Data Privacy Policy (EU GDPR and UK GDPR)

For Our Website Users, Customers and Other Business Contacts

Effective Date: 1 Jan 2020

Last Revision: 23 May 2024

Click on one of the links below to jump to listed sections:

  1. Who is responsible for processing your data? How can you contact us?
  2. What personal data do we collect and why?
  3. Who do we share your personal data with?
  4. Transfers of personal data outside the UK/European Economic Area
  5. Transfers of personal data outside the United Kingdom
  6. Your Privacy Rights
  7. Retention Period
  8. Annex 1 – List of DNOW's EU Affiliates

Who is responsible for processing your data? How can you contact us?

This Notice describes the actions DNOW L.P. and its EU and UK affiliates (together "DNOW", "Company", "we" or "us") take to protect the personal data that we process about our customers and other business-related personal data. DNOW is committed to the protection of the personal data that we process about you in accordance with the data protection principles set out in the European Union General Data Protection Regulation ("GDPR") and the version of the GDPR retained under UK domestic law ("UK GDPR").

If you are an individual associated with one of our customers or vendors, the relevant data controller is likely to be the DNOW EU or UK affiliate with which the company you are associated with does business. A list of each of DNOW's EU and UK affiliates and the relevant contact details for each are provided in Annex 1 to this Privacy Policy.

If you are a website user, a website customer, or are associated with a prospective customer or vendor, the data controller is MacLean International Group Limited, acting as European and UK representative of DNOW L.P., and can be contacted at privacy@dnow.com.

What personal data do we collect and why?

We may source, use and otherwise process your personal data in different ways. In all cases, we are committed to protecting the personal data of our website users and business contacts.

The types of personal data that we may collect and further process are included in the following table:

Data Category Types of Data
Identity Data salutation, first name, last name and signature (where applicable)
Contact Data residential address, delivery address (where different to residential address) private email address and telephone number
Business Contact Data business address, business email address, business telephone number, and job title and location
Marketing and Communications Data information contained in enquiries and any other communications with us, and any contact preferences specified;
Profile Data details of your business profile, including information about you on your company’s website, history of any business interactions and records of any other dealings you have had with us, and details of products/services that are likely to be of interest to you or that you may be able to provide to us
Transaction Data website account information (including login credentials) and, where you are an individual that is purchasing products through the website, details of orders placed including item(s) purchased, time of order and delivery details, purchase price and information relating to product returns including any refunds or exchanges
Financial Data where you are an individual that is purchasing products through the website, details of your method of payment, financial institution and relevant account information
Technical Data information about your device and browser including where such information, such as your IP address
Usage Data information collected in relation to how you use and interact with the website, including where such information is collected through the use of website cookies and other tracking technologies, such as the length of time spent on each page
Facility Data information regarding your attendance at any of our facilities, including the time and date of attendance, the nature and purposes of your visit, details of the individual(s) you are meeting with, any other information you input when registering your arrival and any imagery/videography captured through the operation of on-site CCTV recording

In each of the sections listed below, we describe how we obtain your personal data and how we will treat it.

  • Section 2.1: Representatives of Our Existing or Prospective Customers and Vendors
  • Section 2.2: Visitors to Our Premises
  • Section 2.3: Website Visitors

2.1 Representatives of Our Existing or Prospective Customers and Vendors

A - Sources of personal data

We may obtain your personal data from the following sources:

