Got a question? Email us [email protected]

Privacy Policy

Privacy Policy - Last Updated 01-03-19

We take all user of TGWA data privacy very seriously and this policy we will describes how we handle and manage your data.


We are The Grand Whisky Auction Ltd, and you can contact us at [email protected].

We process your data to provide services to you, or for our legitimate interests.

We only process your data for as long as we need to, and then we will delete it.

We do not sell or share your data with others unless they are providing a service to us (such as payment service providers), or unless you ask us to share your data.

Our services include a number of places where you can send data to third parties. If you want to use these, you should check you are happy with the way they use your data.

We do not market to you without your consent and, if you give us your consent, you can withdraw it at any time.

We take security seriously, and host our services on a secure third party server.

You’ve got lots of rights, including the right to complain to the Information Commissioner’s Office. If you need a hand in exercising your rights, feel free to contact us [email protected].

Who We Are

The Grand Whisky Auction Ltd ("we", "us", "our") is a limited company registered at “The Registrar of Companies for Scotland (registration number SC612333) with a registered address at The Cellar, Newmore, Invergordon, IV18 0LQ.

How we process your data

Throughout your interactions with us we will collect only the data that we require in order to provide you with the service that you are requesting.

We may, for example, collect information about the type of device you use to access our websites, the operating system and version, your IP address, your general geographic location, as indicated by your IP address, your browser type, the webpages you view on our websites, whether you interact with content available on our websites and how.

The key information that we process is shown below for your information:

IP Addresses

When you access any of our services we will store a record of your IP address along with details of your request in our logs. This information is stored and used by our system team to ensure the integrity of our services.

Authorisation, Session data and Cookies

Whenever you login to one of our services we will use at least two cookies that will identify your session to our services.

The browser_id cookie is a permanent cookie that uniquely identifies your browser to us and allows us to ensure that previous sessions from that browser are invalidated when logging in again. This is only used for the purposes of invalidating these sessions as well as allowing us to notify you when new sessions are created in new browsers.

The user_session cookie is, initially, a session-only cookie that contains a unique token that identifies your specific session. This data is not stored on our end and is only stored in a hashed form. If you choose to persist your login session, this cookie will be converted to a more permanent cookie with an expiry time at some point in the future. The actual time will depend on the service you are using.

Strictly necessary cookies. These cookies are essential for you to browse our website and use its features. Without these cookies, services like shopping baskets cannot be provided.

Performance cookies. These cookies collect information about how you use our websites. This data may be used to help optimise our website and make it easier for you to navigate.

Functional cookies. These cookies allow our websites to remember choices you make while browsing and personalise your experience. We may store your geographic location in a cookie for instance, to ensure that we show you the website relevant to your area.

Third Party cookies. Third party cookies are those placed by websites and/or parties other than TGWA. These cookies may be used on our website to improve our products or services or to help us provide more relevant advertising. These cookies are subject to the respective privacy policies for these external services, for example, Facebook Data Use Policy.

In addition to these cookies, we also store IP addresses & user agents with your session. This allows us to look for anomalies in its use to help us protect your account and our systems.


In addition to cookies, we sometimes use small graphic images known as 'pixels' (also known as web beacons, clear GIFs, or pixel tags). We use pixels in our email communications to you (if you have selected to receive such communications) to help us to understand whether our email communication has been viewed. We also use third party pixels (such as those from Google, Facebook, and other advertising networks) to help us provide advertising that is relevant to your interests. Learn more about our advertising and marketing activities below.

Other Identifiers

When you use our app, we collect a unique ad-tracking identifier from your device (the Advertising Identifier or “IDFA” on iOS devices and the Google Ad ID or “AID” on Android devices) so that we can learn more about users of our app and provide the most relevant messaging and marketing. Although these identifiers are unique to your device, they do not contain any of your personal information such as your name or email address.

Your name

When you sign up, we need to know your first & last name so that you can be identified. We will use your name to address you and it may be stored in various systems that you use (for example: our helpdesk). This is necessary to provide our service to you. Your name may be shared with other people that share access to an account you are part of.

