SUBSCRIBE AND SAVE 15% – LEARN MORE

Privacy Policy

Let’s start with introductions

Your personal information is collected and processed by Burgess Group PLC. The protection and integrity of your personal data is very important to us.

Company Registration

Our company registration details are:

Naturevito Ltd is a company incorporated in England and Wales.
Registration number 06758577
Registered office: Norfolk House, 24 Market Pl, Swaffham PE37 7QH

We’re protecting your data

This Policy has been adopted by Naturevito Ltd

In this Policy, “we”, “us”, “our” or “Controller” refers to Naturevito Ltd, or any organisation belonging to Naturevito Ltd, as appropriate.

We are committed to safeguarding your personal data. This Policy describes how we collect, use, disclose and process your personal data, and applies to personal data we collect about you.

This Policy supplements but does not supersede or replace any other consents you may have provided to us, or any other agreements or arrangements that you may have with us, in respect of your personal data.

A culture of privacy and data security

Data protection and privacy is ever-changing and enhancing the rights of our customers. As such, we review our uses of personal data and may amend this Policy from time to time to reflect changes in applicable laws or the way we handle personal data. Any updated Policy will supersede earlier versions and will apply to personal data provided to us previously.

You are encouraged to re-visit our Policy from time to time so that you are aware of our culture of privacy and relevant updates we have made to our Policy.

Personal data provided by you and others

What is personal data?

Under the EU’s General Data Protection Regulation (GDPR) personal data is defined as:

“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

You can voluntarily provide personal data

We collect personal data that you voluntarily provide to us. The personal data we collect will often depend on the purposes for which the personal data are collected and what you have chosen to provide.

You always have the choice not to provide us with personal data. If you have provided your consent for us to process your personal data, you also have the right to withdraw your consent by contacting our Data Protection Officer. However, if you do so, it may not be possible for us to fulfil the specific purposes for which we were given consent, it could include the provision of products and services you have requested.

Accuracy and completeness of personal data

It is important that the personal data we hold about you is accurate and up to date. We would ask you to inform us if there are any inaccuracies with the personal data that we have recorded about you and we will act to update your personal data as required.

In some situations, you will have the ability to update your own information, for example, if you were to create an account on our website. We see it as your responsibility to ensure that all personal data that you provide is accurate and complete, and to inform us of relevant changes to your personal data.

Personal data belonging to children

Our website and our services are not intended for children and we do not knowingly collect data relating to children. If you are under the age of 13, please obtain consent from your parent or guardian before you submit any personal data to us. If you are a parent or guardian of a minor and you have reason to believe your child or ward has provided us with their personal data without your prior consent, please contact us to request for the erasure of their personal data or for the minor to be unsubscribed from our mailing lists.

Categories of personal data we may collect

We may collect, use, store and transfer different kinds of personal data about you which we have categorised as follows:

Identity Data

Data specifically related to identity may include, first name, maiden name, last name, marital status, title, date of birth, national insurance details and other recognised official identity documents.

Contact Data

The contact information for you and others could include, email addresses and telephone numbers, postal address details and social media handles.

Financial Data

To fulfil our services to you we process financial data which may include bank account information, direct debit information and payment card details, and there may be a requirement for us to collect, process and make a decision on other financial information, but we will let you know about this first.

Technical Data

In this technical age, there’s quite a bit of technical data around, including internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website. Our website also gives us information about how you use our website.

Marketing and Communications Data

We make it our business to develop lasting relationships and to help with this we will be processing data about your preferences in receiving marketing from us and your communication preferences. But don’t worry, we’re not interested in bombarding you with marketing content, just timely and relevant information about services and products we care about and that we think are relevant to you. We put you in control, so you always have the option to decline this or opt-out at any point.

Special Categories of Personal Data

There may be instances where special categories of personal data are disclosed to us, but this is incidental and not part of an organised processing activity.