  1. from you directly;
  2. from a company that employs you, if you are an employee of our customer, vendor, supplier, or another type of business contact;
  3. from DNOW affiliates;
  4. during networking events that we have either hosted, sponsored, or attended; and/or
  5. from publicly available sources (for example, your company website and/or social media).
B - Why do we collect your personal data? What do we collect and what are our lawful bases for it?
Representatives of our Existing or Prospective Business Customers or Vendors
Purpose/Activity Type of Data Lawful Basis for Processing, Including Basis of Legitimate Interest
To provide you products or services that are requested from us, or to receive services from you
  1. Identity Data
  2. Contact Data
  3. Profile Data
  4. Marketing and Communications Data
Legitimate interests (to advance our respective business interests in enabling the provision and receipt of services)
Managing, operating and giving and receiving instructions in respect of the customer account you hold with us or our affiliates
  1. Identity Data
  2. Contact Data
  3. Profile Data
  4. Marketing and Communications Data
Legitimate interests (to administer and manage customer accounts, including communicating in relation to accounts held and orders placed on those accounts)
To enable us to organise on-site visits between prospective customers and establish commercial relationships with customers
  1. Identity Data
  2. Contact Data
  3. Profile Data
  4.  Marketing and Communications Data
Necessary for our legitimate interests (to keep our records updated and to provide customer service to customers)
  • Develop and improve our services to you and other customers;
  • Learn from the way you use and manage your customer account(s);
  • Operational and administrative purposes.
  1. Identity Data
  2. Contact Data
  3. Marketing and Communications Data
Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services; understand the market in which we operate; make improvements to our products/services and the way we communicate with customers, and for management reporting (including at an intra-group level)
The exercise or defence of legal claims
  1. Identity Data
  2. Contact Data
  3. Profile Data
  4. Marketing and Communications Data
Necessary for our legitimate interests (to exercise or defend legal rights and claims)
To inform you of products, services and events that may be of interest to you, to issue surveys and to obtain reviews, including by letter, telephone, messages, e-mail and other electronic methods
  1. Identity Data
  2. Contact Data
  3. Technical Data
  4. Usage Data
  5. Profile Data
Necessary for our legitimate interests (to develop our products/services and grow our business; promote our goods or services; and for management reporting (including at an intra-group level)
Establish and manage our relationship with our customers and vendors
  1. Identity Data
  2. Contact Data
  3. Profile Data
  4. Marketing and Communications Data
Necessary for our legitimate interests (To fulfil our contractual and legal obligations; Account Management; Understand the market in which we operate; and for management reporting (including at an intra-group level)
Security
  1. Identity Data
  2. Contact Data
  3. Technical Data
  4. Usage Data
Necessary for our legitimate interests (managing security, risk and crime prevention; management reporting (including at an intra-group level)
To manage our relationship with you which will include notifying you about changes to our terms or privacy policy
  1. Identity Data
  2. Contact Data
  3. Profile Data
  4. Marketing and Communications Data

Legal obligation

Necessary for our legitimate interests (to keep you informed about changes in our policy; to manage our relationship with you)


If you object to us using your contact details for these purposes, including direct marketing, please contact us at privacy@dnow.com.

Where we use your email to communicate marketing information to you, we will seek your prior consent where required to do so by law.


2.2 Visitors to Our Premises

A - Sources of personal data

We may obtain your personal data from you directly and from our systems’ records. When you are an employee of a customer, vendor, supplier, or of another type of business contact, then we may also collect your personal data from your employer.

B - Why do we collect your personal data and what are our lawful bases for it?
Visitors to Our Premises
Purpose/Activity Type of Data Lawful Basis for Processing, Including Basis of Legitimate Interest
Security
  1. Identity Data
  2. Contact Data
  3. Facility Data
Necessary for our legitimate interests (Managing security, risk and crime prevention)
Maintain records of visitors to our premises
  1. Identity Data
  2. Contact Data
  3. Marketing and Communications Data
  4. Facilities Data
Necessary for our legitimate interests (Business administration and management reporting)

If you object to us using your contact details for these purposes, please contact us at privacy@dnow.com.


2.3 Website Visitors

A - Sources of personal data

We may obtain your personal data from the following sources:

  1. from you directly (for example, if you contact us via the website or otherwise and when you subscribe to any services offered on our website[s], including but not limited to email mailing lists, interactive services, posting material or requesting further goods or services); and/or
  2. indirectly from your device or browser.
B - Why do we collect your personal data and what are our lawful bases for it?
Website Visitors
Purpose/Activity Type of Data Lawful Basis for Processing, Including Basis of Legitimate Interest
To register you as a new customer
  1. Identity Data
  2. Contact Data

Performance of a contract with you

Legitimate interests (improving the functionality of the website and the efficiency of our ordering process)

