Skip to main content

Privacy policy

Last updated: 10 May 2026

This policy explains how BedBoy collects, uses, stores and protects personal data. We have written it to comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who we are

BedBoy is the editorial mattress comparison engine at www.bedboy.co.uk. For the purposes of UK data-protection law, BedBoy is the data controller for the personal data described in this policy.

If you have any questions about this policy or want to exercise any of your rights, write to us at [email protected].

2. What this policy covers

This policy applies to personal data we collect when you visit www.bedboy.co.uk, contact us, sign up to anything we run, or otherwise interact with us. It does not cover third-party retailers you reach through our outbound links. Those sites have their own privacy policies and you should read them separately.

3. The lawful bases we rely on

We only process personal data where we have a lawful basis under Article 6 of the UK GDPR. The bases we rely on are:

  • Consent: for non-essential cookies and analytics, and for any optional marketing email you have asked to receive. You can withdraw consent at any time.
  • Legitimate interests: for keeping the site secure, preventing fraud, measuring aggregate (non-identifying) traffic patterns, and answering messages you have sent us.
  • Legal obligation: for responding to lawful requests from regulators or law-enforcement bodies, and for keeping records we are required to keep.
  • Contract: where we are arranging or providing a service you have specifically asked for.

4. What we collect

4.1 Information you give us

When you contact us, sign up to a list, fill in a form on the site, or submit a comment, you may give us:

  • your name;
  • your email address;
  • the content of your message and any attachments;
  • any other information you choose to share with us.

We do not ask for or store payment-card details. Purchases are completed on the retailer’s own website.

4.2 Information we collect automatically

When you visit BedBoy, our servers and our service providers automatically log:

  • your IP address (truncated where used for analytics);
  • the pages you visit and the time you spent on each page;
  • the website that referred you;
  • your browser type, operating system and approximate location at country/region level;
  • technical data needed to keep the site secure (such as request signatures used to detect abuse).

Server access logs are retained for a maximum of 30 days unless we need to keep them longer for security investigations.

4.3 Cookies

We use a small number of cookies. Strictly necessary cookies (for security and remembering your cookie choice) are set when you arrive. Analytics and other non-essential cookies are only set if you give consent through the cookie banner. Full details, including the third-party cookies that may be set when you load embedded retailer content or click an outbound link, are in our cookies policy.

5. How we use your data

We use the personal data we collect to:

  • run the website and keep it secure;
  • answer messages you have sent us;
  • understand how readers use the site, in aggregate, so we can improve our content (analytics, with consent);
  • track which retailer links generate sales so retailers can pay us the affiliate commission we are owed (without identifying individual readers);
  • send you the optional emails you have specifically asked for, and only those;
  • meet legal, regulatory or accounting obligations.

We do not sell your personal data, and we do not buy lists of personal data from third parties.

6. Affiliate tracking

When you click an outbound link to a retailer, you are passed through one of our affiliate networks so the retailer can attribute the sale back to BedBoy. The networks we work with at the time this policy was last updated are Awin, Affiliate Future and Tradedoubler. These networks may set their own cookies on your browser. Each network has its own privacy notice, which you can find on its website.

We never receive your name, email address or payment details from these networks. We only receive aggregate, anonymised data about whether a click resulted in a sale.

7. Third parties we share data with

We share personal data only when we have to. The categories of recipient are:

  • Hosting and CDN providers that store and serve the site (data is processed under written contracts that comply with UK GDPR);
  • Analytics providers (principally Google Analytics) only where you have given cookie consent;
  • Affiliate networks (Awin, Affiliate Future, Tradedoubler) for sales attribution as described above;
  • Email-delivery providers if you have asked us to email you;
  • Professional advisers (lawyers, accountants, auditors) where we are required to use them;
  • Regulators or law-enforcement bodies where we are legally required to share information.

8. International transfers

Some of the third parties named above are based outside the UK. Where personal data is transferred outside the UK, we make sure it is protected by an appropriate safeguard recognised under UK GDPR: typically a UK adequacy decision, the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses.

9. How long we keep your data

We keep personal data only for as long as we need it for the purpose we collected it for, and for any retention period required by law. Indicative retention periods are:

  • Contact-form submissions: up to 24 months from the date of your last reply, then deleted.
  • Email subscribers: while you remain subscribed; deleted within 30 days of unsubscribing.
  • Server access logs: 30 days, longer only if needed for a specific security investigation.
  • Analytics data: aggregated and retained for the period set out in our cookies policy.
  • Records we are required to keep by law (for example, tax records): for the statutory period.

10. Your rights

Under UK GDPR you have the following rights in relation to your personal data:

  • Access: ask for a copy of the personal data we hold about you;
  • Rectification: ask us to correct anything that is inaccurate or incomplete;
  • Erasure (the “right to be forgotten”): ask us to delete personal data where we no longer have a lawful basis for keeping it;
  • Restriction: ask us to limit how we use your data while a query is investigated;
  • Portability: ask for a copy of the data you have given us in a structured, commonly used, machine-readable format;
  • Object: object to our processing where we rely on legitimate interests;
  • Withdraw consent: for any processing that relies on consent, you can withdraw it at any time.

To exercise any of these rights, email [email protected]. We will respond within one calendar month. We do not charge for handling reasonable requests.

11. How to complain

If you are unhappy with how we have handled your personal data, please contact us first so we can try to put it right.

You also have the right to complain to the Information Commissioner’s Office (ICO), the UK’s independent data-protection regulator. The ICO can be reached at ico.org.uk or on 0303 123 1113.

12. Security

We use technical and organisational measures designed to protect personal data from loss, misuse and unauthorised access. The site is served over HTTPS, traffic is filtered through Cloudflare, and access to systems holding personal data is restricted to a small number of named staff. No transmission over the internet is ever completely secure, but we monitor for threats and review our controls regularly.

13. Children

BedBoy is aimed at adults shopping for beds and bedding. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please email [email protected] and we will delete it.

14. Changes to this policy

We may update this policy from time to time. When we do, we will update the “Last updated” date at the top of the page. If the change is significant, we will publish a notice on the home page or email anyone on our list before the change takes effect.

15. Contact

For all data-protection enquiries, email [email protected].