GDPR Compliance Policy & Analytics Policy

Effective Date: May 2025

Introduction and Scope

ArmstrongCheshire (formerly Armstrong Supplies) is a UK-based e-commerce retailer committed to protecting customer personal data and complying with the UK GDPR and Data Protection Act 2018. This policy covers all personal data processed through our Shopify website, third-party marketplaces (B&Q via Mirakl, OnBuy, The Range, Amazon, eBay), and order management systems (Zenstores, Mintsoft, Veeqo). We only sell to UK customers and process data in accordance with GDPR principles.

Lawful Bases for Processing

• Contractual Necessity: Processing required to perform our sales contract (order fulfillment, delivery, customer service).
• Consent: Freely given opt-in consent for marketing communications, which can be withdrawn at any time.
• Legitimate Interests: Internal analytics, improving services, fraud prevention, balanced against customer rights.
• Legal Obligation: Compliance with statutory requirements (e.g., tax and accounting record-keeping).

Data Collection, Minimisation and Purpose Limitation

Data We Collect

• Identity & Contact: Name, email, postal address, phone number.
• Transactional: Order history, payment confirmation details.
• Technical: IP address, browser/device information.
• Usage: Pages visited, referral source, session data.

Data Minimisation & Purpose

We collect only the data necessary for order processing, customer support, and optional marketing (with consent). We do not collect or store payment card details. Data is used solely for the purposes communicated at collection and not for profiling or resale.

Data Retention

Personal data is retained only as long as required: order records for statutory periods (e.g., 6 years for tax), marketing data until unsubscribed or invalid, and analytics data as per our internal schedule.

Third-Party Processors and Data Sharing

• E-commerce Platform (Shopify): Hosts and processes customer data under our instructions.
• Marketplaces: Receive data for order fulfillment only; no marketing imports without separate consent.
• Order Management (Zenstores, Mintsoft, Veeqo): Process data to manage inventory, shipping and tracking.
• Payment Processors: Independent controllers handling card payments; we receive only payment status and transaction IDs.
• Email Services: Send marketing communications to opted-in subscribers; GDPR-compliant processors under DPA.
• Analytics Tools: Aggregate usage data with IP anonymisation; consent obtained for non-essential cookies.

Data Subject Rights

Individuals may exercise these rights by contacting us at enquiries@armstrongcheshire.co.uk:

• Right to be informed about data collection and use.
• Right of access to personal data we hold.
• Right to rectification of inaccurate or incomplete data.
• Right to erasure (subject to legal retention requirements).
• Right to restrict or object to processing.
• Right to data portability.
• Right to withdraw consent at any time.

Data Security Measures

• HTTPS/TLS encryption on all pages collecting personal data.
• Access controls and least-privilege access for staff.
• Encrypted storage of sensitive information; payment data handled by PCI DSS–compliant providers.
• Regular security updates, monitoring, and backups.
• Incident response plan with GDPR breach notification procedures.

Accountability and Record-Keeping

• Maintained records of processing activities, purposes, and retention schedules.
• Data Protection by Design and Default for new systems or features.
• Due diligence and DPAs with all processors.
• Periodic audits and policy reviews at least annually.

GDPR Risks & Mitigation

• Data Fragmentation: Centralised record-keeping and integration for consistent data handling.
• Third-Party Breaches: Vetting, DPAs, and minimum data sharing with processors.
• Marketplace Data Use: Strict purpose limitation to order fulfillment only.
• Cross-Border Transfers: Adequacy decisions, Standard Contractual Clauses, and regional hosting when available.
• Data Retention: Defined retention periods and scheduled data purges.
• Formal DPIA: Planned DPIA for multi-platform processing to identify and mitigate risks.
• DPO Appointment: Privacy lead in senior management; evaluating voluntary DPO appointment.

Data Protection Impact Assessment (DPIA)

We will conduct a DPIA for our e-commerce processes to map data flows, assess risks, and implement controls. DPIAs will be performed for major changes and new processing activities.