To process and deliver your order including managing payments, fees and charges, arranging delivery, and recovering any amounts due.
  1. Identity Data
  2. Contact Data
  3. Marketing and Communications Data
Business customers: legitimate interests (taking and processing orders for our business customers, for operational purposes and to enable product delivery, and to advance and protect the interests of the business)
  1. Identity Data
  2. Contact Data
  3. Financial Data
  4. Transaction Data
  5. Marketing and Communications Data
Individual customers: performance of a contract with you and legitimate interests (improving our customer experience by issuing order and shipping updates)
Contacting you for marketing purposes, including sending you news, updates and other content that we think might interest you, or asking you to leave a review, take a survey, to partake in a prize draw, competition or other promotion, and processing the results of your responses.
  1. Identity Data
  2. Contact Data
  3. Profile Data
  4. Marketing and Communications Data

Consent (where required)

Necessary for our legitimate interests (to promote our business and our products/services, to keep our records updated, to study how customers use our products/services and how we can make improvements to our products/services)

Notifying you about changes to our legal terms and/or legal not
  1. Identity Data
  2. Contact Data

Necessary for our legitimate interests (to keep you informed about changes to our terms of business)

Legal obligations

To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
  1. Identity Data
  2. Contact Data
  3. Technical Data
  4. Usage Data
Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, and to prevent fraud and other illegal conduct)
To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you
  1. Identity Data
  2. Usage Data
  3. Marketing and Communications Data

Consent (where required)

Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy)

To use data analytics to improve our website, products/services, marketing, customer relationships and experiences
  1. Technical Data
  2. Usage Data

Consent (where required)

Necessary for our legitimate interests (to help define the target market and customer base for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)


If you object to us using your contact details for these purposes, including direct marketing, please contact us at privacy@dnow.com.

Where we use cookies or similar technologies to fulfil these purposes, we will seek your prior consent where required to do so by law.

Where we use your email to communicate marketing information to you, we will seek your prior consent where required to do so by law.

Who do we share your personal data with?

We do not sell your personal data to third parties.

DNOW EU and UK Affiliates

We may share your personal data with other DNOW EU and UK affiliated entities (see the list in Annex 1).

Our Service Providers

We may disclose information about you to organisations that provide a service to us, on the understanding that they will keep the information confidential and will comply with the GDPR and other relevant data protection laws.

We may share your information with the following types of service providers:

  1. technical support providers who assist with our website and IT infrastructure;
  2. third party software providers, including 'software as a service' solution providers, where the provider hosts the relevant personal data on our behalf;
  3. logistics partners and other third parties involved in the delivery of our products, including providers of postal and shipping services;
  4. professional advisers such as solicitors, accountants, tax advisors, auditors and insurance brokers;
  5. providers that help us generate and collate reviews in relation to our goods and services;
  6. our advertising and promotional agencies and consultants and those organisations selected by us to carry out marketing campaigns on our behalf; and/or
  7. providers that help us store, collate and organise information effectively and securely, both electronically and in hard copy format, and for marketing purposes.

Please note that while some of these service providers process your personal data as data processors on our behalf, others act as data controllers and have separate obligations under data privacy laws.

Company Mergers and Takeovers

We may transfer your personal data to potential purchasers and their advisors, subject to appropriate confidentiality obligations, in the event we decide to dispose of all or part of our business. We may also transfer your personal data to entities which we acquire, subject to appropriate confidentiality obligations, in the event that we incorporate a new entity into DNOW.

Other Third Parties

We may also share your personal data with regulatory or supervisory authorities, government agencies, courts and law enforcement where necessary to comply with our legal obligations and/or to take appropriate steps to protect our website, business and/or reputation.

Transfers of personal data outside the UK/European Economic Area

We may transfer your personal data to recipients located outside of the UK and European Economic Area (“EEA”), including DNOW affiliates. If and when transferring your personal data outside the UK/EEA, we will only do so using one of the following safeguards:

  1. the transfer is to a non-UK/EEA country which has had an adequacy decision rendered for that country by the relevant supervisory authority (including the Secretary of State in the UK and the EU Commission for purposes of the EEA);
  2. the transfer is covered by a contractual agreement which covers applicable requirements under the UK GDPR/EU GDPR relating to transfers to countries outside the UK/EEA, including the EU Standard Contractual Clauses and the UK Data Transfer Agreement/UK Data Transfer Addendum to the EU Standard Contractual Clauses (as applicable); or
  3. in other cases where appropriate taking into account the circumstances, based on transfer derogations permitted under applicable legislation.

