Façade Creations Ltd Data Protection Policy
Introduction
Façade Creations Ltd is committed to protecting the privacy and security of personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, as well as all other applicable data protection laws. We also adhere to relevant provisions of the Companies Act 2006, particularly regarding proper record-keeping and security of company records. This policy outlines how Façade Creations collects, uses, stores, and safeguards personal data in line with our operations as a company specializing in the design, manufacture, and installation of bespoke aluminium façades. It covers personal data relating to our employees, clients, suppliers, website users, and other stakeholders, and explains the rights individuals have regarding their data.
Data Controller
Façade Creations Ltd is the “Data Controller” responsible for determining how and why personal data is processed in our organization. For any enquiries, requests, or concerns regarding personal data or this policy, please contact our data protection representative:
- Email: estimating@facadecreations.co.uk
- Postal Address: Façade Creations Ltd, 124 City Road, London, England, EC1V 2NX
Roles and Responsibilities
Ultimate responsibility for data protection compliance at Façade Creations rests with our Director, Hashim Choksi, who oversees and enforces this Data Protection Policy. We have not appointed a formal Data Protection Officer (DPO) at this time, as we are not legally required to do so given the nature and scale of our processing. However, data protection responsibilities are covered internally by senior management. All employees receive basic GDPR and data protection training as part of their induction and ongoing training programs. Employees are expected to understand and follow this policy, and to report any potential data protection issues to management. Regular reviews and audits (see Review & Updates below) are conducted to ensure compliance and to address any gaps.
Definitions
For the purposes of this policy, the following definitions apply:
- Personal Data: Any information relating to an identified or identifiable individual (known as the “data subject”). This includes obvious identifiers such as a person’s name, contact details (email, phone, address), as well as identifiers like employee ID, IP address, or any information that can be linked to an individual.
- Processing: Any operation performed on personal data, whether automated or manual. Processing includes collection, recording, organizing, storing, altering, retrieving, using, disclosing, transmitting, combining, restricting, erasing, or destroying personal data.
- Data Subject: The individual whom the personal data is about. For example, our employees, clients, and website users can all be data subjects under this policy.
- Data Controller: The entity that determines the purposes and means of processing personal data (in this case, Façade Creations Ltd).
- Data Processor: A third party (other than our own employees) that processes personal data on behalf of the Data Controller, based on the Data Controller’s instructions. (For instance, a cloud service provider hosting our data may act as a Data Processor.)
Data Collection and Processing
We collect and process personal data only for specific, explicit, and legitimate purposes necessary for our business operations. Below is an overview of the types of personal data we handle and the purposes and legal bases for processing each type:
- Employee (HR) Data – Purpose: To recruit, employ, and manage our personnel, and to fulfill legal obligations as an employer. This includes processing data for human resources administration, payroll, benefits, performance reviews, and workplace health and safety compliance.
Data Categories: Employee personal details (name, contact information, date of birth, national insurance number), job application materials and employment records (CV, references, employment contracts, roles and dates of employment), payroll and bank details for salary payments, and any necessary certifications or right-to-work documents. We may also keep records of training, performance evaluations, and disciplinary proceedings as needed.
Legal Basis: Contractual necessity (to fulfill the employment contract, e.g. paying salaries); Legal obligation (to comply with employment laws, tax requirements, and statutory record-keeping, such as HMRC payroll records and Companies Act 2006 requirements); and Legitimate interests (to efficiently manage our workforce and ensure business continuity, balancing these interests with employees’ rights).
- Client and Project Data – Purpose: To manage relationships with our clients and deliver our façade design and installation services. This includes responding to enquiries, providing quotes, entering into contracts, executing projects, and meeting legal and contractual obligations (e.g. health and safety regulations, building regulations).
Data Categories: Client contact details (individual names, job titles, business addresses, telephone numbers, email addresses); project-related information provided by clients (project requirements, specifications, site addresses); records of communications with clients; and contractual and financial details (quotes, contracts, invoices, payment records).
Legal Basis: Contractual necessity (to take steps at the client’s request prior to entering a contract, and to perform our contracts for design, supply, and installation of façades); Legal obligation (compliance with laws such as construction regulations, building codes, tax laws related to client transactions); and Legitimate interests (ensuring effective project management, maintaining client relationships, and communicating with clients in the context of our business – e.g. providing project updates – in ways clients would reasonably expect). In limited cases, we may also rely on Consent – for example, if a prospective client signs up to receive marketing newsletters (see Marketing Communications below).
