Last Updated: 2026-03-30. This document is an informational template only and does not constitute legal advice. Have a qualified solicitor or attorney review and adapt it for your specific business model, industry, and jurisdiction before publishing.

1. Who We Are — Data Controller

Mondi Home UK (trading as BOA HOME FURNİTURE LTD, company/VAT registration: ) operates the e-commerce website at https://mondihome.co.uk/. For the purposes of the UK General Data Protection Regulation (UK GDPR), EU General Data Protection Regulation (EU GDPR 2016/679), and applicable national data protection legislation, we are the data controller responsible for your personal data.

Registered address: 375 – 377 High Road, London, England, N17 6QN, United Kingdom.
General enquiries: info@mondihome.co.uk
Data Protection Officer / Privacy contact: info@mondihome.co.uk
Jurisdiction focus: UK-EU

2. Scope of This Policy

This Privacy Policy explains how we collect, use, store, share, transfer and protect personal data when you visit our website, create an account, browse or purchase products or services, contact our customer support, or otherwise interact with us. It applies to all visitors, registered users, customers, and newsletter subscribers.

This Policy covers our own data practices. Where our website links to third-party websites, payment gateways, social media platforms or delivery partner portals, those third parties operate under their own privacy policies and we are not responsible for their data practices.

3. Personal Data We Collect

When you use our website or services — particularly in the context of purchasing goods or services online — we may collect and process the following categories of personal data:

3.1 Identity and Account Data

  • First name, last name, username or display name
  • Date of birth (where age verification is required)
  • Gender (where voluntarily provided for personalisation)
  • Profile photograph or avatar (where provided)

3.2 Contact Data

  • Email address
  • Postal / billing address
  • Delivery address (if different from billing)
  • Telephone or mobile number

3.3 Transaction and Order Data

  • Products and services you have purchased or enquired about
  • Order numbers, invoice references, and order history
  • Basket / cart contents, saved wishlists, and product reviews you leave
  • Delivery preferences (e.g. nominated day, safe-place instructions)
  • Returns, refund, and complaint records
  • Gift messages and special instructions

3.4 Financial and Payment Data

  • Transaction amount, currency, and payment method type (e.g. credit card, PayPal, bank transfer)
  • Last four digits of payment cards (stored by our payment processor for identification; full card numbers are never stored on our servers)
  • Billing address for card-verification purposes
  • Invoice and VAT receipt data required for tax compliance

All payment card processing is handled by PCI-DSS compliant third-party payment processors. We do not store, transmit or process full payment card numbers on our own systems.

3.5 Technical and Device Data

  • IP address, browser type and version, device type and operating system
  • Screen resolution, time zone, and language settings
  • Session identifiers, login timestamps, and access logs
  • Referring URL, search terms that led to our site, and exit pages

3.6 Behavioural and Usage Data

  • Pages viewed, products browsed, time spent on pages, and scroll depth
  • Click-through paths and in-site search queries
  • Abandoned basket / checkout recovery data
  • Wishlist activity and product comparison history
  • Features used and settings configured

3.7 Communications Data

  • Emails, live chat transcripts, and contact form submissions sent to us
  • Customer service ticket history
  • Product review submissions and seller ratings
  • Survey and feedback responses

3.8 Marketing and Preference Data

  • Marketing opt-in / opt-out preferences and consent timestamps
  • Communication channel preferences (email, SMS, push notifications)
  • Personalisation preferences and saved searches
  • Referral codes and affiliate tracking parameters

We do not intentionally collect special-category (sensitive) personal data such as health information, racial or ethnic origin, religious or political beliefs, or biometric data, unless you voluntarily provide it (for example, in a written communication) and there is a valid lawful basis.

4. How We Collect Your Personal Data

  • You provide it directly — when you register an account, complete a purchase, subscribe to our newsletter, submit a product review, contact customer support, complete a survey, or enter a competition.
  • Automatically through technology — as you browse or interact with our website, we collect technical and behavioural data through cookies, server logs, pixel tags, and similar tracking technologies (see our Cookie Policy).
  • From third parties — we may receive data from payment processors confirming transaction status; from shipping partners confirming delivery outcomes; from social media platforms if you use social sign-in; from analytics providers; and from fraud-prevention services.
  • From publicly available sources — for example, public business registers or social media, where relevant to a commercial relationship.

