01256 636 509 Enjoy our 25 year Anniversary Spring Promo! - Office Hours 9.00-5.30pm M-F [email protected]

GDPR Privacy Policy


We store your data in secure systems and use it only for sales order processing purposes.

  • We do not share any of your data with anyone.
  • We do not do any marketing mailshots.
  • We store no card details.
  • We store your order data in our ecommerce site and Xero accounts system on hosted secure servers.

What personal data we collect and why

Who we are

Our website address is: https://henleyfan.com.  It is owned and operated by The Henley Fan Company Ltd, a private company registered in England and Wales registration no 07401225.

Sales Data

The only data we collect is that necessary to process customer orders along with the accompanying pre and post sales communications.  In our website database and accounting system we store the customer name, address, email and order product details.  No payment card details are retained by us as these are processed separately by the payment processor and both they and us have annual PCIDSS audits designed to protect the payment process.  Any card numbers taken when making a phone order payments are entered into the merchant gateway’s secure site directly and immediately encrypted.  We retain the transaction information (but not the card data) in order to satisfy HMRC requirements and other government record keeping requirements.  We further use this for reference in the event of a warranty issue/claim or support issue.  We use your email to send a request to review our performance on the TrustPilot independent site and will alert you or any important product safety issues in the future.  The customer data is stored on a secure hosted web server and also in our accounting system hosted by Xero.


To avoid the risk of malicious software being planted on our site no comments or content of any kind is permitted to be placed on any of our blog or web pages.


No media or any other form of file upload is permitted on our site as a security precaution.

Contact forms

We have no contact forms – if you wish to get in touch please send an email.


If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.  If you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.  These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracing your interaction with the embedded content if you have an account and are logged in to that website.


We use Google analytics to monitor webpage usage and provide aggregate metadata about how many visitors view each page.  Google captures and collects data from your visit to our site and your cookies and we are the Controller of that data in allowing it to be passed to them.  Google will automatically delete all data when it reaches the retention period that we have set at one month.  Apart from this no data at customer level granularity is retained.

How long we retain your data

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

What rights you have over your data

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

Where we send your data

Your name, address and order data is passed from our website to the Xero online accounting system that we use for creating invoices, VAT and other accounting, using OAuth2a protocol encrypted communications.

Your contact information

If you have any queries about our privacy policy please email us on the email at the top of this page.

Additional information

How we protect your data

Our website is hosted on servers by one of the UK’s best hosting services Havenswift.  They have an excellent reputation for service and security.  We have very strong security on our server with multiple security measures including a strong firewall, additional server password protection, hidden login screen, no uploads or comments and DDOS attack prevention measures that will be triggered by any suspicious activity. We also have various live anti-hacking and anti-spam software modules.

To avoid the risk of malicious software being planted on our site no comments or content of any kind is permitted to be placed on any of our blog or web pages.  Multiple attempts to load any data or click on any page too quickly will trigger our firewall blocking which is set to a high and sensitive level.   Multiple customer login attempts with wrong passwords will also result in blocking.  Any admin login attempt requires multiple passwords and hardware authentication keys.  No admin access has been granted to any third parties and we are alerted any time someone logs in as an administrator. In addition we do full daily scans for malware and viruses.  Regular alerts are provided to us of the health and state of the website as well as security logs that provide us with full details of any attempted attacks or issues.

Our email communications are handled by a corporate gmail system with 2FA password protection.  Our telephone system is Vonage and this only stores numbers as a log of calls made with no name or other details.

What data breach procedures we have in place

We have full offsite server backups of our sites.  We also have a list of registered customers in a separate system so that we can notify them in the event of a security breach.  All passwords will be reset.

What third parties we receive data from

We do not receive data from any third parties.

What automated decision making and/or profiling we do with user data


Industry regulatory disclosure requirements

We comply with all regulatory requirements on disclosure.