Data protection policy

Last updated: May 2026

1. Introduction

West End Bed Company Limited (company no. 08426920) is committed to handling personal data lawfully, fairly, and transparently in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

We are registered with the Information Commissioner's Office (ICO) under registration number ZA793480.

Data protection contact: Brent Cooper

Email: enquiries@westendbedcompany.com

This policy sets out how we collect, use, store, and protect the personal data of our customers, website visitors, and enquirers.

2. What personal data we collect

In the course of our business, we may collect and process the following personal data:

• Full name
• Email address
• Phone number
• Delivery and billing address
• Order history and transaction references

We do not collect or store payment card details. All card transactions are handled by our secure third-party payment gateway.

3. Why we collect personal data

We process personal data under the following legal bases:

• Consent: When you sign up to our email marketing, you give explicit consent. You may withdraw this at any time.
• Contract: When you place an order, we need your personal data to fulfil that order, arrange delivery, and provide after-sales support.
• Legal obligation: We are required by HMRC to retain financial records (including associated personal data) for a minimum of six years.
• Legitimate interest: We use anonymised analytics data to improve our website and may retain contact details briefly to respond to enquiries. We ensure our legitimate interests do not override your rights and freedoms.

4. How long we keep personal data

We retain personal data only for as long as necessary:

• Enquiries not resulting in a purchase: 30 days from last contact, then securely deleted.
• Order records: 6 years from the date of transaction, as required by HMRC for tax and accounting purposes.
• Email marketing subscribers: Until you unsubscribe or withdraw consent, at which point your data is removed from our marketing lists.

5. Third parties

We share personal data with the following categories of third party, strictly for the purposes described in this policy:

• Payment gateway: To process card payments securely. They operate under their own data protection obligations.
• Email marketing platform ([email marketing platform]): To deliver marketing communications you have opted into.
• Google Analytics: To collect anonymised website usage statistics. No personally identifiable information is shared.

We do not sell, rent, or trade personal data with any third party.

6. Physical data security

Where personal data is held in physical form (for example, printed order records or delivery notes in our showroom), we ensure:

• Documents containing personal information are stored securely and accessed only by authorised staff.
• Paper documents are shredded when no longer required.
• Card payment terminal slips are handled securely and disposed of in accordance with PCI DSS guidelines.

7. Digital data security

We implement appropriate technical and organisational measures to protect digital personal data, including:

• SSL/TLS encryption on all website pages
• Secure, access-controlled hosting infrastructure
• Regular software and security updates
• Staff access limited to only the data necessary for their role

8. Your rights under UK GDPR

You have the following rights in relation to your personal data:

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Ask us to correct inaccurate or incomplete data.
• Right to erasure: Ask us to delete your personal data where there is no lawful reason for us to continue holding it.
• Right to restrict processing: Ask us to limit how we use your data in certain circumstances.
• Right to data portability: Request your data in a structured, commonly used, machine-readable format.
• Right to object: Object to processing based on legitimate interest, or to direct marketing, at any time.

9. How to exercise your rights

To make a request regarding your personal data, please email enquiries@westendbedcompany.com with the subject line "Data protection request". We will respond within one month of receiving your request. If your request is complex, we may extend this by a further two months, but we will inform you within the initial one-month period.

We may ask you to verify your identity before processing your request, to ensure we do not disclose personal data to the wrong person.

10. Complaints

If you believe we have not handled your personal data appropriately, please contact us first so we can resolve the issue. If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner's Office:

• Website: ico.org.uk/make-a-complaint
• Phone: 0303 123 1113

11. Changes to this policy

We review this policy regularly and will update it when necessary. Any changes will be posted on this page with the "last updated" date revised accordingly. We recommend checking this page periodically.