- Supplier and Contractor Data – Purpose: To manage procurement of goods and services, coordinate with our subcontractors and suppliers, and fulfill our obligations to pay for and document these transactions. This covers data related to our vendors, subcontractors, consultants, and other third parties we work with on projects.
Data Categories: Supplier or contractor contact details (contact person’s name, business name, address, email, phone); contracts and agreements; banking and payment information (account numbers, sort codes or IBAN, VAT or company numbers) needed for payments; and relevant qualifications or insurance details (e.g. evidence of professional indemnity insurance or certifications if required by our contractor vetting process).
Legal Basis: Contractual necessity (to enter and perform contracts with our suppliers and subcontractors, e.g. issuing purchase orders, paying invoices); Legal obligation (for example, retaining records of transactions for tax and audit purposes, complying with anti-fraud or anti-bribery laws where applicable); and Legitimate interests (such as vetting suppliers for quality and reliability, ensuring project supply chain efficiency, and maintaining business continuity). These interests are balanced against any privacy impacts, and typically the data we collect in this context is business-oriented and not overly personal.
- Marketing Communications Data – Purpose: To send updates, news, or marketing communications about our services to individuals who have opted to receive such information. This helps us promote our business and keep interested parties informed of our offerings (e.g. new façade solutions, project case studies, or events).
Data Categories: Names and contact details (such as email address and company name) of clients or prospects who have expressed interest in our services or subscribed to our mailing list. We may also record communication preferences (e.g. opt-in consent records, preferred contact method) and interaction history (e.g. email open rates or event attendance, on an aggregate level).
Legal Basis: Consent – We rely on explicit opt-in consent for all email marketing communications. Individuals are added to our marketing mailing list only if they have given us clear consent (for example, by ticking an opt-in box on a form or subscribing via our website). We do not send mass marketing emails without consent. Data subjects have the right to withdraw consent at any time. Each marketing email we send includes an unsubscribe link, and individuals can also contact us at any time to be removed from marketing lists. We will promptly honor opt-out requests.
- Website User Data and Cookies – Purpose: To operate and improve our company website and understand how users interact with it. When you visit our website (www.facadecreations.co.uk), we collect certain data via cookies and similar technologies for functionality and analytics.
Data Categories: We use cookies for essential site functionality (such as session management, which remembers your preferences or keeps you logged in if applicable) and for basic analytics. The analytics data (e.g. via Google Analytics) is typically aggregated and anonymized, helping us track website traffic and usage patterns without directly identifying individual visitors. We do not collect personally identifiable information through analytics cookies, and we do not use cookies for advertising purposes. If our website has contact or enquiry forms, the personal data you provide (e.g. name, email, phone, and enquiry details) will be used only to respond to your request (as part of Client Data above) and handled in line with this policy.
Legal Basis: Legitimate interests – It is in our interest to ensure our website works well and to understand usage for improvement, in a manner that respects users’ privacy (analytics data is anonymized). We also rely on Consent where required by law (upon your first visit, we present a cookie notice seeking consent for non-essential cookies). You may disable non-essential cookies through your browser settings at any time; however, please note this may affect certain site functionalities.
Data Sharing and Transfers
We treat personal data as confidential and do not share it with third parties unless it is necessary to achieve the purpose for which the data was collected, or we are legally required to do so. When sharing is necessary, we apply the principle of data minimization, sharing only the information that is needed. The main instances in which we may share personal data include:
- Subcontractors and Suppliers: We share relevant data with our subcontractors, sub-consultants, and suppliers as needed for project execution. For example, we may provide a subcontractor with site access details or worker names for health & safety, or share client contact information with a delivery partner to coordinate a shipment. In all cases, third parties are only given data required for their specific task and are expected to handle it securely.
- Professional Advisors: We may share data with our insurers, accountants, lawyers, or other professional advisors. For instance, an insurer might receive details of a claim that includes personal data, or our accountants might see employee and contractor payment information when assisting with payroll or financial audits. These parties are either bound by professional confidentiality or by contractual agreements regarding data protection.
- Consultants and Business Partners: If we engage external consultants or joint venture partners on a project, we might need to share certain data (e.g. project team contact details, relevant experience profiles) to facilitate collaboration. Such sharing will be governed by non-disclosure agreements and data processing agreements as appropriate.
