Rough and Tough Data Protection Policy


Last updated: 30th May 2024



At Rough and Tough, we understand the paramount importance of safeguarding the privacy and personal data of our valued customers and website users. This Data Protection Policy delineates our unwavering commitment to protecting personal data and ensuring stringent compliance with all applicable data protection laws, including those in the European Union (EU), United Kingdom (UK), and United States of America (USA).


Who We Are

Rough and Tough operates under Rough and Tough Ltd, registered in England and Wales (Company Registration No: 09250514) with its registered office at 11 Dewsbury Road, Romford, RM3 8DN


Data Protection Officer

Our designated Data Protection Officer oversees adherence to this policy and ensures the responsible handling of personal data within our organization. 


You can contact our Data Protection Officer at:



Personal Data We Process

We process personal data provided by our valued customers and website visitors during their interactions with our services. This may include identity data (such as names and contact details), transactional data (including orders and payment information), and communications data (such as inquiries and feedback).


As a data processor, we also handle personal data on behalf of our customers, encompassing orders, accounts, and other ecommerce data necessary for the provision of our services.


Protecting Personal Data

At Rough and Tough, we employ robust technical and organizational controls to safeguard the personal data entrusted to us. These measures include, but are not limited to:


– Encryption of data at rest and in transit

– Access controls and authentication mechanisms

– Comprehensive employee data security training

– Data minimization strategies, ensuring we collect only the minimum necessary personal data

– Strict adherence to PCI DSS standards for the protection of payment data

– Regular assessments and updates to our security protocols, aligning with industry best practices


Data Retention and Recycling

We do not retain any personal identifiable information for more than 30 days after the stated purposes of order fulfillment, tax audit compliance, and account communication have been fulfilled. After this 30-day period, all personal identifiable data is securely recycled and permanently removed from our systems.


Use of Personal Data

We use the personal data collected solely for the purposes of processing orders, fulfilling purchases, complying with tax audit requirements, and communicating with customers about their accounts. We do not use personal data for any other purposes.


Disclosure to Third Parties

We do not sell, rent, or share personal data with any third parties outside of Rough and Tough. Any limited disclosure necessary for core operational requirements is subject to strict contractual obligations to adhere to our instructions and all applicable data protection laws.


Data Subject Rights

As a data subject, you have specific rights over your personal data, including the right to access, rectify, erase, restrict processing, data portability, and object to processing. To exercise these rights or for any inquiries, please contact our Data Protection Officer using the provided email address.  


Legal Basis for Data Processing

We process personal data based on one or more of the following legal bases:


– Consent obtained from the data subject

– Contractual necessity for the provision of our services

– Legitimate business interests pursued by Rough and Tough

– Special category data is processed only with explicit consent


Complaints and Questions  

If you have any questions, concerns, or complaints regarding our Data Protection Policy or the handling of your personal data, please contact our Data Protection Officer. As a data subject, you also have the right to lodge complaints with your local supervisory authority.


International Data Transfers

In instances where personal data is transferred outside the UK/EEA, we employ Standard Contractual Clauses and other valid mechanisms to ensure an adequate level of data protection and safeguard your privacy rights.


Record Keeping

We maintain internal records of our data processing activities to demonstrate regulatory compliance, including the purposes of processing, data sharing practices, and retention policies.


Data Protection by Design  

Rough and Tough adopts a Data Protection by Design approach, assessing data privacy risks early in the development process and integrating appropriate privacy features into our products and services.


Data Protection Impact Assessments

For high-risk data processing activities, we conduct comprehensive Data Protection Impact Assessments to identify and mitigate potential privacy risks, evaluating the necessity, proportionality, and measures to mitigate identified risks.  


Breach Notification

In the event of a qualifying data breach, we adhere to data breach notification laws, promptly notifying the relevant supervisory authorities and affected data subjects within mandated timeframes.


Cookie Usage

Our website employs strictly necessary and functional cookies. Before placing any non-essential cookies, we will obtain your consent. Please refer to our Cookie Policy for detailed information on our cookie practices.  


Direct Marketing

Where permitted by law, we may contact individuals with updates about our products and services. All marketing communications will include clear instructions on how to opt-out or unsubscribe from future marketing messages.


Protecting Special Categories of Personal Data

When processing special categories of personal data, such as health information or biometric data, we implement enhanced security measures to ensure compliance with legal obligations and provide an appropriate level of protection.


Data Minimization

We adhere to the principle of data minimization, collecting only the minimum necessary personal data required for the delivery of our services, ensuring that data collection is adequate, relevant, and limited to the stated purposes.


Supplier Oversight

Third-party suppliers undergo rigorous information security assessments to evaluate their compliance with legal requirements and our data protection policies before engaging in any data processing activities.


Status of UK Data Post-Brexit

For UK data subjects, we continue to uphold the standards set forth by the UK GDPR post-Brexit, aligning with the Data Protection, Privacy, and Electronic Communications Regulations.  


Direct Marketing Consent Withdrawal

Data subjects can withdraw their consent for direct marketing communications at any time without affecting their ability to make purchases or access core services. Withdrawal can be facilitated via unsubscribe links provided in marketing communications or through direct contact with our Data Protection Officer.


More Information

For further clarification or inquiries regarding our Data Protection Policy or data handling practices, please contact us at


At Rough and Tough, we are steadfast in our commitment to protecting your privacy and safeguarding your personal data. We appreciate the trust you place in us and assure you that we will handle your information with the utmost care and responsibility.

My Cart
Recently Viewed
Compare Products (0 Products)
Compare Product
Compare Product
Compare Product
Compare Product