Privacy Policy

1. Purpose

This policy is designed to provide you with information about how we use the personal data and information that you provide to us during your use of the fonehouse.co.uk, metrofone.co.uk and/or fonehouseservices.co.uk websites or mobile apps (as applicable) (the “Sites”) when you purchase from us in any physical store and any communication (for example telephone) made between us relating to or resulting from such use.

It is important that you read this privacy policy together with any other terms & conditions, privacy policy or fair processing policy we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy policy supplements other notices and privacy policies and is not intended to override them.

This policy explains how we use your personal data. Where we rely on consent (for example for marketing or non-essential cookies), you may withdraw it at any time.

We may change our privacy policy from time to time. This policy was last updated on 25^th February 2026 and is version 2.0.

2. Who We Are

KTM Online Limited, and it’s group of companies including Fonehouse Services Limited, KTM Device Protection Service Limited, Go Mobile Limited and Go Mobile Retail Limited, (“KTM Online”, “we”, “us”, “our”) is a UK company providing network connectivity, mobile phones, SIM-only contracts, accessories, and related products and services to UK consumers.  We are part of the LURI Limited group of companies and some processing activities may involve other LURI Group companies acting as processors or joint controllers.

We trade under the names:

• Fonehouse
• Metrofone
• Fonehouse Services

Company details:
KTM Online Limited
Company Number: 10781202
Registered Address: 7 Treadaway Tech Centre Treadaway Hill, Loudwater, High Wycombe, Bucks, United Kingdom, HP10 9RS
Email: [email protected]

3. The Personal Data We Collect

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). Our services are not intended for children under 18 and we do not knowingly collect children’s data.

Depending on the products and services you subscribe, we may collect and process the following categories of personal data:

• Identity & Contact Data – your name (first name, last name), title, billing address, delivery address, telephone number, date of birth, email address and in some circumstances proof of identity.
• Call and Voice Data – recordings of telephone calls, metadate (such as date, time, and duration), and any information disclosed during recorded calls.
• CCTV and Image Data – images captured by CCTV systems operating in our retail stores and premises for security, crime prevention, and safety purposes.
• Financial Data - your debit or credit card information, information about your bank account number, sort code, and other banking information, and in some circumstances other information required to validate your identity. We do not store full payment card details and use PCI-DSS compliant payment processing providers.
• Profile Data - your account information, including your username and password (not visible to Us), your preferences and interests both when you tell us what they are or when we deduce them from what we know about you, your demographic information (which we may acquire from third parties).  We may process limited information where required for accessibility needs or where you provide it voluntarily.
• Transaction Data - such as how you purchased or signed up to our products and services, the products, and services you use, order history, refunds, contract details, and anything else relating your transaction with Us.
• Technical Data - includes internet protocol (IP) address, access times, any websites you linked from, pages you visit, the links you use, the ad banners and other content you view, your login data, browser type and version, information about your device, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.
• Usage Data – includes information about how you use our website, products, and services.

• Marketing and Communications Data - includes your preferences in receiving marketing from us, consent records, customer service interactions, information you provide to us when entering prize draws or competitions or participate in surveys or consumer panels.

KTM Online also collects, uses, and shares Aggregated Data such as statistical or demographic data for any purpose. Demographic data may be obtained from a third party and then added to the personal data we already hold about you to give us a better understanding of what products and offers may be of interest to you.

Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.

4. How We Collect Personal Data

We use different methods to collect data from and about you including through:

• Direct interactions - You may give us your Identity, Contact and Financial Data by filling in forms or by corresponding with us by post, phone, email, visiting store or otherwise. This includes personal data you provide when you:
• Place an order or purchase our products or services on a website or in store.
• create an account on our Sites.
• agree that marketing can be sent to you.
• enter a competition, promotion, or survey.
• interact with us on social media or contact customer support; or
• give us feedback or contact us.
• Automated technologies or interactions - As you interact with our website, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs, and other similar technologies. We do not use automated decision making or profiling tools to make decisions on the outcome of any interactions with us.

Please see our cookie policy, for further details.

• Third parties or publicly available sources - We will receive personal data about you from various third parties and public sources as set out below and we may append this data to data you provide to enrich your profile:
• Technical Data from the following parties:
• analytics providers,
• advertising networks; and
• search information providers.
• Contact, Financial and Transaction Data from providers of technical, payment and delivery services.
• Identity and Contact Data from publicly available sources such as CreditSafe.

