The General Data Protection Regulation (GDPR) is a legal review of how companies use and store the personal data of customers that affects any company who’s customers reside inside the EU and ensures that companies like us are using personal data in a fair and transparent way. It comes into effect on 25th May 2018.

Like any web-based company, we need a certain amount of your personal data to be able to take payment, send or deliver products to your address and to contact you incase of any problems. This data is stored by us for 24 months, and in addition to the obvious reasons that we need this information to process your order, we also use it to analyse sales data and to create internal financial and sales reports. The only place that your details are saved by us is in our website’s database and in back-ups hosted on the same servers, we don’t keep physical or digital copies anywhere else. The only other place your details end up is on a sticky label that goes on to the front of your parcel so the postmen and women know where to deliver it!

We have not and will not ever give your personal data to any other company other than those we use for our core processes of payments, dispatches and internally analysing sales data. We also don’t currently send out marketing emails, but if we ever do, we’ll make sure we ask for your permission before doing so.

We currently use PayPal for processing payments and do not store any payment information ourselves. This takes a big responsibility out of our hands – PayPal are an enormous company who take security, data protection and privacy very seriously. Here’s a short article about what they are advising regarding the GDPR and here’s their full Privacy Policy if you really want to dig.

We use Google to manage our email communications and they again are an enormous company who take security, data protection and privacy very, very seriously. Here’s some stuff they have written about the GDPR.

We also forward your name and address to Royal Mail’s Click & Drop Service through an integration with our website – this creates a label for your postal order and charges us for the cost. Here’s Royal Mail’s article on the GDPR.

Our website is hosted behind a secure connection and firewall by a very local company called Electric Hosting who specialise in hosting sites like ours built on WordPress. They are thoroughly clever and knowledgeable chaps who we trust with our website and databases (where your information is saved) they also run an extremely capable digital creative agency called Electric Studio.

In addition to secure hosting, we also have done everything possible to ensure that our web build is as safe as possible from external attacks (hacking) by limiting a whole bunch accessibility to things that only we ever need to see. Obviously this makes complete sense, but you would be surprised by how many companies do not take this aspect seriously, or even know about strengthening and security rules.

So what do you need to know once the GDPR comes in to effect?

We will be updating our T&C’s before the 25th of May to make sure we are covering all bases in regards to the above ways that we handle and store your data. You have to confirm that you agree to these conditions every time that you place an order, so it won’t mean anything different from the current process and you can be sure that there is zero funny business from us – we have built this company on trust from our customers and that’s the way that we want to keep it.

Another thing that the GDPR enforces is your ‘right to be forgotten’ – this means that you can request, at anytime, that we delete any of your personal data that we have stored.

Marketing is the only other aspect that is affected by the GDPR and we are not currently utilising your data for any internal marketing purposes (this is to do with the TPD regulations)- but as previously mentioned, if we do, we will always gain your specific permission to do so before hand.

Oxford Vapours delegated Data Protection officer is Stephen, our Online manager. If you have any questions regarding your personal data, how we use it and the GDPR regulations, you can email him directly or call our office.

We really are processing your data in a very simple way, so the GDPR does not mean a huge amount of change for us – we just have to make sure that we continue doing so in a responsible, secure and transparent way.

Vaping is for adults only.


Please confirm that you are 18 or over.

Yes No