Privacy Policy

1. About this Privacy Notice

This Privacy Notice explains how TheHansFordReview collects, uses, shares, and protects your personal data when you visit or interact with https://thehansfordreview.co.uk. It is intended to meet the requirements of the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).

“Personal data” means information that identifies or can be used to identify you.

2. Who We Are and How to Contact Us

The data controller responsible for your personal data is TheHansFordReview. If you have questions about this notice or how we handle your data, please contact us at: privacy@thehansfordreview.co.uk

Data Protection Officer: We have not appointed a Data Protection Officer because we are not legally required to do so. For all privacy matters, please use the contact details above.

3. What Data We Collect

3.1 Data you provide to us

• Contact details (for example, your name and email address) when you send us an enquiry or request content by email or form.
• Account or profile information if we offer and you create an account.
• Newsletter sign-up details (your email address and preferences).
• Content you submit (for example, comments, reviews, or feedback).

3.2 Data collected automatically

• Technical data such as IP address, device identifiers, browser type, operating system, pages viewed, referring/exit pages, and timestamps, collected via server logs and similar technologies.
• Cookies and similar technologies, which may include strictly necessary cookies and, with your consent, analytics and advertising cookies. See Section 6 for details.

3.3 Data from third parties

• Limited information from service providers who help us operate the site (for example, analytics in aggregate form, email delivery status, or security/anti-abuse signals).

We do not intentionally collect special category data (such as health or ethnicity). Please do not submit such information to us. If you do, we will handle it only as necessary and proportionate, and we may delete it.

4. Purposes and Legal Bases for Processing

We process your personal data for the purposes below and under one or more legal bases defined by UK GDPR:

• To operate and provide our website and services (including hosting, delivering pages, load balancing, and ensuring availability).
  
  Legal basis: our legitimate interests in running an online publication and providing content; and, where we provide an account or service you request, performance of a contract.
• To communicate with you (responding to enquiries, sending service messages, managing your requests).
  
  Legal basis: performance of a contract where applicable, or our legitimate interests in responding to messages and operating our services.
• Newsletters and marketing (if you sign up, or where the “soft opt‑in” under PECR applies for similar content).
  
  Legal basis: your consent, or our legitimate interests under the PECR soft opt-in for existing readers where permitted. You can opt out at any time.
• Analytics and audience measurement to understand readership and improve our content and site.
  
  Legal basis: your consent for analytics cookies and similar technologies; and/or our legitimate interests where we use privacy-preserving, cookieless, or aggregated analytics that do not require consent under PECR.
• Security, fraud prevention, and misuse detection (monitoring for suspicious activity, enforcing our terms, protecting our systems and users).
  
  Legal basis: our legitimate interests in securing our services and users; and legal obligations where applicable.
• Compliance and legal claims (record-keeping, responding to lawful requests, establishing and defending legal claims).
  
  Legal basis: legal obligations and our legitimate interests in managing legal risk.
• Consent management records (documenting cookie and marketing preferences).
  
  Legal basis: our legitimate interests in demonstrating compliance, and legal obligations where applicable.

Where we rely on consent, you can withdraw it at any time (see Section 10). Where we rely on legitimate interests, we have balanced our interests against your rights and freedoms.

5. When We Need Your Data

You are not required to provide personal data to browse our site. If you choose not to provide certain information (for example, an email address for a newsletter), we may be unable to deliver that specific feature.

6. Cookies and Similar Technologies

We use cookies and similar technologies to run our site and, with your permission, to understand usage and improve content. Under PECR, we only set non-essential cookies with your consent.

6.1 Types of cookies we may use

• Strictly necessary (essential for security, page navigation, load balancing, or to remember your privacy choices). These do not require consent.
• Functionality (remembering preferences such as region or accessibility settings). Consent may be required depending on implementation.
• Analytics (measuring readership, page performance, and engagement). Set only with consent unless implemented in a compliant, cookieless, aggregated manner.
• Advertising/affiliate (measuring ad performance or affiliate attribution, if present). Set only with consent.

6.2 Managing your choices

• You can accept or reject non-essential cookies via the cookie banner and adjust your choices at any time via the cookie settings available on the site.
• You can also control cookies through your browser settings, including blocking and deleting cookies. If you block essential cookies, some features may not work.

Typical retention periods: session cookies expire when you close your browser; persistent cookies may last from 1 month to 24 months unless you delete them sooner. Your cookie preferences may be stored for up to 6 years to demonstrate compliance.

