OVERVIEW of this Policy and Commitments to Privacy at TASC Holdings Ltd

At TASC Holdings Ltd (“we”, “us”, “our”), we regularly collect and use personal data about customers who contact us by telephone and complete our online form situated on our website. Personal data is any information that can be used to identify you as an individual. The protection of your personal data is very important to us, and we understand our responsibilities to handle your personal data with care, to keep it secure and to comply with legal requirements.

The purpose of this privacy policy is to provide a clear explanation of when, why and how we collect and use personal data. We have designed it to be as user friendly as possible and have labelled sections to make it easy for you to find the information that is most relevant to you.

Please read this Policy carefully. It provides important information about how we use personal data and explains your legal rights. This Policy is not intended to override the terms of any contract that you have with us or any rights you might have available under applicable data protection laws.

We will make changes to this Policy from time to time, for example to keep it up to date or to comply with legal requirements or changes in the way we operate our business. We will make sure that you are aware of any significant changes by posting a notice on our website so that you are aware of the impact to the data processing activities before you continue to engage. We encourage you to regularly check back and review this policy so that you will always know what information we collect and how we use it.

Contents
1. WHO is responsible for looking after your personal data?
2. WHAT personal data do we collect?
3. WHEN do we collect your personal data?
4. What PURPOSES do we USE your personal data for and what is the LEGAL BASIS?
5. Who do we SHARE your personal data with?
6. Direct Marketing
7. Profiling
8. International Transfers
9. How long do we keep your personal data?
10. What are your rights?
11. Contact and complaints

1. WHO is responsible for looking after your personal data?

TASC Holdings Ltd is a British-based Plumbing and Heating company, with a registered office at 3 Kings Court, Sandycroft, Deeside, CH5 2FG, which operates the supply and installation of plumbing and heating systems including underfloor heating and renewable energy. We also specialise in the supply and application of floor screed services. We only carry out our services throughout the United Kingdom. Our business is about providing customers with a professional, high standard service whilst designing efficient heating systems that will reduce their carbon footprint and lower energy bills.

TASC Holdings Ltd is responsible for collecting information about you and is known as a Data Controller. There will be a single point of contact for TASC Holdings Ltd Data Controller who can be contacted using the details set out in Section 11 below.

2. WHAT personal data do we collect?

In relation to potential customers, historic customers and current customers we collect the following data:
• Information that you provide by filling in our contact form on our website.
• Details of any concerns if you contact us with a query, issue or complaint.
• Details of transactions for goods and services supplied by us.
• Your name, address, telephone number and email address to contact you with details or changes about your project.

This includes the collection of contact details over the telephone or via another method of enquiry such as calling into the office or at a trade show event.

We also use cookies through our website – they are small text files that are placed on your machine to help our website provide a better user experience. In general, cookies are used to retain user preferences, store information for things like shopping carts, and provide anonymised tracking data to third party applications like Google Analytics. However, you may prefer to disable cookies on our website. The most effective way to do this is to disable cookies in your current web browser.

3. WHEN do we collect your personal data?

Customers
• We will collect information from you directly when you complete our online contact form on our website.
• We will collect information from you directly when you contact us by telephone regarding details of your project.
• We will collect information from you directly when you show an interest in our goods and services via a trade show exhibition or by walking into our office.

We will not knowingly collect any personal data about you indirectly or without your consent. We will never purchase personal information from a 3rd party source.

4. What PURPOSES do we USE your personal data for and what is the LEGAL BASIS?

We will use your personal data to:
• ensure that content from our website is presented in the most effective manner for you and for your computer.
• provide you with information, products or services that you request from us or which we feel may interest you, where you have consented to be contacted for such purposes.
• carry out our obligations arising from any contracts entered between you and us.
• notify you about changes to our service.

We may also send you marketing materials (where we have appropriate permissions as explained in more detail below under Section 6). This process is likely to include profiling, and more information is provided at Section 7 of this Policy about this. We will also need to use your personal data for purposes associated with our legal and regulatory obligations.

We must establish a legal ground to use your personal data, so we will make sure that we only use your personal data for the purposes set out in this Section 4 where we are satisfied that:

• our use of your personal data is necessary to perform a contract or take steps to enter into a contract with you, or
• our use of your personal data is necessary to comply with a relevant legal or regulatory obligation that we are subject to (e.g. to comply with ICO requirements), or
• our use of your personal data is necessary to support ‘Legitimate Interests’ that we have as a business (for example, to improve our products, or to carry out analytics across our datasets), provided it is always carried out in a way that is proportionate, and that respects your privacy rights. Where required under separate laws, for example the Privacy and Electronic Communications Regulations, we will also ensure that you have opted in to receiving marketing materials – see Section 6 below for more details.

Before collecting and/or using any special categories of data we will establish an additional lawful ground to those set out above which will allow us to use that information. This additional exemption will typically be:
• your explicit consent;
• the establishment, exercise or defence by us or third parties of legal claims; or
• a specific exemption provided under local laws of EU Member States and other countries implementing the GDPR.

