Privacy Policy
Who We Are
iGrass is a trading division of Landscaping Trade Supplies.
The expression “we”, where used in this Policy, means iGRASS and the expressions “us” and “our” should be read accordingly.
About This Privacy Policy
We are committed to protecting and respecting the privacy of customers, suppliers, their employees and workers and other individuals with whom it communicates. For the purposes of the relevant data protection legislation, including the General Data Protection Regulation, the “data controller” is iGRASS.
This Privacy Policy sets out the basis on which we collect personal data (as defined below) from you and the way in which it will be processed by us. Please read this Privacy Policy carefully to understand our policy and practices regarding personal data and how we shall treat it.
It is important that you read this Privacy Policy together with any other privacy notice or fair processing notice that we may provide on specific occasions when we are collecting or processing personal data about you, so that you are fully aware of how and why we are using your personal data. This Policy supplements any other such notices and is not intended to override them.
If you have any questions about this Policy, or if you wish to send us a request to exercise any of your legal rights (which are described elsewhere in this Privacy Policy), please contact us at info@igrass.co.uk or 08000 884 339.
Purpose for which we collect information
We shall only use your personal data to the extent that the law allows us to do so. Most commonly, we will use personal data in the following circumstances:
- To provide products and services to you or to the organisation by which you are employed or engaged, either at your or your organisation’s request or in order to fulfil an existing contract;
- Where we need do so in order to comply with a legal or regulatory obligation; or
- Where it is necessary to do so for our legitimate interests pursued by us or a third party and your interests and fundamental rights do not override those interests. “Legitimate Interest” means our interest in conducting and managing our business to enable us to give you the best service or product and a secure experience, and the interest of our business generally. We ensure that we consider and balance any potential impact on you and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to do so by law).
Types of Personal Data We Collect
“Personal data” means any information which identifies (or from which we can identify) a natural person, as opposed to a company or other organisation. We may collect, use, store and transfer the following different kinds of personal data about individuals:-
- “Identity Data”, which comprises an individual’s first name, last name and title;
- “Contact Data”, which comprises an individual’s address, email address and telephone number(s);
- “Financial Data”, which comprises an individual’s bank account or payment card details;
- “Transaction Data”, which comprises details about payments made by an individual to us or by us to an individual (if you are a sole trader) or the organisation by which the individual is employed or engaged, and details of services that the individual or organisation has purchased from us;
- “Technical Data”, which comprises an individual’s IP address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the device(s) used to access our website;
- “Usage Data”, which comprises information about how an individual uses our website, products or services; and
- “Marketing and Communications Data”, which comprises an individual’s preferences in receiving marketing from us or third parties on our behalf, and the individual’s communication preferences.
Aggregated Data
We may also collect, use and share “Aggregated Data”, such as statistical or demographic data. Aggregated Data may be derived from an individual’s personal data but does not constitute “personal data” in law as it does not directly or indirectly reveal an individual’s identity. For example, we may aggregate (i.e. combine with information relating to others) Usage Data to calculate the percentage of users accessing a specific feature of our website. However, if we combine or connect Aggregated Data with your information so that it can directly or indirectly identify an individual, we treat the combined data as personal data and use it strictly in accordance with this Privacy Policy.
Special Categories of Personal Data
“Special Categories of personal data” means information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying an individual, data concerning an individual’s health or data concerning an individual’s sex life or sexual orientation.
The processing of Special Categories of personal data is prohibited except in certain limited circumstances. We shall only collect and use Special Categories of personal data where such circumstances apply.
Minimum Required Data
Where we need to collect personal data by law, or in order to provide products or services that we have agreed to provide to an individual or the individual’s organisation, and the individual fails to provide the minimum required data when requested, we may not be able to provide that advice or those services and may as a consequence have to cancel our agreement to provide the products or services in question. In that event we shall notify the individual or the organisation accordingly. For example, if the individual is a sole trader and has asked us to open a trading account, we may ask for details of trade references in order to assess the application and complete our identity, money laundering and credit checks before we are able to open an account for the individual.
