The Roof Store ("we", "us", "our") provides roofing products to customers in the United Kingdom via our website and customer services channels. We are the controller of the personal data we collect and process in connection with our site and services.
Legal entity: THE ROOFSTORE ECOM LTD
Registered office: Unit 7 & 9, 14 New Street, Kilmarnock, Scotland, KA1 4JZ
Company number: SC824715
Data protection contact: info@theroofstore.co.uk
This policy explains what personal data we collect when you use our website, place an order, create an account, contact us, or subscribe to marketing; how we use and share that data; and the rights you have under UK data protection law (UK GDPR and the Data Protection Act 2018).
We only collect personal data that is necessary for the purposes described below. Depending on how you interact with us, we may collect:
- Identity and contact data — name, billing/delivery address, email address, phone number, company name (if applicable).
- Account data — login details, password (hashed), order history, saved addresses, preferences.
- Order and fulfilment data — items purchased, order notes, delivery instructions, courier tracking information, returns information.
- Payment data (via Stripe) — payment method, transaction amount, status, and limited card details (e.g. last 4 digits, expiry month/year). We do not store or have access to full card numbers or security codes. Card payments are processed by Stripe, which collects and processes payment information as an independent controller. See Stripe’s privacy notice for details.
- Communications data — emails, messages, phone call notes, support requests, and related metadata.
- Technical and usage data — IP address, device and browser type, operating system, referral source, pages viewed, time on page, interactions, and diagnostic logs. This may be collected via cookies and similar technologies (see “Cookies”).
- Marketing data — your preferences for receiving marketing and your communication preferences.

We do not intentionally collect special category data. Please do not provide such information in order notes or messages.
We use your personal data for the purposes and lawful bases set out below:
| Purpose | Examples | Lawful basis |
|---|---|---|
| Provide our website and services | Operate the site, enable browsing, maintain security, diagnose issues | Legitimate interests (to operate a secure, effective site) |
| Manage accounts and orders | Account creation, cart/checkout, order confirmation, updates, delivery and returns | Contract (to perform our contract with you) |
| Take and process payments | Card payments handled by Stripe; fraud prevention and 3‑D Secure | Contract; Legitimate interests (prevent fraud); Legal obligation (accounting) |
| Customer support | Respond to enquiries, complaints, warranty and product support | Contract; Legitimate interests |
| Marketing | Send newsletters/offers where you opt in; show on‑site promotions | Consent (email/SMS); Legitimate interests (for existing customers, soft opt‑in, where permitted) |
| Analytics and improvements | Measure site performance and improve user experience | Legitimate interests |
| Legal and compliance | Tax and accounting records, handling claims | Legal obligation; Legitimate interests |
Where we rely on consent, you can withdraw it at any time (see “Your rights”). Where we rely on legitimate interests, we balance our interests against your rights and freedoms.
We share personal data only with trusted recipients and only as needed:
- Payment processing: Stripe (card payments). Stripe may collect device and technical data to prevent fraud. Stripe acts as an independent controller for cardholder data.
- Delivery and logistics: Couriers and warehousing/fulfilment partners to deliver your order and manage returns.
- IT and hosting: Website hosting, security, backup, and maintenance providers.
- Professional services: Accountants, auditors, and legal advisers.
- Analytics/anti‑fraud/security: Tools that help us protect our services and understand usage.
- Authorities: Where required to comply with law or to protect our rights (e.g., preventing fraud).

We require our processors to protect your data and use it only under our instructions. When a recipient acts as an independent controller (e.g., Stripe), they are responsible for their own compliance.
Some recipients (including Stripe) may process data outside the UK. Where this occurs, we will ensure appropriate safeguards are in place, such as the UK International Data Transfer Agreement or UK Addendum to the EU Standard Contractual Clauses, or another permitted mechanism.
We use cookies and similar technologies to operate our site, keep you signed in, remember your preferences, and understand how our site is used. You can control cookies through your browser settings and, where applicable, via our on-site cookie controls. For detailed information, see our Cookie Policy [link or page reference].
We keep personal data only for as long as necessary for the purposes set out above, and to comply with legal, tax, and accounting requirements. Typical retention periods include:
- Orders and invoices: 6 years from the end of the financial year in which the transaction took place.
- Customer accounts: While your account is active; if inactive, we may delete or anonymise after 24 months of inactivity.
- Customer support records: Up to 3 years after resolution.
- Marketing preferences: Until you unsubscribe or your consent is withdrawn; we keep a minimal suppression record to honour your choice.
- Website logs and analytics: Typically 12–24 months, unless a longer period is needed for security or legal reasons.

Our services are not directed at children and we do not knowingly collect data relating to anyone under 16.
You have the following rights under UK data protection law:
- Access – request a copy of your personal data.
- Rectification – ask us to correct inaccurate or incomplete data.
- Erasure – ask us to delete your data in certain circumstances.
- Restriction – request we limit how we use your data in certain cases.
- Data portability – obtain and reuse your data across services where applicable.
- Object – object to processing based on legitimate interests or to direct marketing.
- Withdraw consent – where we rely on consent, you can withdraw it at any time.

To exercise these rights, contact us using the details in “About us”. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.
We implement appropriate technical and organisational measures to protect your personal data, including encryption in transit (HTTPS), access controls, and staff training. No system is completely secure; please keep your account credentials confidential and let us know if you suspect any unauthorised access.
Our site may contain links to third‑party websites. Those sites have their own privacy notices and we are not responsible for their practices.
We may update this policy from time to time. We will post the updated version on our website and change the “Last updated” date above. If the changes are significant, we may provide additional notice.
If you have questions about this policy or how we handle your data, please contact:
- Email: info@theroofstore.co.uk
- Phone: 0161 553 0979
- Post: Data Protection, THE ROOFSTORE ECOM LTD, Unit 7 & 9, 14 New Street, Kilmarnock, Scotland, KA1 4JZ

Stripe payments
We use Stripe to process payments. Stripe acts as an independent controller for cardholder data. For information on how Stripe handles your personal data and your rights, please refer to Stripe’s privacy notice (search “Stripe Privacy Policy”).
©2025 THE ROOFSTORE ECOM LTD
