Legal

Privacy Policy

How Westgarth Wines — a trading name of Winecap Limited — collects, uses and protects your personal data.

1. Important Information and Who We Are

1a. Purpose of This Privacy Notice

Westgarth Wines is a trading name of Winecap Limited. We respect your privacy and are committed to protecting your personal data. This privacy notice explains how we collect and process your personal data in all circumstances where we interact with you — including when you browse or purchase from our website at www.uk.westgarthwines.com, place an order by telephone or email, visit our premises, sign up to our newsletter, take part in a promotion, or otherwise engage with us as a customer or prospective customer.

This website is not intended for use by children under the age of 18 and we do not knowingly collect personal data from anyone under that age. If you believe we have inadvertently collected data from a child, please contact us immediately using the details in section 1b.

Please read this privacy notice carefully alongside any other fair processing notices we provide on specific occasions when we are collecting or processing your personal data. This notice is intended to supplement those notices, not to override them.

1b. Data Controller

The data controller responsible for your personal data is Winecap Limited, a company incorporated and registered in England and Wales under company number 08480079, whose registered office is at Salisbury House, London, EC2M 5SQ, trading as Westgarth Wines.

We are registered with the Information Commissioner's Office (ICO). Our data protection contact can be reached at wine@westgarthwines.com.

You have the right to make a complaint at any time to the ICO, the UK supervisory authority for data protection matters (www.ico.org.uk). We would, however, welcome the opportunity to address your concerns before you contact the ICO, so please contact us in the first instance.

1c. Changes to This Privacy Notice

This privacy notice was last updated in June 2026. We may update it from time to time to reflect changes in our practices, technologies or legal obligations. When we make material changes, we will update the version date at the top of this notice and, where appropriate, notify you by email or a prominent notice on our website.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

1d. Third-Party Links

Our website may contain links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control those third-party websites and are not responsible for their privacy practices. When you leave our website, we encourage you to read the privacy notice of every website you visit.

2. The Data We Collect About You

Personal data means any information about an individual from which that person can be identified. It does not include data from which the identity has been permanently removed (anonymous data).

We collect, use, store and transfer different categories of personal data about you. We have grouped these as follows:

"Identity Data" first name, last name, title, username or similar identifier, date of birth and gender.

"Contact Data" billing and delivery address, email address and telephone numbers.

"Financial Data" payment card details processed securely through our payment provider. We do not store full card numbers.

"Transaction Data" details of Goods purchased from us, order history, payments made, and any delivery or returns history.

"Age Verification Data" information provided or recorded for the purpose of verifying that you are aged 18 or over, including any proof of age document details (held only as long as necessary for compliance purposes).

"Technical Data" internet protocol (IP) address, login data, browser type and version, time zone and location, browser plug-in types and versions, operating system and platform, and other technology identifiers from the devices you use to access our website.

"Profile Data" your purchases, order history, interests, preferences, feedback and survey responses.

"Usage Data" information about how you use our website and services, including page views, session duration and click behaviour.

"Marketing and Communications Data" your preferences regarding receiving marketing from us and your communication preferences.

We also collect, use and share Aggregated Data (such as statistical or demographic data) for any purpose. Aggregated Data is derived from personal data but does not itself identify any individual. If we combine Aggregated Data with personal data such that it could directly or indirectly identify you, we treat the combined data as personal data and handle it in accordance with this notice.

We do not intentionally collect any Special Categories of Personal Data (including data about race or ethnicity, religious or philosophical beliefs, sexual orientation, political opinions, trade union membership, health data, genetic data or biometric data) or data about criminal convictions or offences.

2a. If You Fail to Provide Personal Data

Where we need to collect certain personal data by law or under the terms of a contract with you, and you do not provide it when requested, we may not be able to fulfil your order or perform the contract. In such cases we will notify you at the time.

3. How Is Your Personal Data Collected?

We collect personal data through the following means:

Direct interactions

You provide Identity, Contact, Financial and other data directly when you:

  • place an order through our website, by telephone or email, or in person;

  • create or update a customer account on our website;

  • sign up to our newsletter or marketing communications;

  • enter a competition, promotion or survey;

  • contact us with a query or complaint; or

  • request information about our products or services.

Automated technologies and interactions

As you interact with our website, we automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this data using cookies, server logs and similar technologies. You can review the cookie categories we use and change your choices at any time through the cookie preferences menu, available from the button in the bottom-left corner of every page.

