Privacy Policy

1. Who We Are

This Privacy Policy explains how HopStarBrewery processes personal data when you visit or interact with our website at hopstarbrewery.co.uk, make an enquiry, subscribe to updates, place an order, or otherwise engage with us online. For the purposes of UK data protection law, HopStarBrewery is the “controller” of the personal data processed through this website.

You can contact us about privacy matters using the contact form available on our website. Please include “Privacy” in your message so it is directed to the right team.

We have not appointed a Data Protection Officer because we are not required to do so under UK GDPR; however, our Privacy Lead will handle privacy enquiries. To contact the Privacy Lead, please use the website contact form as described above.

2. Scope of this Policy

This policy covers personal data collected through our website and related online services (for example, contact forms, newsletter sign‑ups, account registration, and online purchasing where offered). It does not cover personal data collected offline, at our premises or events, or via third‑party websites and services that we do not control.

3. The Data We Collect

We may collect and process the following categories of personal data:

  • Identity and contact details: name, email address, telephone number, postal address.
  • Account and profile data: username, password, preferences, purchase history.
  • Order and transaction data: items ordered, delivery details, billing details, and payment status. Payment card details are processed by our payment service provider; we do not store full card numbers.
  • Communications: enquiries, feedback, support requests, and correspondence with us.
  • Marketing preferences: your choices about receiving news, offers, and event updates.
  • Technical and usage data: IP address, device identifiers, browser type, operating system, pages viewed, links clicked, referring/exit pages, time and date of visits, and approximate location derived from IP address. This may be collected via cookies and similar technologies.
  • User-generated content: reviews, comments, or other content you submit.
  • Recruitment data (if you apply for a role): CV/resume, cover letter, eligibility to work, and interview notes.

We obtain data directly from you, automatically through your use of the website, and from service providers that support our website (for example, hosting, analytics, payments, and delivery partners).

4. Purposes and Legal Bases for Processing

We process personal data only when we have a lawful basis under the UK GDPR. Depending on the context, we rely on the following legal bases:

  • Contract: to enter into and perform a contract with you (for example, to process orders, deliver products, provide account features, or respond to pre‑contract enquiries).
  • Consent: where you have actively given consent (for example, to send you marketing emails or to place non‑essential cookies). You can withdraw consent at any time.
  • Legitimate interests: to operate, protect, and improve our website and business (for example, security, fraud prevention, analytics, service improvements, and responding to your messages), provided these interests are not overridden by your rights and freedoms.
  • Legal obligation: to comply with laws (for example, tax and accounting rules, consumer protection, or responding to lawful requests from authorities).

Typical purposes linked to these legal bases include:

  • Providing the website and its functionality, and enabling your orders or bookings (Contract; Legitimate interests).
  • Customer service and communications, including responding to enquiries (Contract; Legitimate interests).
  • Managing accounts and preferences (Contract; Legitimate interests).
  • Processing payments via our payment processor and arranging deliveries (Contract; Legal obligation).
  • Sending marketing communications when you opt in, and measuring their effectiveness (Consent; Legitimate interests for service messages).
  • Website security, troubleshooting, fraud prevention, and analytics to understand usage and improve our services (Legitimate interests; Consent for non‑essential cookies).
  • Compliance with legal obligations and enforcement of our terms (Legal obligation; Legitimate interests).
  • Recruitment and talent management (Contract; Legitimate interests; Legal obligation).

5. Cookies and Similar Technologies

We use cookies and similar technologies to make our site work, remember your preferences, enhance performance, and help us understand how the site is used. Some cookies are essential for core features (such as security, shopping cart, and session management). Others are optional and help with analytics and personalisation.

Categories of cookies we may use:

  • Strictly necessary: required for the website to function. These do not require your consent.
  • Performance/analytics: help us understand how visitors use the site so we can improve it.
  • Functional: remember choices and preferences to provide enhanced features.
  • Advertising or social media: used to measure campaigns or personalise content, where applicable.

