Dated: July 2019
Review Date: May 2020
Astral PS Ltd, The Old Co-op Building, 11 Railway Street, Glossop, Derbyshire, SK13 7AG
These definitions should help you understand this policy.
- “GDPR” refers to the Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data.
- “Personal Data” means any information that identifies or can be used to identify an individual directly or indirectly, including, but not limited to, first and last name, identification number, date of birth, email address, gender, occupation, or other demographic information.
- “Website” means all content included in our domains: Foundations.uk.com, FindMyHia.org and AdaptMyHome.org.uk.
- “Services” means anything provided by Astral PS Ltd to our Clients and Customers. This includes verbal, written and face to face services delivered by a range of Astral PS Ltd employees.
- “Channels” means the various means by which we may collect information including our Website, the Services, social media pages, HTML-formatted e-mail messages and through offline sales and marketing activities.
- “we,” “us,” “our,” “CEL,” “Foundations,” and “Astral,” refer to Astral PS Ltd, a company registered and operating in the UK and governed by UK law.
- “Website Visitor” refers to anyone visiting our Website.
- “User” refers to the person or entity that uses our Services. They may have accessed our website, attended a training event or utilised one of our IT systems.
This policy was last updated in July 2019.
- By email: email@example.com
- Or write to us at:
Astral PS Ltd, The Old Co-op Building, 11 Railway Street, Glossop, Derbyshire, SK13 7AG
This document outlines how Astral PS Ltd and trading partners collect and use your data as well as outlining your rights to control its use. This policy applies to all data that we have collected or collect related to you.
Your Personal Data
5. Information we collect
a. Information You Explicitly Give Us
Your personal data will include one or more of the following: Your email, first name, last name, your organisation, your job role, your work address or your telephone number.
We collect information about you when you explicitly register to receive information from us. This can include but is not limited to collection through our website or direct interaction. We also collect information when you apply to attend events/training courses, apply to use our services or voluntarily complete our surveys/evaluation. We will only ever collect data from you if required to deliver a service to you such as:
- Subscribing to any newsletters or publications
- Submitting your information to us via an online contact form
- Communicating with us through our online chat
- Submitting to attend a roadshow, event, meeting or training event
- To process applications for Foundations services in accordance with the requirements of our commissioners
- Entering into an arrangement to provide consultative services
- Entering into a licence agreement for one of our IT systems: HIACM, DFG Tenders or DFG Analytics
N.B. – In our capacity as the National Body for Home Improvement Agencies (HIAs) who also lead on the improvement of the DFG in England, we have a legitimate interest in processing the information of all HIAs and DFG services in England.
b. Information We Collect Automatically
When you use the Services or browse our Website, we may collect information about your visit to our Website, your usage of the Services, and your web browsing. That information may include:
- Your network routing information (where you come from).
- Your Internet Protocol (IP) address, which is used to connect your computer to the Internet and may identify your general geographic location or company.
- Your computer and connection information such as browser type, version, and time zone setting, browser plug-in types and versions, operating system, and platform.
6. How we use your personal data
The way we use your information will depend on which of our services you use, receive information/updates from or attend.
a. To allow you to subscribe to our services and purchase our products; including raising invoices and holding a nominated account administrator.
b. To provide support and improve the services we offer as well as improve customer relationships.
c. To keep you up to date with new products or service developments, or updates to current products or services including: new system features, new events/courses or guidance applicable to your own services.
e. To post testimonials and feedback which you have made public; you can request deletion at any time in line with this policy.
f. To provide relevant suggestions to you based on your preferences if you have opted in. We use tracking technologies to help with this.
g. Track and evaluate marketing campaigns including email marketing.
h. To share personal data with third parties who provide services to us, provided that the third party has executed any data processing documentation required by law.
i. To share personal data with third party organisations following meetings, events or training with your explicit consent.
j. To meet legal requirements.
You can opt-out of all communications at any time by contacting us here.
