Privacy Policy
Privacy Notice and Policy: August 2025
|
Version No |
Date Issued |
Approved By |
Issued By |
|
v1.0 |
01.03.24 |
CIDO |
Head of Privacy, Data and Information Security |
|
v2.0 |
07.07.25 |
CEO |
Risk & Compliance Manager |
- POLICY STATMENT
This Privacy Policy sets out the basis upon which we process personal information, whether that information is provided to us by you directly or via a third party. This policy does not apply to our employees, contractors, agency staff, or job applicants as we have a separate notice that we provide directly to them.
This Privacy Policy (also referred to as Privacy Notice) applies to the entire Highbourne Group. When using terms such as “Highbourne Group”, “we”, “us”, or “our”, we are referring to the specific Highbourne company responsible for processing your information. We, along with our subsidiaries and affiliates
(together "Highbourne''), value and respect your privacy.
2. OUR PRIVACY PROMISE
The protection of your privacy and personal information is important to us. We make sure that not only do we have appropriate security measures in place, but that any other organisation we work with to provide a service also meets the same standard as us.
- We respect your privacy and marketing preferences. We will never sell your information or share it with other organisations for marketing without your consent.
2. When we ask for your information, we will clearly explain what we are collecting, why we need it, how we will use it, and how long we will keep it.
3. We will only collect and use your personal information if we have your permission or have a lawful basis for doing so.
4. We will only collect the minimum amount of information necessary to provide the product and services you have requested.
5. We will always be clear about what information we will collect about you and how we will use it.
6. We will only use your personal information for its original purpose and we will delete or anonymise it, when that purpose is no longer relevant.
7. If we receive information about you from others, we will verify that the other party has a lawful basis to share your information with us or we will delete that information
3. Types of information we collect and how we use it
|
Type of information we collect |
How we process the your information |
|
Personal identifiers, contacts, and characteristics (e.g., name, contact details, date of birth, job title, organisation you represent) |
- Provide quotes, estimates or appointments. |
|
Registration Data (Trading name, trading address, landline and mobile telephone numbers, email address, company registration number, company |
-Provide quotes, estimates, or appointments. |
|
Geographic Location |
- Arrange visits for surveys or installations. |
|
Telephone audio recordings |
- Respond to enquiries or complaints. |
|
CCTV video recordings |
- Detect and prevent criminal activity. |
|
Social media or other online identifying tokens or |
- Link with social media for advertising purposes. |
|
Usernames and passwords |
- Manage login sessions. |
|
Website usage data (e.g., browser type, OS, referral source, pages visited) |
- Examine and identify usage patterns to improve products and services. |
|
Payment details |
-Process orders. - Manage refunds and returns. |
|
Purchase history and trends |
- Manage rebates and supplier claim backs. |
|
Credit reference score |
- Manage rebates and supplier claim backs. |
|
Credit reference score |
- Manage credit accounts. |
|
Recorded Phone calls |
- Training and quality control. |
4. How we keep your information safe
We take great care to use appropriate administrative, technical, and physical safeguards designed to protect against accidental, unlawful, or unauthorised destruction, loss, alteration, access, disclosure or use.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal information, we cannot guarantee the security of information you submit via our website, and any transmission is at your own risk. Once we have received your information, we will take appropriate technical and organisational measures to safeguard your personal data against loss, theft and unauthorised use, access, or modification.
If you've registered for or created an account to use any of our online services, your account details may be password protected. You are responsible for maintaining the confidentiality of your password and for signing out when you are finished using our services.
Access to personal data is limited to those within our organisation who have a legitimate business need. Data processed by third parties is only done so under our explicit instruction and in accordance with their contractual obligations.
We require, through contractual agreements, that our service providers and processors only use or disclose personal information to perform services for us, as instructed by us, or to comply with legal requirements. They must also protect the privacy and security of this information in line with data protection obligation.
5. Data retention period
We only keep your personal information for as long as the purpose for which your information was provided exists, or as required to comply with a legal, or statutory obligation. For example, we are legally obliged to retain purchase records for 6 (six) years from the end of the last company financial year to which they relate.
Your personal information will be erased or anonymised when there is no longer a legal basis for retaining.
