Privacy Policy

Last Updated: October 2025

WHSmith takes the privacy of your Personal Information seriously. This Privacy Policy (the “Policy”) is provided by WHSmith PLC and the members of its corporate group, WHSmith, InMotion Stores, Marshall Retail Group, MRG Portland LLC, MRG Portland II LLC and Soundbalance PDX LLC (collectively “WHSmith,” “we,” “us,” or “our”), and describes how we collect, use, and disclose Personal Information. The Policy also describes the rights and choices you may have with respect to your Personal Information.

Capitalized terms are defined within the Policy.  This Policy may be updated from time to time. We encourage you to review the Policy periodically for updates. By visiting our Website or otherwise using our Services, you also acknowledge and accept our Terms of Use, which you can access at this link.

Applicability

This Privacy Policy applies when you visit or interact with us on our websites (the “Website”), which may include other WHSmith websites or platforms that link to this Policy.

It also applies when you use other Services, such as:

  • Visiting our stores;
  • Purchasing products from us at our stores;
  • Interacting with our advertisements or other marketing materials on third-party websites including social media platforms; and
  • Signing up for news or offers from us.

Our Website may offer links to access websites of third parties, including social media channels.  Third-party websites may independently solicit and collect information from you, including Personal Information, and in some instances, they may provide us with information about your activities on those third-party websites.

We do not control the information collection practices of third-party websites, and we encourage you to review the privacy policies presented on every website you visit.

Collection of Personal Information

Personal Information We Collect

Personal Information means information that we could reasonably use to directly or indirectly identify, locate, or contact you, including by serving you with personalized (also referred to as targeted) advertisements.  It also includes other information that may be associated with, or related to you, by reference to your name, or to another identifier.  Personal Information does not include information that is de-identified, aggregated, or anonymized. The Personal Information we collect about you may include:

  • Contact information such as your name, postal or service address, email address, telephone number, username, or other similar identifiers, such as social media handles and other social profile information from platforms such as LinkedIn, Facebook, Instagram, and Twitter/X when you interact with us on these platforms.
  • Payment & transaction information such as your name, billing address, bank account or payment card details, which is securely collected and stored by a third-party payment processor on our behalf, as well as boarding pass details when you purchase duty-free goods, or a copy of your receipt and other transaction details to process a return.
  • Account information, such as credentials to access your accounts with us, including usernames, passwords, and security questions and answers.
  • Communication information such as your language preferences, the content of recorded customer service calls to us, messages you send us through the “Contact Us” form on our Website, emails, text messages, or other information that you send to us.
  • Location information when you search for one of our stores through our Store Locator.
  • Commercial information such as your purchase and returns history and product preferences and purchasing tendencies.
  • Mobile device data such as your mobile device ID, model, manufacturer, operating system, browser type and version, Internet service provider, mobile carrier, or Internet Protocol (IP) address. 
  • Internet and electronic network activity information such as browsing history, search history, or details about your interactions with our Website or advertisements, including information we capture through cookies, pixels, analytics tools, and other tracking technologies. This information may include data such as services viewed or searched for and other information you type or enter into the Services, interactions with advertisements, including information provided in those ads or to those advertisers; information from other platforms where we interact with you including social media platforms operated by other companies; length of visits to certain pages, page interaction information (such as scrolling, hovering, clicks, and mouse-overs), Uniform Resource Locators (URLs) of webpages you visited before and after you browsed our Website, and methods used to browse away from a given webpage.  For more information about how we use tracking technologies, please see the Tracking Technologies section below.
  • Video and audio information such as video or audio images that are captured by the security premises monitoring equipment in our offices and stores and videoconference recordings.
  • Supplier and Business to Business (B2B) information about professionals associated with our commercial customers, suppliers and partners in the context of our relationships with these companies including business contact information, tax ID or other government-issued identifier, bank account or payment card details, professional affiliations, interests and credentials, and demographic information collected for supplier qualification and diversity programs.
  • Other information that you provide in your use of our Services.
  • Information created or inferred based on other Personal Information, such as information from the use of our Services that we use to detect fraudulent behavior, and/or to develop an understanding about your use of our Services to serve you with personalized content we think you may be interested in.

