Legal

Data Protection & Privacy Policy

Date of Effect: 27/01/2026

Data Protection & Privacy Policy

Date of Effect: 27/01/2026

Introduction

Welcome to the Whisky Asset website. We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how Whisky Asset (UK) Limited (referred to as "we" or "us") collects, uses, and protects your information when you use our website or services.

This Policy was written in line with the Data Protection Act 2018/Regulation (EU) 2016/679 and the Data (Use and Access) Act 2025.

We want this policy to be clear and easy to understand for everyone. If anything is unclear, please contact us using the details at the end of this policy. By using our website, you agree to this Privacy Policy.

Who We Are

Whisky Asset is a UK-based business offering information and services related to whisky cask ownership for stewardship and bottling (we do not offer financial investment services). Whisky Asset (UK) Limited shall be seen as the Data Controller for all data collected for Whisky Asset (UK) Limited purposes.

Contact Details: If you have questions about this policy or wish to exercise your rights, you can contact us by email at info@whiskyasset.com. For any Freedom of Information Enquires a member of our HR & Compliance Team will be in touch as our designated Data Protection Officers appointed in line with Section 69 of the Data Protection Act 2018.

Information We Collect

We collect information in two ways: (1) information you provide directly, and (2) information collected automatically through cookies and similar technologies.

1. Information You Provide Directly

  • Contact Form Data: When you fill out a form on our site (for example, to request information or to be contacted), we ask for your full name, email address, and phone number. This information is necessary for us to follow up on your request. If you choose not to provide this data, we may not be able to contact you or provide the information you requested.
  • Communications: If you contact us via email, phone, or other means, we may collect the information you provide during those communications (such as the content of your email or any additional contact details). We will use this information to address your inquiry and keep records of our correspondence.

We do not collect any special categories of personal data (such as health information). Our services are intended only for those who are of Legal Drinking Age in their respective countries.

2. Information Collected Automatically (Cookies and Tracking)

When you visit our website, certain data is collected automatically through cookies and tracking technologies:

  • Cookies: Cookies are small text files placed on your device to help the site function or to track usage (e.g. see how many people visit). We use both essential cookies (necessary for the website to work) and non-essential cookies (for analytics and advertising). For example, cookies remember your preferences and help us understand how you use our site.
  • Usage Data: We collect technical information such as your Internet Protocol (IP) address, browser type, device information, and browsing actions on our site (e.g. pages visited, time spent on pages, and links clicked). This information is collected via analytics and advertising tools and helps us improve our website and marketing. Note that data like IP addresses and browsing habits are considered personal data under privacy laws.
  • Meta Pixel: Our site uses the Meta Pixel (formerly Facebook Pixel), which is a piece of code from Meta (Facebook/Instagram). The Meta Pixel sets cookies and tracks your interactions with our site (such as pages visited or links clicked). This helps us understand the effectiveness of our ads on Meta platforms and helps us show relevant ads on Facebook/Instagram if you have shown interest in our services. The Meta Pixel may collect information such as your IP address and browsing behaviour on our site. This information is sent to Meta Platforms, Inc. and may be combined with your profile on Facebook/Instagram if you have one. We use Meta Pixel only for better ad targeting and ad performance measurement.
  • Google Analytics: We use Google Analytics (provided by Google) to collect information about how visitors use our website. Google Analytics uses its own cookies to gather data on things like which pages you view, how long you stay, how you arrived at our site, and what you click on. This helps us analyse web traffic and improve our site design and content. The information collected by Google Analytics is transferred to Google and aggregated for us in reports. We do not receive personal details like your name from Google Analytics, and we do not allow Google to use this data for its own purposes. We have configured Google Analytics to anonymize IP addresses where possible.
  • Google Advertising Cookies: We use Google advertising services (such as Google Ads/DoubleClick cookies) to help deliver our ads to people who may be interested in our services. For example, if you visit our site, Google's advertising cookies may note that so you might see a Whisky Asset advertisement on other websites or in Google search results. These cookies and similar technologies help us with remarketing and ad campaign performance tracking.
  • Cookie Consent: On your first visit to our site, you will be presented with a cookie notice or banner. Except for essential cookies, we will not set analytics or advertising cookies unless you give your consent. You are free to accept or reject non-essential cookies. If you reject, our site will still work, but our ability to analyse usage and tailor ads will be limited. You can also adjust your browser settings to delete or block cookies at any time.

For more information, see the "Your Rights and Choices" section below, where we explain how you can opt out of certain data collection (like analytics and advertising). We also maintain a Cookies Notice (if applicable) with more details on each cookie we use and its purpose.

