Privacy Notice

Customers, Website Visitors, Business Contacts, Event Attendees & Premises Visitors

At a Glance summary box added for quick reference

Who we areFox’s Burton’s Companies (FBC) UK Limited (“FBC”, “we”, “us”, “our”)
What this coversHow we use your personal information when you use our websites, buy our products, contact us, participate in a promotion, attend our events, visit our premises, or otherwise interact with us as a customer, business contact, event attendee, or visitor.
What this does NOT coverProcessing relating to job applicants/candidates and employees/workers. Please see our separate Candidate Privacy Notice and Worker/Employee Privacy Notice.
Data Protection OfficerEmail: dpo@fbc-uk.com
Postal addressSt Paul’s House, 8-12 Warwick Avenue, London, EC4M 7BP
Last updatedMarch 2026

1. Who is the controller?

Fox’s Burton’s Companies (FBC) UK Limited is the data controller for the personal information described in this notice. This means we decide how and why your personal information is used. We are registered with the Information Commissioner’s Office (ICO) as a data controller.

For ease, we refer to Fox’s Burton’s Companies (FBC) UK Limited as “FBC”, “we”, “us”, or “our” throughout this notice.

2. Our Data Protection Officer (DPO)


We have appointed a Data Protection Officer. If you have any questions about this notice, wish to exercise your data protection rights, or have a concern about how we use your personal information, please contact our DPO:

  • Email: dpo@fbc-uk.com
  • Post: St Paul’s House, 8-12 Warwick Avenue, London, EC4M 7BP

3. What we mean by “personal information”

Personal information (also called “personal data”) is any information that identifies you, or from which you could reasonably be identified. This includes obvious things like your name and contact details, and less obvious things like online identifiers such as your IP address, cookie identifiers, or device information. When we say “processing”, we mean anything we do with your personal information — collecting, storing, using, sharing, or deleting it.

4. If you do not provide information we need

Sometimes we need certain personal information from you to fulfil your request or provide a product or service. For example:

  •  We need your delivery address to ship products to you.
  • We need payment details to take payment.
  • We need your contact information to respond to an enquiry or register you for a promotion. If you choose not to provide information that is required for a particular purpose, we may not be able to proceed with that request or provide the product or service you want. We will always tell you which information is required and which is optional.

5. How we collect your personal information

Directly from you
We collect information directly from you when you:

  • Contact us with an enquiry, request, or complaint.
  • Order products or services from us.
  • Register for or attend one of our events or promotions.
  • Participate in a competition or prize draw.
  • Visit our offices or premises.
  • Communicate with our Consumer Careline.
  • Provide your business card or other contact details.

Automatically — from our websites and digital services

When you visit our websites, apps, or digital services, we may collect technical and usage information automatically, such as your device type, browser, IP address, and how you navigate our site. We do this using cookies and similar technologies.

Optional cookies and tracking technologies are only used if you choose to accept them. Please see section 21 (Cookies) for full details and how to manage your preferences.


From other sources
We may occasionally receive information about you from third parties, including:

  • Publicly available sources — for example, public registers, Companies House, LinkedIn and similar professional networks.
  • Lead generation providers and data brokers — who may supply us with business contact
    details (for example, your name, job title, company name, and business email address) to support our business-to-business (B2B) relationship management activities. We use this information on the basis of our legitimate interests in developing and maintaining business relationships. You have the right to object to this use at any time — see section 16 (Your rights)
  • Referees or emergency contacts — where someone else has provided your details for use as a reference or in an emergency.

If you provide us with information about someone else (for example, a colleague’s details), please make sure you have their permission to share it with us or that you are otherwise lawfully permitted to do so.

6. The categories of personal information we use

Depending on how you interact with us, we may process the following types of personal information:

  •  Identity data — name, title, and similar identifiers.
  • Contact data — business or personal contact details, including email address, postal address,
    and telephone number.
  • Transaction and financial data — orders, invoices, payments, and related records.
  • Communications data — emails, messages, call notes, call recordings (where applicable via our Consumer Careline), and your communication preferences.
  • Technical and usage data — device and browser information, IP address, and information
    about how you use our websites (see also section 21 (Cookies)).
  • Images and CCTV footage — where CCTV operates at our premises or where photos or
    videos are taken at events.
  • Event accessibility and dietary information — only where you choose to provide it. This is special category data and requires your explicit consent before we collect or use it.