How we may collect personal data

Personal data you voluntarily provide to us

We collect personal data that is relevant to our relationship with you. Your personal data may be collected by us, directly or indirectly, for instance:

  • if you subscribe to our mailing lists;
  • if you attend events or meetings organised by us, or conducted at our offices, for example, sales events, promotional and marketing events, training sessions and social events;
  • when your images are captured by us via CCTV cameras while you are within the properties we operate and use, or when photographs or videos of you are taken when you attend events, meetings or training sessions organised by us;
  • when you use our services or enter into transactions with us, or express an interest in doing so, including services, products and transactions which you utilise in-person or electronically;
  • when you communicate with us by telephone, email, via our website or through other communication channels, for example, through social media platforms;
  • when you voluntarily provide documents or information including your CV or;
  • when you submit your personal data to us for any other reason.

Personal data that has been provided by others

Depending on your relationship with us, we may also collect your personal data from third party sources, for example:

  • from your family members, friends or colleagues who provide your personal data to us on your behalf or;
  • from public agencies or other public sources, for example, the Electoral Register, Companies House.

Personal data that can be collected automatically

As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We’ve structured our website in a way that asks for your consent for certain cookies, we value your privacy and data rights. For more details about the cookies we use, head over to our Cookie Policy.

External links on our website

Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy notice. You should exercise caution and look at the privacy notices applicable to the website in question.

Specific purposes and legal basis for processing your information

Lawful basis

We will always have a lawful basis for processing personal data, and we have methodically assessed our purposes and legal bases. Here is a breakdown of our purposes and the lawful bases: –

Processing activity

Data category

Our lawful basis

Specific purpose, safeguarding and the respect of individual’s data rights

Individual communication via email, post or telephone Contact data Performance of a contract In order to fulfil the service or product that you have enquired about, where we have been contracted to fulfil a service or product and to facilitate our relationship with you, your business or colleagues. You can of course ask us not to contact you, but it’s likely to affect our ability to fulfil our obligations to you.
CRM system data capture, storage and analysis. Identity, Contact & Financial data Legitimate Interest We collect and store information about our engagements with customers, which may include personal data belonging to staff, customers and other third parties. It is in our legitimate interest to process data in our CRM systems to ensure the smooth operation of our business, effective planning and an efficient customer experience. You may request access to, the rectification of or erasure of details we have stored about you.
Customer service tickets Identity, Contact, Technical data Performance of a contract We collect, process and store information for the specific purpose of fulfilling our services, which may include personal data belonging to staff, customers and other third parties. We process data in this way to ensure the smooth operation of our business, effective planning and to deliver a great customer experience. You may request access to, the rectification of or erasure of details we have stored about you, where appropriate.
Training and other corporate events Identity, Contact, Special category health data Performance of a contract / Consent The information you provide will be used to communicate with you about your attendance at the event and to follow-up on your experience post-event. The personal information we may process could include your name, job title and employer, address and phone number, email address, dietary requirements, access requirements. We will ask for your consent to process health-related data.
Email marketing to other businesses Identity & Contact data Legitimate Interests Where we are looking to have, or we already have a business to business relationship with you or your organisation, we will look to provide you with interesting and relevant services, products and projects. You are more than welcome to opt-out of receiving our marketing information by using the Unsubscribe feature in our emails or by contacting us.
Email marketing to consumers Identity & Contact data Legitimate Interest Where we would like to let our customers know about our services, products or projects we will obtain the consent of those individuals. It’s important to make clear that consumers have the right to withdraw consent at any time or to opt-out of direct marketing.
Postal marketing to businesses and consumers Identity & Contact data Legitimate Interest We only ever aim to provide customer or potential customers with well designed, relevant and interesting products and so our marketing material should be the same. We’re not fans of spam, so we won’t be spamming anyone with lots of unnecessary postal marketing material. Recipients may ‘opt-out’ of postal marketing via the contact details provided. In any case, we will make it our business to check the Mail Preference Services before undertaking marketing materials.
Telephone marketing to other businesses Identity & Contact data Legitimate Interest We’re not fans of nuisance phone calls, so we won’t be spamming anyone with lots of unnecessary calls. Recipients may ‘opt-out’ of telephone marketing by either letting our team members know or by contacting us at any point. In any case, we will make it our business to check the Telephone Preference Services before undertaking marketing activities.
Images and film footage Identity Data Consent & Legitimate interest We may take photographs and / or video footage at our offices or at an event we host, which could capture personal data of staff, customers, visitors and other third parties. We will always notify participants when a photographer or filmmaker is present at our offices or events. There is a legitimate interest in processing personal data in a crowd setting, but we may also as for consent when an individual is clearly identifiable from the photograph or video footage and where photos are to be published alongside a name or other personal identifier. You have the right to withdraw consent at any time or to opt-out of this processing activity. We will respect the wishes of anyone who signals their desire not to have their image taken. Images or footage recorded as part of our mobile job processing is not intended to capture personal data.
Collection/analysis of statistical information about website usage Technical & Usage data Consent To manage and improve how people engage with our public-facing channels. The information we collect tells us about how you use our website, what links you follow and tells us what you’re most interested in.
Account Administration Identity, Contact & Financial data Performance of a Contract We may disclose your personal data to third parties who provide services to us, including our service providers and data processors (providing services such as hosting and maintenance services, analysis services, e-mail messaging services, delivery services, handling of payment transactions, marketing, and professional services).