We may also transfer your data to third-party vendors outside the EU, such as our customer relationship management (CRM) systems providers. Where we do so, the Standard Contractual Clauses or other safeguards approved by the European Commission are in place to safeguard that personal data.

Please note that we may adjust the mechanism used to conduct international transfers of personal data, in order to comply with changes to applicable legal requirements and/or the lawful transfer instruments available.

For further information on how we transfer data internationally, including to request a copy of the contractual safeguards in place, please contact us at privacy@dnow.com.

Transfers of personal data outside the United Kingdom

If and when transferring your personal data outside the United Kingdom, we will only do so using one of the following safeguards:

  1. the transfer is to the to a country which has had an adequacy decision rendered for it by the UK ICO;
  2. the transfer is covered by a contractual agreement, which covers the UK GDPR requirements relating to transfers to countries outside the UK; or
  3. the transfer is to an organisation which has Binding Corporate Rules approved by the UK ICO.

International transfers within DNOW are governed by UK ICO-approved Standard Contractual Clauses
Controllers and, where relevant, for Processors.

We may also transfer your data to third-party vendors outside the UK, such as our customer relationship management (CRM) systems providers. Where we do so, the Standard Contractual Clauses or other safeguards approved by the European Commission are in place to safeguard that personal data.

You may request a copy of these agreements by contacting us at privacy@dnow.com.

Your Privacy Rights

The EU GDPR and the UK GDPR provide you with certain rights in relation to the processing of your personal data, including to:

  • Request access to personal data about you (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you, and to check that we are lawfully processing it.
  • Request rectification, correction, or updating to any of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request personal data provided by you to be transferred in machine-readable format ("data portability").
  • Request erasure of personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove personal data where you have exercised your right to object to processing (see below).
  • Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you (e.g. if you want us to establish its accuracy or the reason for processing it).
  • Object to the processing of your personal data in certain circumstances. This right may apply where the processing of your personal data is based on the legitimate interests of Company, as explained above, or where decisions about you are based solely on automated processing, including profiling.
  • Complain to the relevant supervisory authority in your jurisdiction. In the UK, the relevant supervisory authority is the Information Commissioner's Office. For the EU, the relevant supervisory authority will be the lead supervisory authority in the relevant EU Member State.

These rights are not absolute and are subject to various conditions under:

  • protection under pending or potential litigation and applicable preservation as allowed under law;
  • applicable data protection and privacy legislation; and
  • the laws and regulations to which we are subject.

Where processing of your personal data is based on consent, you may withdraw your consent at any time. However, please note that a revocation of consent will not affect the lawfulness of any processing that has already validly occurred based on that consent.

You may also refuse to provide information when requested. However, where you fail to provide certain personal data in circumstances where it is necessary to enabling us to comply with our contractual or legal obligations, then this could prevent us from being able to comply with those obligations, including limiting our ability to provide you with goods/services.

If at any time you decide that you do not want to be contacted for any purpose or if you would like to exercise any of your rights as set out above, you can contact us at privacy@dnow.com.

Retention Period

We will keep and Process your Personal Data only for as long as is necessary for the purposes for which it was collected in connection with your relationship with us, unless we have a legal right or obligation to retain the data for a longer period, or the data is necessary for the establishment, exercise or defence of legal claims.

Please note that in some cases we may anonymize personal data so that it can no longer be used to identify you. In such cases, the information retained will no longer constitute your personal data and may be retained for a longer period.

Annex 1 – List of DNOW's EU Affiliates

Company Name Country
NOW Netherlands B.V. Netherlands
NOW Norway AS Norway
MacLean International Group Limited United Kingdom

Please contact privacy@dnow.com for any data privacy issues or questions.