside the UK or EEA, we implement transfer safeguards including Standard Contractual Clauses (SCCs), UK International Data Transfer Agreements (IDTAs), adequacy decisions, or other approved mechanisms. Transfer Impact Assessments (TIAs) are conducted where required. Details of specific safeguards are available upon request.

9. Data Retention

We retain personal data only as long as necessary:

  • Transaction and order records: Minimum 7 years (legal / tax obligation).
  • Customer account data: Duration of account + up to 3 years post-closure.
  • Customer service records: Up to 3 years from last interaction.
  • Marketing consent records: Until withdrawal + 1 year for compliance evidence.
  • Fraud and security logs: Up to 2 years.
  • Cookie consent records: Up to 3 years or as required by applicable ePrivacy rules.

10. Automated Decision-Making and Profiling

We may use automated processing (e.g. fraud-scoring algorithms, product recommendation engines) to support or inform decisions. We do not make solely automated decisions that produce legal or similarly significant effects on individuals without a human review step, except where permitted by law with appropriate safeguards. If you have concerns about automated processing, contact info@mondihome.co.uk.

11. Your GDPR Rights

Subject to applicable exemptions, you have the following rights (exercisable free of charge in most cases):

  • Right of access (Art. 15): Obtain a copy of personal data we hold about you.
  • Right to rectification (Art. 16): Correct inaccurate or complete incomplete data.
  • Right to erasure (Art. 17): Request deletion where no compelling reason for continued processing exists. Note: legal obligations (e.g. tax records) may override deletion requests.
  • Right to restriction (Art. 18): Request restriction of processing in certain circumstances.
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format for transfer to another controller (applies to consent- or contract-based automated processing).
  • Right to object (Art. 21): Object to processing based on legitimate interests, including direct marketing and profiling. Marketing opt-outs are always honoured immediately.
  • Rights relating to automated decisions (Art. 22): Not be subject to solely automated significant decisions without human review.
  • Right to withdraw consent: Withdraw any consent at any time without affecting lawfulness of prior processing.

Submit requests to: info@mondihome.co.uk or by post to Mondi Home UK, 375 – 377 High Road, London, England, N17 6QN, United Kingdom.
Response time: within one calendar month (extendable by two months for complex requests). Identity verification may be required. Most requests are free of charge.

12. Right to Complain to a Supervisory Authority

If you are unsatisfied with our handling of a data protection complaint, you have the right to lodge a complaint with:

  • UK: Information Commissioner’s Office (ICO) — ico.org.uk
  • EU: Your national data protection authority — edpb.europa.eu

We encourage you to contact us first so we may address your concern directly.

13. Data Security

We apply appropriate technical and organisational measures (TOMs) including TLS/SSL encryption, access controls, regular security assessments, staff training, and contractual obligations on processors. In the event of a personal data breach, we will notify the supervisory authority within 72 hours and, where required, notify affected individuals without undue delay.

14. Updates to This Notice

We review this notice periodically. Material changes are communicated via our website or direct notification. The “Last Updated” date at the top reflects the most recent revision.

15. Contact

Mondi Home UK (BOA HOME FURNİTURE LTD)
375 – 377 High Road, London, England, N17 6QN, United Kingdom
DPO / Privacy: info@mondihome.co.uk
General: info@mondihome.co.uk
Website: https://mondihome.co.uk/