Privacy Policy


BFRC are committed to a policy of protecting the rights and privacy of individuals. Protecting your personal information is of high priority for both the staff and management of BFRC.

Purpose of Policy

BFRC has created this policy to ensure that:

  • It complies with GDPR, PCI DSS, UK PII and other data protection legislation and follows good practice.
    Both the PCI DSS and the GDPR aim to ensure organisations keep personal data in a secure way. The PCI DSS focuses on payment card and cardholder data, while the GDPR covers regulation for EU residents’ personal data. The important difference is that GDPR is more general than PCI DSS.
  • It is open about how it processes and stores your personal information
  • It demonstrates our accountability and responsibility for data protection
  • It has implemented a GDPR compliant Subject Access Request (SAR) procedure for responding to all types of data privacy related requests.

Who are we?

BFRC is the premier UK authority for independently verified ratings of energy efficient windows and doors. BFRC is registered at Companies House as ‘British Fenestration Rating Council’ (hereafter referred to as BFRC) as a company limited by guarantee (registration number 05649431) and registered address of Newspaper House, 40 Rushworth Street, London, SE1 0RB. BFRC is a subsidiary company wholly owned by the Glass & Glazing Federation.

What’s not included?

This policy doesn’t cover other companies or organisations (which advertise our products or services and use cookies, tags and other technology) collecting and using your personal information to offer any relevant online advertisements to you.  Please read our Cookie Policy for information about how we use cookies on our websites.

You can connect to other organisations’ websites, apps, products, services and social media from our websites via links.  This privacy policy doesn’t apply to how the other organisations may use your personal information.

You’re advised to review their privacy policies before providing your personal data.

How do we collect information about you?

There are different ways in which we collect information about you. This includes when you use the BFRC website and when you contact us via email, phone or post.  In some instances, they will have a legal basis for us doing so.  

What type of information is collected from you?

BFRC collect certain personal information about you. These would include your name, business contacts, address, email address, IP address and possibly images, business information, and in certain circumstances, employee details. We might also hold your credit/debit card or bank information to process payments if you purchase a product or service from us and give us your explicit consent to hold such data about you.

How is your information used?

BFRC may use your personal data:

  • To notify you about changes to our services
  • To fulfil our legal obligation under government licence and regulation
  • To process financial payments
  • To process applications to join the BFRC
  • To process homeowner certificate applications
  • To reserve places for you at any events you have booked via our reservation channels
  • To carry out obligations arising from any contracts entered into
  • For market research, user trend studies, website user improvements and customer services
  • To provide you with obligatory information
  • To third parties who undertake services on our behalf in relation to our business operations, or where you have otherwise provided consent for us to do so (e.g. for promotional material)
  • To provide you with information, products or services which you have requested or which we believe may be of interest to you
  • To seek your views or comments on the services we provide
  • To process job applications

How long is your information retained for?

Your personal information will not be retained beyond what is required and will be held on our system for as long as it is necessary in relation to the purpose for which it was collected or for which it was further processed. The length of time for which we retain your personal information will take into account the legal and contractual requirements that influence the retention period.

Your personal information will be deleted or destroyed within a set time (currently 3 months) after it has been confirmed that it is no longer required to be retained.

Who has access to your information?

BFRC work with third party service providers who are a natural or legal person, public authority, agency or body other than the data subject (you), the controller (BFRC), a processing internal or external person or entity who, under the direct authority of the BFRC or a processor, are authorised to process your data, such as Local Authorities, External Printing and Inspection services.

Third party service providers may, from time to time, collect personal information directly from you to organise appointments or book their services, or for their own marketing and tracking purposes.

If they do collect your personal information in this way, these companies will be acting as Data Controllers in their own right, separately from BFRC. Any use of your personal information will therefore be subject to that company’s own privacy policy which should be made available to you at the time they collect your personal information.


All processing of personal data requires a lawful basis, e.g. Contractual or Legal Obligation, where Consent provides one such lawful basis.

Your consent is considered to be freely given, specific, informed and an unambiguous indication by you, through a statement or by a clear affirmative action, which signifies agreement to the processing of your personal data.  For example, depending on the circumstances, valid consent could be provided verbally, in writing, by ticking a box on one of our web pages, by choosing technical settings in an app, or by any other statement or conduct which clearly indicates in this context your acceptance of the proposed processing of your personal data.

Your consent can be withdrawn at any time; however, your right to withdraw consent is not retrospective (i.e. you cannot withdraw consent to processing that has already taken place).

Personal information we collect from Third Parties

We may collect personal information provided to us by other companies who have obtained your permission to share this information with us, or who need to share information with us in relation to goods/services you have purchased.

We also may collect personal information from third party databases or from other third parties who are involved with the purchase of goods and/or services.

How can you access your information that we hold?

You have the right to obtain confirmation that your data is being processed and to access your personal data that we hold about you, which is known as a Subject Access Request (SAR). We will typically provide this information free of charge; however, we may charge a ‘reasonable fee’, when a request is unfounded or excessive, to cover administrative cost.

Data accuracy

We take all reasonable steps to ensure that the information we hold about you is up to date and accurate. If, however, you change any of the information we hold about you, such as your address, then please contact us on email: or write to us at: Newspaper House, 40 Rushworth Street, London, SE1 0RB.

How secure is your information?

All data held is protected by multiple layers of data and system security, i.e. (but not limited to) Data encryption, firewalling, intrusion detection, malware prevention, conforming to the least privilege model (data held on our networks has access restrictions according to individuals, teams and business entity needs, which is reviewed on a regularly basis).

All data transfer to external entities, will be encrypted, transferred over a secure network and conform to 2FA (two factor Authentication).