GWAZA LTD

PRIVACY POLICY

Effective Date: 12 May 2026

Replaces version dated 12 February 2025

Updated to reflect the Data (Use and Access) Act 2025 (in force 5 February 2026)

1. Important Information and Who We Are

This Privacy Policy explains how Gwaza Ltd. (“Gwaza,” “we,” “us,” or “our”) collects, processes, and protects your personal data. It applies to users of our website (gwaza.co.uk), customers, suppliers, and other business contacts.

This website is not intended for children, and we do not knowingly collect data relating to children.

1A. Controller

Gwaza Ltd. is the controller and responsible for your personal data.

Our contact details:

Gwaza Ltd.

New House Farm

Shoothill

Shrewsbury, Shropshire

SY5 9NR, United Kingdom

Phone: +44 1743 850761

Email: creditcontrol@gwaza.co.uk

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection (www.ico.org.uk). From 19 June 2026, you also have a statutory right to complain directly to us as the controller — see Section 9B below for details of our complaints procedure. We encourage you to contact us first to resolve any concerns.

1B. Changes to the Privacy Policy and Your Duty to Inform Us of Changes

This Privacy Policy may be updated from time to time to remain compliant with applicable legislation. The latest version will always be available on our website. It is important that the personal data we hold about you is accurate and current. Please inform us of any changes to your data by emailing creditcontrol@gwaza.co.uk.

1C. Third-Party Links

Our website may contain links to third-party websites. Clicking on those links may allow third parties to collect or share data about you. We are not responsible for their privacy policies and encourage you to read their policies before providing personal data.

2. The Data We Collect About You

“Personal data” refers to any information that identifies a living individual. We collect, use, store, and transfer different categories of personal data, including:

Identity Data – Name, company name, job title.
Contact Data – Address, email address, telephone number.
Transaction Data – Purchases, payments, order history.
Technical Data – IP address, login credentials, browser type and version, operating system.
Marketing & Communication Data – Preferences for receiving marketing communications.

We do not collect special category data (e.g., health information, racial or ethnic origin, political opinions) or information about criminal convictions and offences.

2A. If You Fail to Provide Personal Data

Where we require personal data by law or to perform a contract with you and you fail to provide it, we may be unable to provide our services or products to you.

3. How We Collect Your Personal Data

We collect personal data through the following methods:

Direct interactions – When you create an account, place an order, subscribe to emails, or contact us.
Automated technologies – Cookies and analytics tools collect browsing behaviour and technical data (see Section 10).
Third-party sources – Payment processors (e.g., PayPal, Sage), analytics providers (e.g., Google Analytics).

4. How We Use Your Personal Data

We will only use your personal data where the law permits us to do so. The table below sets out our processing purposes and the corresponding legal basis under the UK GDPR (as amended by the Data (Use and Access) Act 2025).

Purpose	Legal Basis
Process orders and payments	Performance of a contract
Manage customer relationships	Legitimate interest
Send B2B marketing emails	Legitimate interest (opt-out available)
Send promotional emails to individuals	Consent (opt-in required)
Improve our website and services	Legitimate interest
Ensure website security and prevent fraud	Legitimate interest
Comply with legal and regulatory obligations (e.g., tax, accounting)	Legal obligation

We do not sell or share your data for third-party marketing purposes.

4A. Automated Decision-Making

We do not currently use any automated decision-making processes (including profiling) that produce legal or similarly significant effects on you. If this changes, we will update this policy and notify you.

4B. Marketing Communications and Your Rights

We may send B2B marketing emails to existing and prospective corporate customers under Legitimate Interest, ensuring relevance. This applies to:

Existing business customers who have purchased from us.
New corporate prospects contacted via company email addresses (e.g., info@company.com).

We do not send unsolicited marketing emails to sole traders or partnerships without their explicit opt-in consent, in accordance with the Privacy and Electronic Communications Regulations 2003 (PECR).

You can opt out of marketing emails at any time by:

Clicking the “Unsubscribe” link in any marketing email.
Contacting us at creditcontrol@gwaza.co.uk.

5. Data Sharing and Third Parties

We may share your personal data with the following categories of third parties:

Service providers – Couriers and logistics providers, payment processors (e.g., PayPal, Sage), IT service providers, and email marketing platforms (e.g., Mailchimp).
Analytics providers – Google Analytics, for website usage analysis.
Regulatory and tax authorities – When required by law (e.g., HMRC).
Professional advisers – Lawyers, auditors, and insurers as necessary.
Business partners – In the event of a merger, acquisition, or reorganisation.

All third-party service providers are required by contract to respect the security of your personal data and to process it only in accordance with our instructions. We do not permit them to use your personal data for their own purposes.

6. International Data Transfers

Some of your personal data may be transferred to, stored in, or processed in countries outside the United Kingdom. In particular:

Mailchimp (Intuit Inc., USA) – Used for email marketing. Transfers are protected under the UK-US Data Bridge and Mailchimp’s data processing addendum.
Microsoft 365 (Microsoft Corporation, USA) – Used for email, file storage, and productivity. Microsoft operates under Standard Contractual Clauses and the UK International Data Transfer Agreement, with data residency options within the UK and EEA.
Google Analytics (Google LLC, USA) – Used for website analytics. Transfers are covered by Google’s data processing terms and the UK-US Data Bridge.

