GDPR - How We Use Your Information
The UK GDPR (General Data Protection Regulation) is a law that governs how we collect, store and use your personal information. This page explains what data we hold, why we hold it, who we share it with, and how you can ask us to delete it.
This policy applies to personal data collected through this website and in the course of doing business with LFA Machines Oxford Ltd. All sales to EU and UK customers are handled by LFA Machines Oxford Ltd, a company registered in England and Wales.
Who We Are
LFA Machines Oxford Ltd
C/O Pm+M, New Century House, Greenbank Technology Park, Challenge Way, Blackburn, Lancashire, BB1 5QB, United Kingdom
Email: [email protected]
LFA Machines Oxford Ltd is the data controller for personal data collected through this website and in connection with our products and services. This means we are responsible for deciding how and why your personal data is used.
What Data We Collect and Why
We only collect personal data that is necessary for the purposes described below. The table below sets out what data we use, why, and the lawful basis under UK GDPR that allows us to process it.
| Purpose | Data Used | Lawful Basis |
|---|---|---|
| Processing and fulfilling your orders | Name, delivery address, email address, phone number | Contract performance |
| Sending order confirmations, updates and product recalls | Name, email address | Contract performance / Legal obligation |
| Sending promotional emails and product updates | Name, email address | Consent - you can opt out at any time |
| Managing contracts, agreements and sales due diligence | Name, company name, contact details | Contract performance |
| Responding to customer enquiries | Name, email address, phone number, message content | Legitimate interests |
| Improving and securing our website | Anonymised usage and analytics data | Legitimate interests |
| Maintaining financial, accounting and legal records | Order data, invoicing information | Legal obligation |
| Business telephone communications | Phone numbers | Legitimate interests / Contract performance |
Who Has Access to Your Data
We use a number of trusted third-party services to help us operate our business. Your data is only shared with these parties to the extent necessary for the purpose stated. We do not sell your personal data.
Google LLC
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
We use Google's suite of business tools for the following purposes:
- Business email communications
- Understanding how visitors use our website (anonymised analytics data only)
- Scheduling meetings and calls with you
HubSpot, Inc.
25 First Street, 2nd Floor, Cambridge, MA 02141, USA
We use HubSpot as our customer relationship management system to manage customer enquiries, communications and account history.
Microsoft Corporation
One Microsoft Way, Redmond, WA 98052, USA
We use Microsoft's cloud-based business software for our internal operations, including order processing, invoicing and inventory management. Data is hosted on Microsoft's cloud infrastructure, which operates under recognised international data transfer mechanisms.
DocuSign, Inc.
221 Main Street, Suite 1550, San Francisco, CA 94105, USA
Email: [email protected]
We use DocuSign for electronic signatures on contracts, agreements and sales due diligence documentation.
Datto, Inc.
101 Merritt 7, Norwalk, CT 06851, USA
We use Datto to create secure, encrypted backups of our business data, used solely for disaster recovery purposes.
RingCentral, Inc.
20 Davis Drive, Belmont, CA 94002, USA
We use RingCentral for business telephony. Only phone numbers are associated with this service; no call content or recordings are retained.
Website Hosting
Our website is hosted on secure, third-party cloud infrastructure. Data submitted through our website is protected in transit and at rest. The hosting provider does not have meaningful access to your personal data.
Shipping Agents
When you place an order, we share your name and delivery address with our shipping carriers in order to fulfil your delivery. We primarily use DHL, FedEx and Royal Mail. If we use an alternative carrier, we will let you know when sending your tracking information.
Email Security
We use a third-party email security service for inbound phishing protection. This service operates as a gateway filter only and does not store your personal data on its servers.
Archived Systems
We previously used additional third-party services which are now archived. No new personal data is being added to these systems. Any remaining data will be removed in line with our legal retention obligations.
International Data Transfers
Some of the third-party processors listed above are based outside the United Kingdom. Where your personal data is transferred internationally, we ensure that appropriate safeguards are in place in accordance with UK GDPR. This includes the use of Standard Contractual Clauses (SCCs) or the processor operating under an adequacy decision or equivalent recognised mechanism.
All processors we work with have committed to GDPR-equivalent data protection standards and operate under recognised international transfer frameworks.
How Long We Keep Your Data
We do not keep your personal data for longer than is necessary. The table below outlines our standard retention periods.
| Data Type | Retention Period | Reason |
|---|---|---|
| Order and invoicing records | 7 years | HMRC / legal requirement |
| Contracts and signed agreements | 7 years from end of contract | Legal obligation |
| Customer and CRM records | 3 years from last interaction, or until deletion is requested | Legitimate interests |
| Marketing consent and email preferences | Until consent is withdrawn | Consent |
| Telephone records | 12 months | Legitimate interests |
| Website analytics | 26 months (anonymised data) | Legitimate interests |
Your Rights
Under UK GDPR, you have the following rights regarding your personal data. There is no charge for exercising these rights, and we will respond within 30 days.
- Right of access - you can request a copy of the personal data we hold about you (a Subject Access Request)
- Right to rectification - you can ask us to correct any inaccurate or incomplete data
- Right to erasure - you can ask us to delete your data (see below for how to do this)
- Right to restrict processing - you can ask us to limit how we use your data in certain circumstances
- Right to data portability - you can request your data in a commonly used, machine-readable format
- Right to object - you can object to us processing your data for marketing purposes or where we rely on legitimate interests
- Right to withdraw consent - where we process your data based on your consent, you can withdraw that consent at any time without affecting the lawfulness of prior processing
To exercise any of these rights, please contact us at [email protected].
How to Get Your Data Deleted
To request deletion of your personal data, email us at [email protected] with the following:
- Subject line: GDPR - Please Delete My Information
- Your full name
- All email addresses associated with your account or any previous correspondence
We will confirm deletion within 30 days. Please note that some data may need to be retained where we have a legal obligation to do so - for example, financial and invoicing records required by HMRC. We will let you know if this applies.
Cookies
We use cookies on this website. For full details of the cookies we use and how to manage your preferences, please see our Cookie Policy.
Complaints
If you have a concern about how we handle your personal data, please contact us first at [email protected] and we will do our best to resolve it promptly.
You also have the right to lodge a complaint directly with the UK's data protection authority:
Information Commissioner's Office (ICO)
Website: ico.org.uk
Telephone: 0303 123 1113
Changes to This Policy
We may update this policy from time to time to reflect changes in our systems or legal requirements. The latest version will always be available on this page.
This policy was last updated in March 2026.