7. Photos and filming at events and on our premises

From time to time, we may take photos or video at our premises or events (including third-party venues) for internal records and, where appropriate, for communications purposes such as internal news, our websites, or social media.

  • Where we rely on consent — for individual spotlight shots or close-up photography intended for promotional use, we will ask for your consent before taking the photograph.
  • Where we rely on legitimate interests — for general crowd or group shots at events, we rely on our legitimate interests in communicating our activities to a wider audience. We ensure this is proportionate and respectful. Additionally, where visitor passes are issued (including via the Eptura visitor management system), data collected is processed on the basis of legitimate interests for site security and health and safety purposes.

If you would prefer not to be photographed or filmed, please tell the event organiser or email dpo@fbc-uk.com. We will take reasonable steps to accommodate your preference.

Event photography and imagery is typically retained for up to three years, or until it is no longer relevant to our communications.

8. Our lawful bases for processing

We only use your personal information where we have a valid lawful basis under UK data protection law. The basis we use depends on the purpose and type of processing involved.

  • Contract — to perform a contract with you, or to take steps you ask us to take before entering into a contract.
  • Legal obligation — to comply with a legal requirement, for example accounting rules, tax law, product safety obligations, or lawful regulatory requests.
  • Legitimate interests — to run and improve our business, maintain relationships, keep people safe, and manage our operations, where those interests are not overridden by your rights and interests. Where we rely on legitimate interests, we carry out a balancing assessment. You have the right to object — see section 16. If you would like more detail about the balancing assessment for any specific use, please contact our DPO.
  • Consent — for optional cookies and similar technologies, for special category data at events (such as dietary or access needs), and for certain marketing activities where required by law. Where we rely on consent, you can withdraw it at any time — see section 16.

9.  What we use your information for

The table below summarises the main purposes for which we use your information and the lawful bases we rely on. We may rely on more than one lawful basis depending on the specific context. If you need more detail about the lawful basis we rely on for a particular activity, please contact our DPO.

Purpose

Main categories of personal information used

Lawful basis

Register and manage customer accounts and enquiries

Identity, Contact, Communications

Contract; Legitimate interests (keeping accurate records)

Process and deliver orders, manage payments and provide customer service

Identity, Contact, Transaction, Financial, Communications

Contract; Legitimate interests (fraud prevention, debt recovery)

Manage business relationships with suppliers, partners, and contacts

Identity, Contact, Communications

Legitimate interests; Legal obligation (where applicable)

Send service and transactional messages (e.g. order updates, event confirmations)

Contact, Transaction, Communications

Contract; Legal obligation

Send marketing communications (where permitted)

Contact, Identity, Usage, Communications

Legitimate interests and/or Consent (see section 10)

Run competitions and prize draws

Identity, Contact, Communications

Contract; Consent (where required)

Administer and improve our websites and maintain IT security

Technical, Usage, Contact (limited)

Legitimate interests; Consent (for non-essential cookies)

Organise and manage events, webinars and premises visits

Identity, Contact, Communications; Event accessibility/dietary data (special category)

Contract/Legitimate interests; Explicit Consent (for special category data)

Business improvement, analytics and service development

Technical, Usage, Transaction (aggregated where possible)

Legitimate interests

Safety and security of premises, staff and visitors

Images/CCTV footage; Identity/Contact (visitor logs)

Legitimate interests

Comply with legal obligations

Identity, Contact, Transaction, Financial, Communications, Technical

Legal obligation

10.  Marketing

We may contact customers and business contacts with news, updates, and information about our products, services, and activities where we are permitted to do so under applicable law, including the Privacy and Electronic Communications Regulations (PECR).

Where we send marketing emails:

  • You can opt out of marketing communications at any time by using the unsubscribe link in any of our messages.
  • You can also contact us at dpo@fbc-uk.com to opt out.
  • We maintain a suppression list of people who have opted out, so that we do not contact them in error.

We do not sell your personal information to third parties for their own marketing purposes, and we do not make your details available to third parties for their marketing without your agreement.

