Privacy Policy

This Privacy Policy outlines how we, One Stop Building Products Ltd, collect, store, and use information when you interact with our website, https://onestopbuildingproducts.co.uk, or otherwise provide personal data to us.

Summary

Our commitment is to protect your privacy. This summary offers a high-level overview of our Privacy Policy, which you should read in full for a comprehensive understanding.

Data Controller

Data Controller: One Stop Building Products Ltd
Contact: sales@onestopbp.co.uk, 0208 6298291

Information We Collect

  • When you visit our website: Information such as IP address, browser type, and the pages you view, captured through cookies and similar technologies.
  • When you contact us: Details like your name, email address, and any other information you choose to provide.
  • When you place an order: Information including name, address, payment details, and purchase history.

How We Use Your Information

Your data is used to:

  • Fulfill orders and manage your account.
  • Enhance our website, products, and customer experience.
  • Communicate promotional offers (where permitted).
  • Perform administrative tasks and meet legal obligations.

Disclosure of Your Information

Your information may be shared:

  • With third-party service providers (e.g., payment processors and delivery partners).
  • As required by law or to protect our rights.
  • Do we sell your information? No, except as part of a business sale or merger.

Retention of Information

We retain data only as long as needed for business, legal, and tax obligations. For specific retention details, see the full policy below.

Cookies and Tracking Technologies

We use cookies, including essential, analytical, and targeting cookies, to enhance your experience. Learn more in our Cookie Policy.

Transfers Outside the EEA

In certain cases, we may transfer your data outside the European Economic Area, always ensuring appropriate safeguards are in place.

Automated Decision-Making & Profiling

We may use profiling tools like web analytics and targeting cookies to personalise ads and understand user behavior.

Your Rights

You have rights to:

  • Access your information and know how it’s used.
  • Correct inaccurate information.
  • Request deletion of your data.
  • Object to certain processing activities.
  • Withdraw your consent at any time.

Sensitive Information

We do not collect sensitive personal information. Please refrain from submitting such data.

Changes to Our Privacy Policy

We may update this policy periodically. Check this page for the latest version.

Email

When you send an email to the email address displayed on our website we collect your email address and any other information you provide in that email (such as your name, telephone number and the information contained in any signature block in your email). Legal basis for processing: our legitimate interests (Article 6(1)(f) of the General Data Protection Regulation). Legitimate interest(s): responding to enquiries and messages we receive and keeping records of correspondence.
Legal basis for processing: necessary to perform a contract or to take steps at your request to enter into a contract (Article 6(1)(b) of the General Data Protection Regulation). The reason why necessary to perform a contract: where your message relates to us providing you with goods or services or taking steps at your request prior to providing you with our goods and services (for example, providing you with information about such goods and services), we will process your information in order to do so.

Transfer and storage of your information

We use third-party email providers to store emails you send us. Our third-party email providers are Klaviyo and Shopify Online Store. Emails you send us will be stored within the European Economic Area on our third-party email providers’ servers.

Contact form

When you contact us using our contact form, we collect your name, email address and telephone number. We also collect any other information you provide to us when you complete the contact form. Legal basis for processing: our legitimate interests (Article 6(1)(f) of the General Data Protection Regulation). Legitimate interest(s): responding to enquiries and messages we receive and keeping records of correspondence. Legal basis for processing: necessary to perform a contract or to take steps at your request to enter into a contract (Article 6(1)(b) of the General Data Protection Regulation). The reason why necessary to perform a contract: where your message relates to us providing you with goods or services or taking steps at your request prior to providing you with our goods and services (for example, providing you with information about such goods and services we offer), we will process your information in order to do so.

Transfer and storage of your information

Messages you send us via our contact form will be stored within the European Economic Area on the Gsuite (Google) and Klaviyo servers of our third-party email providers in the UK.

Phone

When you contact us by phone, we collect your phone number and any information you provide to us during your conversation with us. We do record phone calls. Legal basis for processing: our legitimate interests (Article 6(1)(f) of the General Data Protection Regulation). Legitimate interest(s): responding to enquiries and messages we receive and keeping records of correspondence.

Legal basis for processing: necessary to perform a contract or to take steps at your request to enter into a contract (Article 6(1)(b) of the General Data Protection Regulation). The reason why necessary to perform a contract: where your message relates to us providing you with goods or services or taking steps at your request prior to providing you with our goods and services (for example, providing you with information about such goods and services), we will process your information in order to do so.

Transfer and storage of your information

Information about your calls, such as your phone number and the date and time of your call, is processed by our third-party telephone service provider BT. Their privacy policy is available here: https://www.productsandservices.bt.com/privacy-policy/.

Post

If you contact us by post, we will collect any information you provide to us in any postal communications you send us. Legal basis for processing: our legitimate interests (Article 6(1)(f) of the General Data Protection Regulation). Legitimate interest(s): responding to enquiries and messages we receive and keeping records of correspondence.

Legal basis for processing: necessary to perform a contract or to take steps at your request to enter into a contract (Article 6(1)(b) of the General Data Protection Regulation). Reason why necessary to perform a contract: where your message relates to us providing you with goods or services or taking steps at your request prior to providing you with our goods and services, we will process your information in order to do so.