How and When Do We Collect Personal Data?
We may collect personal data on an individual in the following ways:
- Where the individual voluntarily provides it to us.
When an individual instructs us to provide products or services, agrees to receive communications from us, sends us an email, requests a price quotation or other information about us or the products or services that we provide, fills in forms on our website, completes one of our customer surveys or provides us with information about themselves when attending a seminar or other marketing event or communicates with us in any way, that individual is voluntarily giving us information that we collect. We also collect information given to us when we contact an individual for the purpose of providing products or services, providing a price proposal or other information or managing our business relationship with the individual or the individual’s organisation. That information may include an individual’s Identity Data, Contact Data, Financial Data, Transaction Data and Marketing or Communications Data.
- Information that we collect automatically.
When an individual browses our website, we may collect information about that visit and the individual’s browsing. That information may include the individual’s Technical Data and Usage Data. We may collect this information as a part of log files as well as through the use of cookies or other similar technologies. Our use of cookies and similar technologies is explained more fully in our Cookie Policy.
- Telephone conversations
We record all telephone calls received [or made] by us. This is done for security purposes, in particular in order to ensure the security and safety of our staff, and also for the purpose of keeping a record of the call for customer relationship management purposes. Through these calls we may collect primarily Identity Data, Contact Data, Transaction Data or Marketing and Communications Data.
- Information from other sources.
From time to time we may obtain information about an individual from third party sources, such as public databases (for example, Companies House), and other third party data providers. We take steps to ensure that such third parties are legally permitted or required to disclose such information to us. Examples of the information that we may receive from other sources include: demographic information, device information (such as IP addresses), location, and online behavioural data (such as, page view information and search results and links) from analytics providers and search engine providers (for example, Google based outside the EU). We use this information, alone or in combination with other information (including personal data) that we collect, to enhance our ability to provide relevant marketing and content to the individual and to develop and provide the individual or the organisation with other relevant products and services.
How We Use Personal Data
We have set out below a description of all the ways in which we intend to use any personal data, and the legal bases on which we intend to rely on in order to do so. We have also identified what our Legitimate Interests are where appropriate. Further information about how we assess our Legitimate Interests against any potential impact on you in relation to specific activities can be obtained by contacting us at info@igrass.co.uk. We may use and disclose personal data for the following purposes:
a) Provision of products and services
In processing an individual’s order (or opening a trading account) whether placed for the individual’s account or on behalf of the individual’s organisation, we will use the individual’s Identity Data, Contact Data, Financial Data, Transaction Data and Marketing and Communications Data in order to provide the individual or organisation (as he case may be) with our products and services, which includes managing, processing and despatching orders as well as processing payments. We will also use this information to manage customer or credit accounts and to keep adequate records of the customer’s past purchases, as well as to contact the individual regarding orders placed.
b) To manage our relationship with customers
We may send to an individual important updates about changes to our products or services, including details of new, updated or withdrawn product lines and technical information or information relating to use or maintenance. We may also send to the individual information electronically about products or services which are similar to those that the customer has already purchased from us previously, although we shall not do this where the individual is purchasing goods or services for his or her own personal use and has “opted out”. Where an individual has purchased products or services from us, we may also ask the individual to complete a review or survey about his or her recent purchase. This is necessary in order to keep the individual or organisation updated about any products or services that have been purchased, develop our range of products and services, and grow our business. We also keep records of conversations that we have had in the past in order to maintain and develop our relationship with the individual or organisation; however, we will never store sensitive (or “Special Categories” of) personal data about you for this purpose without your explicit consent.
