Privacy Policy

This privacy policy of stichd sportmerchandising B.V. provides you with information about what happens to any personal data that you provide to us, or any personal data that we may collect about you when you visit the Manchester City Official Online Store (the “website”) and / or when you purchase items on the website, why we collect this and what your rights are when we process your personal data. Should you have any questions or if you need any more information, please contact us via privacy@stichd.com.  

This privacy policy was updated on the 6th of July 2021.  

1. SCOPE, DATA CONTROLLER AND DEFINITIONS

1.1. Scope of this privacy policy

This privacy policy applies only to personal data processed by or on behalf of stichd sportmerchandising B.V (hereinafter referred to as “stichd” or “we” or “us”). We share some of your information with Manchester City Football Club Limited (hereinafter referred to as “Manchester City”), who in that case shall be the controller of the personal data we share with Manchester City (see also article 2.3 hereunder). Manchester City’s privacy policy sets out the ways in which they process your personal data and your rights in relation to that processing.

1.2.The controller of your personal data

Unless otherwise indicated in this privacy policy, stichd is the controller for the processing of your personal data when visiting and / or purchasing items on the website. Please find our contact details below.

stichd sportmerchandising B.V.

  • De Waterman 2
  • 5215 MX ’s-Hertogenbosch
  • The Netherlands
  • Tel: +44 20 3608 4403
  • E-mail: shop@mancity.com

Please note that in order to exercise your rights regarding data processing you can contact us via privacy@stichd.com.


1.3. Definitions

This privacy policy is based on the following terms from the EU General Data Protection Regulation, which we have defined for ease of understanding.  

  • GDPR refers to the Regulation (EU) 2016/679 of the European Parliament and of the European Council dated 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) and to the UK GDPR.
  • UK GDPR: GDPR as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or a part of the United Kingdom from time to time).
  • The recipient is a natural or legal person, public authority, agency or any other body to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the context of a particular enquiry, in accordance with Union or Member State law, shall not be regarded as recipients; the processing of such data by public authorities shall comply with the applicable rules on data protection and the purposes of the processing; Examples of possible recipients: banks/payment service providers, logistics and shipping service providers and IT service providers; for more information see Article 4).
  • Personal data refers to any information relating to an identified or identifiable natural person ("data subject's personal data"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Examples of personal data: name, contact details, bank or credit card details.
  • The data controller is the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union law or Member State law, the controller or the specific criteria for its nomination may be determined by Union law or Member State law. For the data processing activities described in this privacy policy, stichd is the data controller unless otherwise specified (see Article 1.2.).  
  • Processing refers to any operation or set of operations which is performed on personal data or on a set of personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
  • The processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller

2. PURPOSES, LEGAL GROUNDS AND RETENTION PERIODS FOR OUR PROCESSING OF YOUR PERSONAL DATA

We may only process personal data for a reason specified in the GDPR and only as long as and to the extent that it is necessary for purposes specified in this section of the privacy policy or based on legal requirements. In the following, we indicate per processing purpose on which legal basis we process, for which purposes and for how long we (must) store your personal data.

2.1. Processing of your data when you visit the website

If you visit the website, we process your personal data to learn more about our products and services (regardless of when registered with a customer account), in order to fulfil your order placed with us in the web shop, when you are actively transferring information to us (for information purposes only), when you contact us via our means of communication or otherwise interact with us. We also receive information from Manchester City. In the light of the above, we process your personal data for the following purposes and on the following legal bases:

2.1.1. Provision of website and IT security

We process your personal data that is technically necessary to enable us to make the website available and to ensure stability and security when you visit them. This includes the following personal data:

  • IP address
  • Type and version of the browser
  • Operating system and platform
  • The full Uniform Resource Locator (URL)

For security purposes, this personal data is stored in server log files, which are automatically deleted after 30 days. This data processing is technically necessary to enable you to use the website (legal basis: Article 6(1)(b) GDPR) and for our legitimate interest in ensuring IT security (legal basis: Article 6(1)(f) GDPR). 

