1. Company Information
Data Controller
Loft Restore is the data controller for the personal information we collect and process. Our details are:
Company Name: Loft Restore Limited
Company Number: 12345678
Registered Address: 123 Business Park, Manchester, M1 1AA
Phone: 0800 123 4567
Email: privacy@loftrestore.co.uk
Website: www.loftrestore.co.uk
Data Protection Officer
For data protection queries, you can contact our Data Protection Officer:
Email: dpo@loftrestore.co.uk
Address: Data Protection Officer, Loft Restore Limited, 123 Business Park, Manchester, M1 1AA
2. Information We Collect
Personal Information You Provide
We collect personal information you voluntarily provide when you:
- Request a quote or consultation
- Book an appointment or service
- Contact us via phone, email, or contact forms
- Subscribe to our newsletter or marketing communications
- Create an account on our website
- Leave reviews or feedback
- Apply for employment
Types of Personal Data
Data Category | Specific Information | Purpose |
---|---|---|
Contact Information | Name, address, email, phone number | Service delivery, communication |
Property Information | Property address, type, age, size, current insulation | Quote preparation, service planning |
Service Details | Service type, appointment dates, special requirements | Service delivery, scheduling |
Financial Information | Billing address, payment preferences | Billing, payment processing |
Communication Records | Email correspondence, call recordings, chat logs | Customer service, quality assurance |
Technical Data | IP address, browser type, device information | Website functionality, security |
Marketing Preferences | Communication preferences, interests | Targeted marketing, newsletters |
Automatically Collected Information
When you visit our website, we automatically collect:
- IP address and general location
- Browser type and version
- Operating system
- Pages visited and time spent
- Referring website
- Device type and screen resolution
Information from Third Parties
We may receive information about you from:
- Lead generation partners
- Social media platforms
- Credit reference agencies (for finance applications)
- Public databases and directories
- Other companies within our group
3. How We Use Your Information
Primary Uses
We use your personal information for the following purposes:
Service Delivery
- Processing and responding to enquiries
- Preparing quotes and estimates
- Scheduling appointments and services
- Delivering loft insulation services
- Providing customer support
- Managing warranties and aftercare
Business Operations
- Processing payments and managing accounts
- Maintaining business records
- Quality control and service improvement
- Staff training and development
- Health and safety compliance
- Insurance and legal compliance
Marketing and Communications
With your consent or legitimate interest, we may use your information to:
- Send marketing emails about our services
- Provide information about special offers
- Send newsletters and educational content
- Contact you about related services you might be interested in
- Invite you to leave reviews or provide feedback
Legal and Compliance
We may process your data to:
- Comply with legal obligations
- Establish, exercise, or defend legal claims
- Prevent fraud and ensure security
- Cooperate with law enforcement
- Meet regulatory requirements
4. Legal Basis for Processing
Under UK GDPR, we must have a legal basis for processing your personal data. Our legal bases include:
Contract Performance
Processing necessary to perform our contract with you or take steps to enter into a contract:
- Providing quotes and estimates
- Delivering loft insulation services
- Processing payments
- Managing appointments and scheduling
Legitimate Interests
Processing necessary for our legitimate business interests:
- Improving our services and customer experience
- Marketing to existing customers about related services
- Fraud prevention and security
- Business development and growth
- Staff training and quality improvement
Consent
Where you have given clear consent for specific processing:
- Marketing emails and newsletters
- Cookies and website analytics
- Sharing information with partners for quotes
Legal Obligation
Processing required by law:
- Tax and accounting records
- Health and safety compliance
- Building regulations compliance
- Consumer protection requirements
5. How We Share Your Information
Service Providers and Partners
We may share your information with trusted third parties who help us deliver our services:
Installation Partners
We work with certified installation teams who may need access to your contact and property information to deliver services. All partners are contractually bound to protect your data.
Categories of Recipients
- Installation Teams: Contact and property details for service delivery
- Payment Processors: Financial information for payment processing
- CRM Systems: Customer information for relationship management
- Marketing Platforms: Contact details for email marketing (with consent)
- Analytics Providers: Website usage data for performance analysis
- Cloud Storage: Secure data backup and storage services
- Accountants/Lawyers: As needed for professional services
Legal Requirements
We may disclose your information when required by law:
- To comply with legal proceedings or court orders
- To cooperate with law enforcement investigations
- To meet regulatory or tax obligations
- To protect our rights and interests
- To prevent fraud or other illegal activities
Business Transfers
If we sell, merge, or transfer our business, your information may be transferred to the new owners as part of the transaction. We will notify you of any such transfer.