c) Marketing
If it is in our Legitimate Interests to do so or we currently provide a individual or organisation with products or services and the individual or organisation has not previously asked us not to do so, we may send, or permit selected third parties to send, to an individual (either for the individual’s own account or as the representative of the organisation, as the case may be) other forms of marketing, for example regarding other products and services that we provide . We shall make sure it is clear when we require permission to do this: for example, we have an online form and boxes that the individual must tick in order to consent to receiving such marketing materials. An individual has the right to withdraw consent to receiving direct marketing at any time by contacting us.
d) Advertising
We may use the information that we collect in order to deliver relevant website content and advertisements to individuals or organisations, and to measure or understand the effectiveness of the advertising we provide. We may also use data analytics to improve our website, products and services, marketing, customer relationships and experiences. This is in order for us to be able to study how clients use our products or services and develop them, to grow our business and to inform our marketing strategy. For more information on how we use cookies or other similar technologies for these purposes, as well as how to opt-out of the use of cookies, please visit our Cookie Policy.
e) To administer and protect our business and this website
We may also use your information in order to protect our business and our website, and to help us monitor or improve the advice or services that we offer. This includes troubleshooting, statistical and data analysis, testing, system maintenance, support, reporting and hosting of data. We also use personal data to improve our website so that content is presented in the most effective manner for individuals and their computers, and as part of our efforts to keep our site safe and secure. This is necessary for the running of our business, provision of administration and IT services, network security and prevention of fraud. We may also need to use personal data in the context of a business reorganisation or restructuring exercise.
f) Other purposes
We shall only ever use personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another lawful reason and that reason is compatible with the original purpose. If an individual requires an explanation of why we are using personal data or the legal basis on which we are using it, a request may be made by contacting us at info@igrass.co.uk Should we ever need to use personal data for an unrelated purpose, we shall notify the individual and shall explain the legal basis which allows us to do so. Please note that we may process personal data without the individual’s knowledge or consent where this is required or permitted by law.
When May We Share Personal Data?
We require all third parties to respect the security of personal data and to treat it in accordance with the law. We do not allow our third-party suppliers or service providers to use personal data of which we are the controller for their own purposes and only permit them to process it for specified purposes and in accordance with our instructions. We shall not share your personal data with any third parties for marketing purposes without the individual’s express consent. We may, however, share personal data with third parties in the following circumstances:
(a) Service Providers
We will share personal data with service providers where this is necessary in order to provide the individual or organisation with products or services that the individual or organisation has ordered. Examples of Service Providers include payment processors, hosting services, suppliers, sub-contractors and delivery services. We may also need to share personal data with third party software or IT support providers for the purpose of system administration, data security, data storage, back up, disaster recovery and IT support.
(b) Advertising partners
We and our third party partners may use cookies and other tracking technologies, such as pixels and web beacons, to gather information about an individual’s activities on our website and other sites in order to provide the individual with targeted advertising based on his or her browsing activities and interests. For more information about cookies and other tracking technologies, please visit our Cookie Policy.
(c) To transfer information in the case of a sale, merger, consolidation, liquidation, reorganisation, or acquisition
We may share personal data with third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this Privacy Policy.
(d) To protect the rights, property, or safety of our business and other customers
We reserve the right to disclose or share an individual’s personal data in order to comply with any legal or regulatory requirements, enforce our terms and conditions (or any other agreement we enter into with the individual or organisation), or to protect the rights, property, or safety of our business and other customers. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction. We may also need to share information with HM Revenue & Customs, regulators and other authorities acting as processors based in the United Kingdom, who require reporting of processing activities in certain circumstances. We may also share an individual’s personal data with our professional advisers including lawyers, bankers, auditors, accountants and insurers based who provide legal, financial and banking, audit, insurance, accounting and consultancy services.
Third Party Websites
Our website may include links to external third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about the individual. We do not control these third-party websites and are not responsible for their privacy statements. Individuals leaving our website are encouraged to read the privacy notice of every website subsequently visited.
