Your data matters
Looking after the personal information you share with us is important. We would like to tell you when we collect your information, what we use it for, who we share it with and how we look after it.
City Plumbing Supplies Holdings Limited (trading as City Plumbing, PTS and The Bathroom Showroom) is part of the Highbourne Group of companies.
This is our privacy notice, telling you what data we collect, what we do with it, who helps us process it and how you can exercise your rights with regards to your personal information.
Our Privacy Promise:
- The protection of your privacy and personal information is important to us. We make sure that not only do we have appropriate security measures in place, but that any other organisation we work with to provide a service also meets the same standard as us.
- We will respect your privacy. You should receive marketing emails only from us. We will make sure that any boxes you need to tick if you are happy to receive marketing are presented clearly and at an appropriate time.
- We will make it clear at the point when we request your information, what we are collecting it for and how we are going to use it.
- We will collect and use your personal information only if we have your permission or we have sensible business reasons for doing so.
- We will minimise the amount of information we collect from you to what we need to deliver the product and services you have requested.
- We will be clear in our dealings with you as to what information about you we will collect and how we will use it.
- We will use personal information only for the purposes for which it was originally collected and we will make sure we store it safely, and delete it securely.
Do remember that our websites are accessible via the internet. Please remember that if you post any comments or links on any of our sites that they can be read and accessed by anyone and everyone.
Who we are:
City Plumbing Supplies Holdings Limited is a company registered in England with the number 02489546 and is part of the Highbourne Group of companies.
Our address is Highbourne House, Eldon Way, Crick, Northants, NN6 7SL.
We are registered as a data controller with the Information Commissioner’s office – our registration number is Z1656911
What information we collect about you and how do we use it:
If you are a customer, we collect personal data to:
● Respond to your enquiries, complaints or rights requests.
● Quote for, or provide, a service.
● Keep you informed about our products and services.
● Process orders, and to follow up on orders that are not completed.
● Arrange visits to your home or premises to carry out a survey or installation.
● Manage your account, including verifying your identity if necessary.
● Manage your credit account, including carrying out credit checks.
● Notify you about important changes or developments to our site or services
● Manage deliveries, returns and refunds
● Process competition entries
● Deal with product liability issues
● Deal with enquiries and complaints
● Manage claims and for insurance purposes
● Manage record keeping
● Use your purchase history to manage rebates and supplier claimbacks
● Conduct market research
● Publish trends and/or to improve usefulness and content of our website
● Track activity on our site and to provide a more personalised online experience
● Link with social media sites and services, for example, for advertising purposes
If you are a supplier, we collect personal data to:
● Process and manage orders
● Manage deliveries, installations, returns and refunds
● Deal with product liability issues
● Manage accounts, including conducting credit and other background checks where applicable
● Notify you about important changes or developments to our websites, services and policies
● Manage our supply chain
● Handle rights requests, enquiries and complaints
● Manage claims and for insurance purposes
● Manage record keeping
● Conduct Market Research
This personal information may include, but is not limited to the following details:
● Name, address, email address, telephone number, date of birth, copies of identification, account name
● Delivery addresses, payment details, contact information, complaint / enquiry information, delivery photographs, survey and installation details
● Identification, purchase history and trends, credit limits, contact information, account activity, log in details
● AML and credit check results, fraud investigation
● Like many websites, our server logs capture details of your operating system, browser software, IP (Internet Protocol) address and Uniform Resource Locator (URL), including the date and time of your visit.
Sometimes information about you might be provided to us by another source such as:
● Next of kin / delegated authorities
● Business associates
● Your employer in partnership/business with us
● ‘Trusted Sources’:
►Credit / Default Agencies
►Third-party service affiliates or suppliers who have sought your consent
We do record and/or monitor some telephone calls
For example calls to our customer services teams. We do this for the following purposes:
● Training and quality control
● As evidence of conversations
● For the prevention or detection of crime (e.g. fraudulent claims)
What legal basis do we use to process this information?
