Privacy Policy
Last updated: October 2025
Next review due: October 2026
Wray Brothers Ltd (“we”, “us”, “our”) is committed to protecting your privacy and handling your personal data transparently and securely in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and applicable UK ePrivacy (cookie) laws.
This Privacy Policy explains how we collect, use, disclose, store, retain, transfer, and protect your personal data when you use our website wraybros.co.uk or otherwise interact with us (email, phone, in person). It also describes your rights and how to exercise them.
1) Who we are & Data Controller
Controller: Wray Brothers Ltd, registered in England (Company No. 4452061).
Registered address: Unit 4, Glacier Buildings, Harrington Road, Brunswick Business Park, Liverpool, L3 4BH.
ICO registration: ZA563320.
Contact (privacy/data protection): sales@wraybros.co.uk or post to “Operations Manager” at the address above.
2) What data we collect & how we collect it
We collect personal data when you interact with us (e.g., place an order, create an account, submit a form, contact support, subscribe to marketing) and automatically via our website (e.g., cookies/analytics, security logs). The categories include (non-exhaustive):
- Identity & Business Data: name, job title, company name, VAT number (where applicable).
- Contact Data: email address, telephone number, billing/shipping/postal addresses.
- Account & Authentication Data: account details, role/permissions (for B2B/wholesale where relevant).
- Order & Transaction Data: products/services purchased, order history, payment confirmations (note: full card details are handled by payment providers, not by us).
- Preferences & Communications: marketing preferences (email/SMS), subscription status, correspondence with our team.
- Technical & Usage Data: IP address, device/browser info, pages viewed, session IDs, error logs; collected via cookies and similar technologies for security, performance, and analytics.
- Social/Public Data: if you interact with us via social platforms or allow a connection (subject to your platform settings).
Indirect data sources: We may receive business contact data from reputable UK GDPR-compliant data providers for B2B marketing. These providers must follow ICO principles of transparency, accuracy, and security. You can opt out of such marketing at any time.
3) Lawful bases for processing & purposes
We rely on the following lawful bases under Article 6 UK GDPR:
| Purpose/Activity | Lawful Basis |
|---|---|
| Process & deliver orders; provide requested services; customer support | Contract performance / steps prior to contract |
| Accounting, taxation, regulatory compliance | Legal obligation |
| Website security, fraud prevention, service reliability | Legitimate interests |
| Analytics, site improvement, internal reporting | Legitimate interests (with minimisation/aggregation where possible) |
| Email and SMS marketing; optional features requiring consent | Consent (you can withdraw at any time) |
Where we rely on legitimate interests, we balance our interests against your rights and expectations and limit processing to what is necessary and proportionate.
4) Platforms, integrations & service providers
We operate on a secure ecommerce platform and use a range of trusted third-party service providers and integrations that help us manage our online store, communications, and operations. These providers only process personal data on our instructions and under written contracts that ensure compliance with the UK GDPR.
- Ecommerce platform: Our online store is hosted by a leading global ecommerce provider that supplies website hosting, checkout, payment processing, and analytics tools.
- Apps & integrations: We use a limited number of verified applications to support functions such as order management, form submissions, customer accounts, access control, automation, analytics, and marketing communications. These tools operate within our ecommerce platform and comply with applicable privacy standards.
- Communications & marketing: We use professional email and SMS platforms to send transactional and marketing messages, only where consent or another lawful basis exists.
- Internal business tools: We use secure business management and productivity software for internal processing, accounting, and customer service.
Some of these service providers may process data outside the United Kingdom. Where this occurs, we ensure that appropriate safeguards are in place—such as the UK International Data Transfer Agreement or standard contractual clauses approved by the Information Commissioner’s Office (ICO)—to maintain equivalent protection of your personal information.
5) Cookies, tracking & consent
We and our partners use cookies and similar technologies (e.g., pixels, local storage) to operate our site (strictly necessary cookies), measure performance (analytics), and deliver advertising/remarketing (marketing cookies).
- Consent banner: Non-essential cookies (analytics/marketing) will only run if you give consent via our cookie banner/settings. You can change or withdraw consent at any time.
- Shopify Customer Privacy: We use Shopify’s privacy settings (or a compliant consent management platform) so scripts respect your choices.
- Analytics & Remarketing: We use tools such as Google Analytics and Google Ads remarketing. If you opt out, these won’t run.
Disabling certain cookies may affect site functionality. For more information (including cookie types and lifetimes), see our Cookie Settings link in the site footer or banner.
6) Sharing & disclosures
We do not sell your personal data. We may share it with:
- Service providers/processors (Shopify, listed apps, hosting, payment, analytics, communications, security) under contract.
- Professional advisers (legal/accounting) under confidentiality.
- Authorities where required by law or to protect rights, safety, or prevent fraud.
- Business transfers (e.g., merger or acquisition) under confidentiality safeguards.
- Anonymised/aggregated data that does not identify individuals.
7) Data retention
We keep your personal data only as long as necessary for the purposes described in this policy (including legal/accounting/reporting obligations). Examples:
- Orders & financial records: typically at least 6 years to meet HMRC requirements.
- Marketing data: while consent is active; we retain minimal data to record and respect opt-outs.
- Security/operational logs: retained for a reasonable period for security and auditing, then deleted or anonymised.
8) Your rights
Under UK GDPR you may have the following rights (subject to legal limits):
- Access – request a copy of your personal data.
- Rectification – correct inaccurate or incomplete data.
- Erasure – request deletion (“right to be forgotten”).
- Restriction – limit how we use your data.
- Portability – obtain your data in a machine-readable format and have it transferred to another controller.
- Object – object to processing based on legitimate interests or to direct marketing.
- Withdraw consent – at any time, where we rely on consent.
- Automated decisions/profiling – not to be subject to solely automated decisions with legal or similarly significant effects.
To exercise your rights, email sales@wraybros.co.uk or write to us. We may need to verify your identity. We aim to respond within one month (extendable for complex requests, with notice).
If you are unhappy with how we handle your data, you can complain to the UK Information Commissioner’s Office (ICO) at ico.org.uk.
9) Security
We implement appropriate technical and organisational measures to protect personal data, including encryption in transit, access controls/2FA for admin access, role-based permissions, staff training and confidentiality, secure backups and recovery, and logging/monitoring. No system is 100% secure; if a personal data breach occurs, we will follow ICO requirements and notify affected individuals and the ICO where required.
10) Children
Our services are not directed to minors under 16. We do not knowingly collect personal data from minors without appropriate consent. If you believe we have collected such data, please contact us and we will delete it promptly.
11) Links to other websites
Our site may contain links to third-party sites. We are not responsible for their privacy practices. You should review the privacy policy of each website you visit.
12) International transfers
Some service providers may process data outside the UK. Where this occurs, we implement appropriate safeguards (e.g., the UK International Data Transfer Agreement and/or ICO-approved Standard Contractual Clauses) to protect your information.
13) Marketing communications
If you opt in to receive marketing from us (email and/or SMS), we will send you information about products, services, and offers. You can unsubscribe at any time via the link in our emails/SMS or by contacting us at sales@wraybros.co.uk. We do not use pre-ticked boxes for consent.
14) Changes to this policy
We may update this Privacy Policy from time to time (for example, if we add or change apps or processing activities). When we do, we will update the “Last updated” date above and, where appropriate, provide prominent notice (e.g., on-site banner or email).
15) Contact us
If you have questions about this policy or how we handle your data, please contact:
Email: sales@wraybros.co.uk
Post: Operations Manager, Wray Bros, Unit 4, Glacier Buildings, Harrington Road, Brunswick Business Park, Liverpool, L3 4BH