5. Who do we SHARE your personal data with?

We may share your data with third parties, to help manage our business and deliver services. These third parties include:

• service providers, who help manage our IT and back office systems, and assist with our Customer Relationship Management activities,
• our regulators, which include the ICO, as well as other regulators and law enforcement agencies in the E.U. and around the world,
• solicitors and other professional services firms (including our auditors).

Also, if we were to sell part of our businesses we would need to transfer your personal data to the purchaser.

We will never sell or provide your personal details to any 3rd party that would breach any Data Protection requirements.

6. Direct Marketing

We may use your personal data to send you direct marketing communications about our goods and services including promotions or any new products which we think you may be interested in. This will be in the form of email or post.

Where we require explicit opt-in consent for direct marketing in accordance with the Privacy and Electronic Communications Regulations we will ask for your consent. Otherwise, for non-electronic marketing or where we can rely on the soft opt-in exemption under the Privacy and Electronic Communications Regulations, we will be relying on our Legitimate Interests for the purposes of GDPR as further detailed in Section 4.

You have a right to stop receiving direct marketing at any time – you can do this by following the opt-out links in electronic communications (such as emails), or by contacting us using the details in Section 11.

We also use your personal data for customising or personalising advertisements, offers and content made available to you based on your visits to and/or usage of our attraction websites or other mobile applications, platforms or services, and analysing the performance of those advertisements, offers and content, as well as your interaction with them. We may also recommend content to you based on information we have collected about you and your viewing habits. This constitutes ‘profiling’, and more information is provided at Section 7 of this Policy about this.

7. Profiling

‘Automated Decision Making’ refers to a decision which is taken through the automated processing of your personal data alone – this means processing using, for example, software code or an algorithm, which does not involve any human intervention. We do not carry out any automated decision making; however, we do carry out profiling using automated processing to tailor marketing materials for a specific customer.

Where we have permissions to send a customer marketing updates, we may use profiling to ensure that marketing materials are tailored to your preferences and to what we think you will be interested in. In certain circumstances it will be possible to infer certain information about you from the result of profiling, which could include special categories of personal data, but we will not do this unless we have obtained your explicit consent to do so.

8. International Transfers

We may share your personal data overseas, for example if we receive a legal or regulatory request from a foreign law enforcement body. We will always take steps to ensure that any international transfer of information is carefully managed to protect your rights and interests. We will either:
• only transfer your personal data to countries which are recognised as providing an adequate level of legal protection in accordance with Article 45 of the GDPR; or
• ensure that transfers outside the European Union are subject to an appropriate legal safeguard – for example, the EU Model Clauses pursuant to Article 46(2) of the GDPR and/or the EU – U.S. Privacy Shield for the protection of personal data transferred to the US.

9. How long do we keep your personal data?

We will retain your personal data for as long as is reasonably necessary for the purposes listed in Section 4 of this Policy. All our records are kept for a minimum of 6 years; however, our MCS related installations require a minimum of 10 years under the MCS legislation.
Where we are required to do so to meet legal, regulatory, tax or accounting requirements, we will retain your personal data for longer periods of time, but only where permitted to do so, including so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a possibility of legal action relating to your personal data or dealings.

Where your personal data is no longer required, and we do not have a legal requirement to retain it, we will ensure it is either securely deleted or stored in a way such that it is anonymised, and the Personal Data is no longer used by the business.

10. What are your rights?

You have several rights in relation to your personal data. In summary, you have the right to request: access to your data; rectification of any mistakes in our files; erasure of records where no longer required; restriction on the processing of your data; objection to the processing of your data; data portability; and various information in relation to any automated decision making and profiling or the basis for international transfers. You also have the right to complain to your supervisory authority.

To exercise your rights, you can contact us as set out in Section 11. Please note the following if you do wish to exercise these rights:
• Identity. We take the confidentiality of all records containing personal data seriously and reserve the right to ask you for proof of your identity if you make a request.
• Fees. We will not ask for a fee to exercise any of your rights in relation to your personal data, unless your request for access to information is unfounded, repetitive or excessive, in which case we will charge a reasonable amount in the circumstances.
• Timescales. We aim to respond to any valid requests within one month unless it is particularly complicated, or you have made several requests, in which case we aim to respond within three months. We will let you know if we are going to take longer than one month. We might ask you if you can help by telling us what exactly you want to receive or are concerned about. This will help us to action your request more quickly.
• Exemptions. Local laws, including in the UK, provide for additional exemptions to the right of access, whereby personal data can be withheld from you in certain circumstances, for example where it is subject to legal privilege.

11. Contact and complaints

The primary point of contact for all issues arising from this Policy, including requests to exercise data subject rights, is our Data Protection Officer. The Data Protection Officer can be contacted in the following ways:

David Richards
TASC Holdings Ltd
3, Kings Court
Sandycroft
Deeside
CH5 2FG

Tel: 01244 752218
dave@tascltd.co.uk

If you have a complaint or concern about how we use your personal data, please contact us in the first instance and we will attempt to resolve the issue as soon as possible. You also have a right to lodge a complaint with your national data protection supervisory authority at any time. In the UK, the supervisory authority for data protection is the ICO (https://ico.org.uk/). We do ask that you please attempt to resolve any issues with us first, although you have a right to contact your supervisory authority at any time.