1. Who we are
Wynnstay Group Plc (“we”, “us”, “our”) is committed to protecting your personal information and respecting your privacy.
We are the data controller responsible for the personal data collected through this website and any connected services.
Registered office: Eagle House, Llansantffraid, Powys, SY22 6AQ, United Kingdom
For any privacy-related query, please contact:
Email: [email protected]
Post: Wynnstay Group Plc, Eagle House, Llansantffraid, Powys, SY22 6AQ
If we appoint a Data Protection Officer, those details will also appear here.
2. What data we collect
We collect and process personal data depending on how you interact with us. This may include:
- Contact details (name, address, telephone number, email address).
- Account details (customer number, order history, delivery address, billing information).
- Online identifiers (IP address, browser type, device ID, cookies).
- Employment or application information (if you apply for a role with us).
- Supplier information (contact details, bank details for payment, business references).
- Preference data (marketing choices and consents).
We may also obtain limited information from third parties (e.g. credit-reference agencies or public sources) for due-diligence or account-management purposes.
We do not normally collect special-category data (such as health or ethnicity). If we ever need to, we will explain why and ask for explicit consent or rely on another lawful basis as per Article 9 UK GDPR.
3. Why we use your data and our lawful bases
| Purpose | Lawful basis (UK GDPR Article 6) | Legitimate interest (if applicable) |
| To fulfil orders and deliver goods or services. | Performance of a contract (Art 6(1)(b)) | – |
| To respond to enquiries and provide customer support. | Legitimate interests (Art 6(1)(f)) | Delivering good service and improving customer experience. |
| To improve products, services and our website. | Legitimate interests | Developing and enhancing business operations. |
| To send marketing communications (see Section 5). | Consent or legitimate interests (B2B only) | Promoting our business responsibly. |
| To carry out credit checks and manage accounts. | Contract / legitimate interests | Managing financial risk. |
| To comply with legal and regulatory obligations. | Legal obligation (Art 6(1)(c)) | – |
| To protect our business and prevent fraud or misuse of our systems. | Legitimate interests | Maintaining network and information security. |
Where we rely on consent, you may withdraw it at any time (see Section 10).
Where we rely on legitimate interests, you have the right to object.
4. Children’s data
Our online services are aimed at adults. We do not knowingly collect personal data from children under 13.
If a child under 13 has provided us with data without parental consent, please contact [email protected] and we will delete it securely.
We design our digital services with the ICO Children’s Code in mind.
5. Marketing and your preferences
We may send you information about Wynnstay products and services:
Customers (B2C): only with your consent or under the soft opt-in rule for similar products (PECR Reg 22).
Business contacts (B2B): where it is reasonable to do so under legitimate interests, with an opt-out in every message.
You can opt out at any time by clicking unsubscribe in emails or emailing [email protected]. We will still send essential service emails (e.g. order updates).
6. Cookies and tracking
Our website uses cookies and similar technologies to make the site work and to help us understand how it is used.
For details see our Cookie Notice. Our cookie banner allows you to Accept all, Reject all, or Manage settings. We only set non-essential cookies if you consent.
7. Sharing your data
We share personal data only where necessary and always under a written agreement that meets Article 28 UK GDPR requirements.
Typical recipients include:
- Group companies within Wynnstay Group Plc.
- IT hosting and support providers, payment processors and delivery carriers.
- Professional advisers (e.g. accountants, lawyers, auditors).
- Regulatory and law-enforcement bodies where legally required.
We never sell personal data to third parties for their own marketing.
8. International transferss
If we transfer personal data outside the UK, we ensure appropriate safeguards are in place – for example:
- Countries with UK adequacy regulations;
- The UK-US Data Bridge (for certified US organisations, effective 12 October 2023); or
- Approved contracts (IDTA or UK Addendum to EU SCCs).
You can request a copy of the transfer safeguards by contacting [email protected].
9. How long we keep your data
We keep personal data only for as long as necessary for the purpose collected and to meet legal obligations (for example, tax and audit requirements).
Our Retention Schedule sets specific periods – for example:
Customer account records: 7 years after last transaction.
Supplier records: 7 years after contract end.
For more detail, contact [email protected].
10. Your rights
You have the following rights under UK data-protection law:
- Access: to a copy of the data we hold about you.
- Rectification: to correct inaccurate data.
- Erasure: to ask us to delete data in certain circumstances.
- Restriction: to limit how we use your data.
- Portability: to receive your data in a machine-readable format.
- Objection: to processing based on legitimate interests or for direct marketing.
- Withdraw consent: at any time where processing relies on consent.
- Automated decisions: to request human review of automated decisions.
To exercise your rights, email [email protected] or write to us at the address above.
We will respond within one month (and may extend to two months for complex cases).
If you are unhappy with our response, you can complain to the Information Commissioner’s Office (www.ico.org.uk / 0303 123 1113).
11. Security
We apply appropriate technical and organisational measures to protect personal data against loss, misuse or unauthorised access.
Access is role-based and restricted to staff who need it.
If a personal data breach occurs that is likely to risk individual rights, we will notify the ICO within 72 hours and affected individuals where legally required
12. CCTV and monitoring
Wynnstay operates CCTV systems at certain sites for the protection of people, property, livestock, and vehicles, and to maintain a safe working environment.
We do not use CCTV for continuous monitoring of colleagues or productivity tracking.
Purpose:
- To ensure the safety and security of colleagues, visitors, vehicles, and premises.
- To deter, detect and investigate crime, anti-social behaviour, or theft.
- To support the investigation of incidents, accidents, or disciplinary matters where appropriate.
Lawful basis:
We process CCTV images under our legitimate interests (Article 6(1)(f) UK GDPR) in maintaining security and safety.
In certain cases, we may rely on legal obligation (for example, when providing footage to law-enforcement or regulatory authorities).
Retention:
Footage is typically retained for 30 days, unless longer retention is required for an active investigation or legal claim, after which it is automatically deleted or securely overwritten.
Access and sharing:
Access is restricted to authorised Wynnstay personnel only.
Recordings may be shared with law-enforcement agencies, insurers, or regulators where lawful and necessary.
All third parties must protect the data in line with Article 28 UK GDPR requirements.
CCTV data is stored securely within the UK and is not transferred overseas.
Signage and transparency:
Signs are displayed wherever CCTV is in operation, stating that recording is taking place and directing individuals to this Privacy Notice for more information.
Your rights:
If you wish to request access to footage containing your image, email [email protected].
Requests are subject to identification checks and may be restricted where others are identifiable.
If you are dissatisfied with our response, you can contact the Information Commissioner’s Office (ico.org.uk | 0303 123 1113).
13. Changes to this notice
We review this notice regularly to reflect legal and operational changes.
Some changes introduced by the Data (Use and Access) Act 2025 will take effect between June 2025 and June 2026; we will update this notice as ICO guidance is finalised.
14. Document details
Owner: CRM Systems Manager
Final approver: Chief Financial Officer
Next review: November 2027