Specific third parties we share your information with include: –

WooCommerce to help us process your orders.

Stripe to help us process your payments.

We use fulfilment partners to help us process your orders.

We have logistics partners that help us deliver your orders.

Security and Safety Identity, Contact, Technical & Usage data Legal Obligation & Legitimate Interest We may process personal data for the specific purposes of security and safety. This is in connection with the buildings that we own and/or rent, or events organised by us or conducted at the buildings we own and/or use, and through the systems that we operate throughout the organisation. Personal data may include door access logs or visitor’s logs.
Customer engagement metrics Identity, Contact, Technical & Usage data Legitimate interest We may contact you during and after the fulfilment of the services you request from us.

We may engage with you to understand how well we’ve done or if there are areas we could improve on. We have a team of Customer Service staff that will review the feedback requests, and we also use some technical methods to automatically assess the nature of the feedback we receive.

When you provide consent to processing

Where you have given your consent for us or a 3rd party of ours to process your data, you can withdraw your consent at any time. Where consent has been used as the lawful basis for processing data, the information we provide about our processing activities will be fair, transparent, and unambiguous and you will have the power to decide whether you give consent.

Where legitimate interest is the most appropriate lawful basis

When processing your personal information is a legitimate interest of ours or a third-party, we undertake legitimate interest assessments to ensure that our processing is not overridden by the interests, rights and freedoms that you have been afforded by data protection legislation.

Use permitted under applicable laws

We may also collect, use, disclose and process your personal data, without your knowledge or consent, where this is required or permitted by law.

Using your personal data to contact you

When we contact or send you information for the purposes described above, we may do so by post, email, SMS, telephone or such other means provided by you. If you do not wish to receive any communication or information from us or wish to restrict how we may contact or send you information, you can let us know by contacting our Data Protection Officer.

Data being transferred outside of the EEA

In the provision of our services to you, we use data processors that are outside of the European Economic Area (EEA).

The General Data Protection Regulation has strict rules about data transfers to international organisations and we use approved data transfer mechanisms wherever we transfer personal information to a country that is outside the EEA, known as “third countries”. Approved transfer mechanisms that are utilised include, transfers safeguarded using contracts with model clauses and transfers based on an existing adequacy agreement between the EU and the receiving third country.

We take extra steps to ensure comprehensive due diligence of the data processing activities of our data processors.

If you would like any more information, please get in touch by contacting our Data Protection Officer, details can be found at the start of this Privacy Policy.

The security of your personal data

Unauthorised access

We have put in place security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

Specific access

We limit access to your personal data to those employees, agents, contractors and other third parties who have been authorised to access your personal data.

Vulnerabilities

We have put in place procedures to deal with any suspected personal data breach and will notify you and the appropriate supervisory authority of a breach where we are legally required to do so.

However, we cannot guarantee that our systems or applications are invulnerable to security breaches, nor do we make any warranty, guarantee, or representation that your use of our systems or applications is safe and protected from viruses, worms, Trojan horses, and other vulnerabilities.

We also cannot guarantee the security of data that you choose to send us electronically. Sending such data is entirely at your own risk.

How long we keep personal data

Our retention schedules

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Details of retention periods for different aspects of your personal data are available and you can request more details of that by contacting our Data Protection Officer.