We are not responsible for third-party privacy policies.

5. Lawful Basis for Processing

For KTM Online to be allowed to process your personal data, we must have a legal basis for the processing. The data protection legislation sets out what these bases are. We have described below the different bases that we process your personal data under.

• Performance of Contract - processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract. For example, when you buy a product or service on any of our Sites, it creates a contract between us. We need to process your personal data that you provide in the order to fulfil our part of the contract and deliver the products to you. If you do not provide your details, we will not be able to complete your order.
• Comply with a legal obligation - processing your personal data where it is necessary for compliance with a legal obligation to which we are subject. For example, if you buy a product which is an age restricted item (such as a mobile phone network contract) or if there is a product recall.
• Legitimate Interest - the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We have conducted a Legitimate Interests Assessment to ensure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us. If you do not want us to process any of the personal data we have listed as being processed for legitimate interests, you have the right to object. For more information see the section below entitled Your Rights. Please note that if you object, we may continue to process your personal data in certain circumstances. Please also remember that if we cannot process your personal data for these purposes your customer experience may not be as enjoyable.
• Consent - processing your personal data where you have explicitly told us that you will allow us to do so. In some cases, we will ask whether you would like us to process your personal data. For example, when an item is out of stock and you provide your telephone number for us to call to discuss available alternatives or notify you when the out-of-stock item becomes available. If you provide us with consent, you may withdraw it at any time by contacting us.

6. Using Your Personal Data

We will only use your personal data when the law allows us to. We only collect, keep, use, or share your information for genuine business purposes in our legitimate interests, when you have approved us to do so or when we are legally obliged to. Most commonly, we will use your personal data in the following circumstances:

• Where we need to perform the contract, we are about to enter into or have entered into with you (for example when you buy a mobile phone or mobile phone network contract).
• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
• Where we need to comply with a legal obligation.
• In limited circumstances, we may request your consent to process your personal data.

We use your personal data for the following purposes:

• to verify your identity and make credit decisions about you, which may include carrying out a network credit check on you, should you take out a network agreement with us.
• to confirm that your orders have been received and to process them, to validate you as a registered customer when using our services and calling our customer services.
• for providing the relevant products and services to you, for administration of your account with us and customer services.
• to send you certain communications (including by email and SMS) such as service announcements and administrative messages and other communications relating to our services. Please note that you will not be able to opt out of receiving these essential service communications.
• we operate CCTV systems in our physical stores and premises for the purposes of crime prevention, staff and customer safety, and protection of property. CCTV footage is monitored and may be disclosed to law enforcement where required.
• for our internal purposes such as management, research, analytics, corporate reporting, and to improve business efficiencies.
• we may monitor and record telephone calls for training, quality assurance, fraud prevention, dispute resolution, and regulatory compliance purposes. Call recordings may be retained for a defined period in line with our retention schedule.
• to trace nuisance or malicious calls.
• to help the emergency services.
• to prevent and detect criminal activity, fraud, and misuse of or damage to our services, and to prosecute those responsible, to trace and recover debts, to defend our rights or property and to protect the rights and interests of our customers and users.
• to comply with applicable laws, regulations, court orders, government, and law enforcement agencies' requests, to operate our systems properly and to protect ourselves, our users, and customers and to solve any customer disputes.
• to market and advertise our products and services that may be of interest to you including third party offers, promotions, advertisements, competitions, or commercial communications by telephone (mobile and landline when available), post, electronic messaging (including SMS and MMS), email or online or via applications. You may be contacted by our wider LURI Group companies for these purposes. We will only share your details with other LURI Group companies for their own marketing purposes where you have consented or where permitted under applicable law.
• to provide you with personalised services and communications as well as targeted advertising from our website and selected other partner websites. This may involve the use of cookies and other similar technologies. Please see our Cookies policy for further information.
• to enable third parties to tailor adverts which are more relevant and useful to you when you are browsing the internet or are using mobile applications. This may involve the use of cookies and other similar technologies. Please see our Cookies policy for further information.
• In some circumstances we may use your personal information along with information from credit reference agencies or fraud prevention agencies to help us manage our credit risk and prevent fraud and money laundering. We may also use these organisations to confirm your identity to process your order. This may cause a ‘footprint’ on your credit file. We do this because it is in ours, our partners,’ and our customers’ legitimate interest to prevent fraud and money laundering, to check identities, and protect our business to work within the laws that are given to us. Please visit https://www.transunion.co.uk/legal-information/bureau-privacy-notice for more information.