How We Collect Personal Information

We use different methods to collect information from and about you. These include collection through Direct Interactions, Tracking Technologies, Our Affiliates, Other People and Companies, and Publicly Available Sources.

Direct Interactions

We collect information directly from you when you:

  • Visit our stores, purchase products from us, or otherwise become a customer.
  • Complete forms, surveys, or orders that are submitted to us.
  • Correspond with us by phone, email or other forms of messaging on the Website. This includes messaging us on social media or other platforms, or otherwise engaging with our Services.
  • Express an interest in our products and Services.
  • Provide us with pictures or videos of our products or Services after purchase.
  • Subscribe to our emails or newsletters.
  • Report a problem with our Website, products, or Services.

Tracking Technologies

As you interact with our Website or other online Services, we and other third-party analytics and marketing partners may use cookies, pixel tags, analytics tools, web beacons, and other tracking technologies to collect internet or electronic network activity information and mobile device data about your computer or device, and your browsing activities.  These tracking technologies collect information about your visit to our Website and interactions with our online Services, promotional email messages or communications, and combine it with information that these technologies also collect about your activities over time and across other websites and online services, to personalize advertisements to you based on your interests.  We also use information collected by tracking technologies to perform analytics, and maintain the security and functionality of our Website and online Services. 

The data collected by tracking technologies does not generally identify you by name.  These technologies identify the device you are using, such as by your IP address or device identifier.  If you are logged into an online account such as Google, Apple, or a social media platform, the technologies may identify you through that online profile.  The information collected by tracking technologies may reveal or be connected to you by name or other identifier when our systems correlate it with the Personal Information you provided directly to us, so that we can create and maintain your account profile, and provide you with advertising that is personalized to your interests.  

The types of website technologies we use may change over time, and include:

  • Functional, necessary, and performance technology to maintain functionality of the Website and help us deliver our Services and products you may purchase; route traffic between servers; retain user preferences; enable you to log in and stay logged in; and help us understand how the Website is performing.
  • Analytics and research technology to help us research, understand, and improve features and content on the Website, including how users use the Website and the content and products that users view most frequently.
  • Location technology (including location based on your IP address) to verify your location; prevent fraud; deliver or restrict content based on your location; and provide Services personalized to your location.
  • Security technology for purposes such as detecting activity that might violate our rules and terms; preventing fraud, unauthorized access or activity, or other misuse of our Services; and protecting our business.
  • Communication technology for purposes such as determining whether emails or other communications have been opened.
  • Marketing and online targeted advertising technology for purposes such as providing personalized advertisements about our Services or those of other parties. 

Please see the section below titled Your State Law Privacy Choices & How to Exercise Them for ways to opt-out of tracking technologies.  You may also adjust your settings in our Cookie Preference Center.

Additionally, many companies that are engaged in marketing and advertising may participate in the Digital Advertising Alliance (“DAA”). You can learn more about the DAA AdChoices opt-out program for website browsers at https://www.youradchoices.com/ and for mobile apps at https://www.aboutads.info/appchoices.

Our Website honors the user-enabled opt-out preference signal Global Privacy Control (“GPC”).  When you have enabled this opt-out preference signal on browsers that support it, our Website will automatically opt you out of targeted advertising cookies.  You can allow our Website to “ignore” your opt-out preference signal choices in our Cookie Preference Center.

Our Affiliates

We are part of a corporate group of companies that includes WHSmith,  Marshall Retail Group LC, The Marshall Retail Group Canada LLC, InMotion Entertainment Group LLC, WHSmith Group Limited, WH Smith Travel Limited and WH Smith Hospitals Limited (“Affiliates”). When you use our Services, we may access and use account information and other Personal Information that our Affiliates have collected for the purposes of providing Services to you.

