Xpress Cylinder Spares (referred to in this document as ‘Xpress Cylinder Spares’, ‘data controller’, ‘we’, ‘our’ or ‘us’), are committed to protecting and respecting your privacy and the security of your personal data. We aim to be clear and transparent about what we do with the personal data we collect. (‘Personal data’ means any information relating to an identifiable person). This policy:
- Sets out how we process your personal data. (‘Processing’ means anything we do with your data, and includes collecting, using, storing and deleting it);
- Sets out where we might send your personal data to others, how we protect it and your privacy rights;
- Only applies to our website, and if you leave our website, you will be subject to the policy of that other website provider.
Who we are and how to contact us
Xpress Cylinder Spares are online unvented cylinder parts supplier.
We specialise in the supply of unvented cylinder spares and components within the hot water industry.
In respect of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, the data controller is Xpress Cylinder Spares, PO Box 13334, Blackpool, FY1 9JW
The personal data we collect from you
We may collect personal data from you in the following circumstances, when you:
- Fill in a form on our site www.xpresscylinderspares.co.uk. This includes information provided at the time of registering to use our site, subscribing to a service, requesting further services and completing the Contact Form;
- Visit our site, we may automatically collect traffic data, location data, weblogs, browser, usage and other communications data;
- Report a problem with our site;
- Contact us by phone;
- Become a customer. This may include: your name, postal address, email address, phone number, job title, reference information (e.g. invoice number) and any other information you give us;
- Register a product warranty online or through our call centre;
- Interact with us via social media;
- Join a loyalty scheme;
- Complete any surveys we send to you.
IP Addresses and Cookies
Click here www.xpresscylinderspares.co.uk/cookies-policy.html if you would like more detailed information about how these cookies work and our policy regarding the information they collect.
How we use your personal data including legal basis
When you contact us using the Contact Form, we may store your personal data. The legal basis for this is ‘legitimate interest’. Where we process your personal data under this basis, we perform an assessment that balances your rights and freedoms alongside our interests, to ensure that what we do with your personal data is what you would reasonably expect.
Products and Services
There are three legal bases under which we process personal data for product and services:
- When you buy, and / or register a product. The legal basis for this is ‘performance of a contract’;
- After the expiry of a warranty for example, we may also keep your personal data under the basis of ‘legal obligation’ re’ gas safety, and health and safety regulations;
- Where we keep your personal data for the purpose of product recall requirements, the basis is ‘vital interests’.
We may send you marketing messages by email, text message (sms), telephone or post about us and our products and offers. For email and SMS messages, the legal basis is consent. If you want us to stop sending you information by email or SMS, you can opt out at any time by selecting the ‘unsubscribe’ link on any email or sms we send you. You can also email us at email@example.com or write to us at:
Data Protection Officer,
Xpress Cylinder Spares,
PO Box 13334,
We may ask you to complete surveys for research purposes. The legal basis for these ranges from: Legitimate interest, performance of a contract, legal obligation and consent. Where consent is relied on, the method will be opt in, and you have the right to withdraw your consent at any time.
How we share your personal data
We may disclose your information to third parties if we:
- Sell or buy any business or assets, we may disclose your personal data to the prospective seller or buyer of those assets;
- Have a duty to disclose your personal data to comply with any legal obligation. This includes sharing information with other organisations for the purposes of fraud prevention.
We are required to have written contracts in place with any third parties we use to process your personal data. This is to ensure that third party processors only act on the documented instructions of the data controller, and to ensure that both parties understand their responsibilities, especially in regard to safeguarding personal data.
Third parties we share your personal data with are listed below:
- Google Analytics
Where we store your personal data
Some data that we collect listed below, is transferred and stored outside the EEA. All other personal data is processed within the EEA.
Processed outside the EEA:
- Google Tag Manager (website analytics) – EU-US Privacy Shield.
How long we keep your personal data for
This depends on the type of personal data and what it is used for. We only keep personal data for as long as we have a legal basis to do so, and we adhere to the principle of data minimisation. This means that we only keep the minimum amount of information necessary for specific processing.
- We keep personal data you provide by filling in forms on our site unless or until you unsubscribe. If you unsubscribe, we retain minimal information about you to ensure that we know you have unsubscribed;
- Financial transaction data is kept for a maximum of seven years. This is due to legal obligations in relation to accounting and tax;
- Where there is a contract between us, and in case of any legal action, personal data is retained for 8 years after the end of the contract.
How we secure personal data
We use a combination of physical, technical and organisational controls to safeguard your personal data. We are also committed to regularly testing, assessing and evaluating the strength of our controls environment.
- Personal data is stored on secure servers;
- Payment transactions such as card transactions are encrypted using SSL technology;
- Emails are scanned for malware and viruses;
- Data sent between our website and your browser is protected using industry standard protocol such as Transport Layer Security;
- Data processed by third parties is safeguarded by contracts containing audit rights of inspection and warranties;
- Personal data is stored within secured networks, and is only accessible by a limited number of people. Access rights and other policies and procedures forming part of our Information Security Management System (ISMS) further secure your information.
Where you have a password that enables you to access certain parts of our site, you are responsible for keeping the password safe, and we advise not disclosing your password to anybody else.
Our security procedures mean that we may occasionally request proof of i.d. before we are able to disclose personal information to you.
Unfortunately, the transmission of information via the Internet is not always secure. Although we do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site. Once received however, we will use our procedures and security to prevent unauthorised access.
You have certain rights (detailed below) under data protection law, and you can make requests to us about any personal data we hold about you. Requests can be in writing or verbal, and can be made to any part of our organisation. It will help us to complete your request more effectively however if you contact us at firstname.lastname@example.org
We will also need to verify your identity. The Information Commissioner (ICO) have a page on their website that includes a template for a letter which can be used when sending requests to us (https://ico.org.uk/your-data-matters/your-right-of-access). We will respond within one month from the date of the request, and will not ordinarily charge a fee. If further copies are required, and / or the request is deemed excessive however, we may charge a reasonable fee. Your rights:
Postal address of the ICO:
Customer Contact, Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
Policy last updated:6th August 2018