International Transfers
Some of our trading partners are based outside the European Economic Area (“EEA”). Accordingly, their processing of your personal data will involve a transfer of data outside the EEA. Whenever we transfer personal data out of the EEA, we ensure that an adequate degree of protection is afforded to it by ensuring that at least one of the following safeguards is implemented:
- We will only transfer personal data to countries which the European Commission has decided provide an adequate level of protection for personal data. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries.
- Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection that it receives in the EEA. For further details, see European Commission: Model contracts for the transfer of personal data to third countries.
- Where we use service providers based in the US, we may transfer personal data to them if they are part of the Privacy Shield Network, which requires the provision of a level of protection acceptable to the European Commission of personal data shared between the Europe and the US. For further details, see European Commission: EU-US Privacy Shield.
Where Will We Store Personal Data
All personal data that provided to us is stored on our secure servers and copied and archived on our behalf by an outsourced cloud service provider. We use our best endeavours to ensure that all personal data is treated securely and in accordance with this Policy and comply with the relevant data protection legislation within the United Kingdom. This includes examining the security procedures of our service providers.
We have put in place appropriate security measures to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify individuals affected and any applicable regulator of a breach where we are legally required to do so.
Please note that the transmission of information via the internet is not completely secure. Although we shall do our best to protect all personal data, we cannot guarantee the security of data transmitted to our site; any transmission is at the individual’s own risk. Once we have received an individual’s personal data, we shall use effective safeguarding procedures and security features to try to prevent any unauthorised access to it.
How Long Will We Retain Your Personal Data?
We will only retain personal data for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of personal data, the purposes for which we process it whether we can achieve those purposes through other means, and the applicable legal requirements. Details of retention periods for different aspects of an individual’s personal data are available in our retention policy which you can request from us by contacting us.
In some circumstances we may anonymise an individual’s personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
When an individual has given us your consent to contact him or her for marketing purposes, we shall contact the individual every [three] years from the date on which permission was originally given, to ensure that the individual still wishes to be contacted in this way.
In some circumstances an individual can ask us to delete his or her data: see the “Right to be Forgotten” section below for further information.
Subject Rights
Under certain circumstances, an individual has the following rights:
- to request that we provide the individual with a copy of the personal data that we hold about him or her (“Access Request”);
- to request that we rectify any personal data that we hold about an individual (“Right to Rectification”);
- to request that we erase any personal data that we hold about an individual (“Right to be Forgotten”);
- to restrict the level of processing we carry out with an individual’s personal data (“Restriction of Processing”);
- to obtain from us all personal data that we hold about an individual in a structured, machine readable form, and have this information transmitted to another organisation (“Data Portability”);
- to object to our processing personal data in certain ways (“Right to Object”); and
- to withdraw consent at any time to our processing of his or her personal data.
Please see the relevant sections below for further details on an individual’s rights as a data subject.
Any of these rights may be exercised by emailing us at info@igrass.co.uk. An individual also has the right to lodge a complaint with the Information Commissioner’s Office if unhappy in any way with how we have treated his or her personal information. We would, however, appreciate the opportunity to deal with an individual’s concerns before a complaint is made to the Information Commissioner’s Office, and would therefore ask individuals please to contact us in the first instance.
We shall comply with any request made under this section as soon as possible, and normally within one month from the date on which the request is received. However, if necessary, for example if the request is particularly complex or we receive a number of similar requests, we may extend this period by an additional two months, but we shall notify the individuals who have made if we need to do this.
Individuals will not usually have to pay a fee to access personal data (or to exercise any of their other rights). However, please note that where we receive requests under this section which are manifestly unfounded or excessive, for example because they are repetitive in nature, we may:
- charge a reasonable fee taking into account the administrative costs of providing the information or taking the action requested; or
- refuse to act on the request.
We may need to request specific information from an individual to help us confirm an individual’s identity and verify his or her right to access their personal data (or to exercise any other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact an individual to ask for further information in relation to the individual’s request in order to speed up our response.