Other People and Companies

We collect Personal Information from external sources, including our advertising and social media partners, from other companies whose products and services you use, and from companies that help us understand our customers including advertising agencies and public records companies.  

For B2B customers and suppliers, we collect information from the company with which you are affiliated, and information from trade associations or trade shows. We may also infer information about you based on information that you have given us and your past interactions with us and other companies.

We use this Personal Information to supplement the other Personal Information we have collected directly from you and Personal Information that is collected automatically by tracking technologies on our Website, to maintain your customer profile, direct relevant advertisements to you, and to provide you with personalized communications and other content we think you may be interested in.

Publicly Available Sources

We may collect Personal Information from consumer comments about our products or Services through our Website or social media platforms.  This includes, for example, reviews of our products or Services that you publish on our Website or a third-party platform.

Use of Personal Information

We use Personal Information for one or more of the following purposes:

  • To fulfill the purpose for which you provided the information. For example, if you share your name and contact information to ask a question about our products or Services, we will use that Personal Information to respond to your inquiry. If you provide your Personal Information to purchase a product or Service, we will use that information to process your payment. We may also save your information to facilitate new product orders or process returns.
  • To provide, support, personalize, and develop our Website, products, and Services.
  • To create, maintain, customize, and secure your account with us.
  • To develop and maintain our relationship with you or your company, including by sending you marketing communications, personalized offers and invitations, and customer service.
  • To process your requests, purchases, transactions, payments, authenticate your identity, and prevent transactional fraud.
  • To provide you with support and to respond to your inquiries. We may use the information you provide to investigate and address your concerns and monitor and improve our responses.
  • To personalize your Website experience and deliver content relevant to your interests, including targeted offers and ads through our Website, third-party sites, and via email or text message (with your consent, where required by law).
  • To better understand your interests and those of our customers generally, to design products, Services and programs that appeal to our customers, and to identify prospective customers.
  • To perform finance, tax, and compliance functions, and for audit purposes. 
  • To help maintain the safety, security, and integrity of our Website, products and Services, databases and other technology assets, stores, and offices.
  • For testing, training, research, analysis, quality control, and product development, including developing and improving our Website, products, and Services.
  • For analytics, risk management, internal governance, and corporate ethics purposes.
  • To exercise our legal rights or defend legal claims.
  • To validate your company’s qualifications for our supplier diversity programs.
  • To respond to law enforcement requests, inquiries from regulators, and as required or permitted by applicable laws, court orders, or regulations.
  • As described to you in any Notice provided in accordance with the California Consumer Privacy Act (“CCPA”) or other consumer data privacy laws.
  • To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Information held by us about our customers is among the assets transferred.
  • For other uses as may be permitted or required by applicable law.

Disclosure of Personal Information

We may disclose your Personal Information to:

  • Affiliates
  • Service providers, suppliers, subcontractors, and third parties who perform functions in support of our Services, such as:
    • Order processing and fulfillment
    • Payment processing and collections
    • Data and platform hosting, research and analytics
    • Security, breach and fraud detection, prevention, and response
    • Consulting 
    • Marketing and advertising, including social media advertising 
    • Temporary staffing
    • Warranty
    • Website and Services development
  • Other people, such as when you direct an authorized representative to submit a privacy rights request on your behalf, subject to verification, or when you refer someone to our Services.
  • Governmental entities or regulators, such as when the U.S. Consumer Product Safety Commission (CPSC) requests Personal Information regarding a potential product recall.
  • Mandatory recipients or recipients who need access to Personal Information for safety, security and legal purposes, such as law enforcement agencies or recipients engaged in legal processes.
  • Companies that you direct us to interact with, such as payment card providers.
  • Third parties to market their products or services to you if you have consented to or not opted out of such disclosures. For more information, see Your Privacy Choices and How to Exercise Them.
  • For any other purposes of which we provide notice when collecting your information.
  • With your consent.