Retention: Your name will be retained until your user account is deleted. In some cases, your name may be kept with your billing records were we have a legal obligation to store this information.

E-mail addresses

We will store your e-mail address for the purposes of managing your account with us. This will be used for transactional e-mails that relate directly to your account or services. This information is required in order to ensure you are informed about your account and can take appropriate actions in various situations.

We may also use your e-mail address to send you messages about our services which may include notifications about new auctions, special releases, website improved features, improvements to the service, upcoming maintenance as well as ways to help you make the most of our service. If you would rather not receive these messages, please let us know or click the unsubscribe link in these e-mails.

We will not send you any other marketing messages unless you subscribe to our newsletter which you can do through our website when signing up or through one of our applications. When you do this, you will be consenting with us to use your email address for this purpose. You may withdraw this consent at any time by unsubscribing from the messages or contacting us.

Retention: Your email address will be kept until such time as your account associated with it are deleted from our systems.

Outgoing e-mails

If we send you transactional e-mails, these will be passed through our internal mail server and stored for a period of time to assist with debugging delivery problems and ensuring messages are appropriately delivered to their destinations. This is necessary to provide our service to you.

The information stored includes the contents of the message sent, the e-mail addresses of the recipients and any other headers.

Retention: The contents of messages are stored for a period of 30 days from the date the message is received by our mail system. The meta data for any messages is kept for 60 days from this date.

Incoming e-mails

If you send us e-mails, these may be passed through our mail servers. If some cases, these messages will be consumed by one of our services or applications.


We never store your own passwords on our services in plain text. Passwords are hashed using an industry standard hashing algorithm. As a good security practice, we recommend the following with regards to choosing your password:

Use a unique password with our services that is not shared with any others.

Choose a long secure password containing either multiple random words, or a good combination of letters, numbers & symbols.

Exercise good password hygiene and change your password on a regular basis.

Postal address

We require your postal address in order to provide you with an invoice for your services and delivery of goods. This information is collected as a legal obligation and will be stored on our systems along with invoices for a minimum period of 7 years.

If buying, we may wish to send you items by post. To do this, you will need to provide your address to us again and consent to us using it for the purposes of sending you items by post. We may store your address on file to allow us to send you items in the future. You may opt to have this address removed from our records at any time by contacting us.

Payment cards

We do not store full payment card details on our own servers. We work with external PCI-compliant payment processors (SAGE PAY) who store these details.

We store the last 4 digits of your card and the card type on our systems so that you can identify which card will be used for future payments.

We also store the country that the card was registered in and the IP address country that the card was added from as a legal obligation to ensure that the correct VAT rate is charged for your payments.

Retention: We will instruct our payment processors to delete any stored card details when you cancel your account.


If we decide Paypal can be used at any point, we do not control the data that you provide to Paypal in order to make your payment. Paypal share minimal information with us regarding your payment. You should refer to their privacy notices for details on how they manage this information.


We use Google Analytics to help us track the details of visitors browsing our public website. We do not use Google Analytics on any URLs once you have been authenticated. We do not send any personal data to Google's services through Google Analytics and we configure our tracking codes to anonymise any IP addresses.

Support by e-mail

If you contact us by e-mail or through one of our websites, you will be sharing your contact details (e-mail address and/or phone number) with us for the purposes of responding to your query. This is necessary to provide our service to you.

Retention: We retain all support requests (including name & contact details) that we receive for the purposes of auditing and training of staff.

Support by live chat

If we decide to use the live chat function on the website or on facebook and if you do indeed chat with us on our live chat service, you will be sharing your e-mail address with us for the purposes of sending you a transcript as well as identifying yourself to our support team. This is necessary to provide our service to you.

In addition to this information, our live chat system will place a cookie in your browser which will persist until you quit your browser. This is required to ensure that your live chat can continue between separate page requests to our website.

We also use records of live chats for staff training, to make sure we can offer you the best possible service.