How We Use Your Information

We will only use your personal information for the specific purposes outlined in this policy. We process all personal data in accordance with data protection and usage legislation. The main purposes for which we process your data are:

  • To Respond to Inquiries and Provide Services: If you submit your name, email, and phone number through our forms, we will use that information to contact you and provide information requested about whisky cask ownership or related services.
  • Marketing and Follow-up: With your permission, we may use your contact information to send you updates, newsletters, or marketing communications about our products and offers. You can opt out at any time. We do not sell your personal data to third parties for their own marketing.
  • Advertising: We use data collected through cookies (Meta Pixel and Google Ads cookies) to serve targeted advertisements on platforms like Facebook/Instagram and Google's ad network.
  • Analytics and Improvement: We process usage data (from Google Analytics and similar tools) to understand website performance and improve content and user experience.
  • Compliance and Security: Your personal data will be used where necessary to comply with legal obligations. Information you provide is held in a secure location and not processed outside our business unless disclosure is required by law.

Your personal data will only be used for the purposes stated within this Privacy Policy. For purposes not stated in this policy we will contact you for consent of data usage.

Third-Party Services and Data Sharing

We value your privacy. We do not sell or rent your personal information to third parties. However, we do share some data with third parties to run our website and services. These third parties only process your data on our instructions and for the purposes described in this policy.

  • Meta (Facebook/Instagram): As noted above, we use the Meta Pixel which sends certain information about your visit (like pages viewed or actions taken) to Meta Platforms, Inc. This allows us to create targeted ads on Facebook and Instagram. Meta may combine this information with data they already have about you (for example, your Facebook profile). Data collected via Meta Pixel may be transferred to servers in the United States and other countries where Meta operates.
  • Google (Analytics and Ads): We use Google LLC services for analytics and advertising. Google Analytics collects usage data and processes it on Google's servers to give us traffic insights. Google Ads cookies help with showing you advertisements. Google may process data in worldwide data centres (including outside the UK/EEA) and uses safeguards for cross-border transfers. Google acts as a data processor for analytics data and may be a joint controller for some advertising activities, where applicable and with your consent.
  • Microsoft Outlook (Email Service): When you submit a form, a notification email is sent to us and handled by Microsoft Outlook (Microsoft 365). This means your contact details and message are stored on Microsoft's email servers. Microsoft may process this data as needed to provide email services (such as storage and spam scanning), with applicable international transfer safeguards.
  • Zapier (Data Automation): We use Zapier, Inc. to transfer form data (name, email, phone) into our CRM (HubSpot). Zapier acts as a data processor on our behalf. Zapier is hosted on secure Amazon Web Services servers in the United States, and we maintain a Data Processing Agreement with Zapier.
  • HubSpot (Customer Relationship Management): We use HubSpot, Inc. as our CRM to store and manage contact data and communications. Data for European customers may be hosted in EU data centres (such as Germany), while some processing may occur in the United States or other jurisdictions. We have a Data Processing Agreement in place with HubSpot.

Aside from these services, we will not share your personal data with other third parties unless: (a) you ask or consent; (b) it is necessary to fulfil a contract; (c) required by law or regulatory authority; or (d) needed to protect rights, privacy, safety, or property.

Under GDPR we must have a valid legal basis to process your confidential personal data. We rely on the following legal grounds, depending on the situation:

  • Consent: In many cases, we process your data only if you have given consent. For example, we rely on consent to set non-essential cookies (such as Google Analytics or Meta Pixel) and for certain marketing communications.
  • Legitimate Interests: We process data where it is in our legitimate business interests and does not override your rights and interests (for example, responding to inquiries, improving our services, and promoting services to relevant audiences). When we rely on legitimate interests, we assess and balance any impact on your rights.
  • Contract: If you become a customer or take steps to become one, we may process personal data to perform a contract or pre-contractual steps at your request.
  • Legal Obligation: We may process data to comply with legal obligations, including lawful disclosure requirements.

You can withdraw consent at any time and we will cease consent-based processing from that point onward. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.

If you have questions about the specific legal basis for any processing, please contact us for more information. Typically, consent and legitimate interests are the primary bases for our website's data activities.

Data Retention - How Long We Keep Your Data

We retain personal data only for as long as necessary for the purposes collected, including legal, accounting, or reporting requirements.

  • If you fill out a contact form or request information, we retain your data for six months to deal with your request and follow up.
  • If you become a customer, we retain your information while you are active and for three years after that as required by law.
  • If you consent to marketing communications, we retain contact details until you unsubscribe or ask us to delete your information.
  • Cookie and analytics data are generally retained for shorter periods (for example, Google Analytics data may be retained for about 14 months depending on configuration). Advertising cookies have their own retention periods (for example, the Meta `_fbp` cookie may last around 90 days unless renewed).
  • Emails and correspondence may be archived for a period in our email system. We regularly review and delete or anonymize data no longer needed.

