UK GDPR & Data Protection Act 2018
Privacy Policy
Effective: 11 May 2026 · Last updated: 11 May 2026 · Version 1.0
Legal text is binding in English. Translations are provided as non-binding overviews for convenience only.
1. Who we are
Rheinbridge Co., Ltd (“Rheinbridge”, “we”, “us” or “our”) is the data controller responsible for personal data collected through this website and our customer-facing services.
- Controller
- RHEINBRIDGE CO., LTD (Company No. 17163216)
- Registered office
- 7 Copperfield Road, Coventry, West Midlands, England, CV2 4AQ, United Kingdom
- Data protection contact
- info@rheinbridge.com
- ICO registration
- Pending — application to be filed with the Information Commissioner's Office (ICO) prior to launch.
2. Information we collect
We process the following categories of personal data:
| Category | Examples | Source |
|---|---|---|
| Identity data | Title, first and last name | Provided by you |
| Contact data | Billing address, delivery address, email, telephone | Provided by you |
| Account data | Username, hashed password, account preferences | Provided by you |
| Transaction data | Orders, deliveries, refunds, invoices | Generated through use of our services |
| Payment data | Payment-card last four digits, payment-provider reference (full card numbers are never stored on our systems) | Payment processor |
| Technical data | IP address, device, browser type, language, time zone | Automatically collected |
| Usage data | Pages visited, products viewed, basket activity, referral source | Automatically collected (with consent where required) |
| Marketing data | Preferences for receiving newsletters, consent records | Provided by you |
3. Purposes of processing and lawful basis
We process personal data under one or more of the following lawful bases set out in Article 6(1) UK GDPR:
| Purpose | Lawful basis |
|---|---|
| Performing the contract of sale (taking and fulfilling orders, processing payments and refunds, delivery) | Performance of a contract — Article 6(1)(b) |
| Creating and operating your account | Performance of a contract — Article 6(1)(b) |
| Tax, accounting and statutory record-keeping (HMRC, Companies House) | Legal obligation — Article 6(1)(c) |
| Preventing fraud, abuse and unlawful use of the service | Legitimate interests — Article 6(1)(f) |
| Site security, diagnostic logging, performance monitoring | Legitimate interests — Article 6(1)(f) |
| Direct marketing (email newsletters) | Consent — Article 6(1)(a) (PECR Reg. 22) |
| Non-essential cookies and analytics | Consent — Article 6(1)(a) (PECR Reg. 6) |
4. Who we share data with
We share personal data only where necessary and only with the following categories of recipients:
- Payment service providers — to authorise and settle card payments.
- Couriers and logistics partners — to ship orders and arrange returns.
- IT and hosting providers — to operate the website, email and database.
- Accounting and bookkeeping partners — for statutory reporting.
- Marketplaces (e.g. Amazon, TikTok Shop) — only where you choose to purchase via those platforms; the marketplace acts as a separate controller for the personal data you provide to it.
- Regulatory, law enforcement and tax authorities — where we are legally required to disclose.
- Professional advisers — solicitors, auditors, insurers — bound by duties of confidentiality.
We do not sell personal data, and we do not share personal data for the independent marketing purposes of third parties without your consent.
5. International transfers
Some of our service providers may process personal data outside the United Kingdom. Where we transfer personal data to a country that has not been the subject of an adequacy decision by the UK Government, we put in place appropriate safeguards required by Chapter V of the UK GDPR — typically the UK International Data Transfer Agreement (IDTA) or the European Commission's Standard Contractual Clauses together with the UK Addendum, supplemented by additional technical and organisational measures where necessary.
6. How long we keep personal data
| Data | Retention |
|---|---|
| Order and invoice records | 6 years from the end of the relevant tax year (HMRC requirement, sections 386–389 Companies Act 2006) |
| Account data (inactive accounts) | 3 years from last login, then deleted or anonymised |
| Marketing consents and preferences | Until withdrawn, plus 12 months for the consent audit log |
| Website logs (IP addresses, user agents) | 30 days, rolling |
| Customer-service correspondence | 3 years from the last interaction |
7. Your rights
Under the UK GDPR and the Data Protection Act 2018 you have the following rights:
- Right of access — to obtain confirmation of, and a copy of, the personal data we hold about you.
- Right to rectification — to have inaccurate or incomplete data corrected.
- Right to erasure ("right to be forgotten") — subject to legal retention obligations.
- Right to restrict processing — in certain circumstances.
- Right to data portability — to receive your data in a structured, commonly used and machine-readable format.
- Right to object — including to processing based on legitimate interests and to direct marketing.
- Right to withdraw consent — at any time, where processing is based on consent, without affecting prior lawful processing.
- Right not to be subject to automated decision-making — we do not currently make decisions about you based solely on automated processing that produces legal or similarly significant effects.
To exercise any of these rights, contact info@rheinbridge.com. We will respond within one month, in line with Article 12(3) UK GDPR.
8. Right to complain to the ICO
If you believe we have failed to comply with our data protection obligations, you have the right to lodge a complaint with the Information Commissioner's Office:
Information Commissioner's Office · Wycliffe House · Water Lane · Wilmslow · Cheshire · SK9 5AF · United Kingdom
Helpline: 0303 123 1113 · ico.org.uk/make-a-complaint
We would, however, appreciate the opportunity to address your concerns before you contact the ICO, so please consider contacting us first.
9. Cookies
This website uses cookies and similar technologies. Strictly necessary cookies are used to operate the site; all other cookies are set only with your consent. For full details — including a list of cookies, their purposes and durations — see our Cookie Policy. You can withdraw or change your cookie consent at any time via the cookie banner or by clearing your browser storage.
10. Children
This website is not intended for, and is not directed at, children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided personal data to us, please contact info@rheinbridge.com and we will delete it without undue delay.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be notified to you by a prominent notice on the website or, where appropriate, by email. The "Last updated" date at the top of this policy shows when it was last revised.
Note: This Privacy Policy is prepared under the UK GDPR and the Data Protection Act 2018, and is informed by ICO guidance current at the date stated above. It is provided as a starting framework and is pending review by a qualified UK solicitor before formal launch.