Privacy Policy

TrustMark is committed to safeguarding the privacy of any data we hold.

We take the issue of privacy and security of data very seriously

TrustMark is committed to safeguarding the privacy of any data we hold. This Privacy Notice explains how we collect and use your data, what data we disclose and retain, and how we keep your personal information safe.

We may occasionally make changes to this policy, so please check this page from time to time to make sure you’re happy with any changes.

This privacy notice is provided by TrustMark (2005) Limited whose registered office as at Arena Business Centre, The Square, Basing View, Basingstoke, Hampshire (‘we’, ‘our’ or ‘us’)

This policy was last updated on 21st February 2024.

V1.1

About TrustMark and our responsibility for your personal data

TrustMark is a not-for-profit, social enterprise organisation. This means that our profits are reinvested into the TrustMark scheme to improve levels of services and enhancing consumer protection.

As part of our role as the only UK government-endorsed quality scheme for home improvements, we collect, use and are responsible for certain personal data about you. When we do so we are subject to the UK General Data Protection Regulation (UK GDPR), where we are a controller of your personal data, we are the organisation legally responsible for deciding how and for what purposes it is used. We are registered as a data controller with the Information Commissioner’s Office under registration number ZA460481.

We may not always be the data controller of your personal data. Where this is the case, we ensure that we comply with the instructions of the data controller and process your personal data in accordance with applicable laws and regulations.

Please read this privacy notice carefully as it contains important information on how and why we may collect, store, use and share personal data in connection with your use of our website. It also explains your rights in relation to your personal data and how to contact us or the Information Commissioner’s Office in the event you have a complaint.

What this notice applies to

This policy outlines our use of your personal data, including information we obtain from:

  • Our website trustmark.org.uk, which includes:
    • any searches you perform using the tradesperson directory
    • “Homeowner Portal” – The portal through which consumers may interact with Registered Businesses.
    • “Business Portal” – The portal through which Registered Businesses access and submit information to our data warehouse.
  • Our Home Improvement App
  • Social Media – any of our social media pages
  • Email correspondence with TrustMark
  • Telephone calls made directly to TrustMark or obtained via third party service providers engaged by us to answer telephone calls on our behalf.

This privacy notice outlines the legal basis for processing your personal data including;

  • For the purpose of hosting, operating and maintaining the TrustMark System on behalf of any other third party, including any government body or department;
  • Registering, verifying or maintaining your registration under the TrustMark System, which is provided to us directly by you or via your Scheme Provider;
  • when you contact us with a query, complaint, request or for any other reason;
  • when we are required to process the data provided to us by any other third party, including any publicly available registers or any data sources that we are required to obtain information from in order to verify your identity, address or contact information;
  • sharing with any third party to whom we are required to share data for the purposes of fulfilling a contractual, legal or regulatory obligation to you or to them; and
  • processing your personal data for our legitimate interests, the interests of the Scheme, any member of the Scheme or Scheme Provider.

Links to third parties

Throughout our website, we may link to other websites or platforms owned and operated by third parties, for the purposes of providing our services or the services of a Scheme Provider or governmental body. Those third parties may also gather and process information about you when you use their website and platforms. They do so in accordance with their own privacy policies or notices, which you should make yourself aware of by looking on their website or contacting them directly.

Personal information we collect about you

We may collect and use the following personal data about you, where applicable:

  • your name, address and contact information, including email address and telephone number and company details;
  • information to check and verify your identity, e.g. date of birth and where applicable, to verify your eligibility to register;
  • your gender or preferred pronouns;
  • details of any relevant property address and, if it is not your residential address, your relationship to that property (e.g. owner, occupier, manager etc.);
  • any other personal information provided to us by the Scheme Provider which is required to be processed for the purposes specified in this policy;
  • your account details, such as username and login details or any reference number or membership scheme number assigned to you;
  • details of any information, feedback or other matters you give to us, including via phone, email, post, social media or via our Home Improvements App;
  • your activities on, and use of, our website, including information about how you use our website and technology systems;
  • photos from any inspection which has been conducted by us or on behalf of us or the Scheme Provider in which your image or other information which identifies you may feature (though we do not seek to collect this information intentionally);
  • bank details, billing information, transaction and payment card or other payment method information (where applicable) when paying for lodgements or any other services we provide or administrate for others; and
  • any other information about the services that have been provided to you by us or any Scheme member, or information that any Scheme member has provided about you as part of the records we hold about a property.