We may also disclose your Personal Information:

  • If we sell or buy any business or assets, in which case we may disclose your Personal Information to the prospective seller or buyer of such business or assets.
  • To a buyer or other successor in the event of merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, where one of the transferred assets is the Personal Information we hold.
  • To comply with any court order, law, or legal process, including responding to any government or regulatory request.
  • To enforce or apply our terms of use or terms and conditions of supply and other agreements.
  • To protect the rights, property, or safety of our business, our employees, our customers, or others. This includes exchanging information with other companies and organizations for the purposes of cybersecurity, fraud protection, and credit risk reduction.

Your Privacy Choices and How to Exercise Them

We provide all customers with the following choices for management of their information.  The section further below titled Notice to California Residents & Additional State-Specific Information applies additionally to customers who reside in U.S. states where comprehensive consumer data privacy legislation is effective. 

Managing Promotional Emails

You can opt-out of marketing communications sent via email by replying to any promotional email we send you or clicking the unsubscribe link that is included at the end of each marketing email.

Mailing Opt-Out

You may request that we stop sending you postal mail by submitting a request to data.privacy@whsmith.co.uk.

Notice to California Residents & Additional State-Specific Information 

This section of the Policy is provided in connection with the California Consumer Privacy Act (“CCPA”) and other comprehensive state laws regarding consumer data privacy. 

The chart below describes our information practices over the last 12 months:

Category of Personal Information Collected: Identifiers (e.g., name and other contact details such as your email address, postal or service address, phone number, IP address or credentials to access your account with us).
  • Source(s) of Collection: Direct Interactions; Our Affiliates; Other People & Companies; Publicly Available Sources; Tracking technologies
  • Disclosed for Business Purposes? Yes – to Service Providers and Contractors
  • Sold or Shared to Third Parties? Yes – for marketing and advertising.

Category of Personal Information Collected: Personal Information described in California’s Customer Records statute (California Civil Code § 1798.80(e)) (signature, physical characteristics or description, telephone number, bank account number, credit card number, debit card number, or any other financial information as well as the categories listed in “Identifiers” category above)
  • Source(s) of Collection: Direct Interactions; Our Affiliates
  • Disclosed for Business Purposes? Yes – to Service Providers and Contractors
  • Sold or Shared to Third Parties? Yes – for marketing and advertising.

Category of Personal Information Collected: Commercial Information (e.g., records of products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies)
  • Source(s) of Collection: Direct Interactions; Our Affiliates; Other People & Companies; Tracking technologies
  • Disclosed for Business Purposes? Yes – to Service Providers and Contractors
  • Sold or Shared to Third Parties? Yes – for marketing and advertising.

Category of Personal Information Collected: Device, Internet and Network Activity Information (e.g., browsing history; search history; and information regarding a consumer’s interaction with the Website)
  • Source(s) of Collection: Direct Interactions; Our Affiliates; Tracking technologies
  • Disclosed for Business Purposes? Yes – to Service Providers and Contractors
  • Sold or Shared to Third Parties? Yes – for marketing and advertising.

Category of Personal Information Collected: Geolocation Data
  • Source(s) of Collection: Direct Interactions; Other People & Companies; Tracking technologies
  • Disclosed for Business Purposes? Yes – to Service Providers and Contractors
  • Sold or Shared to Third Parties? Yes – for marketing and advertising.

Category of Personal Information Collected: Audio, Electronic, Visual, or Similar Information
  • Source(s) of Collection: Direct Interactions
  • Disclosed for Business Purposes? Yes – to Service Providers and Contractors
  • Sold or Shared to Third Parties? Yes – for marketing and advertising.