7. Sharing Your Data

We do not sell your personal data. We share data only as needed for the purposes in this notice, with appropriate safeguards:

• Hosting, infrastructure, and security providers (for example, web hosting, content delivery networks, DDoS protection, monitoring).
• Analytics providers (receiving aggregated or pseudonymised data when consented or permitted).
• Communication and email service providers (to send service messages and newsletters).
• Payment or subscription processors if we offer paid services and you choose to use them.
• Advertising or affiliate partners if we display ads or affiliate links, and only with your consent where required.
• Professional advisers (lawyers, accountants) under confidentiality obligations.
• Law enforcement and regulators where required by law or to protect rights, users, or our services.
• Business transfers in the event of a reorganisation, merger, or acquisition, subject to this notice and applicable law.

8. International Data Transfers

We are based in the United Kingdom. Some service providers or their support teams may be located outside the UK and the EEA. Where we transfer personal data internationally, we do so in accordance with data protection law, using one or more of the following safeguards:

• Adequacy regulations/decisions (transfers to countries deemed to provide an adequate level of protection).
• UK International Data Transfer Agreement (IDTA) and/or EU Standard Contractual Clauses with the UK Addendum, plus supplementary measures where appropriate.
• Participation in an approved framework where applicable (for example, the UK–US Data Bridge for eligible transfers).

You can request more information about our transfer safeguards by emailing privacy@thehansfordreview.co.uk

9. Data Retention

We keep personal data only for as long as necessary for the purposes described in this notice, including to comply with legal, accounting, or reporting requirements. Typical retention periods are:

• Server and security logs: up to 12 months, unless a longer period is required to investigate incidents.
• Contact enquiries and correspondence: up to 24 months after resolution.
• Newsletter subscriptions: until you unsubscribe, then suppression records retained for up to 24 months to honour your opt-out.
• Account and service data (if applicable): for the life of the account plus up to 6 years for record-keeping.
• Cookie consent records: up to 6 years.
• Analytics data: typically 14 to 26 months, depending on configuration.
• Backup archives: typically 30 to 90 days on a rolling basis.

We may retain data longer if necessary to establish, exercise, or defend legal claims.

10. Your Rights

Subject to conditions and exceptions under UK GDPR, you have the following rights:

• Access: to receive a copy of your personal data and information about how we process it.
• Rectification: to correct inaccurate or incomplete data.
• Erasure: to request deletion of your data when there is no lawful reason to keep it.
• Restriction: to ask us to limit processing in certain circumstances.
• Portability: to receive data you provided in a structured, commonly used, machine-readable format and to transmit it to another controller where technically feasible.
• Object: to object to processing based on our legitimate interests, and to object at any time to direct marketing (including profiling for marketing).
• Withdraw consent: where we rely on consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.

To exercise your rights, contact privacy@thehansfordreview.co.uk We may need to verify your identity before responding. We aim to respond within one month of receiving a complete request. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO). You can contact the ICO by calling 0303 123 1113.

11. Direct Marketing

We will send you newsletters or similar communications only with your consent or, where permitted, under the PECR “soft opt‑in” for existing readers regarding similar content. You can opt out at any time using the unsubscribe option in our messages or by contacting privacy@thehansfordreview.co.uk We do not share your details with third parties for their own direct marketing.

12. Children’s Privacy

Our website is intended for a general audience and is not directed to children. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us so we can delete it.

13. Security

We implement appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS), access controls, least‑privilege permissions, multi‑factor authentication where appropriate, regular patching and monitoring, secure development practices, staff awareness, vendor due diligence, and incident response procedures. No online service can be completely secure, but we work to protect your information and review our measures regularly.

14. Automated Decision-Making

We do not engage in automated decision-making, including profiling, that produces legal or similarly significant effects on you.

15. Third-Party Links and Embedded Content

Our articles may contain links to other websites or embedded content (for example, media from social platforms). Those third parties may collect data about you in accordance with their own privacy policies and cookie practices. We are not responsible for third-party sites or services.

16. International Visitors

We primarily target users in the United Kingdom. We have not appointed an EU/EEA representative because we do not systematically target individuals in the EU/EEA. If that changes, we will update this notice.

17. Changes to This Privacy Notice

We may update this notice from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. We will post the updated version on this page and update the “Last updated” date below. If changes are material, we will take additional steps to inform you where appropriate.

18. How to Contact Us

If you have questions, concerns, or requests about this notice or your personal data, contact: privacy@thehansfordreview.co.uk

Last updated: 6 December 2025