Privacy Policy
Privacy Notice and Policy: March 2024
This Privacy Policy sets out the basis upon which we process personal information, whether that information is provided to us by you directly or via a third party.
This Privacy Policy does not apply to our employees, contractors, agency staff, candidates for employment or engagement for whom we have a separate privacy notice provided directly to them at the time of engagement.
This Privacy Policy (also referred to as Privacy Notice) is issued on behalf of the Highbourne Group, when we mention Highbourne Group, we, us, or our, we are referring to the relevant company in the Highbourne Group responsible for processing your information. We at the Highbourne Group along with our subsidiaries and affiliates (collectively "Highbourne''), respect your concerns about privacy.
Our Privacy Promise
1. The protection of your privacy and personal information is important to us. We make sure that not only do we have appropriate security measures in place, but that any other organisation we work with to provide a service also meets the same standard as us.
2. We will respect your privacy and your marketing preferences, and we will not sell your information, or share it with other organisations for marketing purposes without your consent.
3. We will make it clear at the point when we request your information, what we are collecting it for, how we are going to use it, and how long we will keep it.
4. We will collect and use your personal information only if we have your permission or have a lawful basis for doing so.
5. We will minimise the amount of information we collect from you to what we need to deliver the product and services you have requested.
6. We will be clear in our dealings with you as to what information about you we will collect and how we will use it.
7. We will use your personal information only for the purposes for which it was originally collected and once that purpose has ended, we will delete or anonymise it, so that you can no longer be identified.
8. When other parties provide us with information about you, we will perform reasonable steps to confirm that the other party has a lawful basis to share your information with us, for the purpose given, or we will delete that information.
Our Contact Details
These are the registration details for our companies and the contact relating to data protection.
HIGHBORNE GROUP LIMITED
Our company number is 06216887.
Our Information Commissioner's registration number is Z224814X.
Our web address is https://www.highbournegroup.co.uk
CITY PLUMBING SUPPLIES HOLDINGS LIMITED (Trading as City Plumbing)
Our company number is 02489546.
Our Information Commissioner's registration number is Z1656911.
Our web address is https://www.cityplumbing.co.uk
DIRECT HEATING SPARES LIMITED (Trading as Direct Heating Spares)
Our company number is 05668463.
Our Information Commissioner's registration number is ZB219027.
Our web address is https://www.dhsspares.co.uk
NATIONAL SHOWER SPARES LIMITED (Trading as NSS and National Shower Spares)
Our company number is SC209728.
Our Information Commissioner's registration number is Z2462678.
Our web address is https://www.showerspares.com
PTS GROUP LIMITED (Trading as PTS and Plumbing Trade Suppliers)
Our company number is 02219435.
Our Information Commissioner's registration number is ZA027503.
Our web addresses are https://www.ptsireland.co.uk and https://www.cityplumbing.co.uk/content/pts.
THE UNDERFLOOR HEATING STORE LIMITED (Trading as The Underfloor Heating Store)
Our company number is 05687171.
Our Information Commissioner's registration number is ZA108077.
Our web address is https://www.theunderfloorheatingstore.com
The above companies are registered in the United Kingdom and can be contacted,
via post to:
Highbourne House Eldon Way, Crick Industrial Estate, Crick, Northampton, United Kingdom, NN6 7SL
Or email
PrivacyOffice@highbournegroup.co.uk
Our EU office postal contact for data protection queries is:
FOA Privacy Office, Unit 1, Block K, Ballymount Drive, Ballymount Industrial Estate, Dublin, Republic of Ireland, D12 YP92
Or email PrivacyOffice@highbournegroup.co.uk
The type of information we collect
We may collect and process the following information about you:
- Personal identifiers, contacts, and characteristics (for example, name, contact details and physical address, date of birth, job title, place of work, copies of official identification).
- Geographic Location.
- Telephone audio recordings.
- CCTV video recordings.
- Social media or other online identifying tokens or handles.
- Usernames and passwords.
- Website usage data (for example, Internet Web browser type and version, operating system, referral source and pages visited)
- Payment details.
- Purchase history and trends.
- Credit reference score.
How we obtain your personal information
Most of the personal information we process is provided directly by you for one or more of the following reasons:
- When you request a quotation or estimate for products and services.
- When you or your organisation applies for an account to purchase products and services from one or more of our companies.
- Where we or your organisation have assigned you an account to access any of our interactive online systems, or mobile applications.
- When you communicate with us in the context of an employee or worker representing an organisation which we supply services to or consume products or services.
