Privacy notice for retail customers

When we ask you to provide personal information we will let you know why we are asking, and how we will use your data, and will direct you towards this notice for further information. This privacy statement explains how we use any personal information we collect about our visitors who purchase items from our shop or online.

1. What information do we collect about you?

The personal information we collect about our visitors may include:

  • Name
  • Contact details for communications, e.g. postal address, email address and telephone number
  • Bank account, bank or credit card details
  • Details of correspondence sent to/received from you

2. How will we use the information about you?

Receiving information about museum activities

We will only use your personal data to send you information about retail offers and promotions with your explicit consent. We will retain your information only for as long as you wish to receive updates from us, and you may opt out at any time by emailing us at or by writing to the Retail Department, Royal Armouries, Armouries Drive, Leeds, LS10 1LT.

Purchasing goods from our museum shop or online

The purchase of goods from our museum shop or online is governed by legal and contractual obligations. We will use the personal information that you provide to process your order, to take payment, to deliver your goods, and to protect your rights as consumers. We will share your bank or credit card details with Worldpay, and use NatWest Bank to process payments by cheque. You can view Worldpay’s privacy policy at We are required to keep bank and credit card receipts for up to three years, and records of sales for up to seven years, after which time they are destroyed.

Helping us to improve our retail service

We will also use your details to ask for feedback on your experience, and will use this information to help us evaluate our performance, and to improve the delivery of our retail services. These comments are usually anonymous, and after the information has been summarised, the cards or forms are destroyed. However some visitors provide contact details because they wish to receive a response from us.

Answering your letters and emails

When we receive correspondence from you, we will keep copies of your emails and letters together with any response we send you for a period of one year after which they will be destroyed.

3. How we ensure your information is up to date?

We carry out routine checks of the personal information we collect to ensure that it is accurate and up-to-date. We will also contact you from time to time to check that any information we hold about you is relevant for the purposes of processing.

4. Who we share your information with?

We will not sell your details to any third parties, nor disclose your personal information to any third parties or external organisations, other than those data processors and service providers carrying out work on our behalf. The museum carries out comprehensive checks on any companies working on our behalf before we work with them, and puts contracts in place in line with the Data Protection Act 2018, that sets out our expectations and requirements, especially regarding how they manage your personal information.

In the event where we wish to share your personal information in a way that is not covered in this statement, we will apply for your explicit and informed consent.

5. How we keep your information secure

The museum has implemented security procedures to ensure that the personal information under our control is protected from unauthorised access, improper use, unauthorised modification, accidental or malicious disclosure. All employees and data processors are obliged to respect the confidentiality of the personal information of our visitors, friends and supporters. Your information will be retained within our secure information systems for as long as you continue to engage with us, and will then be securely destroyed or transferred to the museum’s archives as appropriate.

6. How you can access to your information

The museum complies with the terms of the Data Protection Act 2018, and you have the right to request a copy of the personal information that we hold about you at any time by emailing or writing to us at the contact details below. There is usually no charge for making this request, and we will normally respond to you within one month (twenty working days). However if we hold a large amount of information about you or your request is complicated, then we may need to charge you a reasonable fee, based on the cost of providing the information, and extend the deadline by up to two months. We will advise you of any charges or delays in responding to your request.

You also have the right:

  • to have your personal information rectified if it is inaccurate or incomplete;
  • to request the deletion or removal of your personal information (the right to be forgotten);
  • to ‘block’ or suppress the processing of your personal information;
  • to obtain and reuse your personal information for your own purposes across different services;
  • to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); direct marketing (including profiling); and processing for purposes of scientific/historical research and statistics; and
  • not to be subject to a decision when it is based on automated processing, and it produces a legal effect or a similarly significant effect on you.

We will fully respond to any requests to remove, change or provide any personal information you have given to us. We will keep a record of your request for a period of two years in order to show that we have complied with the Act after which it will be destroyed.

For further information on your rights visit the Information Commissioner’s website,

7. How to contact us?

If you have any questions about our privacy policy or the information we hold about you please contact our Data Protection Officer:

Philip Abbott
Data Protection Officer
Royal Armouries
Armouries Drive
LS10 1LT

If you feel that we have not upheld your rights and wish to make a complaint, you should contact our Data Controller:

Malcolm Duncan
Data Controller
Royal Armouries
Armouries Drive
LS10 1LT

8. Information Commissioner

If you are not satisfied with our response, or believe that we are not processing your personal information in accordance with the law, you have the right to complain to the Information Commissioner’s Office:

Information Commissioner’s Office
Wycliffe House
Water Lane
Telephone: 0303 123 113


When we provide services, we want to make them easy, useful and reliable. Where services are delivered on the internet, this sometimes involves placing small amounts of information on your device, for example, computer or mobile phone. These include small files known as cookies. They cannot be used to identify you personally.

These pieces of information are used to improve services for you through, for example:

enabling a service to recognise your device so you don't have to give the same information several times during one task recognising that you may already have given a username and password so you don't need to do it for every web page requested measuring how many people are using services, so they can be made easier to use and there's enough capacity to ensure they are fast.

Removing & Disabling Cookies

Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit or

To opt out of being tracked by Google Analytics across all websites visit

We have tried to cover all cookies in this list that we or our service providers use. Please be aware that there may be a delay in updating this list. If you do notice any discrepancies please be sure to contact us and let us know.

Cookies Set By Us

Cookies for improving service

Google Analytics sets cookies to help us accurately estimate the number of visitors to the website and volumes of usage. This is to ensure that the service is available when you want it and fast.

Name: _utma
Typical content: randomly generated number
Expires: 2 years

Name: _utmb
Typical content: randomly generated number
Expires: 30 minutes

Name: _utmc
Typical content: randomly generated number
Expires: when user exits browse

Name: _utmz
Typical content: randomly generated number + info on how the site was reached (e.g. directly or via a link, organic search or paid search)
Expires: 6 months

For further details on the cookies set by Google Analytics, please refer to the Google Code website.

Name: __g_c
Typical content: alphanumeric key
Expires: when user exits browser

This cookie tells us that you are actively using our site. This way we can always know, at any given time, how many users we have visiting.

Essential cookies required for site to function correctly

Name: sess_id
Typical content: randomly generated number + information about site preferences and shopping cart contents
Expires: 2 weeks

This cookie keeps track of the contents of your shopping cart, stores delivery addresses if the address book is used, and stores your details if you choose to register with us. They are also used after you have logged on as part of that process.

Name: quick_menu_offset
Typical content: alphanumeric key
Expires: when user exits browser

This cookie is set after login, which indicates when you're logged in, for most interface use.

Cookies Set by Third Party Services

Throughout the site we utilise the services of external companies to enhance the visitors' experience. They set cookies to enhance their service or to track usage or to validate users. These cookies are only set when the page that uses that service is visited.

Cookies for improving service

Typical content: randomly generated number + info on the bandwidth of the connection to allow the appropriate quality video to be streamed.
Expires: 8 months

This cookie allows YouTube to detect the bandwidth of your network so that they can send the best quality video it can handle.

Cookies for authentication

Name: ASP.NET_SessionId
Typical content: random number generated + information required to authenticate a certified domain
Expires: when user exits browser

This is a session cookie which tracks the server response time for rendering the site seal. It ensures that the information contained in the site seal remains current and constant for that browser session of each customer.