Category of Personal Information Collected: Inferences
  • Source(s) of Collection: Direct Interactions; Our Affiliates; Tracking technologies
  • Disclosed for Business Purposes? Yes – to Service Providers and Contractors
  • Sold or Shared to Third Parties? Yes – for marketing and advertising.

Category of Personal Information Collected: Sensitive Personal Information, such as government-issued identifiers, financial information, racial or ethnic origin, religious or philosophical beliefs, union membership, health, sex life, or sexual orientation
  • Source(s) of Collection: Direct Interactions; Our Affiliates
  • Disclosed for Business Purposes? Yes – to confirm identity to Service Providers
  • Sold or Shared to Third Parties? Yes – for identity purposes.

We currently collect and have collected the above categories of Personal Information for the following business or commercial purposes (as defined by California law):

  • Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
  • Helping to ensure security and integrity to the extent the use of your Personal Information is reasonably necessary and proportionate for these purposes.
  • Debugging to identify and repair errors that impair existing intended functionalities.
  • Short-term, transient use, including, but not limited to, non-personalized advertising shown as part of your current interaction with us, provided that your Personal Information is not disclosed to another third party and is not used to build a profile about you or otherwise alter your experience outside the current interaction with us.
  • Performing Services, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing or similar services.
  • Facilitating our business and operational purposes in relation to the above Services.
  • Undertaking internal research for technological development and demonstration.
  • Undertaking activities to verify or maintain the quality or safety of a Service, product, or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured for, or controlled by us.
  • Advancing our commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction.
  • Other business purposes for which we provide notice, including:
    • Legal obligations, including prosecuting people responsible for fraudulent, malicious, deceptive or illegal activities, and defending claims;
    • Notifying of product recalls or other issues related to products;
    • Enforcing and notifying of our terms and conditions, privacy policy, forum guidelines, and other policies and changes to such terms and conditions, privacy policy and other policies; and 
    • For records retention purposes.

We do not use or disclose Sensitive Personal Information for purposes to which the right to limit applies under the CCPA.

We retain Personal Information for as long as necessary to fulfill the purposes for which we collected it, such as to provide you with the Services you have requested, to maintain our Website and/or Services, or to satisfy any legal, accounting, contractual, or reporting requirements that apply to us.

Your State Law Privacy Rights & How To Exercise Them

Depending on the applicable consumer data privacy laws and exceptions in your jurisdiction, you may have the ability to exercise certain rights with respect to your Personal Information, including:

  • The Right to Access/Know what Personal Information We Have Collected.
  • The Right to Know Third Party Disclosures.
  • The Right to Correct Inaccurate Information.
  • The Right to Request that We Delete Your Information.
  • The Right to Data Portability.
  • The Right to Non-Discrimination for the Exercise of Privacy Rights. 
  • The Right to Opt-Out of Sale or Sharing of Personal Information for Targeted Advertising.
  • The Right to Opt-Out of Profiling or Opt-In to Sensitive Information Processing. 
  • Rights related to Automated Decision-Making. 

If you would like to exercise any of these rights, please do so by emailing us at data.privacy@whsmith.co.uk. To protect you and your Personal Information, depending on the type of request you make, we may ask you to provide additional information to verify your identity before processing a request. You may also have the right to submit a request to exercise your rights through an authorized agent, in which case your agent may be required to present signed written permission to act on your behalf. You may also be required to independently verify your identity with us and confirm that you have provided authorization to the agent.

Right To Appeal

You may have the right to submit an appeal if you are not satisfied with the outcome of your request.  If you would like to appeal a rights request decision, please email us at data.privacy@whsmith.co.uk.

Direct Marketing Disclosures

If you are a California resident, in addition to the rights above, you have the right to request that we disclose information about any third parties to which we have disclosed personal information in the preceding calendar year for their direct marketing purposes. Specifically, you have the right to request:

  • A list of the categories of certain personal information we disclosed to third parties for their direct marketing purposes in the preceding calendar year;
  • The names and addresses of all the third parties that received certain personal information from us in the preceding calendar year.