- When you communicate with us directly as an individual, or as a customer of an organisation that has procured our products and services.
- When you communicate with us as an individual to exercise your rights.
- Because of your usage of any of our online services or mobile applications.
- When video images are recorded by our CCTV equipment located in vehicles and buildings which we own or operate.
We may also obtain your personal information from other sources or organisations for one or more of the following reasons:
- Because of our procurement of a mailing list from any supplier, where you have previously consented for that supplier to share your personal information with others for marketing purposes.
- One of our partners provides us with your information, in accordance with the terms and conditions of a product or service which you have obtained from them.
- Your next of kin has notified us of important information about you.
- Your employer is in partnership/business with us and is required to notify us about your employment, or you are working on a project, or providing services to us.
- A delegated authority has communicated with us.
- A legal authority, or body has provided us with information about you, because of a lawful enquiry.
- An insurance company made an enquiry about a product or warranty claim to us.
- A financial institution making lawful enquiries.
How we use your personal information
If you are a customer, we use your personal order information to:
- Provide you with a quote or estimate for products or services.
- Keep you informed about our products and services.
- Respond to your enquiries, complaints, or rights requests.
- Process orders, and to follow up on orders that are not completed.
- Arrange visits to your home or premises to carry out a survey or installation.
- Manage your account, including verifying your identity if necessary.
- Manage your credit account, including carrying out credit checks.
- Notify you about important changes or developments to our site or services.
- Manage deliveries, returns and refunds.
- Process competition entries.
- Deal with product liability issues.
- Deal with enquiries and complaints.
- Manage claims and for insurance purposes.
- Manage record keeping.
- Use your purchase history to manage rebates and supplier claim backs.
- Conduct market research.
- Publish trends, and/or to improve usefulness, and content to our website.
- Track activity on our site and to provide a more personalised online experience.
- Link with social media sites and services, for example, for advertising purposes.
- Manage your participation in reward and discount schemes.
- Manage our online systems and mobile applications that you have access to.
- Manage your login sessions.
- Store and retrieve your preferences.
- Send notifications to you as part of a registration process, or other system events related to the operation of the system, or provided services, which may include resetting your password.
- Send you notification of system maintenance activities.
- Send you notification of password expiry.
- Confirming a supplied email address is valid.
- Send you service consumption reports or other information you have requested.
- Respond to communications from you relating to products and services we provide to an organisation you represent, directly to you as an individual or as a customer of an organisation.
- Examine and identify website and mobile application usage patterns to enable us to improve our products and services.
- Detect and prevent criminal activity and assist in claim management.
If you are a supplier, we use your information order to:
- Process and manage orders.
- Manage deliveries, installations, returns and refunds.
- Deal with product liability issues.
- Manage accounts, including conducting credit and other background checks where applicable.
- Notify you about important changes or developments to our websites, services, and policies.
- Manage our supply chain.
- Handle rights requests, enquiries, and complaints.
- Manage claims and for insurance purposes.
- Manage record keeping.
- Conduct Market Research.
We do record and/or monitor some telephone calls
For example, calls to our customer services teams.
We do this for the following purposes:
- Training and quality control.
- As evidence of conversations.
- For the prevention or detection of crime.
We may share your personal information
We do not sell or otherwise share personal information, except as described in this Privacy Policy.
Your information may be shared within the Highbourne Group of companies to:
- Manage your account (including credit accounts).
- Fulfil a service or product order which you have placed with one of our companies.
- To comply with the terms of a promotion, or other activity which you have consented to.
- To perform marketing activities for our other products and services which you have consented to.
We engage service providers to assist us in ensuring our business runs smoothly and our ability to provide continued services. We work with a large number of suppliers who provide products and services to us and depending on which organisation, or product, or service you use, we may share your personal information with one or more of these suppliers, so they can provide the services to us, or your personal information, or may simply be held in their systems, as a consequence of services they provide to us.
These suppliers, provide many services to our organisation including:
- IT service hosting, providing the physical locations where some of our IT systems reside.
- Software as Service providers, providing the actual cloud software which we use to deliver part of the services to you, or our administration functions, for example, our websites, a solution building application, one of our mobile applications.
- Courier service providers, to collect and deliver the items you have ordered.
- Rebate or discount providers, in order to calculate or process your discount, rebate in schemes you have participated.
- Credit referencing agencies, in order to process any application for credit.
- Fraud screening agencies, to identify and detect fraud and ensure compliance with our terms and conditions.
- Marketing agencies, where you have consented to participate in marketing activities on our behalf.
