1. The data we collect

We collect and process the following categories of personal data:

• Identity & contact: name, title, billing/delivery address, business name, email, phone, account numbers.
• Customer account & transactions: orders, invoices, quotations, credit limit and balance, payment method, returns, site deliveries, proof of delivery, communications.
• Financial: we do not store full card numbers or bank details. Payments are processed securely by our payment providers (Blink and Stripe). Bank details may be collected only if needed to issue a refund.
• Technical: IP address, device identifiers, login data, browser type, operating system, time zone, and cookies/analytics identifiers.
• Marketing preferences: your choices about receiving marketing by email/SMS/postal.
• Support & communications: enquiries, complaints, call notes, chat, and email correspondence.
• Trade account checks (if applicable): information from credit reference agencies and trade referees.
• CCTV/Visitor data (if applicable): footage in our branches/yard for safety and security.

We collect data directly from you (e.g., when opening an account, placing orders, creating an online account or speaking with us), from your device (via cookies/analytics), and from third parties (e.g., payment processors, delivery partners, credit reference agencies, marketing platforms) where lawful.

2. Purposes and lawful bases

We use your data for the purposes listed below and only where a lawful basis applies. Where we rely on legitimate interests, we balance our interests with your rights and expectations. You can object at any time (see section 7).

We do not make decisions based solely on automated processing that have legal or similarly significant effects. If this changes, we will tell you and explain the logic involved and your rights.

3. Sharing your data

We share personal data with trusted processors and partners who help us run our business, including:

• IT and cloud providers (e.g., email, hosting, backups, Microsoft 365),
• Website and app service providers (eCommerce platform, analytics),
• Payment processors (Blink and Stripe) and banks,
• Delivery and logistics partners, and
• Credit reference agencies (including Creditsafe, if you apply for a trade account).

These parties must act only on our instructions and protect your data. We only share what is necessary. If we undergo a business sale or reorganisation, your data may transfer to the new owner under the same protections.

4. International transfers

Some providers may process data outside the UK. Where this occurs, we use safeguards permitted by the UK GDPR, such as an adequacy regulation (e.g., to the EEA) or International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs) with additional measures where appropriate. Details of specific transfers are available on request.

5. Retention

• Customer and transaction records: generally 6 years from the end of the financial year of the transaction.
• Trade account and credit check records: 6 years after account closure.
• CCTV: 30 days unless required for investigation.
• Marketing data: until you opt‑out or your consent is withdrawn, then we keep a minimal record to honour your preference.

We may retain data longer where needed for legal claims.

6. Marketing

We may send you marketing by email/SMS/postal:

• With your consent, or
• Under legitimate interests (e.g., to existing customers) where you can opt‑out at any time.

You can change your preferences or unsubscribe using the links in our messages or by contacting us.

7. Your rights

You have the following rights under the UK GDPR:

• Access to your data,
• Rectification of inaccurate or incomplete data,
• Erasure (in certain circumstances),
• Restriction of processing,
• Portability (where processing is based on consent or contract and carried out by automated means),
• Objection to processing based on legitimate interests and to direct marketing (including related profiling), and
• Withdraw consent where we rely on consent.

To exercise these rights, contact us using the details at the top. We may need to verify your identity.

8. Cookies and similar technologies

We use cookies and similar technologies on our website/app to make it work, to measure performance (analytics), and to personalise content. We use Google Analytics for performance measurement.

Where required, we will ask for your consent before placing non‑essential cookies. You can change or withdraw consent at any time via our cookie settings tool. Your browser settings also allow you to block or delete cookies.

A detailed cookie list (name, purpose, duration, provider) is available in our cookie banner/tool.

9. Security

We apply technical and organisational measures appropriate to the risk, including access controls, encryption in transit and at rest where appropriate, employee training, secure development practices, and vendor/processor due diligence.

10. Contact and complaints

If you have questions or concerns, contact our Data Protection Lead at [email protected]. You also have the right to complain to the UK Information Commissioner’s Office (ICO) at ico.org.uk or by calling 0303 123 1113.

11. Changes to this notice

We will update this notice from time to time. The latest version will always be available on our website/app. Significant changes will be notified to you where appropriate.

Optional add‑ons (included if relevant)

• Customer analytics/segmentation: We analyse purchasing patterns to suggest relevant products and manage stock. We do not make decisions with legal or similarly significant effects without human involvement. You can object at any time.
• Open Banking/Bank verification (if used): We will seek your consent before using any Open Banking service.
• Vehicle registrations/site contact details for deliveries: Used only to fulfil deliveries and manage site access.