Third parties and publicly available sources

We may receive personal data about you from the following sources:

  • analytics and advertising technology providers (Technical and Usage Data);

  • payment service providers (Financial and Transaction Data);

  • delivery and logistics partners (Contact and Transaction Data);

  • fraud prevention and identity verification services (Identity and Contact Data); and

  • publicly available sources where relevant for trade customer due diligence (Identity and Contact Data).

4. How We Use Your Personal Data

We will only use your personal data when the law allows us to do so. The legal bases we rely on under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 are:

  • Performance of a contract — where processing is necessary to fulfil an order or other contract with you, or to take steps at your request before entering into a contract.

  • Legal obligation — where processing is necessary to comply with a legal or regulatory obligation to which we are subject, including obligations under the Licensing Act 2003, HMRC requirements and the Consumer Rights Act 2015.

  • Legitimate interests — where processing is necessary for our legitimate business interests (or those of a third party) and those interests are not overridden by your rights and interests.

  • Consent — where you have given clear consent for us to process your personal data for a specific purpose (principally email and SMS marketing). You may withdraw consent at any time.

4a. Purposes for Which We Use Your Personal Data

The table below sets out the purposes for which we process your personal data, the categories of data involved, and the lawful basis we rely on.

Purpose / ActivityType of DataLawful Basis
To register you as a new customerIdentity ContactPerformance of a contract with you
To process and deliver your order, including: managing payments and charges arranging delivery or collection collecting debts owed to us complying with licensing and alcohol sale obligationsIdentity Contact Financial Transaction Marketing and CommunicationsPerformance of a contract with you Legal obligation (Licensing Act 2003; HMRC requirements) Legitimate interests (debt recovery)
To manage our relationship with you, including: notifying you of changes to our terms or this notice asking you to leave a review or complete a survey resolving complaints or queriesIdentity Contact Profile Marketing and CommunicationsPerformance of a contract with you Legal obligation Legitimate interests (keeping records accurate; understanding our customers)
To verify age at the point of sale or deliveryIdentity ContactLegal obligation (Licensing Act 2003) Legitimate interests (preventing illegal sales)
To administer and protect our business and this website, including: troubleshooting, data analysis, testing and system maintenance fraud prevention and network securityIdentity Contact TechnicalLegitimate interests (running our business; IT administration; fraud prevention) Legal obligation
To make suggestions and recommendations about products that may interest youIdentity Contact Technical Usage ProfileLegitimate interests (developing our products and growing our business)
To enable you to participate in a prize draw, competition or surveyIdentity Contact Profile Usage Marketing and CommunicationsPerformance of a contract with you Legitimate interests (studying how customers use our products)

4b. Marketing and Measurement

The table below sets out the purposes for which we process your personal data for marketing and measurement activities.

Purpose / ActivityType of DataLawful Basis and Third Parties
Website analytics — to improve our website, products and services, and inform our marketing strategyTechnical UsageLegitimate interests (keeping our website updated and relevant; developing our business). Third parties: Google Analytics 4.
Email marketing — to send you information about our wines, offers, events and editorial content where you have given consentIdentity Contact Marketing and CommunicationsConsent. You may opt in via our website sign-up forms. You may withdraw consent at any time by clicking the unsubscribe link in any email or by contacting us. Records of consent are maintained in our CRM.
Retargeting and display advertising — to show relevant advertising to users who have previously visited our websiteTechnical Usage ProfileLegitimate interests (serving relevant advertising to users interested in our products). No Identity or Contact data is used. Users can opt out by managing cookie preferences.
Session analysis — to analyse how users interact with our website in order to identify issues and improve user experienceTechnical Usage ProfileLegitimate interests (keeping our website updated and free from issues). No Contact or Identity data is recorded. Users can opt out by managing cookie preferences.
Social media interactions — to measure how users share and engage with our content on social networksTechnical Usage ProfileLegitimate interests (enabling users to share our content). Data is collected by social platforms when users use share, like and follow buttons. Users can manage this via their account settings on the relevant platforms.

4c. Promotional Offers from Us

We may use your Identity, Contact, Technical, Usage and Profile Data to form a view of what products and offers may be of interest to you. We will send you marketing communications only where we have your consent (for email and SMS) or where we are permitted to do so under the UK GDPR's legitimate interests basis (for example, postal marketing and certain business-to-business communications).

You will receive marketing from us if you have opted in, purchased from us and not opted out, or where another lawful basis applies. We will always make it easy to opt out.

4d. Third-Party Marketing

We will only share your personal data with third parties for their own marketing purposes if we have obtained your express prior consent. We do not sell personal data.