2.1.2. Provision of localised website

We also process your personal data that is technically necessary to enable us to provide you with a localised version of the website, in particular with regard to language. This data processing is necessary for our legitimate interest in adapting the website to your needs (legal basis: Article 6(1)(f) GDPR). For security purposes, this personal data is stored in server log files, which are automatically deleted after 30 days.

2.1.3. Website analysis

In order to continuously optimise our service, we use Google Analytics which statistically evaluates the website. Google Analytics a website analysis service of Google Inc. ("Google"). Google Analytics uses analytical cookies (that enable an analysis of the use of the website. The information generated by the cookie when using the website is usually transferred to a Google server in the USA, where it is stored. However, as we use Google Analytics with the addition "anonymizeIP", Google will in advance limit the IP address of the website visitor within the member states of the European Union (EU) or in other states that are part of the Agreement on the European Economic Area (EEA), thus excluding any direct association with you. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and truncated there. On behalf of stichd, Google will use this information to evaluate the use of the website, to compile reports on website activity, to analyse the results, to improve the adaptation of our digital ads and to provide further services to stichd in connection with the use of the website and the internet. The IP address transmitted from the user's browser in connection with Google Analytics will not be merged by Google with any other data. More information on Google's terms of use and data protection can be found at:

This data processing is necessary for our legitimate interest to carry out analyses to improve the website and products, and to advertise our products on the internet in an appropriate and effective manner (legal basis: Article 6(1)(f) GDPR). This data will be kept for a maximum of 26 months, or shorter in case the Analytics Data Retention setting is set to anything shorter than 26 months, or until a decision to unsubscribe is made as described below.

Unsubscribe from Google Analytics:

You can generally prevent your personal data (including your IP address) from being processed by Google Analytics by downloading and installing the browser add-on available at the following link:

You can also prevent Google Analytics from collecting your usage data on the website by clicking on the following link:

In this case, a permanent opt-out cookie (name: "ga-disable-UA-[...]") is set in the browser you are currently using, which prevents your data from being recorded when you visit the website with this specific browser in the future. If you use a different browser, Google Analytics is in principle enabled, unless the opt-out cookie is also set in this browser. Please note that Google Analytics will be re-enabled if you delete the above opt-out cookie from your browser.

2.1.4. Individual recommendations on the website

When you visit the web pages on our website, we use Google AdWords to process data on your user behaviour, such as products viewed and contents of your shopping cart, in order to show you individual recommendations on the website based on this data. For further information on data processing by Google AdWords, please consult the Google privacy policy under the following link:

This data processing is necessary for our legitimate interest in creating a better user experience by providing customised recommendations (legal basis: Article 6(1)(f) GDPR). This data will be kept for a maximum of 26 months or until a decision to unsubscribe is made as described below. Unsubscribe from individual recommendations: You can object to this data processing by clicking on the following unsubscribe link:


2.1.5. Links to third party websites

The website can contain links to third party websites. When you click on one of those links, you will visit another website or internet resource. stichd has no responsibility or liability whatsoever for, or control over, those websites or internet resources and their personal data collection, use and disclosure. We advise you to carefully read the privacy policy and terms of use of each such website.


2.1.6. Display of advertisements/retargeting on third party websites

When you visit the website, tags and cookies are set by our retargeting service provider(s) to track which products you have viewed or purchased on the website. Using this information, we can then show you individual offers of Manchester City products on third party website through our retargeting service provider(s) and analyse the results to further improve our advertising. For more information on the data processing by our retargeting service provider(s) for retargeting purposes, please consult the relevant privacy policy below and unsubscribe via the following links:

This data processing is necessary for our legitimate interest to advertise our products on the internet in an appropriate and efficient manner (legal basis: Article 6(1)(f) GDPR). This data will be kept for a maximum of 24 months or until a decision to unsubscribe is made as described below.

Unsubscribe from retargeting: You can object to this data processing by clicking on the following link(s) for unsubscribing from the respective service provider(s) for retargeting:

2.1.7. Use of cookies

We use cookies on the website, as more fully described in our cookie settings . Cookies are small text files that are stored in the browsers of your end devices when you visit the website. Cookies allow your actions and settings on the website to be tracked, saved and recognised for the duration of the browser session or even beyond. In addition, cookies and their respective cookie identifiers ensure that your browser is recognised. After leaving the website, you can, for example, restore the contents of your shopping basket or see the last viewed products. For more information on the use of cookies on the website, the cookie categories and for individual settings, please see our cookie settings. 