Information we collect when you interact with our website

We collect and use information from individuals who interact with particular features of our website in accordance with this section and the section entitled Disclosure and additional uses of your information.

E-Newsletter

When you sign up for our e-newsletter on our website or opt to receive news, offers from us by entering your name and email address and clicking subscribe or ticking a box at checkout indicating that you would like to receive our e-newsletter.
Legal basis for processing: your consent (Article 6(1)(a) of the General Data Protection Regulation). Consent: you give your consent to us sending you our e-newsletter by signing up to receive it using the steps described above.
Transfer and storage of your information
We use a third-party service, Klaviyo, to send out our e-newsletter and administer our mailing list.

Registering on our website

When you register and create an account on our website, we collect the following information: your name, email address, telephone number and any other information you provide to us when you complete the registration form.

Information we collect when you place an order on our website

We collect and use information from individuals who place an order on our website in accordance with this section and the section entitled Disclosure and additional uses of your information. 

Information collected when you place an order

Mandatory information
When you place an order for goods or services on our website, we collect your name, email address, billing address, shipping address, telephone number, company name (if applicable), VAT number (if applicable).
If you do not provide this information, you will not be able to purchase goods or services from us on our website or enter into a contract with us.

Legal basis for processing: necessary to perform a contract (Article 6(1)(b) of the General Data Protection Regulation).

The reason why necessary to perform a contract: we need the mandatory information collected by our checkout form to establish who the contract is with and to contact you to fulfil our obligations under the contract, including sending you receipts and order confirmations.

Legal basis for processing: compliance with a legal obligation (Article 6(1)(c) of the General Data Protection Regulation).

Legal obligation: we have a legal obligation to issue you with an invoice for the goods and services you purchase from us where you are VAT registered and we require the mandatory information collected by our checkout form for this purpose. We also have a legal obligation to keep accounting records, including records of transactions

Processing your payment
After you place an order on our website you will need to make payment for the goods or services you have ordered. In order to process your payment, we use the third-party payment processors Shopify Payments and PayPal.

Transfer and Storage of Your Information

Payment Processing
We use Shopify, located in the UK, as a third-party payment processor. Information related to the processing of your payment is stored within the European Economic Area (EEA) on the third-party payment processor’s servers in the UK.
Legal Basis for Processing: Necessary to perform a contract (Article 6(1)(b) of the General Data Protection Regulation).
Reason for Processing: To fulfill your contractual obligation to pay for the goods or services you have ordered from us.

Marketing Communications

At checkout, you will have the option to opt in or out of receiving marketing communications from us regarding similar goods and services. If you choose not to opt out, we may send you marketing communications about products or services similar to those you have purchased.
You can unsubscribe or opt-out from receiving these communications at any time.

Legal Basis for Processing: Our legitimate interests (Article 6(1)(f) of the General Data Protection Regulation).
Legitimate Interest: Direct marketing and advertising our products and services.

Transfer and Storage of Information:
We use third-party providers, including Klaviyo and Shopify, to manage our mailing list. Information you submit when subscribing to our e-newsletter will be stored within the EEA on the servers of our third-party mailing list providers located in the UK.

Web Beacons and Similar Technologies
We may use web beacons (small graphic files) in our emails to assess the level of engagement, such as delivery rates, open rates, and click-through rates. These technologies will only be used if you have consented to their use.

Information Collected or Obtained from Third Parties

We may receive information about you from third parties, such as affiliates, business partners, or publicly available sources. This information may include your name, contact details, and any additional information provided by the third party.

Legal Basis for Processing:

  • Contractual Necessity (Article 6(1)(b) of the General Data Protection Regulation): We process information from third parties when it is necessary to perform a contract or take steps at your request to enter into a contract with you.
  • Consent (Article 6(1)(a) of the General Data Protection Regulation): If you have asked a third party to share your information with us, we process your data based on your consent.
  • Legitimate Interests (Article 6(1)(f) of the General Data Protection Regulation): In certain circumstances, we may process information based on our legitimate interests, such as investigating legal rights or performance of obligations under subcontracts.

If we receive incorrect information from a third party, or if we do not have a legal basis for processing that information, we will delete it.

Publicly Accessible Sources
In certain cases, we may obtain information about you from publicly accessible sources, such as the electoral register, Companies House, business directories, social media, or media publications.
Legal Basis for Processing:

  • Contractual Necessity (Article 6(1)(b) of the General Data Protection Regulation): To verify or complete information required to provide services to you.
  • Legitimate Interests (Article 6(1)(f) of the General Data Protection Regulation): To pursue potential legal claims or investigate suspected legal infringements.

Our Use of Automated Decision-Making and Profiling

We use automated decision-making and profiling on our website, although this does not have any legal effect on you or similarly significantly affect you. You have the right to object to the use of automated decision-making and profiling as described in this section. You can opt out by managing your cookie preferences in the relevant section below. Additionally, if you do not want us to process your actual IP address (usually assigned by your Internet Service Provider) when you visit our website, you can use a Virtual Private Network (VPN) or a free service such as Tor.