- Regulatory and Legal Requirements: We will disclose personal data to government bodies, regulators, law enforcement or courts if required to do so by law. For example, we might need to provide information to HM Revenue & Customs (HMRC) for tax purposes, to the Information Commissioner’s Office (ICO) if they are investigating a complaint, or to comply with a court order or subpoena. In all cases, we will verify the legitimacy of the request and share only the data necessary by law.
Façade Creations does not sell personal data to any third parties for marketing or other purposes.
International Transfers: As a UK-based business, we primarily store and process data within the UK. However, we use some reputable cloud-based services (for example, Microsoft 365 for email and document storage, Google Analytics tools, Xero for accounting) which may involve storing data on servers outside the UK. Whenever personal data is transferred outside of the UK (or European Economic Area) – for instance, to data centers in the United States or elsewhere – we ensure that legal safeguards are in place. These safeguards may include Standard Contractual Clauses (SCCs) or reliance on an adequacy decision by the UK government, and we ensure our service providers are certified or contractually committed to GDPR-equivalent data protection standards. We carefully vet third-party providers for their data protection compliance, and only use internationally recognized firms with strong security practices. Our aim is that personal data receives the same level of protection no matter where it is processed.
Data Security
Façade Creations takes appropriate technical and organizational security measures to protect personal data against unauthorized access, loss, destruction, or alteration. We continually review and enhance our security practices in line with industry standards. Key measures we have in place include:
- Secure Storage: Personal data in electronic form is stored on secure, access-controlled systems. We employ encryption for sensitive data at rest and in transit (for example, our databases and laptops employ disk encryption). Servers are password-protected and firewall-protected, and cloud storage (e.g. SharePoint/OneDrive within Microsoft 365) is encrypted and monitored. Paper records containing personal data are kept in locked cabinets or secure office areas with restricted access.
- Access Controls: We restrict access to personal data strictly to authorized personnel who need it for their job duties. Different levels of access are granted based on role (principle of least privilege). For example, HR data is accessible only to authorized HR and management staff; project data is accessible to the project team and relevant administrators. All employees are required to use strong, unique passwords for company systems, and multi-factor authentication is enabled wherever feasible for remote access.
- Secure Communication: When we transmit personal data to third parties (such as sending payroll information to our accountant or sharing project data with a subcontractor), we use secure channels. Emails are sent via encrypted TLS connections by default, and we use password protection or encryption for files that contain particularly sensitive data. We discourage the use of insecure channels for any transfer of personal information.
- Physical Security: Our offices are secured to prevent unauthorized entry – access to offices and file storage areas is restricted to staff (using keys or access cards), and visitors are escorted. Documents or devices containing personal data are not left unattended in public areas. We also employ shredding for disposal of any paper documents that contain personal data, and have a clean-desk policy to minimize exposure of sensitive paperwork.
- Device and IT Security: All company laptops and devices are configured with up-to-date antivirus/anti-malware software and are regularly patched with the latest security updates. We maintain an IT asset management process to track company devices and ensure secure disposal when devices are decommissioned. Portable drives or USB storage with personal data are encrypted or avoided where possible.
- Third-Party Services: We use trusted cloud and IT service providers (such as Microsoft and Xero) to support our business. Before engaging any provider that will handle personal data, we assess their security certifications and privacy policies to ensure they meet GDPR standards. We sign Data Processing Agreements with such providers to ensure they commit to protecting the data on our behalf.
- Monitoring and Testing: We conduct regular security audits and risk assessments of our systems. Employee access rights are reviewed periodically to ensure only necessary access is retained. We also provide ongoing training to staff on cybersecurity best practices (such as recognizing phishing attempts and safeguarding information).
By implementing the above measures, we strive to maintain a high level of security and reduce the risk of data breaches or unauthorized data disclosure.
Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected and to satisfy any legal, accounting, or reporting requirements. Retention periods are determined based on the type of data and the applicable legal/regulatory obligations. Our general retention policies are as follows:
- Employee (HR) Records: We retain employee personal data for up to 6 years after employment ends, in line with UK statutory limitation periods for employment claims and HMRC requirements. This includes keeping basic identification details, employment contracts, and payroll records for six years post-termination. Certain records may be held longer if required (for example, pension scheme information or injury records might be kept for a longer period under specific regulations), but we will not keep full HR files indefinitely.