11.  Who we share your personal information with

We share your personal information only where necessary and with appropriate safeguards in place. The categories of recipients with whom we may share your information include:

  • Our employees and group companies — where relevant to their role or function.
  • IT, hosting, and digital service providers — for example, those helping us run our website, store data, deliver emails, and provide analytics.
  • Payment and financial service providers — to process payments securely.
  • Visitor management service providers — for example, Eptura, which manages visitor registration and access to our premises.
  • Customer care and fulfilment partners — to handle enquiries, consumer careline calls, returns, and product deliveries.
  • Marketing and communications partners — where we carry out lawful marketing activities.
  • Competition fulfilment partners — to administer prize draws and competitions.
  • Professional advisers — including lawyers, auditors, and insurers.
  • Regulators, law enforcement, courts, and government authorities — where we are required or permitted by law. We only share what is required and challenge requests where appropriate.
  • Third parties in connection with corporate transactions — for example, if FBC is involved in a merger, acquisition, or restructuring. Any such sharing is subject to appropriate confidentiality protections, and we will take steps to ensure that the recipient protects your data to equivalent standards.

We will only share your personal information on the basis of a clear lawful purpose and with appropriate safeguards in place. We never sell your personal information.
 

12.  Our key suppliers and processors

Where we use third-party suppliers who process personal information on our behalf (known as “data processors”), we put written contracts in place to ensure they:

  • Keep your information secure and confidential.
  • Use it only on our documented instructions.
  • Apply equivalent protections to any sub-processors they engage.
  • Delete or return data when our relationship with them ends.

The key suppliers relevant to our website, customer, and visitor interactions are listed below. This list is not exhaustive and may change from time to time. Suppliers supporting internal business operations only (such as payroll and HR systems) are listed in our Worker/Employee Privacy Notice.

Supplier

What they do for us (relevant to this notice)

Where based / transfer safeguard

Pixel Fridge

Website development and maintenance

UK

Parade

Customer care engagement (consumer careline)

UK

Microsoft

Productivity tools, email, and data storage (including contact form email delivery)

Global – UK/EU data centres; UK-US Data Bridge / IDTA as applicable

SAP

Enterprise resource planning (including customer order management)

Global – IDTA/UK Addendum as applicable

Oracle

Business reporting and analytics (may include customer data)

UK/Global – IDTA/UK Addendum as applicable

Accenture Management Support

IT support services

Philippines, India and other locations – IDTA/UK Addendum

For further information about our supplier arrangements, or to request details about a specific processor, please contact our DPO.
 

13.  International transfers

Some of our suppliers may store or access personal information outside the UK. Where your personal information is transferred outside the UK, we ensure appropriate safeguards are in place before any transfer takes place.

The safeguards we use include:

  • Adequacy decisions — transfers to countries that the UK has recognised as providing an adequate level of data protection (for example, countries in the EU/EEA).
  • UK International Data Transfer Agreement (IDTA) — a contractual mechanism approved by the ICO for transfers to countries without an adequacy decision.
  • UK Addendum to EU Standard Contractual Clauses — an alternative contractual safeguard for international transfers.
  • UK–US Data Bridge — where a supplier is certified under the UK–US Data Bridge, we may rely on that certification for transfers to that specific supplier. For US suppliers not certified under the Data Bridge, we use the IDTA or UK Addendum.

Where a supplier processes data in multiple countries, we ensure the appropriate safeguard applies to each transfer location. If you would like more information about the safeguards used for a particular supplier or transfer, please contact our DPO.

14.  How long we keep your personal information

We keep personal information only for as long as is necessary for the purpose(s) for which it was collected, or as required by law. We periodically review what we hold and delete or anonymise information when it is no longer needed.

When deciding how long to keep information, we consider:

  • The amount, nature, and sensitivity of the information.
  • The potential risk of harm from unauthorised use or disclosure.
  • The purposes for which we collected it, and whether we can achieve those purposes through other means.
  • Any applicable legal, regulatory, or contractual requirements.

