Privacy Policy

Introduction

Beckdale Europe Ltd (trading as Beckdale Shipping/Beckdale Fulfilment) ("we", "us", "our") provides third-party logistics and order fulfilment services. We are committed to protecting the privacy and security of personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and ICO guidance.

Registered address: 10 Charter Street, Leicester

Scope — who this policy applies to

This privacy policy covers:

• personal data we collect and process about customers, recipients and end-users for order fulfilment;
• personal data submitted via our website (e.g. contact forms, quotation requests, careers applications); and
• data processed on behalf of our clients when we act as a data processor or sub-processor.

Definitions

Controller

The organisation that determines the purposes and means of processing personal data. In many cases our clients (the seller/brand) are the controller for order data; we often act as a processor when we fulfil orders on their behalf.

Processor

An organisation that processes personal data on behalf of a controller (for example, a 3PL fulfilling orders). We operate as a processor in many service relationships, but may sometimes be a controller for data we collect directly (e.g. enquiries to our website).

Personal data / PII

Any information which identifies or can be used to identify a living person (name, address, phone, email, order details, IP address, cookies, etc.).

What personal data we collect

Depending on your interaction with us, we may collect:

• Order & delivery data: name, delivery and billing addresses, phone, email, order items, tracking numbers, shipment status, returns information, customs information where applicable.
• Payment & invoicing data: invoice references, payment transaction IDs (we do not store full card details unless specifically contracted and PCI compliant — typically card details are handled by payment providers).
• Website & enquiry data: contact form input, CVs/resumes, IP address, browser and device information, the pages you access, and cookies (see Cookies section).
• Security & fraud prevention: device identifiers, access logs, CCTV (where in operation in our premises), and any information necessary to detect or prevent fraud or abuse.

How we collect personal data

• Directly from customers or their customers (order forms, electronic feeds from e-commerce platforms, paper orders, phone orders).
• From website submissions (contact forms, quote requests, job applications).
• From client systems where we act as a processor (APIs, CSV files, integration feeds).
• From public sources or third-party suppliers when required for fulfilment (e.g. address validation services).

Lawful basis for processing (UK GDPR Article 6)

We will rely on one or more lawful bases depending on the processing activity:

• Contract: processing necessary to perform a contract (order fulfilment, delivery, returns processing).
• Legal obligation: processing to comply with legal and tax obligations (eg. invoicing, customs, retention for HMRC).
• Legitimate interests: fraud prevention, safety, network and information security, compliance and to maintain business records (we balance this against individuals' rights).
• Consent: where required (eg. marketing emails or cookies that are not strictly necessary). Consent can be withdrawn at any time.

How we use personal data — purposes

• To process and fulfil orders, prepare shipments and manage returns.
• To communicate with customers and recipients about orders, delivery updates and issues.
• To maintain billing, accounting and VAT records.
• To operate and improve our website, respond to enquiries and job applications.
• To prevent fraud, ensure safety and secure our premises and IT systems.
• We do not sell personal data. We do not use personal data for purposes beyond those agreed with the controller (our client) without consent or lawful basis.

When we are a processor on behalf of clients

Where we process personal data on behalf of a client (the controller), we act only on documented instructions from that client and under a written data processing agreement which sets out roles, responsibilities, security measures and sub-processors. Our processor agreements reflect UK GDPR requirements and include appropriate safeguards for international transfers where necessary.

Third-party processors and sub-processors

We may use third-party service providers to support our services (warehouse management systems, courier services, CRM providers, payment processors, cloud hosting, address validation services, background check providers for staff). We assess and contractually require such providers to implement appropriate technical and organisational measures and to only process data in accordance with our written instructions (or our client's instructions where we act as processor).

Clients may request a current list of sub-processors by contacting us.

International transfers

If personal data is transferred outside the UK (for example to cloud providers or couriers operating outside the UK), we will ensure an adequate level of protection by using:

• transfers to countries with a UK adequacy decision; or
• approved transfer mechanisms such as the UK International Data Transfer Agreement (IDTA), or contractual clauses recognised under UK data protection law; or
• other appropriate safeguards in line with UK GDPR and ICO guidance.

Details of the countries and safeguards used on a per-transfer basis can be provided on request.

Data retention / deletion

We will only keep personal data for as long as necessary for the purposes set out above, and in line with legal and contractual obligations. Typical retention periods are:

• Order, delivery and shipping records: retained for up to 6 years where required for tax, accounting or legal obligations (eg. HMRC and accounting records).
• Billing and financial records: retained for up to 6 years in line with statutory obligations.
• Website enquiries / contact form submissions: retained for up to 12 months (or deleted sooner if not required).
• Recruitment applications / CVs: kept for up to 12 months unless consent is given to retain longer or the applicant becomes an employee.
• CCTV logs / security footage: retained for a limited period (typically up to 30–90 days) unless required for an incident investigation, legal claim or insurance purpose.

If you are a controller using our services and request deletion of data, we will follow your documented instructions and delete data from our active systems within agreed timeframes, subject to any legal obligations to retain data. Where deletion cannot be immediate (backups, archival copies), we will ensure that data is not accessible and schedule secure deletion as soon as reasonably possible.

Cookies & tracking

Our website does not use cookies.

Security measures

We implement appropriate technical and organisational measures to protect personal data, including (where relevant):

• access controls and role-based permissions;
• network security (firewalls, intrusion detection);
• encryption in transit (TLS) and encryption at rest where appropriate;
• secure deletion and sanitisation processes;
• staff training, background checks and confidentiality obligations;
• physical security for premises (access controls, CCTV) and security policies for visitors and contractors.

No system can be 100% guaranteed secure; we continually review and improve our security posture.

Data breaches

In the event of a personal data breach, we will follow our incident response plan. Where required by law and ICO guidance, we will notify the Information Commissioner's Office and any affected individuals without undue delay and within statutory timeframes (eg. 72 hours where applicable), and will co-operate with controllers in breach notifications when acting as a processor.

Individuals' rights

Individuals have rights under UK GDPR, including the right to:

• access their personal data (subject access request);
• rectify inaccurate data;
• request erasure (right to be forgotten) where applicable;
• restrict or object to processing in certain circumstances;
• data portability where processing is based on consent or contract and carried out by automated means;
• withdraw consent where processing is based on consent.

To exercise any right, contact us. We will verify identity and respond within the statutory timescales (typically one month, extendable in complex cases).

Marketing communications

We do not send marketing messages to individuals.

Complaints and supervisory authority

If you have concerns about how we handle your personal data, please contact us first. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO): ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.

Changes to this policy

We may update this policy from time to time. We will publish the updated policy on our website with a revised Last updated date.