Retention: We retain transcripts of all live chats (including name & contact details of the website visitor) for the purposes of auditing and training of staff.

E-mails directly to/from our employees

If you communicate with our employees directly by e-mail (i.e. not using our normal support channels), we may retain your name & e-mail address in the mailboxes of the employee(s) that you communicate with. This is necessary to provide our service to you.

Retention: Employee e-mails are kept indefinitely. Any e-mails that contain sensitive data that are delivered by accident will be removed immediately.

Call logs & recordings

If you choose to phone us, we will store a log of your call which may include your telephone number if it was sent to us. We also record calls for the purposes of auditing any requests that might be made by you to us over the phone.

Retention: We retain call recordings for 60 days from the date of the call. Call log records are kept for a minimum period of 1 year.

Push notifications to mobile devices

If you use our mobile applications that send push notifications to your phone, we will store a unique token which identifies your mobile device and allows us to address push notifications to your phone. This is necessary to provide our service to you. We also store the content of push notifications for the purposes of debugging.

Retention: The device token is stored until such time as you disable push notifications within our application (note: disabling notifications on your phone alone will not remove the token from our service). Historical push notification content is stored for a period of 3 days from the date it was sent.


We store backups of data stored by us for use in disaster recovery. Backup data is encrypted and stored off site in a secure data centre. This is necessary to provide our service to you.

Retention: Backup data is stored for a period of 4 weeks.

Job applications

If you apply for a job with us, we will store the personal data that you submit for the purposes of considering your application.

Retention: Job application data will only be kept until the position has been filled unless you ask us to keep your information on record for considering for a future position.

Our servers

Our servers are located in the United Kingdom. The physical data centre has numerous physical security measures including biometric security, full CCTV coverage as well as 24/7 manned security.

Transfer of data to group companies

We may share and/or transfer your data with other companies within our relations for the purposes of administration.

Third party processors

In some cases, we may use third parties to provide storage or computing services. We maintain a list of third parties that process data on our behalf.


Personal Data

Professional Services

We may share your details with processional service companies such as accountants or accounting software.

Payment service providers

We may share your details with company who provide us with payment services for taking payments from credit/debit cards.

Technical service providers

We may share your details with providers we use to provide computing services.

E-Mail marketing software

We may share your details with e-mail marketing software providers to allow us to send e-mails to customers.

Communication services

We may share your details with companies who provide us with communication services such as a live chat or e-mail providers. We will not share your data with third parties for the purposes of any marketing without your consent unless otherwise specified in this privacy notice.

Correcting your personal data

It is important to us that the information we store is up to date and accurate. You may update your details at any time through our website.

Removal of your personal data

In some cases, you may be able to request that we remove your personal data from our systems. Get in touch to find out [email protected]

Your rights

You have a lot of rights, including right to request access to and rectification or erasure of your personal data or restriction of processing of it. You also have the right to object to our processing of your data in some situations, as well as the right to data portability.

Notification of data breaches

Upon discovering any data breaches, we will notify any affected individuals as soon as its practical following our data breach notification policy. This policy dictates that in the event of a data breach concerning personal data, the affected parties will be notified by e-mail to the main e-mail address we store with your account.

Electronic storage of data

No method of electronic storage can be 100% secure, however, we have hired sophisticated and detailed security & with developed policies that govern our systems & applications to help ensure your data is as secure as it can be.

Use of our services by persons under the legal drinking age in their respective country

We do not allow anyone under the legal age of their respective country to signup, use or store any personal data with us on any of our services. If we discover or are notified about the presence of a user under this age, we will remove their data from our systems without notice.

Changes to our privacy policy

We may need to make changes to this privacy policy from time to time. All changes will be published to our websites and we recommend reviewing it to stay up to date. If we make any changes that we feel may affect your privacy rights, we will notify you by e-mail or by displaying the information within the our services or applications.

Our lawful basis for data processing

Under the General Data Protection Regulation, unless we have otherwise specified above, we will be processing your data as a legitimate interest. These interests include staff training, ensuring the security of our systems and to allow us to operate our business in an efficient manner.