You may send us a request by email at data.privacy@whsmith.co.uk. Please include “California Privacy Rights Request” in the subject line of your email, and include your name, street address, city, state, and ZIP code. Note that we are only required to respond to one request per customer each year.

California Online Privacy Protection Act Disclosure

Our Website does not support “Do Not Track” (“DNT”) signals. DNT is a preference you can set to inform websites that you do not want to be tracked. You can enable it by changing the settings in the Preferences or Settings page of your web browser. Our Website does honor GPC signals.

Information Security

We maintain reasonable administrative, technical, and physical information security practices to protect the confidentiality, integrity, and accessibility of Personal Information. We have implemented security measures that are proportionate to the volume and nature of the Personal Information at issue.

The transmission of information via the internet is not completely secure and we cannot guarantee the security of your Personal Information transmitted to our Website. Any transmission of Personal Information is at your own risk. We are not responsible for the circumvention of any privacy settings or security measures contained on the Website.

Children

We do not direct the Website to children under the age of 16 and we do not knowingly collect, use, store, or disclose the Personal Information of children under the age of 16 or minors as defined by local legal requirements. If we learn we have mistakenly or unintentionally collected or received Personal Information from a child without appropriate consent, we will delete it. If you believe we mistakenly or unintentionally collected any information from or about a child, please contact us at data.privacy@whsmith.co.uk.

Changes to this Privacy Policy

We will notify you of any material changes to our Privacy Policy by posting an updated copy on our Website. Please check our Website periodically for updates.

Communicating with Us about Our Privacy Policy

If you have questions or concerns about this Privacy Policy or our privacy practices, you may submit a request via Your Privacy Choices in the footer or contact us using the information below:

Email:
data.privacy@whsmith.co.uk

Mailing Address:
WHSmith
Legal Data Protection Officer 
6600 Bermuda Rd
Las Vegas, NV 89119
United States

If you need to access this Privacy Policy in an alternative format, please contact us at data.privacy@whsmith.co.uk.

Additional Information for EEA, Swiss and UK Residents

WHSmith is providing this supplemental privacy notice to give individuals in the European Economic Area (EEA) and the U.K. additional information required by the EU General Data Protection Regulation and the UK GDPR. 

For information on our online data collection please visit: https://www.whsmithplc.co.uk/privacy-notice and for shareholder data collection please visit: https://www.whsmithplc.co.uk/investors/shareholder-centre/privacy-notice-shareholders

Information about WHSmith 

WHSmith respects your privacy and is committed to protecting your personal data in your interactions with us online and in our stores. This privacy notice will inform you how we process your personal data, how you can exercise your rights, and how to register a complaint.

Data Controller Contact Details

WH Smith PLC (company registration number 5202036), WH Smith Travel Limited (company registration number 06560378), WH Smith Group Limited (company registration number 15367938) and WH Smith Hospitals Limited (company registration number 03981392).

Address: Greenbridge Road, Swindon, Wiltshire, SN3 3RX
Data Protection Officer: data.privacy@whsmith.co.uk

How We Use Your Personal Data

In most instances our processing of your data will be in relation to your visits to our website and stores. We may use your personal data:

  • To offer our products and services on our website and in our stores
  • To respond to comments, enquiries, and complaints
  • To capture CCTV images and audio in stores for the purpose of preventing crime and prosecuting offenders
  • To create new customer accounts on our website
  • To collect your address and contact details for delivery purposes
  • To collect payment, facilitate reimbursements and collect debt
  • To request a review or participation in a survey after making a purchase or using our services
  • To verify your age with credit agency TransUnion (https://www.transunion.co.uk/legalinformation/bureau-privacy-notice) or through in person identity verification when purchasing age sensitive products
  • To send reminders if you abandon (exit) the website after a search or product view, or do not complete your order
  • To offer participation in prize draws and competitions
  • To administer and protect our business and websites (including troubleshooting, data analysis, testing, system maintenance, development, support, reporting and hosting of data)
  • To offer choices regarding the loading of non-essential cookies (e.g. advertising, Google Analytics)
  • To use data analytics to improve our website, products/services, marketing and customer experience
  • To make suggestions and recommendations to you about goods or services
  • To offer support from third party suppliers providing services to us
  • To share with other Group companies when required to meet legal and contractual obligations
  • When we sell or merge any part of our business