Data Protection Officer (DPO)

Although not legally required, we have assigned a senior privacy lead and are considering a voluntary DPO appointment to ensure dedicated oversight of GDPR compliance.

Contact our privacy lead at enquiries@armstrongcheshire.co.uk.

Policy Review and Updates

This policy is reviewed at least annually and updated as needed. Any material changes will be published on our website with the new effective date.

For questions or to exercise your data rights, contact:
ArmstrongCheshire
Suite 3, Bailey Court, Macclesfield, SK10 1JQ
Email: contact@armstrongcheshire.co.uk

Analytics Policy

ArmstrongCheshire (“we” or “us”) is committed to respecting your privacy. This Analytics Policy explains how we use cookies and analytics tools on our website to collect and process information about your use of our site. It details what tools we use, what data is collected, the purposes for collecting it, the lawful basis for processing, how you can opt out or manage your cookie preferences, how long the data is retained, and clarifies that we do not engage in profiling or automated decision-making with this data. This policy is intended to complement our broader Privacy Policy and Cookie Policy.

Analytics Tools We Use

We use the following analytics services to gather aggregated information about how visitors use our website:

• Google Analytics: A web analytics service provided by Google LLC. Google Analytics uses cookies and similar technologies to collect data on website usage (such as pages visited, time on site, and referring websites) and provides us with reports and insights. Google Analytics may collect certain technical data (described below) and process it on Google’s servers to generate these analytics reports for us.
• Shopify Analytics: Built-in reporting tools provided by our e-commerce platform (Shopify). Shopify automatically collects usage data related to our online store (for example, overall visitor numbers, product views, and sales conversion rates) and presents this to us in an aggregated dashboard format.

We use these tools with their default configurations. They help us understand general website performance and user trends without revealing any personally identifying information. All data collected via these services is used in an anonymized, aggregate form – we do not see individual personal details through these analytics.

What Data We Collect via Analytics

When analytics tracking is enabled (with your consent), the tools above may collect certain information about your visit. This information includes:

• Usage Information: Details of how you use our site – for example, the pages you visit, the time spent on each page, the links or products you click on, and the order in which you navigate through our site.
• Device and Browser Details: Information about the device and software you use to access our site. This can include your device type (e.g. desktop, tablet, or mobile), operating system (e.g. Windows or iOS), browser type and version (e.g. Chrome, Safari), and screen resolution.
• Technical Network Information: Your IP address and network provider. The IP address is a numerical label assigned to your device by your internet service provider. We use this for analytics to determine approximate location (see geolocation below) and to detect site abuse. **Note:** Google Analytics 4 anonymizes IP addresses by default for EU/UK traffic, meaning the last digits of your IP are masked and the full IP is not stored.
• Geolocation (Approximate): An approximate geographic location derived from your IP address (such as country, region, or city). This is used to understand where our site visitors are generally coming from. It is not precise location tracking (we do **not** collect GPS data or exact addresses).
• Referring and Exit Information: The website or source that referred you to our site (for example, a search engine or another site that linked to us), and the page you visit just before leaving our site.

This data is collected via cookies and similar tracking technologies placed on your browser. Importantly, the information collected is **not** used to identify you as a named individual. We do not collect personal details like your name, email, address, or payment information through analytics. The analytics data is typically associated with a randomly generated identifier (e.g. a cookie ID) and is analyzed in aggregate. While certain technical data (like an IP address or device ID) could be considered personal data under data protection laws, we only view and use this information in an aggregated and anonymized manner for statistical purposes.