By law, we may have to keep certain information about our customers and this data will be held solely and securely for those legal purposes.

You have rights when it comes to your personal data

At any point while we are in possession of or processing your personal data, you, the data subject, have the following rights:

Right of access

You have the right to request a copy of the information that we hold about you. Access to a copy of your personal information is often known as a Subject Access Request, is usually free of charge and we have a one-month time period with which to respond.

If requests for information are particularly complex or you have submitted multiple requests, the law permits an extension to the one-month timeline of up to two further months. It is also permitted to apply a fair administration fee for access requests that are deemed manifestly unfounded or excessive or if further copies of data are requested.

Finally, the law allows an organisation to refuse a Subject Access request where the request is deemed to be manifestly unfounded or excessive. Any such decision would need to be made on a case by case basis.

Right of rectification

You have a right to review and correct data that we hold about you that is inaccurate or incomplete.

Right to be forgotten

In certain circumstances, you can ask for the data we hold about you to be erased from our records. As detailed within data protection law, a request to be forgotten is not an absolute right and will be assessed on its merits.

Right to restriction of processing

In certain conditions, you can exercise a right to restrict the processing of personal data. In particular, where we don’t have to process the data to meet a contractual or other legal requirements, or where we are using the data for direct marketing.

Right of portability

You have the right to have the data that you have provided to us, for the fulfilment of a contract or where you have provided your consent, transferred in a structured and machine-readable format to another organisation.

Right to object

You have the right to object to certain types of processing, for example where we process your personal data for marketing purposes, this is an absolute right. You will be able to object to or opt-out of any marketing message we send you.

Right to object to automated processing, including profiling

You also have the right to object to processing that is automated and involves decision making likely to have a legal effect on you.

Right to lodge a complaint

In the event that we refuse your request under these rights of access, we will provide you with a reason as to why. You have the right to complain and we have provided a specific section on this below.

All of the above requests will be forwarded on should there be a third party involved in the processing of your personal data.

You can request access to your personal data

At your request, and for the specific right of access that you have, we can confirm what information we hold about you and how it is processed. There are elements of the information below contained within this Privacy Notice and we would refer you to the relevant sections. Otherwise, you can request the following information:

  • Identity and the contact details of the person or organisation that has determined how and why to process your data.
  • Contact details of the data protection officer, where applicable.
  • The purpose of the processing as well as the legal basis for processing.
  • If the processing is based on the legitimate interests of our business or a third party, information about those interests.
  • The categories of personal data collected, stored and processed.
  • Recipient(s) or categories of recipients that the data is/will be disclosed to.
  • If we intend to transfer personal data to a third country or international organisation, information about how we ensure this is done securely. The EU has approved sending personal data to some countries because they meet a minimum standard of data protection. In other cases, we will ensure there are specific measures in place to secure your information.
  • How long the data will be stored.
  • Details of your rights to correct, erase, restrict or object to such processing.
  • Information about your right to withdraw consent at any time.
  • How to lodge a complaint with the supervisory authority.
  • Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the personal data and the possible consequences of failing to provide such data.
  • The source of personal data if it wasn’t collected directly from you.
  • Any details and information about automated decision making, such as profiling, and any meaningful information about the logic involved, as well as the significance and expected consequences of such processing.

What forms of ID will I need to provide to access my data?

We will assess the information we process on your behalf, and if we are unable to verify your identity through existing security checks, we may request additional identification that could include: –

Passport, driving licence, birth certificate, utility bill from the last 3 months.

What to do when things don’t go as planned

We hope it would never come to this, but if there was ever an occasion where you wanted to make a complaint about how your personal data is being processed by us or third parties, or how your complaint has been handled; you have the right to lodge a complaint directly with the supervisory authority.

UK’s Supervisory Authority

The UK’s supervisory authority is the Information Commissioners Office.

Postal Address:

Information Commissioner
Information Commissioners Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Web: https://ico.org.uk/make-a-complaint/

Telephone: 0303 123 1113

Do get in touch if you’d like more information about this privacy policy

If you have any queries about this Policy, please feel free to get in touch with Naturevito Ltd and we will do our best to answer your questions.

This Privacy Policy is effective from September 2020.

footer-foliage