How We Collect Data

We use different methods to collect data from and about you including through direct interactions, automated technologies, public information and through third-party service providers. These data collection methods include:

  • Completion of online or in-store forms
  • Purchase of our products or services in store or through our website
  • Account creation including WHSmith Scan & Go application
  • Engaging with our social media accounts including competitions and complaints
  • Providing feedback or taking part in a survey
  • Engaging with external advertising on third-party sites
  • CCTV, body worn cameras, audio recordings and other surveillance images and footage
  • As you interact with our website, newsletters, or emails we may automatically collect technical data about your equipment, browsing actions and patterns
  • When presenting a boarding pass at point of sale for tax and compliance purposes
  • We may collect technical information about your journey through our site with Google Analytics

Data Collected

When you complete an online form, register or shop with us online, register or shop using the Scan & Go application, we may process different kinds of personal data about you such as your name, gender, date of birth, billing/delivery address, e-mail address and telephone number.

We may also collect and retain information about your interactions with us either in store, online, through social media, or through our contact centres so that we can process your transactions and deal with any future queries. We may use your identity, contact, technical, usage and previous purchases to form a view on which products, services and offers may be relevant for you and display them to you on the website. We also process aggregated data such as statistical or demographic data. If we combine or connect aggregated data with your personal data, we treat the combined data as personal data.

We do not ordinarily collect any special categories of data or information about criminal convictions and offences. We may collect health data if you report a store incident or if we are required to meet legal obligations in respect of the health and safety of our customers and staff.

If you do not provide the data when we need to collect personal data by law, or under the terms of a contract we have with you, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us, but we will notify you if this is the case at the time.

Lawfulness of Processing

In most instances our legal basis for processing your personal data relates to the performance of the contract you have entered for the purchase of a product or to take steps at your request prior to entering into a contract. We also process personal data to comply with our legal obligations (e.g. fraud investigations and criminal investigations) and for our legitimate interests (or those of a third party) to operate and develop our business operations and appoint suitable service providers.

Generally, we do not rely on consent for processing your personal data, other than for our own direct marketing in some situations, non-essential online identifiers, or third-party marketing. You have the right to withdraw consent to marketing (or to object to receiving marketing where we do not rely on consent) at any time. This can be done by unsubscribing from marketing communications or sending an email to: data.privacy@whsmith.co.uk or support@whsmith.co.uk.

Data Sharing

We may share your personal data in certain circumstances, including:

  • For the purpose of completing your order and delivering your product through third-party courier services.
  • To process purchase payments in store and on the website through third-party payment providers.
  • With other WHSmith Group entities.
  • Trusted technical partners for the purposes of website development and improvements.
  • We may, from time to time, expand, reduce or sell WHSmith and this may involve the transfer of divisions or the whole business to new owners.
  • CCTV and other surveillance images and footage may be shared with law enforcement, regulatory authorities, and third parties for the purpose of preventing crime and prosecuting offenders. We use technology supplied by Vision R (https://visionr.com/privacy-gdpr) to study customer journeys through our stores and Auror (https://www.auror.co/) to support fraud and crime prevention in our stores. In some of our stores, staff and security support staff wear Solo Protect (https://www.soloprotect.com/uk) audio recording devices to record abusive and criminal activity when activated.
  • If you have opted in to receive marketing from third parties, you can opt out of these marketing communications at any time. Clicking on links to third-party websites, plug-ins and applications contained within this website, or enabling those connections, may allow third parties to collect or share data about you. When you leave our website, we encourage you to read the privacy notice of every website you visit.
  • We require all third parties to respect the security of your personal data and to treat it in accordance with the law.

