The policy sets out details of how Brosch Direct, a trading division of Polyco Healthline Ltd, ("we") (as data controller) will collect, process, store, protect and use your personal data, why we use it, with whom we share it and the rights to which you may be entitled. We respect your privacy and value the trust you place in us when you share your personal data with us. We take a proactive approach to user privacy and ensure the necessary steps are taken to protect the privacy of your personal data.

This policy covers our use of your personal data arising from your use of this website as well as when you register on our site to receive information from us or buy and use our products and services

The data controller of this website is Brosch Direct, a trading division of Polyco Healthline Ltd, South Fen Road, Bourne, Lincolnshire, PE10 0DN. Our company number is  02000288.

You can also contact us by emailing gdpr@broschdirect.com.

Privacy Statement 

We are committed to protecting your privacy. Authorised employees within the company use any information collected from you on a need to know basis only.   We constantly review our systems and data to ensure the best possible service to our customers. We will, at all times, endeavour to collect and process your personal information in accordance with the European General Data Protection Regulation and the Privacy and Electronic Communications (EC Directive) Regulations 2003 and other applicable data protection. 

Personal Data and its Uses

What we collect and how we use it:

When referring to “personal data”, we mean information we collect from you, from which you may be personally identified. The circumstances where we collect this information from you will include: 

  • Fulfilling a contract/order
    We may use personal data you submit to us when ordering goods or services from us for the purpose of fulfilling that order, and it may be necessary for us to share such data with third parties such as the card payment services provider or carrier of goods. Under certain circumstances, we may use an external credit reference agency to provide information on your credit scoring or credit rating. This will provide an automated decision on your eligibility for credit when it is necessary in order to process your order.
  • Answering your queries
    Where you send us personal data in the context of asking us a question or query (for example, about the company, or its products or services or their quality or availability), we shall use the data you provide in order to respond to your question. In some cases, it may be necessary to share your details with other members of the Polyco Healthline group, or with other third-party data processors.
  • Entering a promotion
    We may use personal data submitted in an entry form for a promotion for the purpose of administering the promotion in accordance with its stated rules. Such rules may require the publication of abbreviated winners’ identity details and may require winners to participate in future publicity. The promotion may be administered by third party agencies on our behalf, who may have access to the data you submit.
  • Direct marketing
    Where you give consent to receive such material, we will from time to time send you information and/or offers about our goods and/or services which we believe may be of interest to you. At any time, however, you may unsubscribe from (“opt out” of) such future contact.
  • Newsletter
    If you have given your consent for us to contact you, we may send you a newsletter to keep you informed of new products, services or changes within the company we consider will be relevant to you.


If you have given your consent for us to contact you, we may send you a newsletter to keep you informed of new products, services or changes within the company we consider will be relevant to you.

The data collected may include in the fulfilment of an order or other interactions:  

  • Your name, address, telephone number (including mobile number);
  • Your payment information (including the amount, your bank account details and method of payment);
  • Your email address;
  • Your job title;
  • Your company name;
  • Goods purchased;
  • Date of transaction;
  • Your IP address (see below).


In addition to the use of the personal data in the circumstances in which it is collected we may also use some, or all, of the information above for the following purposes:

  • Management and administration of services;
  • Onboarding as a client;
  • Developing new goods/services;
  • Personalising offers
  • Preventing fraud
  • Statistical analysis and research
  • Monitoring website use


In addition, we use IP addresses to analyse trends, administer the site, track user’s movement, and gather broad demographic information for aggregate use. Additionally, for systems administration, detecting usage patterns and troubleshooting purposes, our web servers automatically log standard access information including browser type, access times/open mail, URL requested, and referral URL. This information is not shared with third parties and is used only within this Company on a need-to-know basis. 

Any individually identifiable information related to this data will never be used in any way different to that stated above without your explicit permission.

Confidentiality and Sharing of Information

Your data is regarded as confidential and therefore will only be shared between Brosch Direct and it’s group companies on a need to know basis.  It will not be divulged to any third party other than: 

  • As specifically set out above;
  • with our third-party contractors and/or service providers in connection with the provision of the website/goods/services;    
  • if we are required to do so under any regulatory code or practice we follow or if we are asked by any public or regulatory authorities;
  • in connection with a legal claim, as required in connection with that claim;
  • if we're discussing selling or transferring part or all of our business – the information may be transferred to prospective purchasers under suitable terms of confidentiality.