We and selected third-party partners use cookies and similar technologies to show you relevant advertising based on your browsing behaviour. You can manage your preferences at any time through our Cookie Settings or by visiting www.youronlinechoices.com/uk. Opting out will not remove adverts, but they will no longer be tailored to your interests.

7. Marketing Communications

We would love to keep you informed about our latest products, services, offers, and promotions that we think may be of interest to you. We are constantly updating our range and negotiating exclusive deals, and we believe keeping you in the loop helps you get the most value from your relationship with us.

We may contact you by email, SMS, post, or telephone with marketing communications, but we will only do so where we have your permission to do so, or where we have a legitimate reason to believe our communications are relevant to you as an existing customer.

We respect that your inbox and your time are valuable. We aim to make our marketing communications relevant, timely, and genuinely useful — not intrusive. You are always in control of what you hear from us and how, and you can update your preferences or opt out at any time.

Where we work with trusted third-party partners to deliver offers or promotions, we will always ensure those partners meet our standards for data protection and that any sharing of your information is done lawfully and transparently, as set out in this policy.

We will never sell your personal data to third parties for their own marketing purposes.

We may send marketing communications where:

• You have explicitly opted in; or
• We have a legitimate interest, and you have not opted out (soft opt-in)

You can opt out of receiving email and, text messages from us at any time by:

• Clicking “unsubscribe” in emails.
• Updating your account preferences
• Contacting us directly

Marketing Unsubscribe

Another method of opting out of telephone calls or postal marketing is to contact us. To do this you can email us at [email protected] or call our contact centre, you will find our contact details on our website.

If you opt out of any marketing, it may take a couple of days for all our systems to update, so bear with us whilst we process your request.

Service Communications (Non-Marketing)

Certain communications we send are necessary to provide you with our services and are not marketing in nature. These may include:

• contract end and renewal notifications.
• upgrade eligibility notifications.
• tariff or pricing change notices.
• service-related reminders.
• order confirmations and account updates.
• regulatory or compliance notices

These communications are sent to you as part of performing our contract with you or to comply with legal obligations. You cannot opt out of receiving these essential service communications.

Where upgrade communications include promotional content or special offers, these will be treated as marketing communications and will only be sent where permitted under applicable law.

8. Cookies and Tracking Technologies

Our websites use cookies and similar technologies. You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly.

For more information about cookies on our Sites, see our Cookie Policy.

9. Sharing Your Personal Data

We may share your personal information with:

• other internal third parties within the wider LURI Group of companies or our Franchisees, and external third parties, such as mobile networks or HM Revenue & Customs, where you have given your consent to the disclosure (either to us or the third party).
• our service providers including for the provision, distribution, delivery and marketing of our products and services, for advertising and payment services purposes.

These service providers must follow our express instructions in respect of the use of your personal information, and they must comply with appropriate security measures to protect your personal information.

• Identity checking reference agencies and fraud prevention agencies.
• debt collection or debt tracing agencies.
• insurance providers if you have purchased an insurance policy through us.
• law enforcement agencies, regulators, courts and public authorities, and emergency services.
• our prospective or actual purchasers, sellers or partners and their advisers if we decide to sell, buy, merge or otherwise re-organise our business.

We do not sell your personal data.

10. International Transfers

Some of the third parties we work with — such as technology providers, payment processors, and analytics services — may process your personal data outside the United Kingdom.

Where this happens, we take steps to ensure your data receives the same level of protection it would have in the UK. We do this by only transferring data to countries that the UK Government has confirmed provide an adequate level of protection, or by putting in place appropriate safeguards such as the International Data Transfer Agreement (IDTA) or the Addendum to the EU Standard Contractual Clauses, both approved by the UK Information Commissioner's Office.

If you would like more information about the specific safeguards in place for any international transfer, you can contact us at [email protected].

11. Data Retention

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

As a guide, here is how long we typically keep different types of information:

Your account and purchase history is kept for up to 6 years after your last transaction with us. This allows us to manage any queries, warranty claims, or disputes that may arise, and to meet our legal obligations under tax and consumer protection law.

Customer service records, including call recordings and correspondence, are kept for up to 3 years.