4e. Opting Out of Marketing

You can ask us to stop sending marketing communications at any time by:

  • clicking the unsubscribe link in any marketing email;

  • replying STOP to any marketing text message; or

  • contacting us at wine@westgarthwines.com.

Opting out of marketing will not affect the processing of your personal data for the purposes of fulfilling existing orders or contractual obligations.

4f. Cookies

We use cookies and similar technologies on our website. You can manage your cookie preferences through the cookie banner on our website, through the cookie preferences menu (available from the button in the bottom-left corner of every page), or through your browser settings.

4g. Change of Purpose

We will only use your personal data for the purposes for which it was collected, unless we reasonably consider that we need to use it for another reason that is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and explain the legal basis for doing so. We may process your personal data without your knowledge or consent where this is required or permitted by law.

5. Disclosures of Your Personal Data

We may share your personal data with the following categories of recipients for the purposes set out in section 4:

  • Service providers and processors who provide services to us, including payment processors, delivery and logistics partners, email marketing platforms, website hosting providers, analytics providers, fraud prevention services and IT support providers.

  • Professional advisers, including solicitors, accountants, auditors and insurers, where necessary for our business operations.

  • HM Revenue & Customs, the Home Office, the police, licensing authorities and other regulatory or law enforcement authorities where disclosure is required by law or in connection with our obligations under the Licensing Act 2003.

  • Third parties in connection with any proposed or actual sale, merger, restructuring or acquisition of our business, subject to appropriate confidentiality obligations.

We require all third parties to respect the security of your personal data and to process it only in accordance with our instructions and applicable law. We do not permit our processors to use your personal data for their own independent purposes.

6. International Transfers

Some of our third-party service providers are based or operate infrastructure outside the United Kingdom. Where we transfer personal data to countries not covered by the UK's adequacy regulations, we ensure that appropriate safeguards are in place in accordance with UK GDPR Chapter V, which may include:

  • transfers to countries designated by the UK Secretary of State as providing an adequate level of data protection;

  • use of the International Data Transfer Agreement (IDTA) or the Addendum to the EU Standard Contractual Clauses approved by the UK ICO, which give personal data equivalent protections to those applying in the UK; or

  • other appropriate safeguards permitted under Article 46 UK GDPR.

The Privacy Shield framework between the EU/UK and the United States is no longer a valid transfer mechanism and we do not rely on it. Where we use US-based service providers, transfers are subject to an IDTA or equivalent safeguard.

Please contact us if you wish to obtain details of the specific safeguards used in connection with any particular international transfer.

7. Data Security

We have implemented appropriate technical and organisational measures to protect your personal data against accidental loss, unauthorised access, alteration or disclosure. These measures include:

  • access controls limiting personal data access to employees, agents and contractors who have a genuine business need to process it, and who are subject to a duty of confidentiality;

  • secure transmission of payment data using industry-standard encryption (TLS/SSL);

  • PCI DSS compliant card processing through our payment provider — we do not store full card numbers on our own systems;

  • regular review of our information security policies and practices; and

  • staff training on data protection and information security.

We have procedures in place to identify and respond to suspected personal data breaches. Where we are legally required to do so, we will notify you and the ICO of a breach without undue delay.

Whilst we take reasonable precautions, no online transmission of data is entirely secure. Any transmission of personal data to our website is at your own risk; once we receive it we apply the security measures described above.

8. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting or reporting obligations.

In determining the appropriate retention period, we take into account the volume, nature and sensitivity of the data; the potential risk of harm from unauthorised use or disclosure; the purposes for which it is processed; whether those purposes can be achieved by other means; and applicable legal requirements.

Key retention periods are as follows:

  • Customer transaction records (including Identity, Contact, Financial and Transaction Data): retained for a minimum of six years following the end of the customer relationship, in accordance with HMRC requirements and the Limitation Act 1980.

  • Age verification records: retained only for so long as necessary to demonstrate compliance with our obligations under the Licensing Act 2003, after which they are securely deleted.

  • Marketing consent records: retained for the duration of the marketing relationship and for a reasonable period thereafter to demonstrate compliance.

  • Website usage and analytics data: retained in accordance with the retention settings of the relevant analytics platform (typically 14 months for Google Analytics 4).

  • Enquiry and correspondence records: retained for up to three years from last contact, unless a contract results in which case the six-year period applies.

In some circumstances we may anonymise personal data (so it can no longer be associated with you) for research or statistical purposes, in which case we may retain and use that anonymised data without further notice.

You may request deletion of your personal data in certain circumstances — please see section 9 and the Glossary for details of your rights.