- Card payment services, to facilitate our card payments.
- Financial management providers, identify duplicate or payments owed.
- Debt recovery agencies, chase or manage debtors.
- Social media platforms, to match your email address with their customer records, to enable them to perform marketing activities which you have consented to.
We will only provide these third parties with the minimum information they need to deliver the service we have engaged them for, and they are prohibited from using that information for any other reason.
Whenever we share personal information with third parties, we put in place contracts which require the protection of the personal information, in accordance with the applicable data protection laws.
A full list of the parties that we may share your personal information with (sub processors) is located here: https://www.highbournegroup.co.uk/subprocessors/
Your personal information may also be disclosed to third parties where we are required to by law, or other statutory obligations, including:
- Tax, customs, and excise authorities
- Regulators, courts, and the police
- Insurance companies
- Legal or professional advisors
We may also disclose your personal information if we believe that the disclosure is necessary to enforce, or apply our terms and conditions, or otherwise protect and defend our rights, property or the safety of our customers and other users of our websites, systems, and mobile applications.
We may disclose and/or transfer your personal information, in connection with a reorganisation of all, or part of our business, if the majority of our shares are bought by another company, or if we transfer all, or some of our assets to another company.
Links to other websites
Links may be provided on our websites to other websites that are not operated by us. If you use these links, you will leave our websites. You should note that we are not responsible for the contents of any third-party websites.
External sites will have their own privacy policies which you should read carefully.
What legal basis do we use to process this information?
Under the General Data Protection Regulation (GDPR), including the UK adopted post Brexit version, the lawful basis we rely on for processing your (data subject) information will vary depending on the context of how the information was collected, or provided to us, and the purpose for which the information was provided. Article 6 of the GDPR states that processing shall be lawful only if, and to the extent that at least one of the following applies:
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
In the above context we are the controller, and you are the data subject, the GDPR further states that point (f) shall not apply to processing carried out by public authorities in the performance of their tasks.
To explain this in as clear a way as possible:
- When you sign up to something like the receipt of marketing emails, this is done with your consent, therefore our lawful basis would be consent.
- Where you provide data to us so that we can fulfil a service, e.g., set up an account, provision of a quote or estimate, or an order, or a contract, therefore our lawful basis would be contract.
- If we need to process your information, because other laws and regulations tell us to, we do so under a legal obligation, therefore our lawful basis would be legal obligation.
- Additional contact with you, after you have made a purchase, for example telling you about another closely related product, we do so because we have a legitimate interest to, therefore our lawful basis would be legitimate interest.
Where the use of our or third-party systems required your consent, prior to the collection and processing of your information, our lawful basis is:
(a) Consent.
You can remove your consent at any time, and you can do this by contacting: PrivacyOffice@highbournegroup.co.uk.
This may arise for example, when you are completing online forms, using our mobile applications or webchat system.
Where we provide services directly to you, our lawful basis is that:
(b) Contract.
This may arise for example, when you sign up for business account, or complete a warranty application.
Where your information is provided to us by an organisation whom we provide products and services to, our lawful basis is:
(c) Legitimate Interest.
This may arise for example when, we inform you of another closely related product or service, where we identify suspected criminal activity, such as fraudulent claims, or the use of stolen payment card details.
Sensitive information
The GDPR classifies some data as ‘special category’ and this requires particular protection. As a rule, we do not collect this type of data for customers, visitors to our websites, or suppliers, for example if we have been informed of a health and safety claim, which may include medical information, or if we do need to process ‘special category’ data, we will obtain explicit consent to do so, or other legal method.
Children’s information
We do not knowingly collect or store any personal information of children under the age of 16, because the mechanisms whereby we collect personal information are not applicable to this age group.
Our marketing activities
You may receive direct marketing from us, if you have signed up to this, or where we have a previous relationship, e.g., if you have bought products and services from us before.
If you have an online account you can access, update, and correct your personal information, including your marketing choices using the account management facilities.
You can opt out of receiving emails, or text marketing at any time, by using the unsubscribe option in any email message you receive.
You can opt out of postal and telephone marketing by contacting us at marketing@cityplumbing.co.uk.
We will ensure that prior to conducting any marketing activities, we will screen all proposed marketing recipients against our preference and marketing suppression lists and only perform marketing activities to recipients which we have a lawful basis to do so, have opted in, and have not withdrawn their consent to marketing.