5. Purposes and Legal Bases for Processing

We only process your personal data where we have a valid lawful basis. Our main processing activities are set out below.

Purpose Lawful Basis
Processing and fulfilling your orders, including payment processing, dispatch, and delivery Performance of a contract
Managing your account and providing customer support Performance of a contract
Processing refunds, returns, warranties, and complaints Performance of a contract; Legal obligation
Issuing VAT invoices and maintaining accounting records Legal obligation
Detecting and preventing fraudulent transactions and chargebacks Legitimate interests; Legal obligation
Sending order confirmations, dispatch notifications, and delivery updates Performance of a contract
Sending marketing emails, promotional offers, and newsletters (where opted in or as a soft opt-in to existing customers in permitted jurisdictions) Consent; Legitimate interests
Personalising your shopping experience including product recommendations based on browsing and purchase history Legitimate interests; Consent
Abandoned basket recovery emails (where permitted) Legitimate interests; Consent
Improving our website, services, and product range through analytics Legitimate interests; Consent (for non-essential cookies)
Complying with consumer protection, tax, anti-money laundering, and other legal obligations Legal obligation
Establishing, exercising, or defending legal claims Legitimate interests; Legal obligation

Where we rely on legitimate interests, we have conducted a balancing test confirming that our interests do not override your fundamental rights. You may object to such processing at any time (see Section 11).

6. Cookies and Tracking Technologies

Our website uses cookies and similar technologies essential to e-commerce functionality (e.g. shopping cart persistence, secure checkout sessions) as well as optional analytics and advertising cookies where you consent. Please read our Cookie Policy for full details, including how to manage your preferences.

7. Sharing Your Personal Data

We do not sell your personal data. We may share it with the following categories of recipients:

  • Payment processors (e.g. Stripe, PayPal, Klarna, or similar) — to authorise and process transactions. They act as independent data controllers for card data; please review their privacy policies.
  • Delivery and logistics partners — couriers and postal services (e.g. Royal Mail, DPD, UPS, DHL or similar) to fulfil your orders. Your name, address, and contact details are shared to enable delivery and provide tracking updates.
  • Technology and platform providers — hosting, cloud storage, email dispatch, CRM, order management, inventory, and analytics systems acting as data processors under written agreements.
  • Customer support tools — live chat, help desk, and ticketing systems operated under data processing agreements.
  • Fraud and identity verification services — to detect and prevent fraudulent orders and chargebacks.
  • Marketing platforms — email service providers, retargeting networks, and social media advertising platforms where you have given consent for targeted advertising or where permitted by legitimate interests.
  • Professional advisers — lawyers, auditors, and accountants acting under confidentiality obligations.
  • Regulatory authorities and law enforcement — where required by law, court order, or to protect safety and security.
  • Business transfer — in connection with a merger, acquisition, or sale of assets, under appropriate confidentiality obligations.

8. International Data Transfers

Some of our service providers operate outside the UK or European Economic Area (EEA). Whenever we transfer personal data internationally, we ensure adequate safeguards are in place, which may include:

  • UK adequacy regulations or EU Commission adequacy decisions;
  • Standard Contractual Clauses (SCCs) approved by the ICO or European Commission;
  • UK International Data Transfer Agreements (IDTAs);
  • Binding Corporate Rules (BCRs); or
  • Other lawful transfer mechanisms required by applicable law.

To request details of the safeguards in place for a specific transfer, contact info@mondihome.co.uk.

9. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, subject to overriding legal requirements. Key retention periods are as follows:

  • Order and transaction records: 7 years (required by tax and accounting legislation in most jurisdictions; please verify the specific requirement for United Kingdom).
  • Account data: For the duration of your account and up to 3 years after account closure (to handle late warranty or complaint queries).
  • Communication records (customer support): Up to 3 years from the last contact.
  • Marketing consent records: Until consent is withdrawn, plus 1 year after to evidence compliance.
  • Technical logs (IP, access logs): Up to 12 months.
  • Cookie consent records: Up to 3 years or as required by applicable law.