For you to use the Homeowner Portal as a consumer, or the Business Portal as a registered member, you will be required to provide your personal data.

Sometimes you can choose if you want to give us your personal data and let us use it. Where that is the case, we will tell you and give you the choice before you give the personal data to us. We will also tell you whether declining to share that personal data will have any effect on your use of our website.

How your personal information is collected

We collect personal information from you:

  • directly, when you enter or send us information, such as when you register for an account on our Homeowner Portal;
  • when you register as a member with a Scheme Provider who then provides that information to us;
  • when you contact us (including via email, phone, post, social media or via our website or Home Improvements app); send us feedback; and complete customer surveys; and
  • indirectly, such as your browsing activity while on our website which we collect indirectly from your device (e.g. your phone, laptop, tablet or any internet connected technology you use to view any part of our website) using the technologies explained in the section on ‘Cookies and other tracking technologies’ below

We also collect personal data about you from other sources as follows:

  • from Scheme Providers who administrate, manage and verify your membership to any Scheme and handle complaints from consumers and members;
  • from registered members of a Scheme who conduct surveys, assessments, contracted works, repairs or quotations on a property in which you live, own, occupy or are otherwise associated with; and
  • from third party data providers who provide public and non-public databases for the purposes of verifying your identity, address, bank details or other identity information.
  • From other bodies that contact us with your consent such as government departments, local authorities, consumer advocates, funders of retrofit or home improvement and advice agencies.

How and why we use your personal information - lawful basis for processing

Under data protection law, we can only use your personal data if we have a legal basis to do so, e.g.:

  • where you have given consent
  • to comply with our legal and regulatory obligations
  • for the performance of a contract with you or to take steps at your request before entering into a contract, or
  • for our legitimate interests or those of a third party.

A legitimate interest is when it is necessary for us to use your personal data for a business or commercial reason, so long as this is not overridden by your own rights and interests. We will carry out an assessment when relying on legitimate interests, to balance our interests against your own.

The table below explains what we use your personal data for and why.

What we use your personal information for Our reasons
Creating, managing or maintaining your Scheme Provider/ business/ consumer  account or registration with us and providing our services to you or the Scheme Provider As necessary to perform our contract with you or to take steps at your request, or as necessary for our legitimate interests in performing our contractual responsibilities.
Verifying the completion and quality of the work conducted by Registered Businesses and the application of any funding applied to that work As necessary to comply with our legal, regulatory and contractual obligations.
Conducting checks to identify you and verify your identity or to help prevent and detect fraud. As necessary to comply with our legal, regulatory and contractual obligations.
Enforcing legal rights or to defend or undertake legal proceedings; and disclosures and other activities necessary to comply with legal and regulatory obligations that apply to our business. As necessary to comply with our legal and regulatory obligations, or for our legitimate interests, i.e. to protect our business, interests and rights.

Customising our website and its content to your preferences based on a record of your selected preferences or on your use of our website; and

Retaining and evaluating information on your recent visits to our website and how you navigate around our website for analytics purposes to make improvements to our website and to ensure it is working as intended.

where you have given your consent as gathered by the cookies consent tool on our website see ‘Cookies and other tracking technologies’ below; or

where we are not required to obtain your consent and it is required for our legitimate interests, i.e., to be as efficient as we can so we can deliver the best service to you.

You may withdraw your consent at any time by changing the cookies setting in your browser (this will not affect the lawfulness of our use of your personal data in reliance on that consent before it was withdrawn).