International Transfers
We primarily process data within the UK. If we transfer data outside the UK/EEA, we ensure appropriate safeguards are in place:
- Adequacy decisions by the UK government
- Standard contractual clauses
- Binding corporate rules
- Certification schemes
6. Data Security
Security Measures
We implement appropriate technical and organizational measures to protect your personal data:
Technical Safeguards
- SSL encryption for website communications
- Encrypted data storage and backups
- Secure payment processing systems
- Regular security updates and patches
- Firewall and intrusion detection systems
- Multi-factor authentication for access
Organizational Safeguards
- Staff training on data protection
- Access controls and user permissions
- Regular security audits and assessments
- Data protection impact assessments
- Incident response procedures
- Vendor security requirements
Data Breach Response
In the unlikely event of a data breach, we will:
- Contain and assess the breach immediately
- Notify the ICO within 72 hours if required
- Inform affected individuals without undue delay
- Take steps to minimize harm and prevent recurrence
- Provide support and guidance to affected customers
Your Security Responsibilities
You can help protect your information by:
- Using strong, unique passwords
- Keeping login credentials confidential
- Logging out of accounts when finished
- Reporting suspicious activity immediately
- Keeping your contact information up to date
7. Data Retention
Retention Principles
We keep your personal data only as long as necessary for the purposes it was collected. Our retention periods are based on:
- Legal and regulatory requirements
- Business needs and legitimate interests
- The type and sensitivity of the data
- Risk of harm from unauthorized access
Specific Retention Periods
Data Type | Retention Period | Reason |
---|---|---|
Customer service records | 7 years after service completion | Warranty obligations, legal claims |
Financial records | 7 years from end of accounting period | Tax and accounting requirements |
Marketing communications | Until consent withdrawn + 30 days | Processing withdrawal requests |
Website analytics | 26 months | Business analysis and improvement |
Enquiry records (no service) | 3 years | Business development, follow-up |
CCTV footage | 30 days | Security and safety monitoring |
Employment records | 7 years after employment ends | Legal and tax obligations |
Data Disposal
When we no longer need your personal data, we securely delete or destroy it using:
- Secure deletion software for digital data
- Physical destruction of paper records
- Certified data destruction services
- Overwriting of storage media
8. Your Data Protection Rights
Your Rights Under UK GDPR
You have the following rights regarding your personal data:
Right of Access
You can request a copy of the personal data we hold about you, along with information about how we process it.
Right of Rectification
You can ask us to correct any inaccurate or incomplete personal data we hold about you.
Right of Erasure ('Right to be Forgotten')
You can request deletion of your personal data in certain circumstances, such as when it's no longer necessary for the original purpose.
Additional Rights
- Right to Restrict Processing: You can ask us to limit how we use your data in certain circumstances
- Right to Data Portability: You can request your data in a structured, machine-readable format
- Right to Object: You can object to processing based on legitimate interests or for direct marketing
- Rights Related to Automated Decision-Making: Protection against purely automated decisions that significantly affect you
Exercising Your Rights
To exercise any of these rights:
- Contact us using the details provided in this policy
- Provide sufficient information to verify your identity
- Specify which right you wish to exercise
We will respond within one month (extendable to three months for complex requests).
Right to Complain
If you're unhappy with how we handle your personal data, you have the right to complain to:
Information Commissioner's Office (ICO)
Website: www.ico.org.uk
Phone: 0303 123 1113
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
9. Cookies and Website Tracking
What Are Cookies?
Cookies are small text files stored on your device when you visit our website. They help us provide a better user experience and understand how our website is used.
Types of Cookies We Use
Cookie Type | Purpose | Duration | Consent Required |
---|---|---|---|
Essential Cookies | Website functionality, security, form submission | Session/1 year | No (necessary for service) |
Analytics Cookies | Google Analytics, website performance monitoring | 2 years | Yes |
Marketing Cookies | Facebook Pixel, Google Ads tracking | 1-2 years | Yes |
Preference Cookies | Language settings, cookie preferences | 1 year | No (user preference) |
Managing Cookies
You can control cookies through:
- Our cookie banner and preference center
- Your browser settings
- Third-party opt-out tools
- Privacy browser extensions
Third-Party Services
We use the following third-party services that may collect data:
- Google Analytics: Website traffic analysis
- Google Ads: Advertising and conversion tracking
- Facebook Pixel: Social media advertising
- Live Chat Software: Customer support
- CRM Integration: Lead management
10. Marketing Communications
Marketing Consent
We will only send you marketing communications if:
- You have given explicit consent
- You are an existing customer and we're marketing similar services
- You have not opted out of marketing communications
Types of Marketing
Email Marketing
- Service offers and promotions
- Educational content about loft insulation
- Seasonal maintenance reminders
- Customer satisfaction surveys
- Company news and updates
Targeted Advertising
- Google Ads based on website visits
- Facebook/Instagram advertising
- Retargeting campaigns
- Local area targeting
Opting Out
You can stop marketing communications at any time:
- Click "unsubscribe" in any marketing email
- Contact us directly to opt out
- Update your preferences in your account
- Use browser tools to block tracking
Legitimate Interest Marketing
For existing customers, we may market similar services based on legitimate interest. You always have the right to object to this processing.
11. Children's Privacy
Age Restrictions
Our services are intended for adults aged 18 and over. We do not knowingly collect personal information from children under 16 without parental consent.
If We Discover Child Data
If we become aware that we have collected personal data from a child under 16 without parental consent:
- We will delete the information as soon as possible
- We will not use the information for any purpose
- We will not share the information with third parties
- We will implement additional safeguards to prevent future collection
Parental Rights
Parents and guardians have the right to:
- Access their child's personal data
- Request correction or deletion
- Object to processing
- Withdraw consent at any time
12. Changes to This Privacy Policy
Policy Updates
We may update this privacy policy from time to time to reflect:
- Changes in our business practices
- New legal or regulatory requirements
- Updates to our technology systems
- Feedback from customers and regulators
How We Notify You
When we make significant changes, we will:
- Update the "Last Updated" date at the top of this policy
- Post a notice on our website homepage
- Send an email to registered customers (for material changes)
- Provide a summary of key changes
Your Continued Use
By continuing to use our services after changes are posted, you accept the updated privacy policy. If you disagree with changes, please stop using our services and contact us about data deletion.
Important: We recommend reviewing this privacy policy periodically to stay informed about how we protect your information.