6. How we collect and receive your information
Most of the personal information we process is provided directly by you for one or more of the following reasons:
|
Quotation, Estimate or Appointment |
When you require a quote for products or services and arrange an appointment with us |
|
Account Application |
Purchasing products or service and applying for credit |
|
Account creation or using our online services |
Accessing our online systems or mobile apps |
|
Communication with us |
If you are an employee or worker within a supplier OR as an individual to exercise your rights |
|
CCTV |
Images captured/recorded by CCTV equipment |
|
Social media or other online identifying tokens or |
- Link with social media for advertising purposes. |
|
Personal data we collect using cookies and other similar technologies |
When you access and use our Site, our App, we and our third party partners may collect certain Behavioural Data and Technical Data using web beacons, pixels, tags and other similar technologies, which we generically refer to as “Cookies”. |
|
Visitors to our branches and other physical locations |
If you attend one of our branches, offices or other locations, we may process personal data that you volunteer in connection with your visit and any |
|
Job applicants |
If you apply for a job with us, we will collect and process the personal data you volunteer in connection with your application. |
|
Supplier mailing list |
Previous consent given to a supplier to share personal information |
|
Our partners |
Personal information shared by them with us when you have purchased a product/service in line with their terms and conditions |
|
Employer partnerships |
Your employer shares your details with us if you are working on a project or providing services to us |
|
Delegated Authority (individuals or companies who act on behalf of someone to make decisions on their behalf) |
Communication from the Delegated Authority |
|
Insurance company or broker |
Contact relating to a product or warranty |
|
Legal Authority or Financial Authority |
Sharing your information due to a lawful enquiry |
7. How we use your personal data
The General Data Protection Regulation (GDPR), including the UK's adopted version after Brexit, provides the lawful basis for our processing of your personal information. This lawful basis depends on how and why the information was collected or given to us. According to Article 6 of the GDPR, processing is only lawful if at least one of the following conditions is met.
|
1. |
the data subject has given consent to the processing of their personal data for one or more specific purposes; |
|
2. |
processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; |
|
3. |
processing is necessary for compliance with a legal obligation to which the controller is subject; |
|
4. |
processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller |
|
5. |
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. |
In the above context we are the controller, and you are the data subject, the GDPR further states that point (f) shall not apply to processing carried out by public authorities in the performance of their tasks.
This is set out below:
|
Marketing activities |
Marketing activities |
Legitimate basis for processing |
|
If we send you marketing communications by post and/or email/SMS |
We use your personal data, contact data and marketing and communications data to send you (or the organisation you represent) marketing communications by post and/or email/SMS. Our marketing will include press releases and information about us, our website, our App, our Branches, our Products and Services, any events we may hold and the offers and promotions we offer from time to time. |
We may use your data to send you relevant marketing content. It is in our legitimate interest to use your personal data to send our marketing to you by post. However, if you have expressly opted in to receive postal marketing from us, then our legal basis for sending postal marketing to you will be based on your consent. We will not send direct marketing to you by post if you have opted out of receiving postal marketing from us.
|
|
If we make telephone marketing calls to you |
We use your personal data, contact data and marketing and communications data to make marketing telephone calls to you (or the organisation you represent). Our marketing calls will include information about us, our trade account offering, our website, our App, our Branches, our Products and Services, any events we may hold and the offers and promotions we offer from time to time. We may also call you to offer assistance if you have started an online application for a trade account but have not been able to complete the process for any reason. |
We may use your data to send you relevant marketing content. We have a legitimate interest in using your personal data to make telephone
|
|
Provision of our Services |
Provision of our Services |
Legitimate basis for processing |
|
Browsing our site |
When you browse our website, we collect and process certain behavioural and technical data to help us understand how you are using and navigating our website. We do this so that we can better understand which parts of our website are more or less popular and improve the structure and navigation of our website. |
It is necessary for us to use your personal data to perform our obligations in accordance with any contract that may have with you for the Products and Services, or it is in our legitimate interest or a third party’s legitimate interest to use personal data in such a way to ensure that we provide access to our website in a secure and effective way and so that we can improve our website. |
|
If you request our appointment service |
If you request an appointment, we will use your personal data, contact data and any other information you volunteer to arrange to provide the service you have requested. |
We must use your personal data to fulfill our contractual obligations for the products and services we provide to you. It is also in our or a third party's legitimate interest to use your personal data as outlined above, to deliver the requested service and maintain high service standards. |
|
If you use the “Branch Locator” search tool on our Site |
We will use your post code to locate the nearest branch. If you choose to search using your location, we will process your device location data to carry out the search. |
It is in our legitimate interest or a third party’s legitimate interest to use personal data in such a way to ensure that we are able to help with your enquiry. However, we will only use your location data with consent. |
|
If you apply for an account |
If you wish to open an account with us, you will be required to complete an application form and provide your registration data.