7. What personal data we share and disclose to third parties
We will NEVER sell your personal data to anyone. We may share your personal data with our third-party service providers in order to provide our services. This may include analytics, event management, direct marketing and communications, relationship management, website management and similar services. In all these cases we have a contract in place that restricts their use of your personal data to providing the service only. That use is subject to the terms in this policy and is outlined in the contract we hold with them as our data processor.
We may disclose your personal data as we believe to be necessary or appropriate:
- under applicable law, including laws outside your country of residence;
- to comply with legal process;
- to respond to requests from public and government authorities such as through FoI (Freedom of Information) requests; and
Additionally, in the event of a reorganization, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets or stock (including in connection with any bankruptcy or similar proceedings), we may transfer the Personal Data we have collected to the relevant third party.
8. Public information and third-party websites
Social media: we maintain a presence on several social media platforms including Twitter, Facebook and LinkedIn. Any information you share on social media is done at your own risk without any expectation of privacy and is done so in line with the privacy policies of those platforms.
Cookies and other tracking technologies
Yes, cookies are text files placed on your computer to collect standard internet log information and visitor behaviour information. This information is used to track visitor use of the website and to compile statistical reports on website activity.
For further information, visit www.aboutcookies.org.uk or www.allaboutcookies.org.
10. What types of cookies do we have?
Own cookies: These cookies are sent to your terminal from a computer or domain managed by us.
Third party cookies: These cookies are sent to your terminal from a computer or domain that is not managed by us but by another entity. For example, we use Google Analytics to measure the traffic on our website. See the third-party service providers section below for more details.
11. How you can control or delete cookies
You can set your browser to reject cookies and the above websites tell you how to remove cookies from your browser. However, in a few cases some of our website features may not function as a result. Please consult with your browser documentation for help with cookie management.
12. Data collected for and by you
If you give us information you have collected from any individuals (for example, if you include personal data, including but not limited to email addresses, names, organisations and job roles, when registering for one of our events), you are responsible for making sure that you have the appropriate consent and permission for us to collect, post and process information about these individuals. We may transfer Personal Data to third party service providers with whom we have entered into a contract that protects personal data and restricts their use of any personal data consistent with this policy.
Your data protection rights
13. How you may exercise your rights
You have several rights under GDPR to your information.
- The right to be informed – you have the right to know how we collect and use your personal data.
- The right of access – you have the right to request a copy of the information we hold about you.
- The right to rectification – you have the right for the data held on you to be accurate.
- The right to erasure – you have the right to request that we erase all the information we hold about you.
- The right to restrict processing – you have the right to restrict how we use your data at any time.
- The right to data portability – if you wish your Personal Data to be processed by another company, Astral will provide you with the portability of your data to the new data controller.
- The right to object – you have the right to object to the processing of your personal data in certain circumstances.
Please see the ICO website for more information on these rights.
We will give you access to any Personal Data we hold about you within 30 days of any request for that information. Individuals may request to access, correct, amend, or delete information we hold about them. Unless it is prohibited by law, we will remove any Personal Data about an individual from our servers at your or their request. There is no charge for an individual to access or update their Personal Data.
If you would like a copy of some or all of your personal information, please email: firstname.lastname@example.org
Or write to us: Astral PS Ltd, Unit 11, The Old Co-op Building, Railway Street, Glossop, SK13 7AG.
14. Accuracy and data retention
We want to make sure that your personal information is accurate and up to date. You may ask us to correct or remove information you think is inaccurate at any time.
Our data retention policy dictates how long we will retain data unless there is a legal requirement to store your data longer.
15. Children's privacy
We endeavour to comply with applicable laws relating to collection and use of data from children. If you believe that we have information from a child, please contact us immediately and we will take reasonable steps to remove that information.
16. Notice of breach of security
We take reasonable and appropriate measures to protect Personal Data from loss, misuse, and unauthorised access, disclosure, alteration, and destruction, considering the risks involved in the processing and the nature of the Personal Data.
If a staff member, trustee or associate becomes aware of a breach in the data protection or privacy of people around the data we hold, a nominated member of staff will be informed immediately. The lead will then action this, including contacting the Information Commissioner's Office if necessary. We undertake to inform users within 72 hours and then report the action we took in response.