     

  • Type of personal information

    Typical retention period

    Customer or supplier records (orders, transactions, account data)

    Up to 5 years after the relationship ends or our last contact, unless a longer statutory period applies

    Business contact records

    Up to 3 years after the business relationship ends

    Competition and prize draw records

    18 months after the competition closes

    CCTV footage

    Up to 30 days, unless required for an incident investigation or legal proceedings

    Visitor Wi-Fi connection logs

    Up to 30 days (for security and network management)

    Eptura visitor management records

    3 months following the last connection or visit

    Event attendance and registration records

    Up to 2 years, or as required by applicable law

Further details are set out in our internal Retention Policy. If you would like a copy, please contact our DPO.

15.  CCTV

We operate closed-circuit television (CCTV) at some of our premises for the safety and security of staff, visitors, contractors, and property. Where CCTV is in use, we display signage at the entrance and within the relevant areas to let you know.

The lawful basis we rely on for CCTV processing is legitimate interests (Article 6(1)(f) of the UK GDPR) — specifically, our interest in keeping people and property safe. We have assessed that this interest is proportionate and does not override individuals’ privacy rights, particularly given that signage is clearly displayed.

CCTV footage is typically retained for up to 30 days, unless it is needed in connection with an incident, investigation, complaint, or legal proceedings, in which case it may be retained for longer. 

16.  Your data protection rights

Under UK data protection law, you have the following rights. Whether and how they apply in any particular case will depend on the circumstances and the lawful basis we rely on.
 

Your right

What it means

Right of access

You can ask for a copy of the personal information we hold about you (a Subject Access Request or SAR). We will verify your identity before responding, and we aim to respond within one month. For complex or multiple requests, we may extend this by up to two further months and will tell you why.

Right to rectification

You can ask us to correct information that is inaccurate or to complete information that is incomplete.

Right to erasure (“right to be forgotten”)

You can ask us to delete your personal information in certain circumstances, for example where we no longer need it and no legal obligation requires us to keep it.

Right to restriction of processing

You can ask us to pause the use of your information in certain circumstances, for example while we are checking the accuracy of information you have disputed.

Right to object

You can object to processing where we rely on legitimate interests or public task. We will stop unless we have compelling legitimate grounds that override your interests, or we need the information for legal claims.

Right to data portability

Where we process your information based on consent or contract, and by automated means, you can ask us to provide it to you in a portable format or to transfer it to another organisation.

Right to withdraw consent

Where we rely on consent, you can withdraw it at any time without affecting any processing already carried out. To withdraw cookie consent, use the cookie settings link on our website. For other consent, contact dpo@fbc-uk.com.

You do not normally have to pay a fee to exercise these rights. We aim to respond within one month. To make a request, please contact our DPO at dpo@fbc-uk.com.
 

17.  Security

We use appropriate technical and organisational measures to protect your personal information against unauthorised access, loss, alteration, or misuse. These include access controls and role-based permissions, encryption of data in transit and at rest where appropriate, and regular review of our security practices.

No method of transmission over the internet is completely secure. However, we take all reasonable precautions to protect the personal information we hold, and we maintain an information security programme aligned to industry standards.

18.  Artificial Intelligence (AI) tools

We use AI-enabled tools to support internal productivity. Our current AI tools include Microsoft Copilot, which we use for tasks such as drafting and summarising documents, generating ideas, and supporting internal communications.

Important points about how we use AI:

  • No automated decisions about you — we do not use AI to make automated decisions that have a legal or similarly significant effect on you as an individual.
  • Minimisation — we seek to minimise the amount of personal information used in AI tools and instruct staff to avoid inputting unnecessary personal data.
  • Access controls — access to AI tools is controlled and restricted to authorised users.
  • Review process — AI-generated content is reviewed by a person before it is used externally or in any formal context.
  • Compliance — we use AI tools in compliance with applicable data protection law and current ICO guidance.
  • We keep our AI tool usage under review and will update this section if our practices change materially.
     

19.  Visitor Wi-Fi

We provide Wi-Fi for visitors at some of our premises. If you connect to our visitor network, we will process limited technical data to provide the service, maintain network security, and prevent misuse. This may include:

  • Your device’s MAC address / device identifier.
  • An automatically allocated IP address.
  • Basic connection logs, including sites visited, connection duration, and data sent and received.
  • The lawful basis we rely on is legitimate interests (Article 6(1)(f) of the UK GDPR) — specifically, our interest in providing a secure, functional network and preventing misuse.
  • We retain visitor Wi-Fi connection logs for up to 30 days. We do not routinely monitor the content of your communications over the Wi-Fi network, but we may review logs if necessary for security purposes, technical troubleshooting, or investigations.