When we no longer have a legitimate need or legal obligation to keep personal data, we delete or anonymize it. Where immediate deletion is not possible (for example, in backups), data remains isolated and protected until deletion is possible.

Data Security

We take security of your personal data seriously and have implemented appropriate technical and organizational measures to prevent unauthorized access, loss, misuse, or alteration.

  • Encryption: Where possible, we use encryption to protect data in transit and at rest.
  • Access Controls: Personal data is accessible only to authorized team members with a business need.
  • Secure Providers: We use reputable providers (Meta, Google, Microsoft, Zapier, HubSpot, etc.) with strong security practices.
  • Monitoring and Testing: We keep systems updated and monitor for potential threats and data breaches.
  • Employee Training: Employees handling personal data are trained and monitored on secure data handling by our Data Protection Officers.

While no website or internet transmission is completely secure, we continuously review and improve our controls to keep your data safe.

International Data Transfers

We are based in the UK, but some third-party services we use operate in other countries. As a result, your personal data may be transferred and stored outside the UK and EEA (including the United States).

UK GDPR requires that when personal data is transferred internationally, we ensure an adequate level of protection for that data.

When transferring data internationally, we apply safeguards required by UK GDPR, including:

  • Adequacy and Frameworks: Where available, we rely on adequacy decisions and frameworks such as the UK-US Data Bridge (the UK extension to the EU-US Data Privacy Framework).
  • Standard Contractual Clauses: We use approved clauses and/or UK transfer agreements with providers where needed, including European Commission Standard Contractual Clauses and the UK International Data Transfer Agreement/Addendum.
  • Additional Safeguards: We apply measures such as encryption and vendor security review where relevant, including pseudonymization and routine supplier due diligence.

Regardless of where your data is processed, we uphold your rights described in this policy.

By using our site and providing information, you acknowledge that personal data may be transferred to and processed in countries outside the UK. We will always take steps to ensure the same level of protection required under UK law.

Your Rights and Choices

Under UK data protection law and UK GDPR, you have the following rights regarding your personal data:

  • Right to Be Informed: You have the right to know how we collect and use your data.
  • Right of Access: You can request access to personal data we hold about you (Subject Access Request under Section 45 of the Data Protection Act 2018), subject to identity verification and authority checks where appropriate.
  • Right to Rectification: You can request correction of inaccurate or incomplete personal data (Section 46).
  • Right to Erasure: You can request deletion of your personal data in applicable circumstances (Section 47), including where data is no longer needed for the purpose collected, consent is withdrawn, or data was processed unlawfully.
  • Right to Restrict Processing: You can request restricted processing of your data in applicable circumstances (Section 47). We will confirm in writing whether your request is granted or refused and explain the reason.
  • Right to Data Portability: For data processed by automated means under consent/contract, you can request a structured, machine-readable copy.
  • Right to Object: You can object to processing based on legitimate interests. You have an absolute right to object to direct marketing at any time, and we will honor that immediately.
  • Right to Withdraw Consent: Where processing is based on consent, you can withdraw at any time.
  • Rights Related to Automated Decision-Making: We do not make decisions that produce legal or similarly significant effects solely by automated means (Section 49).

You may lodge a complaint with the Information Commissioner's Office (ICO) under Sections 51-54 of the Data Protection Act 2018 if you believe your data protection rights have been breached. Contact ICO on 0303 123 1113 or https://ico.org.uk.

Exercising Your Rights: To exercise any of your rights, contact us at info@whiskyasset.com. Prior to fulfilling requests, we require proof of identity verification to ensure disclosures are made to the correct individual. Requests are answered within one month, unless an extension is lawfully required. We encourage you to contact us first so we can address concerns directly, but you are entitled to contact the ICO at any time.

Changes to This Privacy Policy

We reserve the right to make changes to this policy at any time to remain aligned with industry regulations, best practices, or legislative changes. Any changes will be communicated no later than 30 days before they take effect.

Contact Us

Any questions or concerns about this policy or about how your personal data is controlled can be sent to:

Whisky Asset (UK) Limited
1 West Regent Street
Glasgow, G2 1RW
info@whiskyasset.com

We will gladly assist with any inquiries regarding your privacy. Thank you for reading our Privacy Policy. Your trust is important to us, and we are committed to safeguarding your personal data while providing quality information and services about whisky cask ownership.