Why We Use Analytics Data (Purpose of Processing)

We collect and use analytics data strictly for the following purposes:

• Improving Website Performance: To monitor our website’s functionality and speed. Analytics helps us identify technical issues (like broken pages or slow load times) so we can fix them and ensure the site works smoothly for all users.
• Understanding Usage Patterns: To learn how visitors engage with our site. For example, we look at which pages or products are most popular, how users navigate between pages, and where users might drop off in the buying process. These insights let us improve the design and content of our website to better meet our customers’ needs.
• Measuring Overall Traffic & Trends: To gather aggregated statistics such as total number of visitors, page views, and other trend data over time. This helps us gauge the effectiveness of our marketing efforts (e.g. seeing if more visitors come after a promotion) and plan business decisions (like staffing or inventory) based on general demand patterns.
• User Experience Improvements: By analyzing broad user behavior, we can make informed decisions on how to enhance your experience. For instance, if analytics shows users often search for a particular item, we might make that item easier to find. If many users from a certain region visit our site, we ensure our content or shipping options serve that region well.

All the analytics information we use is aggregated and anonymized. We look at trends and patterns among many users rather than focusing on any one individual’s behavior. Our aim is to improve our website’s content, layout, and services for the benefit of visitors and customers overall. We do not use analytics data to track you as an individual or to make decisions about you personally.

Example: Analytics might tell us that “500 people visited our Product A page this week and 5% of them added it to cart,” which helps us gauge interest in that product. However, we do not know who those individuals are, and we do not combine that information with any customer records we might have from orders. The data remains statistical.

Lawful Basis for Processing Analytics Data

Under the UK General Data Protection Regulation (UK GDPR) and related laws, we need a valid legal basis to collect and use personal data. For our analytics activities, the lawful basis we rely on is consent.

This means we will only use Google Analytics, Shopify analytics, or any non-essential tracking cookies if you have given your consent. When you first visit our website, you will see a cookie consent banner. This banner allows you to either accept or decline non-essential cookies (which include analytics cookies). We do not deploy analytics cookies until you have explicitly consented by opting in via this banner (or other cookie preference settings on our site).

If you choose to accept analytics cookies, you are giving us permission to process the data described in this policy for the purposes we’ve outlined. If you choose to decline, we fully respect that choice – in that case, our site will either not load the analytics tools at all, or will disable their data collection, meaning your visit will not be tracked by Google Analytics or Shopify’s analytics beyond the basic functionality needed for the site to operate.

You can withdraw your consent at any time (see **Your Choices: Opting Out of Analytics** below for how to do this). Note that any analytics data already collected while consent was active will still be used as described, but we will stop collecting new analytics data from you once you opt out.

Why not “Legitimate Interests”? Some organizations may consider tracking website analytics under the lawful basis of legitimate interests (i.e., the company’s interest in understanding and improving its website balanced against the user’s privacy rights). However, current ePrivacy regulations in the UK and EU require user consent for non-essential cookies like analytics cookies. Therefore, ArmstrongCheshire opts to use consent to ensure compliance and give you full control over analytics tracking.

Your Choices: Opting Out of Analytics Cookies

We want you to have full control over the data collected about your visit. Here are the ways you can manage or opt out of our analytics tracking:

• Cookie Consent Banner: When you first visit our site, you’ll encounter a cookie consent banner. To refuse analytics cookies, simply select the option to decline or opt out of non-essential cookies. If you only accept “necessary” cookies and reject analytics cookies, Google Analytics and similar tools will not run.
• Cookie Settings: Even after your initial choice, you can change your cookie preferences at any time. We provide a cookie settings link (often found in the footer of the site or within the privacy/cookie policy page) where you can revisit your preferences. From there, you can disable or enable analytics cookies as you wish. Once you update your preference to opt out, our site will stop collecting analytics data from your device on future visits.
• Browser Settings: You can also manage cookies through your web browser settings. Most browsers allow you to block third-party cookies or even all cookies. You can delete cookies that have already been set, including the Google Analytics cookies (_ga, _gid, etc.). Please be aware that if you clear all cookies, this may also remove your saved preferences (including any “opt-out” choice you made on our cookie banner), so the consent banner might appear again on your next visit.
• Google Analytics Opt-Out Plugin: Google offers an official Google Analytics Opt-out Browser Add-on. Installing this add-on in your browser will prevent Google Analytics from collecting data on any website, not just ours. This is a more global solution if you want to completely opt out of Google Analytics tracking across all sites that use it.