We will process your personal data for as long as necessary including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. Customer data is normally retained for a period of six years, or until we are no longer required to retain copies to meet regulatory obligations. In some circumstances we may anonymise your personal data for research or statistical purposes.

We retain CCTV and other surveillance images for up to three months unless required to retain for a longer period for the purpose of supporting a law enforcement investigation, legal proceedings or meeting other regulatory obligations.

Marketing

We may send marketing communications about our own goods and services if you have opted in to receive our marketing messages, or you have previously bought or enquired about similar goods or services from us (including by placing items in your basket but not completing an order) and you have not opted out from receiving our marketing messages. You can unsubscribe from marketing at any time.

You may see WHSmith promotional messages on other websites. These messages will be displayed based on cookies placed during your recent visit to our website. Please see our Cookie Policy for more details, including how you can update your preferences.

Use of Social Media Management Platforms

From time to time, we may use a social media management platform to assist with posting content and responding to customer messages and comments on our social media channels. This helps us manage our social interactions more efficiently and provide timely responses. Any personal information shared with us via social media will continue to be handled in line with our Privacy Notice.

International Data Transfers and Data Security

Some of our third-party processors may transfer or access your data outside of the UK and EEA. Our contractual agreements with third party service suppliers include appropriate security and data transfer safeguarding mechanisms. We have appropriate technical and organisational security measures in place to meet our security obligations in respect of your personal data. If you have concerns about the security of your data, please contact the Data Protection Officer: data.privacy@whsmith.co.uk

Your Individual Rights

Under data protection law you have rights in respect of the processing of your data, including:

  • Right of Access – You can request a copy of the personal data we hold about you.
  • Right to Rectification – You have the right to have inaccurate personal data rectified or completed if it is incomplete. Please keep us informed if your personal data changes during your relationship with us.
  • Right to Erasure – Also known as the Right To Be Forgotten, you have the right to request that we delete personal data we hold about you. If it is not possible to delete the information immediately because we must meet legal or other obligations, we will inform you of the retention period.
  • Right to Restriction of Processing – In certain circumstances you have the right to request the restriction of the processing of your personal data.
  • Right to Data Portability – You have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances.
  • Right to Object – You have the right to object to the processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your situation which makes you want to object to processing on this ground. You can ask us or third parties to stop sending you marketing messages at any time by contacting us or by unsubscribing from marketing communications in any communication sent to you.

We do not use automated decision making. You will not have to pay a fee to exercise any of the rights. 

We will respond within one month, but if your request is particularly complicated and we need more time to provide the information, we may extend the response period by another two months. We will inform you within the first month if that is the case. We may need to request specific information from you to help us confirm your identity. We may also contact you to ask you for further information or clarification to speed up our response.

We may charge a reasonable fee if your access request is manifestly unfounded, repetitive or excessive.

Cookie Notice

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. You will be presented with a choice to load non-essential cookies when first visiting the website.

Contact Us

If you have questions or complaints about the processing of your personal data, please contact the Data Protection Officer:

data.privacy@whsmith.co.uk

Data Protection Officer
WHSmith, Greenbridge Road, Swindon, SN3 3LD

Complaints

If you are not satisfied with the response you receive from us, you have the right to contact the regulator in your country.

United Kingdom
Information Commissioner’s Office
+ 44 0303 123 1113
www.ico.org.uk

EEA
Office of the Information Commissioner (OIC)
6 Earlsfort Terrace, Dublin 2, D02 W773
info@oic.ie
+353 1 639 5689

Updates

We will update this Privacy Notice from time to time; please note the update date.

Last Updated: October 2025 V3