Privacy policy

Maintaining your privacy and your trust is very important. We strive to be especially clear on how we use your personal information if and when we collect it, and on the ways in which we can work together to protect your privacy.

This document is for compliance with the Data Protection & Privacy legislation.

This Privacy Policy explains the:

Identity and contact information of the data controller
Legitimate interests of the data controller or third party (if applicable)
Purpose of the processing and the lawful basis for the processing
Categories of personal data to be processed
Details of whether personal data came from direct or indirect sources
Recipients or categories of recipients of the personal data
Details of data transfers to a third country and safeguards
Length of time personal data is processed and any criteria used to establish the length of time the data is processed
Data Subject’s Rights (Your rights)
Right to complain to the supervisory authority/regulator
Details of any part of a statutory or contractual requirement and possible consequences of failing to provide the personal data
The existence of any automated decision making, including profiling and information about how decisions are made
What products and services are covered by this policy?

This Privacy Policy applies to the information that we may obtain from you through your use of our website(s) or personally when visiting our premises; collectively called the “Services”. If you have any questions or need more information about these Services, please contact us at the email address in the Contacting Us section below.

Data Controller

For the purposes of the data protection & privacy legislation the Data Controller is:

BROWBARUK LTD (“I”,”we,” “us”, “our”)
Legal Status: Limited Company, 11781754
Contacting Us

If you have any questions about our Site or this Privacy Notice, please contact us:

by email at
by telephone on +44 (0)2920 726727
or by post at Brow Bar, 148 Penarth Road, Grange Town, Cardiff, CF11 6NJ, Wales, UK.
Data Protection (Charges and Information) Regulations 2018

We are/NOT registered with the supervisory authority under registration reference: XXX.

Purpose and legitimate interest.

How do we use the information we collect?

We may use the information we collect for a variety of purposes, including to:

provide you with the services or information that you have asked for;
keep a record of your relationship with us
send you correspondence and communicate with you in relation to our services;
meet our legal obligations;
protect your vital interests;
respond to or fulfil any requests, complaints or queries that you may have;
understand how we can improve our services or information;
generate reports on our work and service; and
safeguard our staff, customers, suppliers, visitors and contractors.
Lawful Basis of Processing:

General Personal Data:

Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Processing is necessary for compliance with a legal obligation to which the controller is subject.
Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The data subject has given consent to the processing of his or her personal data for one or more specific purposes. Consent may be withdrawn at any time. XX?
Special Category Personal Data

the data subject has given explicit consent to the processing of those personal data for one or more specified purposes;
processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.
Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of the conditions and safeguards referred to in paragraph 2.
Categories of personal data and Sources

What information do we collect from you, and how is it used?


You can visit our premises and/or website without telling us who you are and without revealing any personal information about yourself. To provide full service however and if contacting us directly by other means, we will most often need to collect some personal information. For instance, we collect information about you when you complete and online form, register for an account and when you create or modify your personal data for one of our Services. The types of Information we collect may include:

Purposes of processing Categories of individuals Categories of personal data
Staff administration Employees Contact details
Financial details
Health details
Emergency contacts Contact details
Sales and Purchase Order processing Customers Contact details
Financial details
Suppliers Contact details
Financial details

We do not facilitate processing personal data of data subjects under the age of consent (children (13)).


We do not operate CCTV and other surveillance systems in (and around) our premises which capture images of you.

From CCTV: see above.

From cookies: We may also collect “cookie” information that we may save to your computer or electronic device. If you do not accept cookies, you may not be able to use all functionality of our on-line Services.

For specific information on cookies, please read our cookie policy.

Logs: We may record certain information and store it in log files when you interact with our Services. This information may include Internet protocol (IP) or other device addresses or ID numbers as well as browser type, Internet service provider, URLs of referring/exit pages, operating system, date/time stamp, information you search for, locale and language preferences, your mobile carrier, and system configuration information.

Analytics: We and our analytics providers also collect and store analytics information when you use our Services to help us improve our Services. We make sure this data is anonymous by not connecting any analytics data to personally identifiable data such as a name, email address, physical address, or phone number.

Social Media: There may be instances where our website features social sharing buttons, which help share web content directly from web pages to the respective social media platforms. You use social sharing buttons at your own discretion and accept that doing so may publish content to your social media profile feed or page. You can find further information about some social media privacy and usage policies in the data transfers, data processor information section below.