|
Your personal data is used to meet our contractual obligations and support our legitimate interests in providing products and services, including managing and maintaining your City Plumbing account, and improving our website, products and services. |
|
Ordering/returning of products/services |
We may collect and process your personal data whether you are interacting with us on your own behalf or on behalf of any organisation you represent. You can purchase products in person in our branches. We also operate an online service which allows you to place an order for products online via your online account. If you wish to return any products you have purchased from us, we will collect and process your personal data, contact data. |
We must use your personal data to fulfill our contractual obligations for the |
|
If you participate in one of our promotions |
The administration of the My City Plumbing Rewards Programme requires the processing of your personal data, contact data, certain registration data, (where applicable), as well as any other personal data that you may have volunteered in relation to your rewards entry. This processing is necessary to administer the rewards associated with qualifying purchases. |
We must use your personal data to fulfill our contractual obligations (e.g. the |
|
Business efficiency and analytical processes |
To use software and tools containing artificial intelligence (AI) for business efficiency and analytical purposes. |
AI may be used to analyse emails / content you have provided to us such as
|
|
Customer Services |
Customer Services |
Legitimate basis for processing |
|
If you have a general question or need help with any issue concerning our website, our App or our Products and Services |
There are various ways in which you are able to contact us (see the “contact us” section under Help & Advice on our website). You can contact your local branch by telephone, via our “Contact Us”. You can also contact our customer services team by email or by phone or by completing the “contact us” form. |
We utilise your personal data to deliver quality customer service, including addressing your enquiries and complaints and enhancing our overall service standards. |
|
Using our App |
We may collect and process your personal data whether you are interacting with our App on your own behalf or on behalf of any organisation you represent. We may also link interactions within the App and the website. |
It is necessary for us to use your personal data to perform our obligations. We must use your personal data to fulfill our contractual obligations for the products and services we provide, manage your account, and uphold the legitimate interests of both you and us. This ensures that we can effectively administer your account, provide you with the full range of account features and benefits, and maintain secure access to the App. |
|
If you use our Chatbot Tool |
When accessing the Chatbot through our website, the |
We have a legitimate interest in using your personal data as described to respond to your enquiries, resolve any problems, and enhance our Products and Services, website, and App. |
Where other laws and regulations require us to process your information, we do so under a legal obligation; therefore, our lawful basis for processing would be legal obligation.
8. Sharing of your personal information
We do not sell or share your information in any manner not specified in this Privacy Policy. Your information may be shared within the Highbourne Group of companies to:
● Manage your account (including credit accounts).
● Fulfil a service or product order which you have placed with one of our companies.
● Comply with the terms of a promotion, or other activity which you have consented to.
● To conduct marketing activities for our other products and services, with your permission
We use service providers to help our business operate effectively and maintain our services. We work with many suppliers, and we might share your personal information with them depending on which organisation, product or service you use. This sharing allows them to provide the services to us, or your information may simply be held in their systems as a result of services they provide to us.
These suppliers, provide many services to our organisation including:
● Suppliers sending communications, which may include information such as product updates, quality assurance, safety measures and where product recalls are announced.
● IT service hosting, providing the physical locations where some of our IT systems reside.
● Software as Service providers, providing the actual cloud software which we use to deliver part of the services to you, or our administration functions, for example, our websites, a solution building application, one of our mobile applications.
● Providers of Software as a service, which provide AI (Artificial Intelligence) services to deliver some of our services to you, or our administration functions, for example, our websites, a solution building application, and our mobile applications.
● Courier service providers, to collect and deliver the items you have ordered.
● Providers of rebates or discounts, for the purpose of calculating or processing your rebate or discount in schemes in which you have participated.
● Credit referencing agencies, in order to process any application for credit.
● Fraud screening agencies, to identify and detect fraud and ensure compliance with our terms and conditions.
● Marketing agencies, if you have given consent to take part in promotional activities for us.
● Card payment services, to facilitate our card payments.