We will not sell or rent your personal information to any third party. Any emails we send will only be in connection with the provision of agreed services and products or to share relevant information you have subscribed to.

We will not collect any personal data from your visits to our site unless you provide this information voluntarily. In any event, you have the right to withdraw your permission for us to hold or use the data listed above and have the right to rectify any information we hold on you. 

In all cases the servers where your personal data is stored and processed are located in the European Economic Area.

Under some circumstances we may be required to disclose or share your information without your consent, for example if we are required to by the police, the courts or for other legal reasons.

Your data will only be held by us for as long as it is legally required, in accordance with the GDPR and our Data Retention Policy.

Legal Basis for processing

The legal bases under which we process your data are:

  • Legitimate interest
    Where our processing in accordance with such legitimate interests is necessary and such interests are not overridden by the interests or fundamental rights of the data subject. In this case, we will use your information to understand how you use our services/site, understanding or responding to your feedback, researching or analyzing our goods and services to improve them or products received from other entities in the group, personalizing offers and maintaining public presence through traditional or social media.
  • Consent
    in connection with the processing of your personal data for direct marketing purposes or to provide you with information on the goods or services you have purchased from us, where you have given us permission to do so. This is also subject to the Privacy and Electronic Communications Regulations (PECR), to which we also adhere. Where consent is used as the basis of processing you have the right to withdraw your consent at any time.
  • Contract
    Where the processing of your personal data is necessary for the performance of a contract in order to supply you with the goods or services you have ordered.


To the extent that the provision of your personal information is a statutory or contractual requirement or a requirement necessary to enter into a contract if the information is not provided we cannot agree to provide the product or service to you. 

Individual Rights 

We have listed below the rights you have over your information and how you can use them below. These rights are subject to restrictions in the European General Data Protection Regulations and, subject to the exemptions, may only apply to certain types of information or processing. 
Withdrawal of consent: you can remove your consent, where you have provided it, at any time. 

Access: you may have the right to request confirmation that we are processing your information and, if we are, to request a copy.

Correction: you may have the right to request that we rectify inaccurate personal information about you.  

Restriction: you may have the right to request that we do not use the personal information you have provided (e.g. if you believe it to be inaccurate). 

Portability: you may have the right to ask us to help you move your information to other companies. 

Automated Decision Making: you may have the right object to decisions being taken by automated means. 

Erasure: you may have the right to request that we erase personal data about you. 

You also have the right to complain to the relevant supervisory authority.   If you wish to raise a complaint in the UK about the way we handle your data, you should contact the Information Commissioners Office. Details on how to contact them are available at https://ico.org.uk.

To make a request to exercise your individual rights contact: gdpr@broschdirect.com.

Changes to the Policy

We may change this policy from time to time. In this event, we will provide information on our website that it has changed (via banner or pop-up) and may also email you.


This website uses cookies. For more information, please read below.

This website uses cookies to better the users experience while visiting the website. Where applicable this website uses a cookie control system allowing the user on their first visit to the website to allow or disallow the use of cookies on their computer / device. This complies with recent legislation requirements for websites to obtain explicit consent from users before leaving behind or reading files such as cookies on a user's computer / device.

Cookies are small files saved to the user's computers hard drive that track, save and store information about the user's interactions and usage of the website. This allows the website, through its server to provide the users with a tailored experience within this website. Users are advised that if they wish to deny the use and saving of cookies from this website on to their computers hard drive they should take necessary steps within their web browsers security settings to block all cookies from this website and its external serving vendors.

This website uses tracking software to monitor its visitors to better understand how they use it. This software is provided by Google Analytics which uses cookies to track visitor usage. The software will save a cookie to your computers hard drive in order to track and monitor your engagement and usage of the website, but will not store, save or collect personal information. You can read Google's privacy policy here for further information.

