Why are Screwfix injecting covert tracking in emails?

So back in March 2025, I “Clicked and Collected” some spotlights for my Aunt’s kitchen. Went into the store, and the order was ready for me, happy days!!

A few days later, while the spotlights were being installed, it was discovered one of the boxes had been opened. The light fitting I’d ordered had been removed and replaced with a manky old fitting someone had obviously taken down from somewhere else.

I contacted Screwfix via their telephone line and they wanted me to go back to the store to get it replaced, something I was unable and unwilling to do, as it would be an hour drive just to replace something that shouldn’t have happened. The Customer Service representative then suggested that I be shipped the replacement item instead, which I agreed to.

For some reason, this process of them sending a replacement item generated three separate emails from Screwfix: a refund invoice, a confirmation of order and “Your order has been shipped”. Eager to know when the item would arrive, I tried to open the email “Your order has been shipped”, and when I tapped it in my email app, I was shown a warning saying dangerous content/phishing attempt and not to open it.

I later opened the email in plain text mode/safe mode on my computer and was able to track the item via Parcel Farce. I reported the fact my email app was blocking Screwfix emails via a complaint I’d opened with Screwfix, as I was rather annoyed about Screwfix selling me a returned item which has not been checked!

Screwfix Customer Service fobbed me off, trying to convince me that it was the ParcelForce tracking link that was causing my email app to display the dangerous content warning. I then launched an investigation into why the email app might be blocking access to that email and found the following:

All of these techniques are designed to track when a particular email has been opened: the time and date, the IP address of the device the email was opened on, and system details such as operating system, browser, screen size, software and versions, which can be used to “fingerprint” users. The code on all the hyperlinks also collects this information, along with where the user ended up (be it the Screwfix website, Parcel Force, Instagram, YouTube etc.).
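An added example, not part of the original post: a small audit that lists the open-tracking and click-tracking elements in an email's HTML part. It assumes the usual mechanisms (a tiny or hidden remote image fetched when the HTML renders, and links rewritten through a logging redirect), which the post does not itemise; the message and every host name in it are constructed.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample message; every host name here is a placeholder.
SAMPLE = """\
From: orders@shop.example
Subject: Your order has been shipped
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Your parcel is on its way.</p>
<a href="https://click.tracker.example/L0/https:%2F%2Fcarrier.example%2Ftrack/1/abc">Track</a>
<a href="https://www.shop.example/help">Help</a>
<img src="https://www.shop.example/logo.png" width="200" height="60">
<img src="https://open.tracker.example/o/abc123.gif" width="1" height="1" style="display:none">
</body></html>
"""

class TrackerAudit(HTMLParser):
    """Collects (kind, url) findings while parsing an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img" and a.get("src", "").lower().startswith("http"):
            # Remote image that is 0/1 px or hidden: fetched on open, never seen.
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
            if tiny or hidden:
                self.findings.append(("open-beacon", a["src"]))
        elif tag == "a":
            # A second URL embedded in the href means the click goes via a logger.
            if unquote(a.get("href", "")).lower().find("http", 1) > 0:
                self.findings.append(("click-redirect", a["href"]))

def audit_email(raw):
    """Return tracking findings for the HTML part of a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []  # no HTML part to inspect
    parser = TrackerAudit()
    parser.feed(body.get_content())
    return parser.findings

def remote_hosts(findings):
    """Distinct hosts that would learn about the open or the click."""
    return sorted({urlsplit(url).hostname for _, url in findings})
```

Reading the message in plain-text mode, or with remote images blocked, stops the image fetch that signals an open; the rewritten links still pass through the redirect host when followed.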

As I made a Click and Collect order on the Screwfix website, I was shocked and stunned when a family member, whilst shopping for summer clothes, started to get adverts for spotlights on her Amazon account. She was not involved in picking or ordering the lights! That was discussed on WhatsApp and the Click and Collect order placed on the Screwfix website. This has really freaked me out. Why are Screwfix allowing Amazon Web Services to inject tracking code into emails they are sending to customers? What are Amazon doing with my personal data? I have never and will never consent to Screwfix passing my personal data to Amazon, indirectly (by using Amazon Services and them scraping the contents of emails sent to me) or directly (selling my data to them)!

For four months I have been engaged in back and forth emails with Screwfix Customer Service, the Data Protection Team and the named DPO person on the ICO database and have got absolutely nowhere. I have asked for a Subject Access Request, but there is NO mention of data they are passing on to Amazon. I wrote to the CEO of Screwfix directly, but that email was intercepted by a person who claims to be the head of Customer Service, the same person who has fobbed me off, knowingly told me lies (or is so incompetent at their job they just can’t be bothered asking someone else) and refused to handle my concerns internally, making me have to contact the ICO and open a case with them, wasting hours of my time trying to get factual answers from this person.

So the reason I am writing this? If you are a Screwfix customer and have noticed Amazon displaying adverts/items for sale based on your purchases via Screwfix, please get in touch.

Scanning through my emails, Screwfix seems to have introduced this covert tracking technology between August and October 2023. The emails I received were copies of purchases I made in store, so I already had a physical invoice and never bothered opening them. Until the one on 2nd April 2025 when I was trying to get my ParcelFarce tracking information.