● Providers of financial management services identify duplicate payments and outstanding debts.
● Debt recovery agencies, chase or manage debtors.
● Social media platforms may use your email address to match it with their customer records. This enables them to carry out marketing activities that you have given your consent to.
● Third-party providers to conduct sales calls, sales recovery activities and marketing calls on our behalf. These providers may have access to limited personal data, such as your name and contact details, to carry out these activities. These services help us to improve your customer experience,
assist with incomplete transactions (e.g. cancelled appointments or abandoned baskets)
The data shared with third parties is restricted solely to what is necessary for them to deliver the service we have requested. They are prohibited from using this information for any other reason.
We implement contractual agreements with third parties to ensure that any shared personal information is protected in compliance with applicable data protection laws.
A full list of the parties that we may share your personal information with (sub processors) is located here: Highbourne Group Subprocessors
Your personal information may also be disclosed to third parties where we are required to by law, or other statutory obligations, including:
● Tax, customs, and excise authorities
● Regulators, courts, and the police
● Insurance companies
● Legal or professional advisors
We may also disclose your personal information if we believe that the disclosure is necessary to enforce, or apply our terms and conditions, or otherwise protect and defend our rights, property or the safety of our
customers and other users of our websites, systems, and mobile applications.
We may disclose and/or transfer your personal information, in connection with a reorganisation of all, or part of our business, if the majority of our shares are bought by another company, or if we transfer all, or some of our assets to another company.
9. Links to other websites/Third Party links
This Privacy Policy only applies to personal data processed by us through your use of our website, our App and/or in connection with our business operations. However, from time to time, our website may contain links to third-party websites and services. We have no control over these websites and services and this Privacy Notice does not apply to your interaction with the relevant third parties. If you use these links, you will leave our websites. You should note that we are not responsible for the contents of any third-party websites.
External sites will have their own privacy policies which you should read carefully
10 Sensitive information
The General Data Protection Regulation (GDPR) requires special protection for some data classified as ‘special category’. We do not typically collect this data from customers, website visitors, or suppliers. However, if we need to process ‘special category’ data, such as medical information related to a health and safety claim, we will obtain explicit consent or use another legal method.
11. Children's information
We do not knowingly collect or store any personal information of children under the age of 16, because the mechanisms whereby we collect personal information are not applicable to this age group.
12. Our marketing activities
We may send you direct marketing communications if you have previously consented to this or if we have an existing relationship with you, for example, if you have purchased products or services from us in the past.
If you have an online account you can access, update, and correct your personal information, including your marketing choices using the account management facilities.
You can opt out of receiving emails, or text marketing at any time, by using the unsubscribe option in any email message you receive. You can opt out of postal and telephone marketing by contacting us at marketing@cityplumbing.co.uk or completing our webform here.
We will ensure that prior to conducting any marketing activities, we will screen all proposed marketing recipients against our preference and marketing suppression lists and only perform marketing activities to
recipients which we have a lawful basis to do so, have opted in, and have not withdrawn their consent to marketing.
Prior to conducting live telephone marketing calls, we will ensure that the marketing campaign telephone numbers have been screened against the Telephone Preference Service (TPS), and Corporate Telephone Preference Service (CTPS), the telephone preference lists (TPL) which are published 28 days prior to the date of the marketing activity, and we will not call any number present on the TPL for marketing purposes.
13. Profiling
We may use direct, or anonymised information to engage in data analysis, data matching and profiling activities for a variety of purposes, including, but not limited to:
● Website Activity (cookie history)
● Business conduct
● Investigation and identification of fraud, money laundering and other potential unauthorised
activities
● Financial viability analysis/reports
● Business partner/client portfolio position, performance, risk positions
● Tax reporting
● Credit defaulting / exposure
14. Cookies
Cookies are little packets of data that sit on our website, in some cases to make it work, and in some cases to add additional services. For more information about cookies and how to look after them, including how to
turn them off, please visit our cookies policy Cookies Policy.
15. International transfers of personal information
If we need to use services outside the United Kingdom, your personal information may be transferred out of the UK. If this happens, we will ensure that your personal data receives a similar degree of protection by
implementing at least one of the required safeguards:
● the destination country has been deemed to provide an adequate level of protection for personal data by the UK’s Data Protection Authority; or
● We may use specific contracts approved for use in the UK, which give personal data protection equivalent to that required by the UK data protection laws.