Where our processing is based on consent, you may withdraw consent at any time.

Where our processing is necessary for us to perform our contract with you, or to take steps to enter into a contract with you, we will not be able to enter into a contract with you or deliver our services to you if you do not give us the data in question.

Disclosure of information to law enforcement agencies

We may disclose your information if we are requested to by any law enforcement agency where we believe we are required to comply with the request under any applicable laws.

Data protection authority

You may have the right to lodge a complaint with your local data protection authority or the Information Commissioner's Office (ICO) in the United Kingdom (our authority).

The ICO can be contacted at: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Other information can be found on their website at ico.gov.uk.

Contacting us

If you have any questions about our privacy policy or any other aspects of our services, you may contact us by e-mail on [email protected].

Business Operations

We use data to develop aggregate analysis and business intelligence that enable us to operate, protect, make informed decisions, and report on the performance of our business. This processing is necessary to serve our legitimate interest.


There are different legal bases that we rely on to use your personal information, namely:

Performance of a service

The use of your personal information may be necessary to perform the service we offer. For example, to complete your purchase of your TGWA Product, to sell whisky in our auction, to register and maintain your account, to help with delivery issues, to handle returns.

Legitimate interests

We may use your personal information for our legitimate interests. For example, we rely on our legitimate interest to analyse and improve our TGWA service and the content on our websites and app, to send you notifications about auctions or information about TGWA services or to use your personal information for administrative, fraud detection or legal purposes.

Where we process your personal information based on our legitimate interest and no opt-out mechanism is available to you, you may exercise your right to object by sending an email to [email protected].

Terms & Conditions

By agreeing to the terms and conditions laid out by TGWA you are also agreeing to our privacy policy stated above and at www.thegrandwhiskyauction.com.

The landing page will initially be used for collecting of users data with the intention of distributing further dates of auctions, bottles available and other such marketing as detailed above.

Counterfeit Policy

Counterfeit Policy

The Grand Whisky Auction

This policy is in place to assure all users and members that The Grand Whisky Auction is doing everything in its power to combat the sale of fake whisky.

All counterfeits will be rejected and the associated user accounts will be removed immediately. Any counterfeit goods and fraudulent behaviour may be reported to the authorities and further legal action may be taken.

Our experts have been recruited specifically to reassure our members of the quality and authenticity of the lots.  As standard procedure, the following checks are routinely carried out:

    • Physical - Each bottle will be scrutinised examining various different things such as font on the label, colour of the liquid, quality of build, bottle fill level, seal integrity, coding, barcodes etc.
    • Comparison - When and where applicable an exact double of the bottle will be sourced from our network.  All of the above physical checks on the lot will then be repeated and compared to the known genuine. If there is any discrepancies the bottle will not be listed or will be removed from auction.
    • Origin - If there is any speculation to that a bottle or lot is counterfeit due diligence will be carried out as to its provenance, through the seller.  If the seller cannot reasonably prove the bottle in question is genuine, it will not be auctioned.

The Grand Whisky Auction also recognises that our site members and users have a vast array of knowledge and encourages users to get in touch if they suspect any bottle may be fake or counterfeit - please email [email protected].

Any queries we receive in regards to the authenticity of a bottle will be treated confidentially and with the highest importance.

For all buyers, the lots are sold as seen as and as per the terms and conditions. Thus, any persons bidding agrees that they have fully inspected the lot and are happy that the lot is genuine prior to placing a bid.

By agreeing to the (T&Cs) when registering with the site you are agreeing that the items you sell are genuine and are aware of the implications of attempting to sell counterfeit goods.

Should the seller wish for goods to be returned, they are solely responsible for arranging the shipping of the bottle to their address.

Should a bottle fail to meet our standards or not comply with our checking process this will result in the sellers bottle being returned or disposed of at the seller’s expense, plus an admin fee of £100.00 (Exc VAT).  The Grand Whisky Auction Ltd does not accept any liability for claims made against counterfeit bottles.