2.1.8. Customer service

Depending on the subject of your request, we rely on your personal data stored in our systems in the context of other data processing activities (e.g., data that you have provided during a purchase or when addressing our customer service (including live chat) for any reason). We will also collect data from external sources if and to the extent necessary to fulfil your request, such as logistics service providers for the tracking of your shipment or a shipment request. Within the scope of the requests regarding a (pre-)contractual relationship with you, this data processing is necessary for the performance of a contract (provision of customer service) with you (legal basis: Article 6(1)(b) GDPR). If you want to exercise your rights against us, the corresponding data processing is necessary in order to comply with a legal obligation (legal basis: Art. 6(1)(c) GDPR). If you wish to receive information or make a complaint about our products and services, the respective data processing is necessary for our legitimate interest in responding to your information request/complaint (legal basis: Article 6(1)(f) GDPR). 

2.1.9 Product ratings and reviews

We offer you the opportunity to rate any (purchased) products on the website where we work with Trustpilot as a third-party processor. Your feedback helps other customers to make the right purchase decision and enables us to continuously improve our products. If you would like to submit a review for one of our products, you will receive an invitation from Trustpilot and the following data will be processed: your email address, the name under which the review will be submitted and also the content of your review (e.g., the product being reviewed, the star rating, title and text of the review, recommendation). Your e-mail address is processed to verify and establish your identity. If you have given your consent to Trustpilot before submitting your review, you agree to Trustpilot's terms and conditions and an account will be created. In this case, Trustpilot is the data controller for the personal data you provide. Trustpilot will use your personal data in accordance with their privacy policy and you can contact them directly with any questions. As your (star) rating and the content of your rating may be published with your consent alongside your given name, please ensure that you do not include any personal information that you do not wish to be made public. This data processing in providing this opportunity for feedback is necessary for our legitimate interest in providing customer service and recommendation marketing (Article 6(1)(f) GDPR). These data will be kept until the consent is withdrawn.

2.2. Data processing in the case of orders in the online shop

In addition, we process your personal data in connection with the purchase of items in our online shop.

2.2.1. Purchase and payment of goods in the online shop

We process your personal data (such as contact details, shipping and payment information) when you purchase items from the online shop at the website. If you purchase items for another person (a third party), we will process the third party's personal data (name and contact details) for the purpose of shipping the items to that third party you indicated. Make sure you are authorised to provide such personal data. This data processing is necessary for the performance of a contract with you (legal basis: Article 6(1)(b) GDPR). According to the law, we must retain the data related to contractual relationships for 7 years.

2.2.2. Emails about an abandoned shopping cart

If you have placed items in your basket but not completed the order process, we may send you a single abandoned cart e-mail to the e-mail address stored in your customer account. This data processing is necessary for our legitimate interest to remind you of any purchasing processes you have not yet completed (legal basis: Article 6(1)(f) GDPR). You can object to this type of processing and unsubscribe from our abandoned cart e-mailing at any time by clicking on the unsubscribe link that is placed at the bottom of the abandoned cart e-mailing 

2.2.3. Fraud and credit check

We check, based on your device and predefined rules, whether the order should be categorised as suspicious with regard to fraud. If fraud is suspected, we will additionally carry out an individual check of the order. The result of this manual fraud check may be positive, which would lead to the order being approved. However, if the suspicion of fraud persists, we may decide to cancel the order, depending on the specific case. This data processing is necessary for our legitimate interest in preventing and minimizing the risk of payment defaults, false details being used and fraud (legal basis: Article 6(1)(f) GDPR). This data will be kept for the period that is required under Dutch law for 7 years compliance with the applicable legislation and Scheme Rules compliance purposes (fraud prevention and fraud investigation).  