Prior to conducting live telephone marketing calls, we will ensure that the marketing campaign telephone numbers have been screened against the Telephone Preference Service (TPS), and Corporate Telephone Preference Service (CTPS), the telephone preference lists (TPL) which are published 28 days prior to the date of the marketing activity, and we will not call any number present on the TPL for marketing purposes.
Profiling
We may use direct, or anonymised information to engage in data analysis, data matching and profiling activities for a variety of purposes, including, but not limited to:
- Website Activity (cookie history).
- Business conduct.
- Investigation and identification of fraud, money laundering and other potential unauthorised activities.
- Financial Viability analysis / reports.
- Business partner/client portfolio position, performance, risk positions.
- Tax reporting.
- Credit defaulting / exposure.
Cookies
Cookies are little packets of data that sit on our website, in some cases to make it work, and in some cases to add additional services. For more information about cookies and how to look after them, including how to turn them off, please visit our cookie policy on the relevant website.
International transfers of personal information
Sometimes we need to use services that may be located outside the United Kingdom. This means your personal information may be transferred outside the UK.
If we transfer your personal data out of the United Kingdom, we ensure a similar degree of protection is afforded to it, by ensuring at least one of the following safeguards is implemented:
- the destination country has been deemed to provide an adequate level of protection for personal data by the UK’s Data Protection Authority; or
- we may use specific contracts approved for use in the UK, which give personal data protection equivalent to that required by the UK data protection laws.
How we keep your information safe
We take great care to use appropriate administrative, technical, and physical safeguards designed to protect against accidental, unlawful, or unauthorised destruction, loss, alteration, access, disclosure or use.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal information, we cannot guarantee the security of information you submit via our website, and any transmission is at your own risk. Once we have received your information, we will take appropriate technical and organisational measures to safeguard your personal data against loss, theft and unauthorised use, access, or modification.
If you have created an account or registered to use any online services, your account details may be password protected. It is your responsibility to keep your password confidential, and to sign out once you have finished browsing.
Access to personal data is restricted to those within our business who have a legitimate business need, and data processed by third parties is only done so under strict instruction from us, as per the terms of their contract.
We contractually require service providers and processors to safeguard the privacy and security of personal information they process on our behalf in line with data protection obligations and authorise them to use or disclose the information, only as necessary to perform services on our behalf, and under our instruction, or to comply with legal obligations and requirements.
How long we keep your information for
We only keep your personal information for as long as the purpose for which your information was provided exists, or as required to comply with a legal, or statutory obligation. For example, we are legally obliged to retain purchase records for seven years.
When the lawful reason to keep your personal information no longer exists, we will erase your information or change it, so that the information no longer identifies you.
Making changes or getting access to the information we hold about you.
You have the right to request the following:
- Request details of and have copies of your information.
- Request us to correct or rectify your information.
- Request us to erase your information.
- Log an objection to a part of, or all of the ways in which we are processing your information.
- Request that we restrict the way your information is processed.
- Request that we provide your information in a portable form, so it can be transferred to another organisation.
- Object to an automated decision-making process.
If you withdraw your consent, this will not affect the lawfulness of the processing of your personal data prior to the withdrawal of your consent.
If we are unable to process any part of your request you will be informed of this, along with the reasons as to why your request cannot be carried out.
You can exercise all of your rights, which includes accessing your personal data, having your information erased, or to opt out of marketing material by clicking on this link:
- Exercise my rights or,
- use the contact details at the beginning of this policy to communicate with us
If you are making a request on behalf of someone else, please note that we will need to verify the identity of the person whom it is for, and the authority of the requester before disclosing any personal data. You can submit the request, by clicking on this link:
- Request made on behalf of someone or,
- use the contact details at the beginning of this policy to communicate with us and explain who the request is for.
For CCTV footage requests, please click on this link CCTV footage request.
We have an obligation to respond within one month of receiving your request or when we have confirmed your identity if needed. If your request is a complex one, the response time can be extended by up to two months. If we need to extend, we will let you know about the extended response date, and the reason, but we will do so within the original one-month time frame.
If required, identification may be requested within the one-month time frame and only limited to what is necessary for identity confirmation. We might require a copy of your driving licence, passport, or a utility bill.
If we are not able to comply with a request, we will inform you of this within the one-month time frame and provide an explanation outlining our justification.
Your right to complain
If you do not agree with our reasoning, you can contact our Data Protection Officer at privacyoffice@highbournegroup.co.uk or you can lodge a complaint with the supervisory authority:
Information Commissioner’s Office
https://ico.org.uk/make-a-complaint/
Telephone: +44 303 123 1113 (local rate) or 01625 545745 (national rate)