Privacy Policy
Last updated: March 2026
Contents
1. About Us
This website (our “Site”) is operated by Lochlea Distilling Co. Ltd (“we”, “our”, “us”). We are a company registered in Scotland with company number SC533717, whose registered office is at Lochlea Distillery, Craigie, Kilmarnock, KA1 5NN.
We collect, use and are responsible for certain personal data about you. When we do so we are subject to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are the “controller” of that personal data for the purposes of those laws.
2. About This Policy
This privacy policy (our “Privacy Policy”) sets out:
- The personal data we collect about you or that you give to us (“personal data”)
- Why we collect it and how we use it
- When we may share or disclose it
- How long we keep it
- How to contact us and relevant supervisory authorities
3. Contact Us
If you have any questions about this Privacy Policy or how we handle your personal data, please contact us:
- By email: info@lochleadistillery.com
- By post: Lochlea Distilling Co. Ltd, Lochlea Distillery, Craigie, By Kilmarnock, KA1 5NN
We will endeavour to respond promptly. Our email and telephone facilities are monitored during the hours of 9:00am to 5:00pm, Monday to Friday (excluding public and bank holidays in Scotland).
4. Scope
This Privacy Policy applies to your use of www.lochleadistillery.com and all associated webpages. It also applies to our social media accounts on:
- X (formerly Twitter)
- TikTok
5. Third-Party Sites
Our Site may link to websites owned and operated by third parties. These third-party websites may collect information about you under their own privacy policies. We are not responsible for the privacy practices of those sites. Please consult their privacy policies for further information.
6. How We Collect Personal Data
We collect personal data about you when you:
- Access or browse our Site
- Register for an account or sign up for marketing communications
- Purchase goods through our Site
- Contact us by email, telephone, post, or through social media
- Send us feedback or complete customer surveys
- Participate in competitions or promotions
- Visit our social media profiles
We collect personal data both directly (when you provide it to us) and indirectly (when you browse our Site, through cookies and similar technologies, or via third-party service providers such as social media platforms).
For more information about how we use cookies, please see our Cookie Policy.
7. Personal Data We Collect
Depending on how you interact with us, we may collect the following personal data:
- Your name, postal address, email address, and telephone number
- Your date of birth (for age verification purposes)
- Your location and/or the device from which you access our Site
- Your social media profile information (where you interact with us via social media)
- Payment and bank account details (processed securely by our payment provider — see section 16)
- Business and employee details, where you represent a business customer
- Feedback you provide by phone, email, post, or via social media
- Account details such as username and login credentials
- Information about how you use our Site, including pages visited, interactions, and browsing behaviour
8. How We Use Your Personal Data
We use your personal data to:
- Create and manage your account
- Verify your identity and age
- Process your orders and provide goods and services to you
- Process payments securely (via our payment provider Stripe)
- Arrange delivery of Products to you
- Customise our Site and its content to your preferences
- Notify you of changes to our Site or services that may affect you
- Send you marketing communications (where you have opted in)
- Respond to enquiries, feedback and complaints
- Improve our products and services, including through customer surveys
- Prevent fraud and protect the rights, property or safety of others
- Comply with legal and regulatory obligations
This Site is not intended for use by children (under 18) and we do not knowingly collect personal data from children.
9. Legal Basis for Processing
Under the UK GDPR, we are required to have a lawful basis for processing your personal data. The bases we rely on include:
- Consent — where you have given clear consent for us to process your personal data for a specific purpose (e.g. marketing communications). You may withdraw consent at any time.
- Contract — where processing is necessary to fulfil a contract with you, or because you have asked us to take steps before entering into a contract (e.g. processing your order).
- Legal obligation — where processing is necessary for us to comply with the law (e.g. tax and accounting requirements).
- Legitimate interests — where processing is necessary for our legitimate interests or a third party’s legitimate interests, provided those interests are not overridden by your rights (e.g. fraud prevention, improving our services).
10. Data Processing Details
- The table below provides further detail on the personal data we collect, the purposes for which we use it, and how long we retain it.
11. Who We Share Your Data With
If you submit someone else’s personal data to us, you must have their consent to do so.
We routinely share personal data with:
- Delivery partners — your name and address to enable delivery of goods
- Payment providers — Stripe processes your payment securely on our behalf
- Service providers — companies that assist with operating our Site, including hosting providers, email service providers, and analytics platforms
- Law enforcement or other authorities — where required by applicable law, or where we reasonably suspect a breach of our terms that may endanger rights, property or safety
12. International Transfers
Some of our service providers may be based outside the United Kingdom. Where your personal data is transferred outside the UK, we ensure that appropriate safeguards are in place as required by UK data protection law, including:
- Transfers to countries with an adequacy decision from the UK Secretary of State
- Standard contractual clauses approved by the Information Commissioner
- Binding corporate rules or other approved mechanisms
13. Third-Party Marketing
From time to time, we may wish to share your personal data with selected third parties so they can send you information about their products or services. We will only do this with your explicit consent.
If you have previously agreed to this, you can unsubscribe at any time by contacting us or by clicking the unsubscribe link in any marketing communication.
14. Cookies and Similar Technologies
A cookie is a small text file placed on your device when you visit our Site. We use cookies and similar technologies to improve your experience, analyse traffic, and assist with marketing.
For full details of the cookies we use and how to manage them, please see our Cookie Policy.
15. Your Rights
Under the UK GDPR, you have the following rights regarding your personal data:
- Right to be informed — to know how your data is being used (this policy)
- Right of access — to request a copy of the personal data we hold about you
- Right to rectification — to have inaccurate data corrected
- Right to erasure — to request deletion of your data in certain circumstances
- Right to restrict processing — to limit how we use your data
- Right to data portability — to receive your data in a structured, commonly used, machine-readable format
- Right to object — to object to processing for direct marketing (at any time), or to object to processing based on legitimate interests
- Rights in relation to automated decision-making — not to be subject to decisions made solely by automated means that produce legal or similarly significant effects
For further information on each of these rights, see the ICO’s guidance on your data rights.
To exercise any of these rights, please contact us using the details in section 3. We may ask you to verify your identity before acting on your request.
16. Keeping Your Data Secure
We have appropriate technical and organisational security measures in place to prevent personal data from being accidentally lost, used, or accessed in an unauthorised way. We limit access to your personal data to those with a genuine business need to see it, and they are subject to a duty of confidentiality.
We have procedures in place to deal with any suspected data security breach. We will notify you and the relevant regulator of a breach where we are legally required to do so.
We do not have direct access to your payment card information. All payment processing is handled by Stripe, which is PCI DSS compliant (see pcisecuritystandards.org).
For tips on staying safe online, visit Get Safe Online.
17. Data Retention
We only retain your personal data for as long as necessary to fulfil the purposes for which it was collected. As a guide:
- Purchase data — 6 years after the transaction (to meet legal, tax and accounting obligations under HMRC requirements)
- Marketing data — until you unsubscribe or withdraw consent
- Enquiry data — 2 years after last correspondence
- Website analytics — anonymised and retained indefinitely for trend analysis
When personal data is no longer required, we will securely delete or anonymise it.
18. How to Complain
We hope that we can resolve any query or concern you raise about our use of your personal data. Please contact us using the details in section 3.
You also have the right to lodge a complaint with a supervisory authority. The supervisory authority in the UK is the Information Commissioner’s Office (ICO):
- Website: ico.org.uk/make-a-complaint
- Helpline: 0303 123 1113
- Live chat: available on the ICO website
We may update this Privacy Policy from time to time. Please check this page periodically to ensure you have seen the current version. This policy was last updated in March 2026.