We will notify you as soon as possible if a security breach caused any unauthorised intrusion into our system. We will also report the action we took in response.
We only use service providers that enter into agreements with us whereby the service provider commits to take the appropriate measures to protect Personal Data and be compliant with GDPR.
17. Third-party service providers
We use several third-party service providers to help us carry out our work effectively. To be transparent and provide you with as much information as we can about who our third-party service providers are, we list below the ones that may keep Personal Data, the types of information they keep, and a description of how we ensure GDPR compliance through their contracts. We do not own or manage any of the below third-party service providers and cannot accept responsibility for their privacy policies or terms of service.
We use Office 365 (Outlook, Calendar, OneDrive, SharePoint and Teams) for communication, storage and collaboration; therefore some Personal Data related to our Services is stored on Microsoft’s systems. Microsoft provide storage space in the UK for their UK based customers and are fully committed to GDPR and secure data storage.
We use several features of G Suite (Drive) to store and generate forms to send to clients and as such Personal Data is processed through this service.
Google is a US company, the data of which are in Google Cloud Locations. As described in their Privacy Shield certification, they comply with the EU-US and Swiss-US Privacy Shield as set forth by the US Department of Commerce regarding the collection, use, and retention of Personal Data from European Union member countries and Switzerland, respectively.
We use Mailchimp to deliver our newsletters and other email communications. Mailchimp stores Personal Data about your name, email, organization and other information provided by you.
Mailchimp has servers located around the US. Mailchimp is a registered trademark of the Rocket Science Group, a US company, the data of which are in the US. Mailchimp has certified that they comply with the US-EU Safe Harbour Framework, and the US-Swiss Safe Harbour Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of Personal Data from European Union member countries and Switzerland.
As described in their knowledge base, Mailchimp are ‘committed to achieving compliance with the GDPR and is mindful of [y]our compliance efforts.’ We have signed a Data Processing Addendum as an additional means of meeting the adequacy and security requirements of the GDPR. For more information about the way in which Mailchimp is committed to achieving compliance with the GDPR, see About the General Data Protection Regulation.
We use Freshdesk by Freshworks, Inc. as our ticketing service and help desk software. Freshdesk keeps Personal Data about your name and email, as well as any other information you may have disclosed while interacting with us to receive support.
Freshworks Inc. is a US company, the data of which are in Freshworks Data Hosting. As described on their website, they are fully committed to being compliant with the GDPR and confirm that they comply with the US-EU Safe Harbour Framework and the US-Swiss Safe Harbour Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Data from European Union member countries and Switzerland.
Xero is used as our main accountancy system for the day-to-day management of the organisation's finances including BACS payments and invoice generation.
More information on Xero's compliance with the GDPR can be found here.
HubSpot is used as our main CRM system and holds contact information for users who have accessed or are applying to access our services. HubSpot holds information in a linear timeline (including: emails, notes and attachments) to support our users with an application to access our services. HubSpot also creates web-based forms that are embedded within our own websites to enable our users to communicate with us. The data stored relates only to your Organisation and your role within it.
More information on HubSpot’s GDPR policy can be found here.
We use Eventbrite for registration to some of our events including roadshows, meetings and training courses. Eventbrite processes [including but not limited to] your name, your email address, your organization and your job role on our behalf.
The information provided is used to issue the tickets for which you are applying. We use this information to manage the event you are booking to attend including but not limited to sending communications about the event, creating name badges and updating you on any event changes.
We use Bookwhen for registration to some of our meetings and training courses. Bookwhen processes [including but not limited to] your name, email address, your organisation and your job title on our behalf. The information is used to issue tickets for the course or meeting for which you are applying. We use this information to manage the event you are booking to attend including but not limited to sending communications about the event, creating name badges and updating you on any changes.
We use Rowshare to collect data for our partner agencies who are delivering services utilising our Grant and Hardship funding. Use of Rowshare and the storage of Personal Data is managed via contractual agreements with each partner.