When data is no longer required, it is securely deleted, anonymised, or physically destroyed in accordance with our data retention and disposal procedure.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, alteration, disclosure, or destruction. Our security measures include:

  • TLS/SSL encryption for all data transmitted between your browser and our servers;
  • PCI-DSS compliant payment processing through certified third-party processors;
  • Role-based access controls limiting staff access to personal data on a need-to-know basis;
  • Regular security vulnerability assessments and penetration testing;
  • Encryption of sensitive data at rest where technically feasible;
  • Staff training on data protection and information security;
  • Contractual security obligations imposed on all data processors.

In the event of a personal data breach likely to result in risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, notify you directly without undue delay.

11. Your Rights

Subject to applicable law and certain exemptions, you have the following rights regarding your personal data:

  • Right of access (Subject Access Request): Obtain a copy of the personal data we hold about you.
  • Right to rectification: Ask us to correct inaccurate or complete incomplete data.
  • Right to erasure (“right to be forgotten”): Request deletion where the data is no longer needed, consent is withdrawn, or processing is unlawful. Note that we may need to retain certain data for legal compliance (e.g. tax records).
  • Right to restriction of processing: Ask us to pause processing in certain circumstances (e.g. while accuracy is challenged).
  • Right to data portability: Receive your data in a structured, machine-readable format to transmit to another controller, where processing is based on consent or contract and carried out by automated means.
  • Right to object: Object at any time to processing based on legitimate interests (including profiling for direct marketing). We will always honour objections to direct marketing.
  • Rights in relation to automated decision-making: Not be subject to purely automated decisions that produce legal or similarly significant effects, except in limited circumstances.
  • Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing. To unsubscribe from marketing emails, use the unsubscribe link in any email or contact us directly.

To exercise any right, please contact us at info@mondihome.co.uk or in writing to 375 – 377 High Road, London, England, N17 6QN, United Kingdom. We will respond within one calendar month (extendable by two further months for complex requests, with notice). We may ask you to verify your identity. Most requests are free of charge; we reserve the right to charge a reasonable fee for manifestly unfounded or excessive requests.

If you are unsatisfied with our response, you have the right to complain to the relevant supervisory authority. In the UK: Information Commissioner’s Office (ico.org.uk). In the EU: the data protection authority in your country of residence.

12. Children’s Privacy

Our website and services are not directed at children under 16 years of age (or such higher minimum age as required by applicable law). We do not knowingly collect personal data from minors. If you believe a child has provided us with personal data without appropriate parental or guardian consent, please contact us at info@mondihome.co.uk and we will take prompt steps to delete such data.

13. Marketing Communications

We may send you marketing communications if you have opted in, or — where permitted — as an existing customer under the soft opt-in provisions of the Privacy and Electronic Communications Regulations (PECR) in the UK or equivalent e-privacy legislation in the EU.

You can opt out of marketing communications at any time by:

  • Clicking the unsubscribe link in any marketing email;
  • Updating your preferences in your account settings;
  • Contacting us at info@mondihome.co.uk.

Opting out of marketing communications will not affect transactional emails necessary for your orders (e.g. order confirmations, dispatch notifications, refund confirmations).

14. Third-Party Links and Integrations

Our website may contain links to third-party websites, social media platforms, payment gateways, and embedded content. Clicking these links or using these integrations may allow third parties to collect data about you. We do not control third-party websites or their privacy practices and recommend reading their privacy policies before providing any personal data.

15. Changes to This Privacy Policy

We may update this Policy periodically to reflect changes in our practices, technology, legal requirements, or business operations. When material changes occur, we will update the “Last Updated” date and may notify you by email or by posting a prominent notice on our website. We encourage you to review this Policy regularly. Continued use of our website or services after the effective date of any changes constitutes acceptance of the updated Policy.

16. Contact Us

For any questions, requests, or concerns about this Privacy Policy or our data practices, please contact us:

Mondi Home UK (BOA HOME FURNİTURE LTD)
375 – 377 High Road, London, England, N17 6QN, United Kingdom
Email: info@mondihome.co.uk
Website: https://mondihome.co.uk/
Registration: