Data Protection Policy 

This Data Protection Policy is adopted by BrandXYZ Ltd on 19th September 2024.

Parties

  1. BRANDXYZ LTD whose registered office is at 2 Station View, Hazel Grove, Stockport, England, SK7 5ER. BRANDXYZ LTD is the data controller.

Background

  1. BRANDXYZ LTD recognises its obligations under the UK General Data Protection Regulation ((EU) 2016/679) ("UK GDPR") and the Data Protection Act 2018 (together "the Data Protection Legislation") to ensure that personal data is processed lawfully, fairly and transparently. 
  2. In the course of its operations, BRANDXYZ LTD collects and processes personal data about its customers, employees and other third parties. This policy establishes a framework for ensuring compliance with the data protection principles regarding the rights of individuals and for the secure processing of all personal data. 
  3. The Board of Directors has overall responsibility for ensuring BRANDXYZ LTD's compliance with its data protection obligations and the Data Protection Officer is responsible for overseeing the implementation of this policy and monitoring BRANDXYZ LTD's compliance.
  4. This policy applies to all personal data processed by BRANDXYZ LTD and to all employees, contractors, suppliers and other persons working on behalf of BRANDXYZ LTD. 
  1. Definitions 
    1. Data controller means the natural or legal person, public authority, agency or other body which alone or jointly with others, determines the purposes and means of the processing of personal data. 
    2. Data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller. 
    3. Data subject means an identified or identifiable living individual about whom BRANDXYZ LTD holds personal data. Data subjects may be employees or clients.
    4. Personal data means any information relating to a data subject. 
    5. Processing means any operation or set of operations which is performed on personal data, whether or not by automated means. 
    6. Special category data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
  2. Scope
    1. This policy applies to all personal data processed by the Company. "Personal data" means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 
    2. This policy protects the rights and freedoms of data subjects. A "data subject" is an identified or identifiable living individual about whom the Company processes personal data. 
    3. This policy applies regardless of the location where personal data is processed or whether processing takes place in or outside of the UK. It also applies to all personal data transfers outside of the UK.
    4. This policy applies for as long as the Company processes personal data of data subjects. The Company shall retain personal data in accordance with the data retention schedule. 
    5. The provisions of this policy shall continue in force indefinitely and shall be binding on any successor or assign of the Company.
  3. Data Protection Principles
    1. Personal data shall be processed lawfully, fairly and in a transparent manner. 
      1. BRANDXYZ LTD shall inform data subjects of the lawful basis being relied on for the processing and explain its purposes.
    2. Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. 
      1. BRANDXYZ LTD shall specify its purposes for processing personal data so that data subjects understand the purposes for which personal data is being processed.
    3. Personal data processed shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
      1. BRANDXYZ LTD shall ensure that personal data processed is sufficient for the purpose and not excessive. 
    4. Personal data shall be accurate and, where necessary, kept up to date. Inaccurate personal data shall be erased or rectified without delay.
      1. BRANDXYZ LTD shall take every reasonable step to ensure personal data is accurate, complete and kept up to date. 
    5. Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. 
      1. BRANDXYZ LTD shall only retain personal data for as long as necessary in relation to the purposes for which it was originally collected or further processed.
    6. Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
      1. BRANDXYZ LTD shall implement appropriate technical and organisational measures to ensure an appropriate level of security of personal data.
  4. Lawful Basis for Processing
    1. Lawful bases for processing
      1. BRANDXYZ LTD shall ensure that one of the following lawful bases is relied on for each processing purpose:
      2. Consent: BRANDXYZ LTD will seek consent from data subjects to process their personal data for direct marketing purposes. Consent will be freely given, specific, informed and unambiguous. BRANDXYZ LTD will keep clear records to demonstrate consent. 
      3. Contract: Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract.
      4. Legal obligation: Processing is necessary to comply with a common law or statutory obligation. 
      5. Vital interests: Processing is necessary to protect someone’s life.
      6. Public task: Processing is necessary for the performance of a task in the public interest or in the exercise of official authority.
      7. Legitimate interests: Processing is necessary for the purposes of legitimate interests of BRANDXYZ LTD or a third party, except where such interests are overridden by interests or fundamental rights and freedoms of the data subject.
  5. Consent
    1. Form of consent - Consent must be given by a clear affirmative act, such as a written statement or oral statement that unambiguously expresses the data subject's wishes by which they signify agreement to personal data relating to them being processed. Pre-ticked boxes, inactivity or conduct do not constitute consent. 
    2. Information to be provided - At the time when consent is sought, the data subject will be informed of the purposes of the processing and the identity of the data controller and any third-party controllers who will rely on the consent. The information provided shall be presented in a manner which is clearly distinguishable, intelligible and easily accessible, using clear and plain language. 
    3. Records of consent - Accurate records of all consents will be kept by the data controller to demonstrate that the data subject has consented to the processing and that they were properly informed. The records shall show the date, method and what they consented to.
    4. Withdrawal of consent - Consent can be withdrawn by the data subject at any time. The withdrawal of their consent shall be promptly acted upon. 
    5. Children's consent - Consent will not be relied upon as a lawful basis for processing personal data if the data subject is under 16 years of age unless verifiable parental consent has been obtained. Extra care will be taken to ensure any child understands what they are consenting to in a manner that is appropriate for their age and stage of development.
    6. Review of consents - All consents will be reviewed and refreshed periodically either when there is any change in the processing purpose or at a minimum every two years.
  6. The Rights of Individuals
    1. BRANDXYZ LTD will provide privacy notices to inform individuals about how their personal data is used in accordance with the UK GDPR. Privacy notices will be concise, transparent, intelligible, easily accessible and use clear and plain language. 
    2. Individuals have the right to access their personal data and supplementary information about its processing.
      1. BRANDXYZ LTD will aim to respond to requests for access without undue delay and within one month.
      2. Individuals can make a subject access request by contacting the Data Protection Officer.
    3. Individuals have the right to have inaccurate or incomplete personal data rectified.
      1. BRANDXYZ LTD will respond to requests for rectification without undue delay.
    4. Individuals have the right to have their personal data erased under certain circumstances set out in Article 17 of the UK GDPR.
      1. BRANDXYZ LTD will consider each request on a case-by-case basis.
    5. Individuals have the right to restrict the processing of their personal data in certain circumstances set out in Article 18 of the UK GDPR.
      1. BRANDXYZ LTD will comply with any restrictions placed on processing.
    6. Individuals have the right to receive their personal data in a structured, commonly used and machine-readable format as set out in Article 20 of the UK GDPR.
      1. BRANDXYZ LTD will provide personal data in a structured, commonly used and machine-readable format upon request.
    7. Individuals have the right to object to processing of their personal data in certain circumstances set out in Article 21 of the UK GDPR.
      1. BRANDXYZ LTD will consider each objection on a case-by-case basis.
    8. Individuals have specific rights regarding automated decision making and profiling set out in Article 22 of the UK GDPR.
      1. BRANDXYZ LTD will ensure appropriate safeguards are in place if such processing takes place.
  7. Privacy by Design and by Default
    1. The Company shall implement appropriate technical and organisational measures to meet the requirements of privacy by design and privacy by default under Article 25 of the UK GDPR. 
    2. Such measures shall ensure that by default only personal data which are necessary for each specific purpose of the processing are processed and that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons. 
    3. The Company shall implement the following measures:
      1. Data minimisation by only processing personal data that is necessary for the purposes for which they are processed;
      2. Pseudonymisation of personal data where possible; 
      3. Anonymisation of personal data where possible;
      4. Encryption of personal data in transit and at rest;
      5. The Company shall implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing to meet the requirements of the UK GDPR and protect the rights of data subjects.
  8. Data Breaches
    1. A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. 
    2. The Company shall keep records of personal data breaches, whether or not notified to the supervisory authority. 
    3. The Company shall notify any personal data breach to the supervisory authority within 72 hours of becoming aware of its occurrence, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. 
    4. If a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Company shall communicate the personal data breach to the data subject without undue delay. 
    5. The communication to data subjects referred to in clause 8.4 shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures proposed under clause 8.6(b) to (e). 
    6. The notification to the supervisory authority referred to in clause 8.3 shall contain: 
      1. a description of the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; 
      2. the name and contact details of the data protection officer or other contact point where more information can be obtained; 
      3. a description of the likely consequences of the personal data breach; and 
      4. a description of the measures taken or proposed to be taken by the Company to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects. 
    7. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
  9. Data Protection Impact Assessments
    1. BRANDXYZ LTD shall identify any processing operations that are likely to result in a high risk to the rights and freedoms of individuals by virtue of their nature, scope, context and purposes.
    2. Where a type of processing is likely to result in a high risk to the rights and freedoms of individuals, BRANDXYZ LTD shall carry out a Data Protection Impact Assessment ("DPIA") prior to the commencement of such processing. 
    3. A DPIA shall contain:
      1. a description of the processing operations and the purposes of the processing; 
      2. an assessment of the necessity and proportionality of the processing in relation to the purposes;
      3. an assessment of the risks to individuals; and
      4. the measures in place to address risk, including security and to demonstrate compliance.
    4. Where a DPIA indicates that the processing would result in a high risk in the absence of measures to mitigate the risk, BRANDXYZ LTD shall consult with the Information Commissioner's Office prior to the commencement of processing. 
    5. The findings of any DPIA shall be integrated into relevant internal documents including policies, procedures, training programs and audit/assurance measures.
    6. A record of any DPIA shall be made available to the Information Commissioner's Office on request.
  10. International Data Transfers
    1. The Company will only transfer personal data anywhere outside the UK, EEA or an 'adequate' third country where the European Commission has made an 'adequacy decision'. 
    2. For transfers to a country outside the EEA and without an adequacy decision, the Company will ensure there are 'appropriate safeguards' in place such as:
      1. Standard data protection clauses approved by the European Commission
      2. Binding corporate rules approved by a supervisory authority 
      3. An approved code of conduct or certification mechanism together with binding and enforceable commitments
    3. If none of the safeguards in clause 10.2 are in place, the Company may still transfer personal data where: 
      1. The data subject has explicitly consented to the proposed transfer
      2. The transfer is necessary for the performance of a contract or the implementation of pre-contractual measures
      3. The transfer is necessary for important reasons of public interest
      4. The transfer is necessary for the establishment, exercise or defence of legal claims
      5. The transfer is necessary to protect the vital interests of the data subject
    4. The Company will document all transfers of personal data made outside the EEA in order to be able to demonstrate compliance with the requirements of this Section 10.
  11. Data Retention
    1. The Company will retain personal data for no longer than is necessary in relation to the purposes for which the personal data was originally collected or further processed.
    2. The following retention periods will be applied to different categories of personal data:
      1. Customer records including names, addresses, contact details and order histories will be retained for a period of 6 years from the end of the customer relationship. 
      2. Employee records including names, addresses, contact details, performance management records and salary information will be retained for a period of 7 years after the end of employment. 
    3. The criteria used to determine retention periods include:
      1. Legal obligation(s) - e.g. retention periods required by tax or company law. 
      2. Legitimate interest(s) - e.g. retaining records to deal with any disputes with customers or former employees.
    4. At the end of the retention period, personal data will be deleted or destroyed as follows:
      1. Electronic records will be deleted from the Company's IT systems and appropriate back up media. 
      2. Physical records will be securely shredded or pulped and cannot be reconstructed.
    5. In limited circumstances, personal data may be retained for longer than the standard periods where there is an ongoing legal claim relating to the data in question.
    6. The Company will conduct periodic reviews of the data inventory and retention schedule to ensure that they remain compliant and relevant.
  12. Data Quality and Integrity
    1. The Company shall ensure that all personal data processed is accurate, kept up to date and corrected or removed without delay if found to be inaccurate. 
    2. The accuracy of personal data shall be checked when it is collected and at regular intervals afterwards. All reasonable steps must be taken to ensure that personal data that is inaccurate is erased or rectified without delay. 
    3. Data subjects have the right to update or amend personal data which is incomplete by contacting the Data Protection Officer. The Data Protection Officer shall implement appropriate and proportionate measures to allow data subjects to update or amend personal data held by the Company to maintain its accuracy.
    4. The Company shall only collect and process personal data that is necessary for the purposes for which it is collected. Personal data kept shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
    5. Personal data shall not be kept in a form which permits identification of a data subject for longer than is necessary for the purposes for which the personal data is processed.
    6. The Company shall establish standard retention periods for erasing or anonymising personal data according to the purposes for which it was collected or processed based on its data retention policy and procedures. 
    7. Personal data shall be deleted or anonymised once it is no longer necessary for the purposes for which it was collected or processed, or at the expiry of the standard retention period.
  13. Direct Marketing
    1. Consent shall be obtained before BRANDXYZ LTD undertakes any direct marketing activities. 
      1. Consent must be freely given, specific and informed. There must be a clear affirmative opt-in action such as ticking a box.
      2. Consent obtained for one purpose shall not be used for any other purpose. 
    2. Individuals have a right to object to direct marketing, including profiling relating to direct marketing, at any time. 
      1. A simple opt-out from marketing must be provided at the point of first contact and in every subsequent marketing communication. 
      2. All requests to opt-out must be complied with within a reasonable period and at the latest within 1 month of receipt. 
    3. Where an individual's contact details have been obtained in the course of a sale, or negotiations for a sale, they may be marketed similar products or services of BRANDXYZ LTD. 