Where required by law, we ask for your consent before placing non‑essential cookies. You can withdraw or change your consent at any time by adjusting your browser settings to block or delete cookies and, where available, by using the cookie preferences options presented on our website. Note that disabling cookies may affect site functionality.

Cookie lifespans vary. Session cookies expire when you close your browser; persistent cookies may remain for a period typically ranging from a few days up to two years unless you delete them sooner in your browser.

6. Sharing Your Personal Data

We share personal data only as necessary, with appropriate safeguards, and for the purposes described in this policy:

  • Service providers (processors) that help us operate the website and our business, such as hosting, security, IT support, email and communications platforms, analytics, payment processing, order fulfilment, and delivery couriers. These providers act on our instructions.
  • Professional advisers, insurers, banks, and auditors where necessary for our legitimate interests and compliance.
  • Authorities, regulators, and law enforcement when required by law or to protect our rights or the rights of others.
  • Business transfers: in connection with a merger, acquisition, or reorganisation, your data may be transferred to the relevant third party subject to confidentiality and data protection safeguards.

We do not sell your personal data.

7. International Data Transfers

Some service providers may be located outside the UK or may process data in other countries. Where this results in an international transfer of personal data, we ensure that an appropriate safeguard is in place, such as:

  • UK adequacy regulations confirming an adequate level of protection in the destination country; or
  • Approved transfer mechanisms, such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, together with supplementary measures where necessary.

Further information about these safeguards can be provided upon request via our website contact form.

8. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. Typical retention periods include:

  • Customer enquiries and correspondence: up to 24 months after last contact.
  • Accounts and orders: generally 6–7 years to comply with tax and accounting obligations.
  • Marketing data: until you withdraw consent or object, or after a period of inactivity (typically 24 months), whichever occurs first.
  • Website analytics data: typically 14–26 months, where applicable.
  • Technical logs and security records: typically up to 12 months unless needed longer for security or legal reasons.
  • Recruitment data: up to 6 months after the process ends; longer if you consent to talent‑pool retention.

We may retain data longer if necessary to establish, exercise, or defend legal claims.

9. Your Rights

Under UK data protection law, you have the following rights, subject to legal conditions and exemptions:

  • Access: request a copy of your personal data we hold.
  • Rectification: ask us to correct inaccurate or incomplete data.
  • Erasure: request deletion of your data in certain circumstances.
  • Restriction: ask us to limit processing in certain cases.
  • Portability: receive your data in a structured, commonly used format and have it transmitted to another controller where feasible.
  • Objection: object to processing based on our legitimate interests and to direct marketing.
  • Withdraw consent: where processing is based on consent, you can withdraw it at any time.
  • Automated decisions: the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects.

To exercise your rights, please contact us via the website contact form and provide enough information to identify you and your request. We may ask for additional information to verify your identity. We aim to respond within one month, or up to three months for complex requests. There is no fee unless your request is manifestly unfounded or excessive.

10. Data Security

We implement appropriate technical and organisational measures to protect personal data, including access controls, encryption in transit where applicable, secure configurations, vulnerability management, staff confidentiality obligations, and regular monitoring. However, no internet transmission or storage system is completely secure, and we cannot guarantee absolute security.

11. Children’s Privacy

Our website is not directed to individuals under 18, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can take appropriate action.

12. How to Contact Us

For questions about this policy or to exercise your privacy rights, please contact us via the contact form on our website and include “Privacy” in your message so it reaches our Privacy Lead.

13. Complaints to the ICO

You also have the right to lodge a complaint with the UK supervisory authority, the Information Commissioner’s Office (ICO). Contact details:

  • Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
  • Telephone: 0303 123 1113

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal requirements. We will post the updated version on this page and change the “Last updated” date below. Your continued use of the website after an update constitutes acceptance of the revised policy.

Last updated: 8 December 2025

About The Editorial Team Terms of Service Legal Notice Privacy Policy Sitemap Contact
© 2025 HopStarBrewery