Privacy Policy
Last updated: May 2025
Who We Are
BWC Merchants (“we”, “us”, “our”) operates the website bwcmerchants.co.uk. We are the data controller responsible for your personal data. You can contact us at info@bwcmerchants.co.uk.
This policy explains how we collect, use, store, and share your personal data, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
What Data We Collect
We may collect and process the following categories of personal data:
- Identity data: name, username or similar identifier.
- Contact data: billing address, delivery address, email address, and telephone number.
- Transaction data: details about payments to and from you, and other details of products you have purchased from us.
- Technical data: internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform.
- Usage data: information about how you use our website and products.
- Communications data: messages and enquiries you send us via email or our contact form.
We do not collect or store payment card details. All card payments are processed securely by Stripe, who act as an independent data controller for payment processing purposes.
How We Collect Your Data
- When you create an account or place an order on our website.
- When you contact us by email, phone, or via our contact form.
- When you browse our website (automatically via cookies and analytics tools).
- When you subscribe to any communications from us.
- When you visit or make a purchase at our physical store (Unit 15, Leyton Business Centre, London).
- Via CCTV systems operated at our premises for security and crime prevention purposes.
How We Use Your Data
We use your personal data for the following purposes, relying on the legal bases indicated:
| Purpose | Legal Basis (UK GDPR) |
|---|---|
| Process and fulfil your orders | Performance of a contract (Art. 6(1)(b)) |
| Manage your account and provide customer support | Performance of a contract (Art. 6(1)(b)) |
| Process payments via Stripe | Performance of a contract (Art. 6(1)(b)) |
| Send order confirmations and delivery updates | Performance of a contract (Art. 6(1)(b)) |
| Comply with legal and regulatory obligations (e.g. tax, fraud prevention) | Legal obligation (Art. 6(1)(c)) |
| Improve our website and services through analytics | Legitimate interests (Art. 6(1)(f)) |
| CCTV monitoring of our physical premises for security and crime prevention | Legitimate interests (Art. 6(1)(f)) |
| Process in-store transactions and maintain sales records | Performance of a contract (Art. 6(1)(b)) |
| Send marketing communications (where you have opted in) | Consent (Art. 6(1)(a)) |
You can withdraw consent for marketing communications at any time by contacting us or using the unsubscribe link in any marketing email.
Cookies and Analytics
We use cookies and similar tracking technologies to improve your browsing experience and analyse site usage. This includes Google Analytics (via Google Tag Manager), which may transfer data outside the UK. Google Analytics data is anonymised where possible and subject to Google's own privacy policy.
You can control cookies through your browser settings. Disabling certain cookies may affect the functionality of the website.
CCTV and Physical Premises
CCTV cameras operate at our store premises at Unit 15, Leyton Business Centre, Etloe Road, Leyton, E10 7BT, London. CCTV is used for the security of our premises, staff, and customers, and for the prevention and detection of crime.
The legal basis for this processing is our legitimate interests (UK GDPR Art. 6(1)(f)) in maintaining a safe and secure environment. CCTV footage is retained for up to 31 days and is then automatically overwritten, unless it is required for an ongoing investigation or legal matter.
CCTV footage may be shared with law enforcement or relevant authorities where required by law or in connection with a crime or incident. Notices are displayed at the entrance to our premises informing visitors that CCTV is in operation.
Who We Share Your Data With
We may share your personal data with the following third parties:
- Stripe — payment processing. Stripe is an independent data controller. View their privacy policy at stripe.com/gb/privacy.
- Courier and logistics providers — to fulfil and deliver your order (e.g. your name, address, and contact number).
- Google — analytics and advertising services (anonymised usage data).
- Email service providers — to send transactional emails (order confirmations, password resets, etc.).
We do not sell, rent, or trade your personal data to third parties for their own marketing purposes.
We may also disclose your personal data to comply with a legal obligation, enforce our terms, or protect the rights and safety of us or others.
International Transfers
Some of our third-party service providers (e.g. Google) may process data outside the UK. Where this occurs, we ensure that appropriate safeguards are in place, such as the UK International Data Transfer Agreement (IDTA) or adequacy decisions recognised under UK law, in accordance with UK GDPR requirements.
How Long We Keep Your Data
We retain your personal data only for as long as necessary for the purposes it was collected:
- Order and transaction records — retained for 7 years to comply with HMRC tax and accounting obligations.
- Account data — retained for as long as your account is active, plus a reasonable period thereafter in case of disputes.
- Marketing consent records — retained until you withdraw consent.
- Technical/analytics data — retained in accordance with the retention settings of our analytics tools (typically up to 26 months).
Your Rights Under UK GDPR
You have the following rights in relation to your personal data:
- Right of access — request a copy of the personal data we hold about you (Subject Access Request).
- Right to rectification — request correction of inaccurate or incomplete data.
- Right to erasure — request deletion of your data where there is no compelling reason for its continued processing (“right to be forgotten”).
- Right to restrict processing — request that we limit how we use your data in certain circumstances.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interests or for direct marketing purposes.
- Rights related to automated decision-making — we do not use solely automated decision-making that produces legal or similarly significant effects on you.
To exercise any of these rights, please contact us at info@bwcmerchants.co.uk. We will respond within one calendar month as required by UK GDPR. There is no charge for most requests.
How We Protect Your Data
We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, loss, destruction, or alteration. These include encrypted connections (HTTPS), secure authentication, and access controls limiting who within our organisation can access your data.
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours and inform affected individuals without undue delay, in accordance with UK GDPR.
Right to Complain
If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the UK's data protection authority:
Information Commissioner's Office (ICO)
Website: ico.org.uk
Helpline: 0303 123 1113
We would, however, appreciate the chance to address your concerns before you contact the ICO.
Changes to This Policy
We may update this privacy policy from time to time. When we make material changes, we will update the date at the top of this page. We encourage you to review this policy periodically.
Contact Us
For any privacy-related questions or to exercise your rights, please contact us:
BWC Merchants
Email: info@bwcmerchants.co.uk
Website: bwcmerchants.co.uk
