Privacy Policy
1. Introduction
Bamford Bus Company ("we", "us", or "our") is committed to protecting and respecting your privacy. This Privacy Statement explains how we collect, use, store, and share your personal data in compliance with the UK General Data Protection Regulation (UK GDPR) as amended by the Data (Use and Access) Act 2025 (DUAA) and other applicable UK data protection laws.
This statement applies to all personal data we process as a data controller in connection with our manufacturing operations, including information about customers, suppliers, employees, contractors, website visitors, and other individuals with whom we interact.
2. Data Controller Information
Company Name: Bamford Bus Company Limited
Registered Office: North Bailey House, 12 New Inn Hall Street, Oxford OX1 2RP
Company Registration Number: 12214576
ICO Registration Number: ZB458594
Contact Email: [email protected]
Contact Phone: 02825641212
Data Protection Officer: Richard Solomon
DPO Contact Email: [email protected]
DPO Contact Phone: 02825641212
3. Categories of Personal Data We Collect
We may collect and process the following categories of personal data:
- Identity Data: name, title, date of birth, gender
- Contact Data: billing address, delivery address, email address, telephone numbers
- Financial Data: bank account details, payment card details, credit history
- Transaction Data: details about payments, orders, products and services purchased
- Technical Data: IP address, browser type, device information, operating system, time zone settings
- Usage Data: information about how you use our website, products and services
- Marketing Data: preferences for receiving marketing communications
- Employment Data: (for employees and contractors) employment history, qualifications, performance records, right to work documentation
- Health and Safety Data: information necessary for workplace health and safety compliance
- CCTV Images: recordings from security cameras at our manufacturing facilities
4. How We Collect Personal Data
We collect personal data through various methods:
- Direct interactions: when you place orders, request quotations, sign contracts, apply for employment, register on our website, subscribe to our newsletter, or communicate with us
- Automated technologies: through cookies and similar tracking technologies when you visit our website (see Section 11)
- Third parties: from business partners, suppliers, credit reference agencies, recruitment agencies, and publicly available sources
- Workplace monitoring: through CCTV systems, access control systems, and IT systems monitoring
5. Legal Basis for Processing
Under UK GDPR as amended by the DUAA, we process your personal data only where we have a lawful basis to do so[1]. We rely on the following legal grounds:
- Contract: processing is necessary to perform a contract with you or to take steps at your request before entering into a contract
- Legal obligation: processing is necessary to comply with legal requirements, such as employment law, health and safety regulations, tax obligations, or regulatory reporting
- Recognised legitimate interests: we have a legitimate business interest in processing your data that does not override your fundamental rights[2]. This includes:
  - Operating and managing our manufacturing business efficiently
  - Fraud prevention and security
  - Network and information security
  - Marketing our products and services to existing customers
  - Improving our products, services and customer experience
  - Managing supplier and customer relationships
- Consent: where you have given clear, informed consent for us to process your data for specific purposes (you may withdraw consent at any time)
- Vital interests: where processing is necessary to protect someone's life
- Public interest: where processing is necessary for the performance of a task carried out in the public interest
6. Purposes of Processing
We use your personal data for the following purposes:
Purpose | Description | Legal Basis |
Order fulfilment | Processing and delivering orders, managing payments and collections | Contract, Legal obligation |
Customer service | Responding to enquiries, providing technical support, handling complaints | Contract, Legitimate interests |
Quality control | Ensuring product quality and safety compliance | Legal obligation, Legitimate interests |
Supplier management | Managing relationships with suppliers and subcontractors | Contract, Legitimate interests |
Employment | Recruitment, payroll, performance management, health and safety | Contract, Legal obligation |
Marketing | Sending promotional materials about our products and services | Consent, Legitimate interests |
Website operation | Managing user accounts, improving website functionality | Contract, Legitimate interests |
Security | Protecting our premises, assets, employees and visitors through CCTV and access controls | Legitimate interests, Legal obligation |
Compliance | Meeting legal and regulatory obligations including tax, accounting, and industry standards | Legal obligation |
Business analytics | Analysing business performance and market trends | Legitimate interests |
Table 1: Processing purposes and legal bases
7. Sharing Your Personal Data
We may share your personal data with the following categories of recipients:
- Service providers: IT service providers, cloud storage providers, payment processors, logistics companies, professional advisors (accountants, lawyers, auditors)
- Business partners: distributors, agents, and joint venture partners where necessary to fulfil contracts
- Regulatory authorities: HMRC, Health and Safety Executive, Environment Agency, and other government bodies as required by law
- Financial institutions: banks and payment service providers for transaction processing
- Credit reference agencies: for credit checks and fraud prevention
- Emergency services: where necessary to protect vital interests
- Third parties in business transactions: in connection with mergers, acquisitions, or asset sales
We require all third parties to respect the security of your personal data and process it in accordance with UK data protection laws. We only permit third parties to process your data for specified purposes and in accordance with our instructions.
8. International Transfers
Where we transfer personal data outside the United Kingdom, we ensure appropriate safeguards are in place, including:
- Transferring to countries deemed to provide adequate protection by the UK government
- Using standard contractual clauses approved by the ICO
- Relying on binding corporate rules or certification schemes
- Obtaining your explicit consent where appropriate
We will provide further information about specific transfers and safeguards upon request.
9. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected and to comply with legal, accounting, or reporting requirements[3].
Data Category | Retention Period |
Customer order data | 7 years from end of financial year (for tax purposes) |
Marketing data | Until consent is withdrawn or 3 years of inactivity |
Employee records | 6 years after employment ends (longer for certain records such as accident records) |
CCTV footage | 30 days unless required for investigation or legal proceedings |
Supplier contracts | 7 years from contract termination |
Website analytics | 26 months |
Complaint records | 3 years from complaint resolution |
Table 2: Standard retention periods
After the retention period expires, we securely delete or anonymise personal data.
10. Your Rights
Under UK GDPR, you have the following rights regarding your personal data:
- Right of access: request copies of your personal data (subject access request)
- Right to rectification: request correction of inaccurate or incomplete data
- Right to erasure: request deletion of your data in certain circumstances
- Right to restriction: request that we limit processing in certain circumstances
- Right to data portability: receive your data in a structured, machine-readable format and transmit it to another controller
- Right to object: object to processing based on legitimate interests or for direct marketing purposes
- Rights related to automated decision-making: not be subject to decisions based solely on automated processing that produce legal or similarly significant effects, except where appropriate safeguards are in place[4]
- Right to withdraw consent: withdraw consent at any time where processing is based on consent
- Right to complain: lodge a formal complaint about our data processing practices (see Section 12)
To exercise any of these rights, please contact our Data Protection Officer using the details in Section 2. We may require proof of identity before processing your request.
We will respond to subject access requests within one month, though this may be extended by two months for complex requests. We will not charge a fee unless your request is manifestly unfounded or excessive[5].
11. Cookies and Tracking Technologies
Our website uses cookies and similar tracking technologies to enhance your browsing experience and analyse website performance.
What are cookies?
Cookies are small text files placed on your device when you visit a website. They help websites recognise your device and remember information about your visit.
Types of cookies we use:
- Strictly necessary cookies: essential for website operation and security
- Performance cookies: collect information about how visitors use our website
- Functionality cookies: remember your preferences and settings
- Marketing cookies: track your browsing habits to deliver targeted advertising
Under amendments to the Privacy and Electronic Communications Regulations (PECR) implemented through the DUAA, certain cookies may be used without prior consent where they serve legitimate purposes and do not significantly impact privacy[6]. However, we will always seek your consent for non-essential cookies.
You can control cookie settings through your browser preferences. For more information, please see our detailed Cookie Policy available at [insert link].
12. How to Make a Complaint
We take your privacy concerns seriously. If you have a complaint about how we handle your personal data, please contact us using the details in Section 2.
Under the DUAA, from 19 June 2026, we are required to:
- Acknowledge receipt of your complaint within 30 days
- Investigate your complaint without undue delay
- Provide a full response explaining our findings and any action taken[7]
Our complaints process:
- Submit your complaint in writing to our Data Protection Officer
- We will acknowledge receipt within 30 days
- We will investigate thoroughly and keep you informed of progress
- We will provide a full written response
- If you remain dissatisfied, you may escalate to senior management
Right to complain to the ICO:
You have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data protection supervisory authority:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Helpline: 0303 123 1113
Website: www.ico.org.uk
13. Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, or damage[8]. These measures include:
- Encryption of data in transit and at rest
- Access controls and authentication systems
- Regular security assessments and penetration testing
- Employee training on data protection and security
- Secure backup and disaster recovery procedures
- Physical security measures at our manufacturing facilities
- Regular review and updating of security policies
- Incident response and breach notification procedures
In the event of a data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of the breach and will inform affected individuals without undue delay where required by law.
14. Automated Decision-Making
We may use automated decision-making in certain circumstances, including:
- Credit assessments for new customers
- Fraud detection systems
- Automated quality control systems in manufacturing
Where automated decisions produce legal or similarly significant effects, we implement appropriate safeguards including:
- The right to obtain human intervention
- The right to express your point of view
- The right to contest the decision
- Regular review of decision-making algorithms for fairness and accuracy
We do not make automated decisions based on special category data (such as health information) without explicit consent or another lawful exception[9].
15. Children’s Privacy
Our services are not directed at children under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child, we will take steps to delete it promptly.
16. Changes to This Privacy Statement
We may update this Privacy Statement from time to time to reflect changes in our practices, legal requirements, or operational needs. We will notify you of any material changes by:
- Posting the updated statement on our website with a new "Last Updated" date
- Sending email notifications to registered users where appropriate
- Displaying prominent notices on our website
We encourage you to review this statement periodically to stay informed about how we protect your data.
17. Third-Party Links
Our website may contain links to third-party websites, applications, or services. We are not responsible for the privacy practices of these third parties. We recommend reviewing their privacy policies before providing any personal data.
18. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Statement or our data processing practices, please contact us:
Data Protection Officer
Richard Solomon
201 Galgorm Road, Ballymena BT42 1SA
Email: [email protected]
Phone: 028256412412
We aim to respond to all enquiries within 5 working days.
19. Governing Law
This Privacy Statement and all matters relating to your personal data are governed by the laws of England and Wales. Any disputes will be subject to the exclusive jurisdiction of the courts of England and Wales.