2.2.4. Cancellation of purchase

In all cases of cancellation of the purchase (e.g., withdrawal from the contract), we will process your personal data for the return of the items and the refund of the purchase price. This data processing is necessary for the performance of a contract with you (legal basis: Article 6(1)(b) GDPR) and/or to comply with a legal obligation (legal basis: Article 6(1)(c) GDPR). According to the Dutch law, we must retain the data related to contractual relationships for 7 years.

2.3. Share information with Manchester City

We will share certain personal data of you with Manchester City which is necessary for our legitimate interest (Article 6(1)(f) GDPR). This means that although we control the website and sell the items that you purchase directly to you (including managing all aspects of fulfilment), we are doing this as part of a contractual relationship between us and Manchester City. As a part of that relationship, we share details of customers and website visitors of Manchester City products. Manchester city acts as a controller for the personal data shared by us with them. Manchester City will use your personal data in accordance with their privacy policy and you can contact them directly with any questions by emailing the relevant contact set out in there. The following personal data types are shared: contact information (e.g., name, E-mail address and telephone number), preference information that we observed based on your website visits (see also our Cookie settings), transaction information (e.g., purchase details, payment details and delivery details) and voluntary information (e.g., date of birth, gender, favourite football player).

2.4. Other processing

2.4.1. Performing internal audits

Your personal data may be processed in the context of audits conducted in relation to the organisation of stichd or Manchester City. During this process, depending on the case, we also rely on data from other sources (e.g., credit bureaus). Your data may also be processed appropriately under certain circumstances in order to identify and correct misconduct within the company and to implement compliance programs and measures. This data processing is necessary in order to comply with our legal obligations (legal basis: Article 6(1)(c) GDPR) and/or for our legitimate interest for us to operate efficiently, deal with any issues which may arise and to protect ourselves against misconduct and fraud cases, to protect ourselves and others against fraudulent transactions, and to enforce and/or defend our rights and to find out about possible criminal offences (legal basis: Article 6(1)(f) GDPR).  

2.4.2. Performing analyses

Based on your data, which we process in accordance with the meaning of Article 2 of this privacy policy, we can perform analyses. These serve as a basis for our business decisions, to improve our products and services, to adapt to the needs of our customers and to carry out marketing activities. The analyses made on this basis are no longer personal, so it is no longer possible to trace them back to you. This data processing is necessary for our legitimate interest to improve our products and services and to conduct marketing activities (legal basis: Article 6(1)(f) GDPR). This data will be kept for a maximum of 24 months, or until you, where consented, withdraw your consent.

2.5 Protecting Your Data

We secure our website and other systems against loss, destruction, unauthorized access, modification or distribution of your data by unauthorized persons by implementing the appropriate technical and organizational measures. Furthermore, your personal data is transmitted to us in encrypted format. This applies to your order and when you log in as a customer. We use the SSL (Secure Socket Layer) coding system.


3. RETENTION AND DELETION OF YOUR PERSONAL DATA

We will only store your personal data for as long and as far as is necessary for the purposes mentioned in this privacy policy or as long and as far as we have a legal requirement to do so. By law, different retention periods apply to different types of records and data, whereas legal storage periods can be up to 10 years in some cases. The longest we will normally hold any personal data is up to 7 years from the date of your last transaction, for taxation, accounting and business purposes. This can be longer if we are required to keep personal data longer because of the applicable law or when necessary for our legitimate business interest, including legal investigations or disputes. If we need to keep any personal data longer for our legitimate business interest and protecting our legal rights, we will keep the necessary information for this purpose until the relevant claim(s) have been settled. 

4. TRANSFER OF PERSONAL DATA AND CATEGORIES OF RECIPIENTS

Your personal data can be transferred/disclosed to the following categories of recipients:

1. Manchester City, for the provision of the operating services by stichd of the website and the items sold on it. 

2. IT service providers, marketing services providers and other service providers who, among other things, prepare the platforms, databases and tools for our products and services (e.g., the website, sell items, sending informative e-mails), analyse user habits on the website, and process your personal data on our behalf during the purchase process.

3. Data analytics providers. In connection with the use of Google Analytics and Google AdWords, including tags and cookies, your personal data may be transferred to the USA. Google LLC is subject to the EU-U.S. Privacy Shield. This means that appropriate protection of your personal data is guaranteed. 