Communications with you not related to marketing, including about changes to our terms or policies or changes to our services or other important notices As necessary to comply with our legal and regulatory obligations and/or for our legitimate interests, i.e., to be as efficient as we can so we can deliver the best service to you.
Communicating our services and those of selected third parties to existing and former Registered Businesses As necessary for our legitimate interests, i.e. to inform existing and former customers about our business and associated businesses.
Protecting the security of systems and data used to provide the services As necessary to comply with our legal and regulatory obligations and to ensure the security of systems and data. Where we do this to a standard that goes beyond our legal obligations, our reasons are for our legitimate interests, i.e. to protect systems and data and to prevent and detect criminal activity that could be damaging for you and/or us.
Statistical analysis to help us understand our customers and their needs As necessary for our legitimate interests, i.e. to be as efficient as we can, to deliver the best service to you and to find ways of improving our data and services that would provide a benefit to our consumers.
Undertaking service improvements and developing new services to improve our offering. As necessary for our legitimate interests, i.e. to be as efficient as we can, to deliver the best service to you and to find ways of improving our services that would provide a benefit to our consumers.
During audit of our operations, services and systems by Scheme Providers, government bodies, certified accreditation assessors, funding organisations or their appointed auditors. As necessary for our legitimate interests, i.e., to maintain our accreditations so we can demonstrate we operate at the highest standards, and to demonstrate our compliance with our contractual obligations to Scheme Providers.
To share with third parties that will/may take control or ownership of some or all of our business (and professional advisors acting on our or their behalf) in connection with a corporate transaction, restructuring, merger, acquisition, asset sale, initial public offering or in the event of our insolvency. Information will be anonymised where possible and only shared where necessary. As necessary to comply with our legal and regulatory obligations and/or for our legitimate interests, i.e. to protect, realise or grow the value in our business and assets.

 

How and why we use your personal information - data sharing

We may use your personal data to send you updates (by email or post) about our products and services and those of TrustMark Registered Businesses, including information about new products and services.

The legal basis on which we would process this information is by consent.

You have the right to opt out of receiving marketing communications at any time by contacting us (see the ‘How to Contact Us’ section below); or using the ‘unsubscribe’ link in emails.

We may ask you to confirm or update your marketing preferences if you ask us to provide further products or services in the future, or if there are changes in the law, regulation, or structure of our business.

We will never sell your personal data or share it with other organisations for marketing purposes.

Who we share your personal information with

We routinely share personal data with:

  • third parties we use to help deliver our products and services to you, e.g. payment service providers and identity verification database providers;
  • other third parties we use to help us run our business, e.g., marketing agencies or website hosts and website analytics providers;
  • quality assurance providers for the purposes of making appointments to review installation work;
  • government agencies and building services for processing consumer funding applications or obtaining information about property performance and other relevant information;
  • supply chain parties engaged by your installer or representative for providing advice, design or installation guidance;
  • authorities appointed by law - Government appointed bodies, agencies, regulators and departments;
  • auditors appointed by us, any Scheme Provider or any party for whom we perform a contractual service;
  • funding organisations in order that they can verify that the any work which has been funded by them has been completed; and
  • third parties engaged by us whom we are satisfied take appropriate measures to protect your personal information and upon whom we impose contractual obligations to ensure they can only use your personal data to provide services to us and to you.

We or the third parties mentioned above may occasionally also share personal data with:

  • external auditors, e.g. in relation to the audit of our or their accounts, in which case the recipient of the information will be bound by confidentiality obligations and any sharing will be necessary for the purpose of completing the audit;

academic or research organisations with a legitimate interest;

  • professional advisors (such as lawyers and other advisors), in which case the recipient of the information will be bound by confidentiality obligations;
  • law enforcement agencies, courts, tribunals and regulatory bodies to comply with our legal and regulatory obligations; and

How long your personal information will be kept

We will not keep your personal information for longer than we need it for the purpose for which it is used. Different retention periods apply for different types of personal data. We retain backups of our data which includes personal data, for a period of 6 years from when it was last modified plus up to 1 further year. This is because data is deleted in bulk at set times of the year and not necessarily on the anniversary date of its last modification.

Where we can do so, we will aim to remove any personal data that is not required for processing. However, where your personal data is associated with the record of a property, it may be retained for as long as the property record is required by reference to the basis on which it was collected, which may be indefinitely.

Transferring your personal information outside of the UK

Countries outside the UK have differing data protection laws, some of which may provide lower levels of protection of data privacy.

We do not routinely transfer personal information outside of the European Economic Area (EEA). However, some services that we use may operate outside of the UK and EEA and therefore it may sometimes be necessary for us to transfer your personal data to countries outside the UK. In those cases, we will comply with applicable UK laws designed to ensure the privacy of your personal data.