      1. However, the individual must still be given a simple opt-out at the time of collection and with every subsequent message. 
    4. Records of consents and marketing preferences shall be maintained. 
    5. If using third party data for direct marketing, the requirements for consent and opt-out options must be complied with. 
    6. Marketing of similar products/services to existing customers may not require consent if the criteria of clause 13.3 are met. However, the right to object in clause 13.2 still applies.
  14. Accountability and Governance
    1. The Board of Directors retains overall accountability for ensuring compliance with data protection obligations within BRANDXYZ LTD. 
    2. Day-to-day responsibility for oversight and monitoring of data protection compliance has been delegated to the Data Protection Officer. 
    3. The Data Protection Officer will be provided with adequate resources and access to personal data and processing operations to enable them to fulfil their tasks. 
    4. Adequate resources will be provided to enable compliance with this policy and data protection obligations in general. This includes staffing, training, IT systems and other resources. 
    5. Data protection impact assessments will be carried out for any processing presenting specific risks to the rights and freedoms of individuals. 
    6. Compliance with this policy and BRANDXYZ LTD's data protection obligations in general will be monitored and risks assessed on an ongoing basis. 
    7. Data protection will be integrated into all our operations and day-to-day business activities. Compliance will be monitored and reviewed. 
    8. The contact details of the Data Protection Officer will be made available to all staff, customers and other relevant personal data subjects. 
    9. Records of processing activities will be kept, together with other documentation such as training, DPIAs, contracts, privacy notices to demonstrate compliance. 
    10. Compliance audits will be carried out periodically, including an annual review of data protection policies, procedures and practices. 
    11. The Data Protection Officer will monitor compliance and recommend improvements where necessary. Compliance will be kept under review in light of operational, technological or regulatory changes. 
    12. Security incidents or data breaches will be reported to the ICO within 72 hours and to affected individuals without undue delay. Post-breach reviews will be carried out.
  15. Transfer of Personal Data to Third Parties
    1. The Company shall only transfer personal data to third parties where it has appropriate safeguards in place to ensure the security of the data and protect the rights of individuals. 
    2. Transfers of personal data to third parties will be subject to written agreements incorporating the standard contractual clauses approved by the European Commission or other legally binding commitments to protect the personal data.
    3. The Company shall ensure that personal data transferred to third parties is securely transferred and shall implement appropriate security measures regarding the transfer. 
      1. If a third party engages another processor, the Company will ensure there are adequate protections in place, including a written agreement.
      2. The Company shall remain liable for the actions of its third-party processors and shall ensure compliance through appropriate oversight and monitoring. 
    4. Any international transfers of personal data will comply with the requirements of Articles 44-49 of the UK GDPR regarding transfer mechanisms and safeguards.
  16. Data Subject Access Requests
    1. Receiving requests
      1. A data subject access request must be submitted in writing, which can include email, and be addressed to the Data Protection Officer. 
      2. The Company will validate the identity of the requestor before providing any information.
    2. Responding to requests 
      1. The Company will respond to a valid data subject access request without undue delay, and within one month at the latest.
      2. Information will be provided free of charge, unless the request is manifestly unfounded or excessive. 
      3. Where a request is manifestly unfounded or excessive, the Company will request a "reasonable fee" based on the administrative costs of providing the information or communication or taking the action requested.
      4. The Company will provide the personal data in a commonly used electronic format or provide access to view the data on screen if electronic disclosure is not possible. 
    3. Verifying identity
      1. The Company reserves the right to request additional information from the requestor to verify their identity.
    4. Providing access 
      1. The Company will provide access to the data subject's personal data in the following manner: [details of how access will be provided e.g. via email, secure online portal, in person at Company premises].
    5. Refusing to act on request
      1. The Company can refuse to act on any request if it is manifestly unfounded or excessive, in particular because of its repetitive character.
  17. Processing of Special Category Data
    1. BRANDXYZ LTD shall only process special categories of personal data in circumstances where:
      1. It has obtained explicit consent from the data subject to process those personal data in the specified circumstances unless BRANDXYZ LTD is required to process those data by law. 
      2. It is processing those data for the purpose of carrying out the obligations and exercising specific rights of BRANDXYZ LTD or of the data subject in the field of employment law and social security and social protection law.
    2. BRANDXYZ LTD shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
      1. the pseudonymisation and encryption of personal data; 
      2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
      3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; 
      4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
    3. Data subjects may at any time object to the processing of their special category personal data, request BRANDXYZ LTD to restrict processing or request portability. 