When a business like ours processes your data we have to have a legal reason for doing so, which is also known as the legal basis. There are a number of legal bases which may differ depending on the type of personal data we are processing and for what purpose. We’d like to explain this in as clear a way as possible:
● When you sign up to something like the receipt of marketing emails, this is done with your Consent.
● Where you provide data to us so that we can fulfil a service, e.g. set up of an account, provision of a quote or estimate, or an order, this is a Contract.
● If we need to process your information because other laws and regulations tell us to, we do so under a Legal Obligation, e.g. maintaining a record of a transaction.
● Additional contact with you after you have made a purchase, for example telling you about another closely related product or service is processed under Legitimate Interest. This is also the legal basis we use to nurture the business relationships that we have with our commercial partners.
We also use Legitimate Interest where we identify suspected criminal activity such as fraudulent claims or the use of stolen payment card details, we will record details of the suspected criminal activity and may take appropriate action, including refusing to accept orders, make payments or give refunds. We may also report the incident to the relevant bank or payment card issuer or to the police or other appropriate authorities.
Some data is classified as ‘special category’ and requires particular protection. As a rule we do not not collect this type of data for customers, visitors to our website or suppliers. If we do need to process this data we will obtain Explicit Consent to do so or we will use our right in Establishing, exercising or defending a legal claim.
Occasionally we may need to process criminal conviction data. In this situation we use Legal Claims i.e. processing in connection with legal or potential legal proceedings, obtaining legal advice or establishing, defending and/or exercising legal rights.
We do not knowingly collect or store any personal information of children under the age of 16, because the mechanisms whereby we collect personal information are not applicable to this age group.
Who we share data with:
Like most organisations, we engage service providers to assist us in ensuring our business runs smoothly and our ability to provide continued services. We work with a large number of suppliers who provide products and delivery services to us.
We will only provide these third parties with the information they need to deliver the service we have engaged them for and they are prohibited from using that information for any other reason. Whenever we share personal information about our customers or visitors to our website with these third parties, we will put in place contracts which require the protection of the personal information.
Your information may be shared within the Highbourne Group of companies for account management (including credit accounts), analysis and reporting.
Your personal data may be disclosed to the following third parties:
● Tax, customs and excise authorities
● Regulators, courts and the police
● Fraud screening agencies
● Duplicate payment reviewers
● Central and local government
● Insurance companies
● Other professional advisors
In order to process any application for credit we will supply your personal information to credit reference agencies (CRAs) and they will give us information about you, such as about your financial history. We do this to assess creditworthiness and product suitability, check your identity, manage your account, trace and recover debts and prevent criminal activity. We will also continue to exchange information about you with CRAs on an ongoing basis, including about your settled accounts and any debts not fully repaid on time. CRAs will share your information with other organisations. The identities of the CRAs, and the ways in which they use and share personal information, are explained in more detail at experian.co.uk/legal and transunion.co.uk/legal/privacy-centre.
We may also disclose your personal information if we believe that the disclosure is necessary to enforce or apply our terms and conditions or otherwise protect and defend our rights, property or the safety of our customers and other users of the website.
We may disclose and/or transfer your personal information in connection with a reorganisation of all or part of our business, if the majority of our shares are bought by another company or if we transfer all or some of our assets to another company.
Links to other websites
Links may be provided on our website to other websites that are not operated by us. If you use these links, you will leave our website. You should note that we are not responsible for the contents of any third party website. External sites will have their own privacy policies which you should read carefully.
Our Marketing activities
You may receive direct marketing from us if you have signed up to this or where we have a previous relationship, e.g. if you have bought products and services from us before. You have the right to stop receiving this marketing material at any time.
If you have an online account you can access, update and correct your personal information – including your marketing choices – using the account management facilities.
You can opt out of receiving emails or text marketing at any time by using the unsubscribe option in any email message you receive.
You can opt out of postal and telephone marketing by contacting us at firstname.lastname@example.org.
If you prefer not to receive marketing which is tailored to suit your customer profile, please contact us at: email@example.com and confirm which accounts this affects. You will still receive generic marketing unless you opt out of receiving marketing entirely.