Other cookies may be stored to your computers hard drive by external vendors when this website uses referral programs, sponsored links or adverts. Such cookies are used for conversion and referral tracking and typically expire after 30 days, though some may take longer. No personal information is stored, saved or collected. Please visit www.aboutcookies.org for more information.

Review Due: 1st April 2021


The need to retain data varies widely with the type of data. Some data can be immediately deleted, and some must be retained until reasonable potential for future need no longer exists.

Since this can be somewhat subjective, a retention policy is important to ensure that the company's guidelines on retention are consistently applied throughout the organisation.


The scope of this policy covers all company data stored on company-owned, company-leased, and otherwise company-provided systems and media, regardless of location.

Note that the need to retain certain information can be mandated by local, industry regulations and will comply with EU General Data Protection Regulation GDPR and the Data Protection Act 2018 and the Data Protection (Amendment) Act 2003. Where this policy differs from applicable regulations, the policy specified in the regulations will apply.

Policy Elements 

Reasons for Data Retention 

We do not wish to simply adopt a "save everything" approach. That is not practical or cost effective and would place an excessive burden on company and IT Staff to manage the constantly-growing amount of data.

Some data, however, must be retained to protect our interests, preserve evidence, and generally conform to good business practices. Some reasons for data retention include:

  • Litigation
  • Accident investigation
  • Security incident investigation
  • Regulatory requirements
  • Intellectual property preservation

Data Duplication

As data storage increases in size and decreases in cost, companies often err on the side of storing data in several places on the network. A common example of this is where a single file.

May be stored on a local user's machine, on a central file server, and again on a backup system. When identifying and classifying the company's data, it is important to also understand where that data may be stored, particularly for duplicate copies, so that this policy may be applied to all duplicates of the information. For this reason, you should only duplicate data when there is an absolute valid business reason.

Retention Requirements 

The following guidelines should be used to determine the storage period for different types of data:

  • Personal customer data: Personal data will be held for as long as the individual is a customer of the company plus 6 years.
  • Personal employee data: General employee data will be held for the duration of employment and then for 6 years after the last day of contractual employment. Employee contracts will be held for 6 years after last day of contractual employment.
  • Tax payments will be held for six years.
  • Records of leave will be held for three years.
  • Recruitment details: Interview notes of unsuccessful applicants will be held for 1 year after interview. This personal data will then be destroyed.
  • Planning data: 7 years.
  • Health and Safety: 7 years for records of major accidents and dangerous occurrences.
  • Public data: Public data will be retained for 3 years
  • Operational data: Operational data will be retained for 5 years.
  • Critical data including Tax and VAT: Critical data must be retained for 6 years
  • Confidential data: Confidential data must be retained for 7 years.
  • Customer data: Customer data will be retained for 5 years.

Retention of Encrypted Data 

If any information retained under this policy is stored in an encrypted format, considerations must be taken for secure storage of the encryption keys. Encryption keys must be retained as long as the data that the keys decrypt is retained.

Data Destruction 

Data destruction is a critical component of a data retention policy. Data destruction ensures that we will use data efficiently, thereby making data management and data retrieval more efficient and cost effective. The method of destruction will vary, according to the media, but the following methods may be employed:

  • Electronic files – full deletion (note – the Recycle Bin is not classed as deletion. You should also empty the Recycle Bin)
  • Paper – secure shredding or burning
  • USB storage – secure physical destruction
  • Hard drive storage – secure physical destruction

Then the retention timeframe expires, the responsible person must actively destroy the data covered by this policy. If a user feels that certain data should not be destroyed, he or she should identify the data to his or her line manager so that an exception to the policy can be considered. Since this decision has long-term legal implications, exceptions will be approved only by a member or members of the company's senior management team.

We explicitly direct that you must not destroy data in violation of this policy. Destroying data that a user may feel is harmful to himself or herself is particularly forbidden or destroying data in an attempt to cover up a violation of law or company policy.

Disciplinary Consequences 

All principles described in this policy must be strictly followed. A breach of data retention guidelines will invoke disciplinary and possibly legal action.

Our quality policy can be found here.

Our ethical trading policy can be found here.

Copyright © 2020 Brosch Direct Ltd