19A.  Eptura Visitor Management System

We use Eptura, a third-party visitor management platform, to manage visitor access to our premises. When you visit one of our sites, you may be asked to register using the Eptura system, which may collect the following personal information:

  • Your name, email address, and contact telephone number.
  • The name of your organisation or the person you are visiting.
  • Date, time, and purpose of your visit.
  • Photographic identification (where required for security purposes).
  • Vehicle registration number (where applicable).

We process this information on the basis of legitimate interests (Article 6(1)(f) of the UK GDPR) — specifically, our interest in maintaining site security, managing visitor access, and complying with health and safety obligations.

Data collected through Eptura will be retained for a period of three months following the last connection or visit. After this period, your visitor record will be securely deleted unless retention is required for an ongoing incident investigation, legal proceedings, or regulatory compliance.

Eptura processes your personal data as our data processor, in accordance with our instructions and subject to appropriate contractual safeguards. For more information about Eptura’s data handling practices, please refer to their privacy notice at www.eptura.com/privacy.
 

20.  Attending one of our events or promotions


If you register for or attend one of our events or promotions, we will ask you to provide contact information (including your organisation’s name) and, if relevant, details of any dietary requirements or access needs.

We use this information to manage your registration, communicate event details, and provide an appropriate service on the day.

The lawful basis we rely on will depend on the event:

  • Free events and promotions — legitimate interests (managing our business relationships and promoting our activities)
  • Paid events — contract (to process your registration and manage your attendance).
  • Dietary or access requirements — this is special category personal data (health information). We will only collect this with your explicit consent, which you may withdraw at any time. Please note that withdrawing consent may affect our ability to make appropriate arrangements for you.

If there is a charge to attend an event, we may also collect payment information, which we process on the basis of contract.
 

21.  Cookies and similar technologies

We use cookies and similar technologies on our website for different purposes.
 

Strictly necessary cookies
Some cookies are essential for our website to work properly and cannot be switched off. These include cookies that:

  • Maintain session security (for example, preventing unauthorised access).
  • Enable core site functionality such as load balancing and page navigation.
  • Remember your cookie preferences.

These cookies do not require your consent. They do not track you across other websites or collect information for advertising purposes.
 

Optional cookies
All other cookies — for example, analytics cookies or cookies that personalise your experience — are optional. We will only use these if you choose to accept them.
You can change your cookie preferences at any time by clicking the “Cookie Settings” link on our website. You can also manage or delete cookies through your browser settings.
Our Cookie Policy
 

For a full list of the cookies we use, what they do, who sets them, and how long they last, please see our Cookie Policy at www.fbc-uk.com/cookie-policy. This list is kept up to date as our cookie usage changes.

22.  Children

Our websites and services are not directed at children under the age of 18 and we do not knowingly collect personal information from children.

If you believe a child has provided us with personal information without appropriate parental consent, please contact us at dpo@fbc-uk.com and we will take steps to delete it promptly.

23.  Links to other websites

Our websites may contain links to websites operated by other organisations. This privacy notice does not apply to those websites. We are not responsible for the privacy practices of other organisations, and we encourage you to read the privacy notice on any website you visit.

24.  Your right to complain

We are committed to handling your personal information responsibly and to the highest standards. If you have a concern about how we are using your information, please contact us first so that we can try to resolve it quickly:

Email: dpo@fbc-uk.com
Post: St Paul’s House, 8-12 Warwick Avenue, London, EC4M 7BP

If you are not satisfied with our response, you have the right to make a complaint to the Information Commissioner’s Office (ICO), the UK data protection regulator:

  • Website: www.ico.org.uk
  • Make a complaint: ico.org.uk/make-a-complaint
  • Helpline: 0303 123 1113
  • Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

 

25.  Updates to this notice

We may update this notice from time to time to reflect changes in how we use personal information or in applicable law. We will update the “Last updated” date at the top of this notice whenever we make any changes.

We encourage you to check this notice periodically. Where we make significant changes, we will take reasonable steps to bring them to your attention.

This Privacy Notice was last updated on March 2026.