- Financial Records: Financial records that may contain personal data (e.g. invoices, payment records, expense reports) are kept for 6 years after the end of the financial year to comply with HMRC tax regulations and the Companies Act 2006 record-keeping requirements. This ensures we have documentation in case of audits or financial inquiries. After 6 years, such records are securely disposed of unless a longer retention is legally required for specific items.
- Project and Client Files: Project-related documents (which may include client correspondence, contracts, project plans, etc.) are retained for the duration of the project and typically for 6 to 10 years after project completion. The exact period depends on contractual obligations and liability considerations – for example, contracts often specify that certain records be kept for a number of years. In the construction industry, a 6-12 year period is common (12 years if under seal). We have adopted 10 years as a general guideline for major project files to cover potential latent defect liability periods. These files are archived securely and only accessed if needed for reference or legal reasons.
- Enquiries and Prospective Client Data: If an individual makes an enquiry but does not proceed to a contract with us, we will retain the enquiry correspondence and their contact details for up to 2 years from the last interaction. This is to allow us to follow up on potential business or understand past communications. After 2 years of inactivity (or immediately upon request), we delete or anonymize enquiry data. For individuals who consented to receive marketing communications, we will retain their details until they unsubscribe or withdraw consent, at which point we promptly remove them from our active mailing lists (while maintaining a suppression list to ensure we honor no-contact requests).
- Other Categories: CCTV footage (if we ever employ CCTV at our premises) would typically be kept for a short period (e.g. 30 days) unless needed for an investigation. Recruitment (job applicant) data for candidates we do not hire is usually kept for up to 6 months, unless the candidate consents to a longer retention for future opportunities.
In all cases, when a retention period has elapsed, we will either securely delete the personal data or anonymize it (so that it can no longer be associated with an individual). Secure deletion may involve permanent erasure of electronic files using appropriate software tools and shredding of physical documents. We maintain a data retention schedule and periodically review the data we hold, to ensure we are not keeping personal data longer than necessary.
Individual Rights
Data subjects (individuals whose data we hold) have a number of rights under the UK GDPR. Façade Creations respects and upholds these rights. In summary, individuals have the right to:
- Right of Access: You can request confirmation of whether we are processing your personal data, and if so, request a copy of the personal data we hold about you, as well as information about how we use it. This is commonly known as a “Subject Access Request.” We will provide the information in a concise and transparent manner, normally within one month of receiving a valid request.
- Right to Rectification: If any personal data we hold about you is inaccurate or incomplete, you have the right to request that we correct or update it. Upon verification, we will rectify the inaccuracies promptly.
- Right to Erasure: You have the right to request deletion of your personal data in certain circumstances – for example, if the data is no longer needed for the purposes it was collected, or if you withdraw consent and we have no other legal basis for processing. This is sometimes called the “right to be forgotten.” Please note that this right is not absolute; we may need to retain certain information where we have a legal obligation or overriding legitimate interest to do so (we will inform you if that is the case).
- Right to Restrict Processing: You can ask us to limit the processing of your data under certain conditions. For instance, if you contest the accuracy of the data or have objected to our processing (see below), you may request restriction while the issue is being resolved. When processing is restricted, we will continue to store your data but will not use or share it except in limited circumstances (such as with your consent or for legal claims).
- Right to Object: Where we process your personal data based on legitimate interests, you have the right to object to that processing. If you lodge an objection, we will stop processing the data in question unless we can demonstrate compelling legitimate grounds for the processing that override your rights, or the processing is for the establishment, exercise, or defense of legal claims. You also have an unconditional right to object to your personal data being used for direct marketing purposes – if you object, we will cease such use immediately.
- Right to Data Portability: Where you have provided data to us and the processing is carried out by automated means on the basis of your consent or for performance of a contract, you have the right to request a copy of that data in a common machine-readable format, and/or to have it transferred to another data controller (where technically feasible). This right primarily applies to data you actively provided. We will assist with such requests to the extent possible.
To exercise any of these rights, please contact us at estimating@facadecreations.co.uk with details of your request. We may need to verify your identity to ensure we don’t disclose data to the wrong person, and in some cases, we may ask for clarification about the scope of your request (for example, if you have had multiple interactions with us). We will respond to all valid requests as soon as possible, and no later than one month from receipt. If we need more time (up to a further two months for complex requests), we will inform you of the extension and the reasons for it. In general, we charge no fee for handling requests, unless a request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request (providing justification).