16. Your Data Protection rights
Your Personal Information will be collected, stored, and processed by us in accordance with your rights under any applicable Data Protection Laws. You have the following rights in relation to your Personal Information, under certain circumstances:
|
Right of access |
You have the right to request details of the Personal Information which we hold about you and copies of such Personal Information. |
|
Right to withdraw consent |
Where our use of your Personal Information is based upon your consent, you have the right to withdraw such consent at any time. In the event you wish to withdraw your consent to processing, please contact us using the details provided below. |
|
Right to data portability |
You may, in certain circumstances, request us to port (i.e. transmit) your Personal Information directly to another organisation. |
|
Right to rectification
Right to erasure (‘right to be forgotten’) |
We want to ensure that the Personal Information about you that we hold is Information about you.
|
|
Right to restrict processing |
You can ask us to “block” or suppress the processing of your personal data in certain circumstances or you object to us processing it for a particular purpose. This may not mean that we will stop storing your personal data. At your request and where it is possible and lawful for us to do so, we’ll also tell you who we’ve shared your personal data with so that you can contact them directly. |
|
Right to object to processing |
You have the right to object to specific types of processing of your Personal Information, such as, where we are processing your Personal Information for the purposes of direct marketing. |
|
Rights in relation to automated decision-making |
In certain circumstances, you have the right not to be subject to decisions being taken solely on the basis of automated processing/decision making. |
|
Right to lodge a complaint |
If you do not agree with our reasoning you can contact our Data Protection Officer at privacyoffice@highbournegroup.co.uk or you can lodge a complaint with the supervisory authority:
|
If you withdraw your consent, this will not affect the lawfulness of the processing of your personal data prior to the withdrawal of your consent.
If we are unable to process any part of your request you will be informed of this, along with the reasons as to why your request cannot be carried out.
17. Exercising your rights
You can exercise all of your rights, as follows:
|
Change details, opt out of marketing, access |
|
|
If you are making a request on behalf of someone else, please note that we will need to verify the identity of the person whom it is for, and the authority of the requester before disclosing any personal data. |
|
|
For CCTV footage requests |
We are required to respond to your request within one (1) calendar month of receiving it, or after we have confirmed your identity, if necessary. This response time may be extended by up to two (2) calendar months for complex requests. If we need this extension, we will notify you of the new response date and the reason for the delay within the initial one-month period. If we need to verify your identity, we may ask for a copy of your driving licence, passport, or a utility bill within that one-month timeframe. We will only request the minimum information necessary to confirm your identity.
If we are unable to process any part of your request you will be informed of this, along with the reasons as to why your request cannot be carried out.
18. Our company details
These are the company registration details and the contact information for data protection matters.
|
Company |
Company Number |
Information Commissioner's registration number |
Website address |
|
Highbourne Group Limited |
06216887 |
Z224814X |
|
|
City Plumbing Supplies Holdings Limited (Trading as City Plumbing and PTS/Plumbing Trade Supplies in Great Britain) |
02489546 |
Z1656911 |
|
|
Direct Heating Spares Limited (Trading as Direct Heating Spares) |
05668463 |
ZB219027 |
|
|
National Shower Spares Limited (Trading as NSS and National Shower Spares) |
SC209728 |
Z2462678 |
|
|
PTS Group Limited (Trading as PTS and Plumbing Trading Supplies on the island of Ireland) |
02219435 |
ZA027503 |
|
|
The Underfloor Heating Store Limited (Trading as The Underfloor Heating Store) |
05687171 |
ZA108077 |
The companies listed above are registered in England and Wales. You can contact them by mail at: Highbourne House Eldon Way, Crick Industrial Estate, Crick, Northampton, United Kingdom, NN6 7SL Or you can email PrivacyOffice@highbournegroup.co.uk
Our EU office postal contact for data protection queries is: FOA Privacy Office, Unit 1, Block K, Ballymount Drive, Ballymount Industrial Estate, Dublin, Republic of Ireland, D12 YP92 Or email PrivacyOffice@highbournegroup.co.uk
19. Changes to this Privacy Policy
We may revise this Privacy Policy from time to time. When we make updates, the “Last Updated” date at the top of this document will reflect the changes. The revised Privacy Policy will be posted on our websites and on our intranet sites.