Public sources: Personal data may be obtained from public registers (such as Companies House), news articles, sanctions lists, and Internet searches.

How might we share information?

We are not in the business of selling your personal information. We consider this information to be a vital part of our relationship with you. There are, however, certain circumstances in which we may share your personal information with third party data processors, as set forth below:

With your consent: We will not share your personal information with companies, organisations, or individuals who are not associated with us unless we have your consent to do so.

Email Mailing List & Marketing Messages: We operate an email mailing list program, used to inform subscribers about products, services and/or news we supply/publish.

Users can subscribe through an online automated process where they have given their consent. Subscriber personal details are collected, processed, managed and stored in accordance with the data protection & privacy legislation.

Subscribers can unsubscribe at any time through an automated online service, or if not available, other means as detailed in the footer of sent marketing messages (or unsubscribe from all Mailchimp lists). The type and content of marketing messages subscribers receive, and if it may contain third party content, is clearly outlined at the point of subscription.

Email marketing messages may contain tracking beacons / tracked clickable links or similar server technologies in order to track subscriber activity within email marketing messages. Where used, such marketing messages may record a range of subscriber data relating to engagement, geographic, demographics and already stored subscriber data.

Payment Processing: We use a third-party service provider to manage credit card processing. This service provider is not permitted to store, retain, or use billing information except for the sole purpose of credit card processing.

Where we are required to do so under statutory obligation: HMRC, Accountants and other professional service organisations

Compliance with Laws and Law Enforcement Requests; Protection of Our Rights: We may disclose your information (including your personal information) to a third party if:

We believe that disclosure is reasonably necessary to comply with any applicable law, regulation, legal process or governmental request
To protect the security or integrity of our products and services
To protect our property, rights, and safety and that of our customers or the public from harm or illegal activities
To respond to an emergency which we believe in the good faith requires us to disclose information to assist in preventing the death or serious bodily injury of any person; or
To investigate and defend ourselves against any third-party claims or allegations.
Business Transfers:

We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company. We will notify you of such a change in ownership or transfer of assets by posting a notice on our website.

Data Transfers

We store your data on secure servers located in the UK when you interact directly with us or by visiting our website. We take appropriate organisational and technical measures to protect your personal information that we hold. We limit access to personal information to those who we believe reasonably need to come into contact with that information in order to carry out their day-to-day activities.

All data processors acting on behalf of the data controller have appropriate safeguards in place.

Data Processor Information

The following third-party service providers are used by us and only process data in accordance with the instructions from the data controller:

Organisation Purpose of Processing Country
TBC Website Hosting UK
Facebook Ireland Limited Social Media Business Page Ireland
Amazon Marketplace (AWS) Online Marketplace USA

How long will we keep the personal data?

Retaining some data may be subject to a statutory retention period and this must be adhered to, (to keep certain data for a minimum period of time). This may include personal data (name, address, contact details), but on expiry of such statutory requirement, such data will be destroyed securely. Where possible any personally identifiable data will be anonymised or pseudonymised.

Your information we use for direct marketing purposes will be kept with us until you notify us that you no longer wish to receive this information. Our backup routine keeps data for a rolling 30-day period after which time the data is removed from all systems. 

Statutory or other requirements

The data controller may process personal data as part of a statutory requirement, and/or as part of any contractual agreement. Not supplying the required personal data may affect the provision of the controller’s services; for example, an email to furnish with updates information etc. or an address to fulfil an order.

Profiling and Automated Decision Making

No profiling or automatic decision-making processes are undertaken by the data controller in respect of any personal data processing activities.

Your rights

Your fundamental rights as a Data Subject are:

The right to be informed
The right of access
The right of rectification
The right of erasure (often known as the right to be forgotten)
The right to prevent processing
The right to data portability
The right to object
Rights in relation to automatic decision making and profiling
Under the right of access (2), you have the right to have:

– confirmation that your data is being processed;

– access to your personal data; and

– other supplementary information

So that you are aware of and can verify the lawfulness of the processing.

Your right to access can be exercised by contacting the data controller as above.

Not all fundamental rights are absolute.

Your right to complain to the Commissioner

You have the right to complain about organisations processing your personal data. You can exercise this right by contacting the Commissioner as follows:

Head office

Information Commissioner’s Office
Wycliffe House
Water Lane

Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number