Data Breach Procedure
Despite our robust security measures, a data breach (incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data) could still potentially occur. Façade Creations has established a clear Data Breach Response Plan to ensure such incidents are handled swiftly and effectively. Our procedure is as follows:
- Detect and Contain: Employees are trained to report any suspected data breach (e.g. lost device, suspicious system activity, or mistaken email to an incorrect recipient) immediately to management. Once a potential breach is reported or detected, we will work quickly to contain it – for example, isolating a compromised system, recalling wrongly sent emails, or changing access credentials to prevent further unauthorized access. We also start a log of the incident, timing, and actions taken.
- Assess: The responsible team (led by senior management and IT, and including our data protection lead) will investigate and assess the scope and severity of the breach. We determine what personal data is involved, how many individuals are affected, the potential consequences for those individuals, and whether the data has been recovered or is still exposed. This risk assessment is done promptly, as it informs our next steps regarding notification.
- Notification: If the breach is likely to result in a risk to the rights and freedoms of individuals (for example, risk of identity theft, financial loss, personal safety, or other significant harm), we will notify the UK Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach, as required by law. Our notification to the ICO will include details of the nature of the breach, categories and approximate number of individuals and records concerned, likely consequences, and measures taken or proposed to address it. If the 72-hour deadline passes and we haven’t gathered all this information, we will submit an initial notification and follow up with more details when available. Additionally, if the breach is likely to result in a high risk to the affected individuals (e.g., leaked sensitive information that could lead to fraud or harm), we will also inform those individuals without undue delay in clear terms about what happened and any steps they should take to protect themselves. We will provide guidance to affected persons on mitigating any adverse effects (such as resetting passwords, watching for suspicious activity, etc.). If the breach does not pose significant risks (for example, if data was encrypted or promptly recovered), we may not need to notify individuals, but we still document the incident internally.
- Review and Prevent: After dealing with the immediate incident, we will conduct a post-breach review to fully understand the cause and identify any areas for improvement. We will take any necessary remedial actions to prevent similar incidents in the future, such as revising procedures, enhancing security measures, or providing additional staff training. All breaches and near-misses are logged in our internal breach register, along with details of our response and outcomes, in accordance with our accountability obligations.
We regard any data breach as a serious matter. By following this procedure, we aim to minimize harm to individuals and learn from incidents to strengthen our data protection measures continuously.
Review & Updates
We keep this Data Protection Policy under regular review to ensure it remains up-to-date with changing laws and our business operations. At a minimum, the policy is reviewed annually. Reviews will also be triggered in the event of significant changes – for example, if new data processing activities are introduced, if there are regulatory changes, or if we have an important finding from a data protection audit or breach investigation.
Updates to the policy will be approved by the company’s leadership. The Director (Hashim Choksi) is responsible for formally approving any revisions and for monitoring ongoing compliance with this policy across the organization. When changes are made, the revised policy will be posted on our website and the “last updated” date will be adjusted accordingly. For substantive changes, we may also notify employees or other affected individuals directly (for instance, via email or an internal memo) especially if the changes impact how we handle their data or their rights.
We also conduct periodic data protection audits and compliance checks (internally or with the help of external advisors) to ensure that our actual practices align with this policy. Any findings from such audits will be used to improve our processes and may result in policy updates or additional training.
By regularly reviewing and updating our policy and practices, Façade Creations reaffirms our commitment to high standards of data protection and adapts proactively to new developments.
ICO and Complaints
We want individuals to have confidence in how we handle personal data. If you have any concerns or complaints about our data protection practices, we encourage you to contact us directly so we can address the issue. In addition, you have the right to lodge a complaint with the UK’s supervisory authority for data protection, which is the Information Commissioner’s Office (ICO). The ICO can be contacted through their website (ico.org.uk) or by phone.
We include information about individuals’ right to contact the ICO in our privacy notices (e.g. on our website and in contractual data protection clauses). We will fully cooperate with the ICO in the event of any investigation. Of course, we hope to resolve any concerns by working with you directly – your trust is extremely important to us.
Contact Us
If you have questions about this Data Protection Policy, or wish to exercise any of your data protection rights, please do not hesitate to contact us:
Email: estimating@facadecreations.co.uk
Postal: Data Protection Enquiries – Façade Creations Ltd, 124 City Road, London, EC1V 2NX, United Kingdom
We will be happy to assist you and will endeavor to respond promptly to all legitimate requests.
Façade Creations Ltd – Registered in England & Wales (Company No. 16267073)
Last Updated: October 2025