4. In order to provide you with a localised version of the website, we transfer your personal data to a third-party service provider in the USA. The external service provider is subject to the EU-U.S. Privacy Shield. This means that appropriate protection of your personal data is guaranteed. 

5. For the delivery of your purchased items on the website (including notifications about the delivery status of orders), we transfer your personal data to our contracted providers for handling and shipping (e.g., DHL, UPS, TNT etc.). The transfer of your personal data is based on the performance of a contract with you (legal basis: Article 6(1)(b) GDPR).

6. In addition, we transfer your personal data if we are legally obliged to do so (for example, to the authorities in the context of a criminal investigation or to the appropriate data protection supervisory authorities. This transfer of personal data is necessary in order to comply with a legal obligation (legal basis: Article 6(1)(c) GDPR) or where we reasonably conclude that its necessary for defending, exercising or establishing our legal rights for our legitimate interest (legal basis: Article 6(1)(f) GDRP).

5. RIGHT TO OBJECT TO DATA PROCESSING ON THE BASIS OF LEGITIMATE INTERESTS

We process your personal data within the meaning of Article 2, based on our legitimate interest to ensure IT security on the website, to adapt the website to your needs, to perform analyses, to inform you about our product reviews, to remind you about purchases that have not yet been completed, to prevent fraud and abuse, to prevent non-payment, to take care of our customers, to secure, strengthen and improve our legitimate interest (including in court if necessary) and to carry out our international management and cooperation. Please contact privacy@stichd.com for information on the balancing of interests by stichd. Notwithstanding the specific possibilities to object to the processing of data described in Article 2 (e.g. the links to unsubscribe), you have the right to object at any time to the processing of your personal data on the basis of our legitimate interests in accordance with Article 6(1)(f) GDPR for reasons relating to your particular situation by sending an e-mail to privacy@stichd.com. We will then no longer process your data for these purposes, unless our legitimate interests for processing outweigh them or the processing is for the establishment, exercise, or substantiation of legal claims. If you object to the processing of your data, we will process the personal data collected in this context in order to respond to your request. This data processing is necessary in order to fulfil a legal obligation (legal basis: Article 6(1)(c) GDPR).

 6. RIGHT TO WITHDRAW CONSENT

If you have given us permission to process your personal data, you can withdraw this permission at any time. The withdrawal of your consent is effective for the future and does not affect the lawfulness of processing based on consent before the withdrawal. Unless specifically provided for in Article 2, please send your withdrawal of consent to privacy@stichd.com.

If you withdraw your consent, we will process your personal data collected in this context in order to respond to your request. This data processing is necessary in order to fulfil a legal obligation (legal basis: Article 6(1)(c) GDPR). 

7. YOUR OTHER DATA PROTECTION RIGHTS

In accordance with the GDPR, you have the following rights to exercise and to request from us that we:

  • Provide you with information on your personal data that we process (Article 15 GDPR)
  • Rectify your personal data stored on our systems (Article 16 GDPR)
  • Delete your data (Article 17 GDPR)
  • Restrict your data (Article 18 GDPR)
  • Export your data (Article 20 GDPR)

You may exercise any of the rights outlined above by emailing us at privacy@stichd.com or in writing to stichd sportmerchandising B.V., de Waterman 2, 5215 MX 's-Hertogenbosch, the Netherlands. If you exercise these rights against us, we will process your personal data to respond to your request. This data processing is necessary in order to fulfil a legal obligation (legal basis: Article 6(1)(c) under GDPR). 

Regardless of your rights mentioned above, you may lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data us is in breach of the GDPR (Article 77 GDPR).

 8. CHANGES TO THIS PRIVACY POLICY

The provisions of this privacy policy, including the information on cookies referred to apply to the version in force at the time the website is used. We reserve the right to supplement and amend the content of this privacy policy. The updated privacy policy shall apply from the time it is published on the website. In the event of substantial or material changes to the privacy policy, in particular changes that affect the processing of your personal data already collected by us, we will inform you in advance (e.g., by e-mail or via the website).