Automated Decision-Making

Automated decision-making refers to decision-making by technological means (e.g., machines) without human involvement. We use automated decision-making for display advertising. Specifically, we automate the display of advertisements containing our products and services on other websites you visit, based on the fact that you have previously visited our website.

Logic Involved: By automatically displaying advertisements to individuals who have visited our website, we can achieve greater efficiencies and cost savings compared to manual advertisement placements.

Significance and Consequences: Cookies will be used to recognise that you have visited our website and display advertisements to you, unless you block such cookies. These cookies will collect information about your online behavior, such as pages you visit and links you click.

Profiling

Profiling refers to any form of automated processing of your information to evaluate personal aspects, such as your performance, economic situation, health, preferences, interests, behavior, location, or movements.

Use of Profiling for Web Analytics:
We use Google Analytics to collect information about your location (based on your IP address) and your behaviour on our website (such as pages visited and items clicked on). We only process this information from cookies if you have consented to us setting cookies on your device.

Logic Involved: By analysing and categorising visitor data, such as location and behaviour, we gain insights into user preferences, enabling us to improve our website, products, and marketing strategies.

Disclosure and Additional Uses of Your Information

This section explains the circumstances under which we disclose your information to third parties and any additional purposes for which we may use your information.

Disclosure to Service Providers

We use various third-party service providers to help run our business and assist us in processing your information. These include:

  • Telephone Providers: Such as BT.
  • Email Providers: Such as Gsuite, Klaviyo, and Shopify.
  • Hosting Providers: Such as Shopify.

Your information will be shared with these service providers when necessary to provide you with the services you have requested, such as accessing our website or ordering goods and services.

Legal Basis for Processing:

  • Legitimate Interests (Article 6(1)(f) of the General Data Protection Regulation): We may share your information with these third parties to allow us to manage and operate our business efficiently.
  • Contractual Necessity (Article 6(1)(b) of the General Data Protection Regulation): We may share information with our service providers to fulfill our obligations under a contract or to take steps at your request before entering into a contract.

The section on the Disclosure of Information to Other Third Parties outlines situations where your information may be shared with external parties such as Google Inc. through the use of services like Google Analytics. The key points are summarised below:

  1. Google Analytics: Information (including IP addresses and cookies) is shared with Google on an anonymised basis to improve Google Analytics services. You can control the data shared with Google through the browser plugin to opt out of Google Analytics.
  2. Legal Obligations: Your information may also be shared with authorities, such as in cases of suspected criminal activity or to enforce legal rights. This is done in accordance with legal requirements or for the legitimate interest of preventing fraud, ensuring legal compliance, and protecting rights.
  3. Third-Party Service Providers: Information is shared with service providers (e.g., email providers, hosting, and telephone providers) to facilitate the functioning of the business. Legal bases for such sharing are typically legitimate interests and performance of contracts.
  4. Retention Periods: The document explains how long various types of data are retained, such as order details (6 years for tax purposes) and correspondence, as long as needed to resolve inquiries.
  5. Security Measures: The document reassures that appropriate security measures are in place to protect your information, including limiting access and ensuring that information is anonymised when possible.
  6. Transfers Outside the EEA: Information, such as that collected by Google Analytics, is stored outside the European Economic Area (EEA), particularly in the United States. Safeguards, like Google's self-certification under the EU-U.S. Privacy Shield, are used to ensure that data transfers comply with GDPR.
  7. Rights of Individuals: You are informed of your rights, such as requesting access to or deletion of your data, restricting processing, withdrawing consent, and objecting to the processing of your information.
  8. Sensitive Personal Information: The policy states that sensitive personal information (e.g., health, religion, or political beliefs) should not be submitted to the site. If it is, you are deemed to have consented to its processing under GDPR regulations.

The Changes to Our Privacy Policy section outlines how updates to the privacy policy are handled, especially in response to either minor or major changes.

  1. Minor Changes: When small updates are made, the Privacy Policy will be revised with a new effective date, and the updated practices will govern the handling of your information from that date onwards.
  2. Major Changes: If substantial changes occur—such as new purposes for processing your data—the company will notify you by email or post a notice on the website. They will inform you of the changes and obtain your consent where necessary before using your data for a different purpose than it was originally collected.
  3. Children's Privacy: The policy emphasises compliance with the Children's Online Privacy Protection Act (COPPA), ensuring that no information is knowingly collected from individuals under 18. If they become aware of receiving such information, they will obtain parental consent or delete it from their records.
  4. Do Not Track (DNT) Disclosures: The company does not respond to Do Not Track signals sent by web browsers, as they use standard technologies like pixel tags and web beacons to monitor visitor activity. Information on how to opt-out of such tracking can be found in the website’s cookies policy.
  5. Copyright, Credit, and Logo: The Privacy Policy is based on a GDPR-compliant template, and the company holds the copyright for the policy. The logo indicates adherence to the GDPR Privacy Policy template provided by GDPR Privacy Policy.