Marketing preferences and consent records are kept for as long as you remain opted in, plus a reasonable period afterwards. If you opt out of marketing, we keep a record of that suppression indefinitely to make sure we do not contact you again.

Insurance-related records, where you have purchased an insurance product through us, are kept for up to 7 years in line with Financial Conduct Authority requirements.

CCTV footage from our stores is retained for 31 days in the ordinary course of business, and up to 90 days where an incident has occurred.

In some circumstances we may need to keep your data for longer than the periods above — for example if there is an ongoing legal dispute or a regulatory investigation. In those cases, we will retain only what is necessary and for only as long as required.

If you would like to know more details about how long we keep a specific type of data, or to request deletion of your data, please contact us at [email protected].

In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

12. Data Security

We maintain the highest standards of data privacy and security to protect your personal details and other information about your account because we want you to feel completely confident about using our services. We regularly review our processes and procedures to protect your personal information from unauthorised access and use, accidental loss, and/or destruction.

We may monitor or record any conversations between you and our staff for authentication, security, quality, and training purposes.

Sometimes we use other organisations to process your personal information on our behalf. We do not allow them to use this information for their own commercial purposes, and they must follow our strict instructions and comply with appropriate security measures. We assess the security measures in these organisations when we bring them on board, and we continue to monitor their compliance while they process your personal information.

We store all your account details and other such information on secure servers, adhering to all relevant UK legislation. We use encrypted transmission links whenever we can.

We are constantly monitoring and testing our IT systems and using the latest technology to identify potential vulnerabilities and attacks to provide a safe and secure shopping environment.

We maintain physical, electronic, and procedural safeguards in connection with the collection, storage, and disclosure of personal customer information. Our security procedures mean that we may occasionally request proof of identity before we disclose personal information to you.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do.

Secure Payment Processing

We take payment security seriously. All payment transactions are processed using secure systems and encrypted connections. Where card payments are processed, we use PCI-DSS compliant payment processing providers. We do not store full payment card numbers on our systems.

Payment data is transmitted using secure encryption protocols and is handled in accordance with industry security standards.

Access Controls

Access to personal data is restricted to authorised employees, contractors and service providers who require access for legitimate business purposes. Access is role-based and subject to authentication controls. We regularly review access permissions and remove access when no longer required.

Staff Training and Awareness

All relevant staff receive data protection and information security training appropriate to their role. We maintain internal policies and procedures to ensure personal data is handled securely and lawfully.

Additional training may be provided to teams handling payment processing, fraud prevention, or customer data.

Incident Response

We maintain internal procedures to identify, assess, and respond to suspected personal data breaches. Where required under data protection law, we will notify affected individuals and the Information Commissioner’s Office (ICO) without undue delay.

Security Vulnerability Reporting

If you believe you have identified a security vulnerability in our website or systems, please contact us at [email protected]. We will investigate reports responsibly and in good faith.

13. Your Rights

Under certain circumstances, you have rights under data protection laws in relation to your personal data.

You have the right to:

Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

Object to the processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:

• If you want us to establish the data's accuracy.
• Where our use of the data is unlawful, but you do not want us to erase it.
• Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
• You have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it.

Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

If you wish to exercise any of the rights set out above, please contact us at [email protected].

No fee usually required

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

14. Contact Us

Contact details

We are always looking for new ways to improve your shopping experience with us, that is why we love hearing from you. If you have any questions about how we use your personal data or if you would like to amend or stop us from processing your data (for marketing purposes), please contact us.

You can get in touch by giving our friendly contact centre a call on 0333 900 1133 for any purchases from KTM or in any physical store or email: [email protected]. Opening hours of our contact centre are Mon - Thurs: 09:00-18:00, Friday: 10:00-18:00, Saturday: 09:00-17:00 (Live Chat):  Sunday: Closed. Alternatively, you can write to us at our operating office address – KTM Online Limited, Unit 5 E-Centre, Easthampstead Road, Bracknell, RG12 1NF.

If you have any questions about this privacy policy or our privacy practices, we have appointed a Data Protection Lead (DPL). You may contact the DPL by writing to us at the registered office address set out above or by emailing [email protected].

Complaints

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). KTM Online Ltd is the controller of your personal data and is registered as a data controller with the Information Commissioner's Office (registration number ZA299181). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

If you fail to provide personal data

Where We need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us, but we will notify you if this is the case at the time.