Access Request
An individual has the right to request a copy of the information that we hold about him or her at any time. This enables the individual to receive a copy of the personal data that we hold and to check that we are lawfully processing it. Please note that in most circumstances, we shall not make a charge for this. However, we may charge a reasonable fee based on administrative costs for any further copies requested.
Right To Rectification
An individual has the right at any time to ask us to rectify any personal data that we hold about him or her and which is incorrect or incomplete. This enables the individual to have corrected any incomplete or inaccurate data that we hold, though we may need to verify the accuracy of the any new data that the individual provides to us.
If we have disclosed any incorrect or incomplete data to any third parties, we shall inform them of any necessary amendments or corrections made to the personal data of the individual concerned.
Right To Be Forgotten
An individual has the right at any time to ask us to erase the personal data that we hold about him or her if:
- it is no longer necessary for us to handle that personal data for the purpose for which it was originally collected;
- the individual has withdrawn consent for us to hold that personal data (where consent was the basis on which it was collected or used);
- the individual objects to the processing of the data and there is no lawful overriding reason for us to continue processing it;
- the personal data was unlawfully processed; or
- we have to erase the personal data in order to comply with a legal obligation.
Please note, however, that we may not always be able to comply with a request of erasure for specific legal reasons: in that event we shall inform the individual of those reasons at the time when erasure is requested.
Restriction of Processing
An individual may ask us to restrict how we use his or her data in the following circumstances:
- 1. where the individual believes that the personal data we hold about him or her is inaccurate, he or she may ask that we refrain from using that data until we can verify the accuracy of it;
- 2. where we have unlawfully processed personal data, the individual may ask that we restrict our usage of it rather than erase it completely; or
- 3. where the individual has objected to our use of his or her personal data but we need to verify whether we have overriding legitimate grounds to use it.
Where we no longer need to hold personal data, the individual may nevertheless require us to retain it for the purpose of establishing, exercising or defending a legal claim; or
Data Portability
An individual has the right to obtain from us all personal data which he or she previously provided to us in a structured, commonly used and machine readable form, provided that such data was processed based on the individual’s consent, or for the purpose of a contract between us, and the processing was carried out by automated means. This right only applies to automated information for which the individual originally provided consent for us to use or where we used the information to perform a contract with the individual personally.
This will allow an individual to move, copy or transfer personal data easily from one IT environment to another (for example, if the individual wishes to change legal advisers). Alternatively, we can transmit such data directly to another organisation.
Please note that we shall not be able to comply with a data portability request if this will affect the rights and freedoms of others.
Right To Object
An individual has the right to object, on grounds relating to his or her particular situation, to our processing of his or her personal data where we are doing this for the performance of a task carried out in the public interest (about which we shall have advised the individual, if applicable), or where we are carrying out processing for the purposes of legitimate interests pursued by us.
An individual also has the right at any time to ask us not to process his or her personal data for direct marketing or profiling purposes (to the extent that such profiling is related to such direct marketing). We shall have informed the individual prior to obtaining his or her personal data whether we intend to process that personal data for this purpose, or if we intend to disclose it to any third party for such purposes.
If we process personal data for automatic decision making or profiling purposes (i.e. to analyse or predict an individual’s personal preferences or transaction history, and such profiling is automated) we shall inform the individual in advance, and will only do this where this is a necessary condition of entering into a contract between the individual and us, or where the individual has given us explicit consent to do so.
Right To Withdrawn Consent
Where an individual has given consent to the processing by us of any personal data, he or she has the right to withdraw that consent at any time. However, this will not affect the lawfulness of any processing carried out before consent is withdrawn. If an individual withdraws consent, we may no longer be able to provide legal advice or services to the individual or to the individual’s organisation. We shall advise the individual (and, if applicable, may inform other individuals in the same organisation) if this is the case at the time when consent is withdrawn.
In addition to any other way in which we make available to individuals the ability to withdraw consent to the processing of personal data, an individual may also withdraw consent at any time by contacting us at info@igrass.co.uk.