Keep in mind that our use of analytics is designed to be unobtrusive. If you opt out of analytics cookies, you should experience no loss of functionality on our website; the site will continue to work normally. The only difference is that your visit will not be included in our anonymized statistics.

Note: If you have previously consented to analytics and then opt out, Google Analytics will stop collecting data from that point forward. It does not retroactively delete prior data already collected. However, as explained in the Data Retention section, that data will eventually be deleted according to our retention policy.

Data Retention: How Long We Keep Analytics Data

We retain analytics data only for as long as necessary to fulfill the purposes described in this policy. Our aim is to balance obtaining useful insights with respecting your privacy and data minimization principles.

Within Google Analytics and Shopify: We have configured our Google Analytics account to retain user-level data (such as associated with cookies and device identifiers) for a maximum of 14 months. This means that any granular data about your site usage is automatically deleted from Google’s servers after 14 months. In many cases, we may only retain detailed data for a shorter period (e.g., Google Analytics 4’s default retention for certain data is 2 months unless extended). Shopify’s analytics data retention follows Shopify’s platform policies; generally, Shopify retains store visit and order analytics for the duration of our store’s operation, but this data remains aggregated in our reports.

Aggregated Reports and Internal Use: We primarily use aggregated data for trend analysis (for example, monthly or yearly traffic reports). These aggregate summaries do not contain personal identifiers. We may download or export such summary reports periodically (e.g., to analyze year-over-year performance). Such exports might be stored in our internal systems like Microsoft Office 365 (Excel spreadsheets) or Google Sheets for collaboration among our team. We treat any exported data confidentially and store it securely. These reports are typically kept as long as needed for business analysis and then archived or deleted. Since they contain only high-level numbers (and no direct personal data), retaining them does not pose a risk to individual privacy.

Deletion and Anonymization: After the retention period elapses, user-level and event-level data in Google Analytics is deleted automatically on a rolling basis. For example, data older than 14 months is purged each month so only recent 14 months are available. In Shopify’s case, data is continuously overwritten or aggregated over time. We do not independently keep any personal analytics identifiers beyond these systems. In summary, we do not keep analytics data indefinitely, nor do we store it in a form that can identify individuals beyond the stated retention limits.

If you request deletion of your personal data or exercise your data protection rights (as applicable), we will also endeavor to delete any analytics data related to your device to the extent that we can identify it (which is often not possible without cookies). Generally, because our analytics data is anonymized and aggregated, it cannot be easily linked back to you personally.

No Profiling or Automated Decision-Making

ArmstrongCheshire does not use analytics data for profiling you or making any automated decisions about you. “Profiling” means analyzing personal data to evaluate or predict certain personal aspects, often to target advertising or personalize content to an individual. We explicitly do not do this with our analytics data.

Any information collected through Google Analytics or Shopify’s analytics is used at an aggregate level for the purposes described above (site improvement, performance monitoring, etc.). We do not create individual user profiles or behavioral records outside of these general statistics. For example, we do not keep a history of an individual’s page visits or purchases tied to their identity for marketing segmentation – analytics data is never merged with your customer account or order history.

Furthermore, we perform no automated decision-making that could affect you based on analytics data. “Automated decision-making” refers to decisions made by algorithms without human intervention that have a legal or similarly significant effect on individuals. Our use of analytics has no such impact – it does not result in decisions like credit checks, hiring, pricing, or anything that affects you personally. All decisions about website improvements or content changes based on analytics are made looking at broad user trends, and involve human judgment aimed at benefitting the user experience for all visitors.