9. Your Legal Rights

Under the UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data. Full descriptions of each right are set out in the Glossary (section 10):

  • Right of access — to receive a copy of the personal data we hold about you (a 'subject access request').

  • Right to rectification — to have inaccurate or incomplete data corrected.

  • Right to erasure — to have personal data deleted in certain circumstances.

  • Right to object — to object to processing based on legitimate interests or for direct marketing purposes.

  • Right to restriction — to ask us to suspend processing in certain circumstances.

  • Right to data portability — to receive your data in a structured, machine-readable format in certain circumstances.

  • Right to withdraw consent — to withdraw consent at any time where we rely on it (without affecting the lawfulness of prior processing).

To exercise any of these rights, please contact us at wine@westgarthwines.com or by writing to Westgarth Wines, Salisbury House, London, EC2M 5SQ.

9a. No Fee Usually Required

You will not normally be charged a fee to exercise your rights. However, we may charge a reasonable fee, or decline to act, if a request is manifestly unfounded, repetitive or excessive.

9b. What We May Need from You

To protect your personal data, we may need to verify your identity before processing a rights request. We may ask you to provide identifying information and/or documentation. We may also contact you for further information to help us respond more efficiently.

9c. Time Limit to Respond

We will respond to all legitimate rights requests within one calendar month of receipt. Where a request is particularly complex or we have received a number of requests simultaneously, we may extend this period by up to a further two months, in which case we will notify you within the initial one-month period and explain the reason for the extension.

10. Glossary

10a. Lawful Bases for Processing

"Consent" you have given a clear, specific, informed and unambiguous indication that you agree to the processing of your personal data for a particular purpose. You may withdraw consent at any time by contacting us or using the unsubscribe mechanism in any marketing communication. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

"Performance of Contract" processing is necessary for the performance of a contract to which you are a party, or to take steps at your request before entering into a contract.

"Legal Obligation" processing is necessary for compliance with a legal or regulatory obligation to which we are subject, including obligations under the Licensing Act 2003, the Consumer Rights Act 2015, and HMRC requirements.

"Legitimate Interests" processing is necessary for our legitimate business interests (or those of a third party), provided those interests are not overridden by your fundamental rights and interests. We carry out a legitimate interest assessment before relying on this basis. Further information is available on request.

10b. External Third Parties

External third parties with whom we may share your personal data include:

  • Service providers and data processors — companies that provide services to support our operations (including payment processors, delivery companies, email marketing platforms, analytics providers, IT support providers and website hosting services) based within or outside the United Kingdom.

  • Professional advisers — solicitors, accountants, auditors and insurers who provide professional services to us and who are subject to legal or professional obligations of confidentiality.

  • Regulatory and public authorities — HM Revenue & Customs, the ICO, licensing authorities, the Home Office, the police and other authorities who may require disclosure of personal data in certain circumstances.

10c. Your Legal Rights — Detailed Descriptions

Right of access

You have the right to request a copy of the personal data we hold about you (commonly known as a 'subject access request') and to verify that we are processing it lawfully. We will provide a copy of the data in a commonly used format, free of charge, within one month.

Right to rectification

You have the right to require us to correct any inaccurate personal data we hold about you and to complete any incomplete data, having regard to the purposes of the processing.

Right to erasure

You have the right to ask us to delete or remove personal data where: (a) it is no longer necessary for the purpose for which it was collected; (b) you withdraw consent and there is no other lawful basis for processing; (c) you successfully object to processing; (d) the data has been processed unlawfully; or (e) erasure is required to comply with a legal obligation. Note that we may not always be able to comply with a request for erasure where we have a legal obligation to retain the data, and we will notify you of this if applicable.

Right to object

Where we are processing your personal data on the basis of legitimate interests, you have the right to object to that processing if you believe your fundamental rights and freedoms override our legitimate interests. You also have an absolute right to object to processing of your personal data for direct marketing purposes, and we will stop such processing immediately upon receiving your objection.

Right to restriction of processing

You have the right to ask us to suspend processing of your personal data in the following circumstances: (a) you want us to verify the accuracy of the data; (b) the processing is unlawful but you wish us to retain rather than erase it; (c) we no longer need the data but you require it to establish, exercise or defend legal claims; or (d) you have objected to processing and we are verifying whether our legitimate grounds override yours.

Right to data portability

Where processing is carried out by automated means on the basis of consent or performance of a contract, you have the right to receive the personal data you provided to us in a structured, commonly used and machine-readable format, and to transmit that data to another controller.

Right to withdraw consent

Where we rely on consent as the lawful basis for any processing, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal. Where withdrawal of consent means we cannot provide a particular service, we will notify you.