    4. BRANDXYZ LTD shall not process special category personal data for marketing purposes.
    5. BRANDXYZ LTD shall ensure that any personal data breach involving special category data is reported to the Information Commissioner's Office without undue delay and where feasible, not later than 72 hours after having become aware of it.
  18. Records of Processing Activities
    1. The Company shall maintain a record of all categories of processing activities carried out on behalf of the Company. 
    2. The Company's record of processing activities shall contain the following information:
      1. the name and contact details of the Company; 
      2. the purposes of the processing;
      3. a description of the categories of individuals and categories of personal data;
      4. the categories of recipients to whom personal data have been or will be disclosed; 
      5. where applicable, transfers of personal data to a third country or international organisation, including the identification of that third country or international organisation;
      6. where possible, the envisaged time limits for erasure of the different categories of data; 
      7. where possible, a general description of the technical and organisational security measures.
    3. The Company shall make the record available to the Information Commissioner's Office on request.
    4. The Company shall also carry out a review of the personal data processed and update the record of processing activities accordingly on at least an annual basis. 
    5. Individuals shall have the right to access the records of processing activities in certain circumstances.
  19. Training and Audits
    1. BRANDXYZ LTD shall ensure that all employees who have access to any kind of personal data shall have completed data protection training before commencing work that involves processing personal data.
    2. Refresher training shall be provided to all employees at least every twelve (12) months or sooner if there is a significant change in relevant legislation or BRANDXYZ LTD's processes and procedures.
    3. The data protection training provided shall cover as a minimum:
      1. BRANDXYZ LTD's obligations under the Data Protection Legislation. 
      2. The rights of Data Subjects under the Data Protection Legislation.
      3. How to draft appropriate privacy notices. 
      4. Conducting subject access requests. 
      5. Rules around consent.
      6. International data transfers. 
      7. Recognising and reporting personal data breaches.
    4. The Data Protection Officer shall conduct annual audits of BRANDXYZ LTD's processing activities and shall provide a written report to the board of directors. 
    5. Such audits shall include a review of policies, procedures and their implementation, staff interviews and training records, subject access requests and consent records, privacy notices and marketing preferences, data transfers and international data sharing, and security and breach management.
  20. Privacy Notices
    1. The Company shall provide privacy notices to data subjects prior to obtaining personal data from them. 
    2. Privacy notices shall contain the following information:
      1. The identity and contact details of the Company; 
      2. The purposes of the processing for which the personal data is intended, as well as the lawful basis for the processing;
      3. Any third party recipients of the personal data; 
      4. Any international transfers of personal data; 
      5. The retention period for storing personal data; 
      6. Information about the rights of data subjects, including the right to withdraw consent, and how to exercise those rights;
      7. The right to lodge a complaint with the Information Commissioner's Office; 
      8. Whether the provision of personal data is part of a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as the possible consequences of failing to provide the personal data;
      9. The existence of automated decision making, including profiling.
    3. Where services are provided directly to a child, the Company shall ensure privacy notices are written in a clear and plain way that a child can easily understand. 
    4. Privacy notices shall be concise, transparent, intelligible and easily accessible. Clear and plain language shall be used. 
    5. The Company shall advise data subjects of any further processing or changes to the purposes of processing in privacy notices.
    6. A record of all privacy notices dispatched shall be maintained by the Company.
  21. Cookies
    1. The Company uses the following cookies:
      1. Strictly necessary cookies. These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website, use a shopping cart or make use of e-billing services.
      2. Analytical/performance cookies. They allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.
      3. Functionality cookies. These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region). 
      4. Targeting cookies. These cookies record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website and the advertising displayed on it more relevant to your interests. 
    2. You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. 
    3. We will not use your personal data for any purpose other than those set out in our Privacy Policy.
    4. Changes to our cookie policy will be posted on this page. 
  22. Changes to this Policy 
    1. Any material changes to this Policy will be communicated to employees, customers and other relevant parties.
    2. The Company reserves the right to update this Policy at any time. An up-to-date version of this Policy will be available on the Company's website. 
    3. Changes made to this Policy will take effect 7 days after publication or communication to relevant parties.
    4. A record of all changes made to this Policy will be maintained by the Data Protection Officer.
    5. Individuals will not be penalised for breaching a clause of this Policy that has not been properly notified and communicated. 

This Data Protection Policy was approved by the Board of Directors of BRANDXYZ LTD on 19th September 2024.

On behalf of BRANDXYZ LTD: Jo Taylor, Managing Director