We may use direct or anonymised information to engage in data analysis, data matching and profiling activities for a variety of purposes, including, but not limited to:
● Website Activity (cookie history)
● Business conduct
● Investigation and identification of fraud, money laundering and other potential unauthorised activities,
● Financial Viability analysis/reports
● Business partner/client portfolio position, performance, risk positions
● Anti-money laundering
● Tax reporting
● Credit defaulting / exposure
Sending data outside of the UK
Sometimes we need to use services that may be located outside the United Kingdom. This means your personal information may be transferred outside the UK. If we transfer your personal data out of the United Kingdom, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
● the destination country has been deemed to provide an adequate level of protection for personal data by the UK’s Data Protection Authority; or
● where we use certain service providers, we may use specific contracts approved for use in the UK which give personal data protection equivalent to that in the UK.
We take great care to use appropriate administrative, technical and physical safeguards designed to protect against accidental, unlawful or unauthorised destruction, loss, alteration, access, disclosure or use.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal information, we cannot guarantee the security of information you submit via our website and any transmission is at your own risk. Once we have received your information, we will take appropriate technical and organisational measures to safeguard your personal data against loss, theft and unauthorised use, access or modification.
If you have created an account or registered to use any online services, your account details may be password protected. It is your responsibility to keep your password confidential and to sign out once you have finished browsing.
Access to personal data is restricted to those within our business who have a legitimate business need and data processed by third parties is only done so under strict instruction from us, as per the terms of their contract. We contractually require service providers and processors to safeguard the privacy and security of personal information they process on our behalf in line with data protection obligations and authorise them to use or disclose the information only as necessary to perform services on our behalf and under our instruction or to comply with legal obligations and requirements.
How long do we keep your information?
The length of time we keep some data is dictated by our legal obligations, e.g. we have to keep details of purchases for seven years. Otherwise we keep it for a period time that is related to the reason we collected it in the first place.
When we don’t need to keep your data anymore, we do one of three things:
● we erase it
● we keep a small amount because we have to, and keep it safe, sometimes disguising it.
● If you say you don’t want to hear from us ever again, we keep the minimum amount information to make sure we leave you alone.
Making changes or getting access to the information we hold about you:
You can make a request to rectify, erase or object to or restrict the way your information is handled without undue delay. You can also ask to access the data we hold on you, ask for some of it to be transferred to another organisation or ask a human to intervene in an automated decision making process.
Where you withdraw your consent, this will not affect the lawfulness of the processing of your personal data prior to the withdrawal of your consent.
Should your request be one that we cannot process you will be informed of this, along with the reasons as to why your request cannot be carried out.
You can exercise your rights either verbally or in writing to:
Highbourne Group Ltd
Highbourne House, Eldon Way, Crick, Northants, NN6 7SL
T. 0330 678 0267
If you’re based in the EU/EEA and wish to contact us via our GDPR Representative, DataRep, you may do so at:
Should you make a request verbally we recommend that you follow this up in writing to provide a clear correspondence trail. Requests in relation to accessing your personal data, having your information erased or to opt out of marketing material can be made via: Our Privacy Portal.
If you are making a request on behalf of someone else please complete this form
We have an obligation to respond within one month of receiving your request. If your request is a complex one, the response time can be extended by up to two months. We will let you know about the extended response date, alongside an explanation, within the original one-month time frame.
If required, identification will be requested within the one-month time frame and only limited to what is necessary for confirmation. We might require a copy of your driving licence, passport or a utility bill. We will only request these details via Our Privacy Portal.
If we are not able to comply with a request we will inform you of this within the one-month time frame and provide an explanation outlining our justification.
Your right to complain
If you do not agree with our reasoning you can contact us at firstname.lastname@example.org or you can lodge a complaint with the supervisory authority:
Information Commissioner’s Office
Telephone: +44 303 123 1113 (local rate) or 01625 545745 (national rate)
Changes to this Privacy Notice
If we make changes to our privacy notice we will show you what they are here. If these changes are significant, we may also choose to email relevant individuals with new details. If we are required by law, we will obtain your consent to make these changes.