In practice, this means:

• We do not conduct any kind of A/B testing on our website that would target specific users without their knowledge or consent. (A/B testing is a method where two versions of a page are shown to different groups to compare performance. We are not running such tests on our site using analytics data.)
• We do not use analytics data to create marketing audiences or personalize advertising to you. For instance, we are not using Google Analytics Advertising Features like remarketing or demographic segmentation. You will not suddenly see ads from us across the web based on your visits to our site, because we are not utilizing analytics for advertising or cross-site tracking.
• We do not combine analytics information with any other databases containing personal information (such as our customer purchase records). Analytics data stays separate and is only reviewed in aggregate. If you make a purchase on our site, the details of that order are stored securely in our order system, but those details are not linked to your website browsing analytics.

The absence of profiling and automated decisions means that all users can expect the same fair and privacy-respecting treatment. Your analytics data is simply one anonymous data point among many that helps us improve our services overall, and nothing more.

Sharing of Analytics Data and Third Parties

Your analytics information is used internally by ArmstrongCheshire and is not sold or shared for independent use by any third parties. We consider analytics data confidential. However, we do work with service providers (under strict agreements) to process analytics data on our behalf. Those service providers are:

• Google (Google Analytics): When you allow analytics, Google Analytics will collect data as described above and process it to generate reports for us. This means Google will act as a data processor for us – Google only uses the data to provide the analytics service and is bound by Google’s terms and data protection commitments. The information generated by the Google Analytics cookies (including possibly a truncated IP address and usage data) is transmitted to Google’s servers. These servers may be located outside the UK/EEA (for example, in the United States or other countries). Google is certified under appropriate data transfer safeguards and we have a Data Processing Addendum in place with Google (which incorporates Standard Contractual Clauses as needed to comply with GDPR for international data transfers). In plain terms, this means Google is contractually obligated to protect your data and use it only for providing analytics to us, not for their own purposes.
• Shopify: Shopify Inc. (our website platform provider) also collects analytics data through the functioning of our online store. Shopify provides us with an analytics dashboard about site traffic and sales. In this role, Shopify is likewise a data processor acting on our behalf. Shopify may process analytics-related data on its servers which could be outside the UK (Shopify’s infrastructure is global, with major operations in Canada, the United States, and other regions). Shopify is committed to GDPR compliance and, through its services agreement with us, ensures any personal data is handled lawfully and securely. They will not use our store’s analytics data for their own unrelated purposes. (For more details, you can refer to Shopify’s Privacy Policy available on their website.)

Aside from the above processors, we do not share your analytics-derived information with any other third parties. Within ArmstrongCheshire, access to analytics data (even in aggregated form) is restricted to team members who need to use this information for the purposes described (for instance, our website administrators or marketing team analyzing site usage). All such personnel are trained to handle data responsibly and are bound by confidentiality.

We also want to reassure you that we do not share or sell any kind of analytics data to advertisers or other companies. The data is only used to improve our own website and services. In cases where we might use a consultant or an agency to help with website improvements, they may be given access to our analytics reports under our supervision, but they would also be bound by confidentiality and data protection obligations to not reuse or disclose that information.

Contact Us and Further Information

If you have any questions about this Analytics Policy or how we handle your data in relation to analytics, please do not hesitate to contact us. You can reach our data protection team at contact@armstrongcheshire.co.uk (example email) or via the contact form on our website. We will be happy to assist with any inquiries or requests.

For additional details on how we process personal data more generally (beyond analytics) and about your rights under privacy laws (such as the right to access or delete your data), please see our main Privacy Policy. That policy includes information about how to exercise your data subject rights, definitions of terms, and other relevant data protection practices we follow.

Last updated: [DATE]. We may update this Analytics Policy from time to time to reflect changes in our use of analytics or to ensure compliance with legal requirements. Any updates will be posted on this page with a new “last updated” date. We encourage you to review this policy periodically for any changes. By continuing to use our website, you acknowledge the terms of the current version of this Analytics Policy.