Under data protection laws, we can only transfer your personal data to a country outside the EEA where:

  • in the case of transfers subject to UK data protection law, the UK government maintains a list of particular countries which ensure an adequate level of protection of personal data (known as an ‘adequacy regulation’). These are listed on the ICO website. We rely on adequacy regulations for transfers to those countries and specifically for transfers to the United States of America, only to commercial organisations who participate in the EU-US Data Privacy Framework, and who have self-certified as being compliant with the UK Extension to the framework.
  • there are appropriate safeguards in place, together with enforceable rights and effective legal remedies for you, or
  • a specific exception applies under relevant data protection law.

 

Where we transfer your personal data outside the UK, we do so on the basis of an adequacy regulation or (where this is not available) an agreement including legally-approved standard data protection clauses recognised or issued further to Article 46(2) of the UK GDPR. In the event we cannot or choose not to continue to rely on either of those mechanisms at any time we will not transfer your personal data outside the UK unless we can do so on the basis of an alternative mechanism or exception provided by UK data protection law and reflected in an update to this policy.

Any changes to the destinations to which we send personal data or in the transfer mechanisms we rely on to transfer personal data internationally will be notified to you in accordance with the section on ‘Changes to this privacy policy’ below.

Cookies and other tracking technologies

A cookie is a small text file which is placed onto your device (e.g. computer, smartphone or other electronic device) when you use our website. We use cookies on our website. These help us recognise you and your device and store some information about your preferences or past actions and to understand and improve the way in which you use our website.

For further information on cookies, our use of them, when we will request your consent before placing them and how to disable them.

Your Rights

According to applicable data protection law, you have the following rights, which you can usually exercise free of charge:

Access to a copy of your personal data

The right to be provided with a copy of your personal data, known as a data subject access request

Correction (also known as rectification)

The right to require us to correct any mistakes in your personal data

Erasure (also known as the right to be forgotten)

The right to require us to delete your personal data—in certain situations

Restriction of use

The right to require us to restrict use of your personal data in certain circumstances, e.g. if you contest the accuracy of the data

Data portability

The right to receive the personal data you provided to us, in a structured, commonly used and machine-readable format and/or to require us to transmit that data to a third party—in certain situations

To object to use

The right to object:

—at any time to your personal data being used for direct marketing

—in certain other situations to our continued use of your personal data, e.g. where we use your personal data for our legitimate interests unless there are compelling legitimate grounds for the processing to continue or the processing is required for the establishment, exercise or defence of legal claims.

Not to be subject to decisions without human involvement

The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you. However, we do not make any such decisions.

The right to withdraw consents

If you have provided us with consent to use your personal data you have a right to withdraw that consent easily at any time. You may withdraw consent by contacting us as set out below. Withdrawing consent will not affect the lawfulness of our use of your personal data in reliance on that consent before it was withdrawn.

For further information on each of those rights, you may find it helpful to refer to the guidance from the UK’s Information Commissioner on your rights under the UK GDPR.

Keeping your personal information secure

We have put in place appropriate security measures to prevent personal data from being accidentally lost or used or accessed unlawfully. We limit access to your personal data to those who have a genuine need to access it.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

How to complain

Please contact us if you have any queries or concerns about our use of your personal data using the contact details given below. We hope we will be able to resolve any issues you may have.

You also have the right to lodge a complaint with the Information Commissioner in the UK. The UK’s Information Commissioner may be contacted using the details at https://ico.org.uk/make-a-complaint or by telephone: 0303 123 1113.

Changes to this notice

We may change this privacy notice from time to time. When we make significant changes, we will take steps to inform you, for example when you visit our website, when you log in via the Homeowner or Business portal, or via email which will contain a link to view the updated policy on our website

How to contact us

You can contact us by post, email or telephone if you have any questions about this privacy policy or the information we hold about you, to exercise a right under data protection law or to make a complaint.

When contacting us please:

  • provide enough information to identify yourself (e.g. your full name, address and any username or Scheme membership number) and any additional identity information we may reasonably request from you, and
  • where relevant, let us know which right(s) you want to exercise and the information to which your request relates.

 

Our contact details are shown below:

TrustMark (2005) Limited,

Arena Business Centre,

The Square,

Basing View,

Basingstoke, RG21 4EB

 

Policy version: 21st February 2024

 

Telephone number: 0333 555 1234

Email: dataprotection@trustmark.org.uk