We ensure that all international transfers meet the requirements of UK data protection law, including the UK GDPR and the transfer risk assessment framework introduced by the Data (Use and Access) Act 2025, with appropriate safeguards in place.

7. Data Security

We have implemented appropriate technical and organisational measures to prevent unauthorised access to, accidental loss of, or destruction of your personal data. These include:

Access to personal data is restricted to authorised personnel who require it for legitimate business purposes.
Our systems are protected by industry-standard security controls, including encryption, firewalls, and access logging.
We regularly review our security procedures and technologies to maintain the integrity of your data.

We have procedures in place to deal with any suspected personal data breach and will notify you and the ICO where we are legally required to do so.

8. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our standard retention periods are:

Customer and transaction records: 6 years from the end of the relevant financial year, in accordance with HMRC requirements and the Limitation Act 1980.
Marketing data: Until you opt out, withdraw consent, or we determine the data is no longer needed. We review our marketing lists at least annually.
Website analytics data: Retained in anonymised/aggregated form for as long as needed for trend analysis. Individual-level data is deleted in accordance with our analytics provider’s retention settings.
Supplier and business contact records: 6 years from the end of the business relationship.

9. Your Legal Rights

Under UK data protection law (the UK GDPR and Data Protection Act 2018, as amended by the Data (Use and Access) Act 2025), you have the following rights in relation to your personal data:

Right of access – You can request a copy of the personal data we hold about you.
Right to rectification – You can request correction of inaccurate or incomplete data.
Right to erasure – You can request deletion of your data in certain circumstances (this does not apply where we are legally required to retain it).
Right to object – You can object to processing based on legitimate interest, or to direct marketing at any time.
Right to restrict processing – You can ask us to suspend processing in certain circumstances.
Right to data portability – You can request transfer of your data to another provider in a structured, machine-readable format.
Right to withdraw consent – Where processing is based on consent, you may withdraw that consent at any time. This does not affect the lawfulness of processing carried out before withdrawal.
Right to complain – You have the right to complain directly to us about how we handle your personal data (see Section 9B below), and to the ICO if you remain dissatisfied.

To exercise any of these rights, please email creditcontrol@gwaza.co.uk.

9A. Response Time

We will respond to all data subject requests within one calendar month of receipt. If a request is particularly complex or we receive a high volume of requests, we may extend this period by up to two further months. We will notify you within one month if an extension is required and explain the reasons.

We will carry out reasonable and proportionate searches to respond to your request, as required by law.

9B. Data Protection Complaints Procedure

In accordance with the Data (Use and Access) Act 2025, which introduces Section 164A of the Data Protection Act 2018, you have a statutory right to complain directly to us if you believe we have handled your personal data in a way that infringes UK data protection law.

How to make a complaint:

You may submit a data protection complaint to us by any of the following means:

Email: creditcontrol@gwaza.co.uk (subject line: “Data Protection Complaint”)
Post: Data Protection Complaints, Gwaza Ltd., New House Farm, Shoothill, Shrewsbury, Shropshire, SY5 9NR

What to expect:

We will acknowledge receipt of your complaint within 30 days.
We will investigate your complaint without undue delay, making appropriate enquiries and keeping you informed of progress.
We will inform you of the outcome of your complaint as soon as reasonably practicable, with a clear explanation of how we reached our conclusion.
If you are not satisfied with the outcome, you have the right to escalate your complaint to the ICO at www.ico.org.uk or by calling 0303 123 1113.

10. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies to improve functionality, analyse usage, and enhance your experience. A cookie is a small text file placed on your device when you visit our website.

We use the following categories of cookies:

Category	Purpose	Legal Basis
Strictly Necessary	Essential for the website to function (e.g., session management, login, security).	Exempt from consent (PECR Regulation 6).
Analytics	Help us understand how visitors use our website (e.g., Google Analytics via Google Tag Manager). Data is collected in anonymised or aggregated form.	Consent, or exempt under PECR where cookies are limited to service-improvement analytics (as amended by DUAA 2025).
Functionality	Remember your preferences such as language or region.	Consent, or exempt under PECR where cookies are strictly for appearance or user preference.

We use Google Tag Manager to manage the deployment of cookies and tracking scripts on our website.

Managing cookies:

You can control and manage cookies through your browser settings. Most browsers allow you to refuse or delete cookies. Please note that disabling cookies may affect the functionality of our website. You can also manage your preferences through our cookie consent banner when you first visit the site.

For more information about cookies and how to manage them, visit www.allaboutcookies.org.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in legislation, our business practices, or the technologies we use. The latest version will always be available on our website. Where changes are significant, we will take reasonable steps to draw them to your attention.

12. Contact Us

For any privacy-related questions, to exercise your data subject rights, or to make a data protection complaint, please contact us: