OFA Privacy Notice

Who we are

Once For All Limited (“Once For All”) is a company incorporated and registered in England and Wales with company number 11188766 and its registered office at Midpoint, Alencon Link, Basingstoke, Hampshire, RG21 7PP.

We are part of the Onceforall Group of companies, which includes Fortius VA Limited, Bidwork Construction Software Ltd, The Builders’ Conference, and Builders Profile (UK) Limited. This is not an exhaustive list of entities in the group and is subject to change; however, this policy applies to any entity of the Onceforall Group of companies.

Data Controller

Once For All is the Controller (registered with the ICO under number ZA333098) and is responsible for processing your personal data as described in this privacy notice. This means we decide why we collect your data, how we collect it, what data is collected, how this data is going to be used and how this data is protected.

Our commitment

We respect your right to privacy and are committed to protecting it and complying with data protection law. We will always keep your personal data safe. We will be clear and open with you about why we collect your personal data and how we use it. Where you have choices or rights, we will explain them to you and respect your wishes.

Our contact details

Data protection officer (DPO)

Our DPO, Alex Hewitt, is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, our privacy practices or how we handle your personal data, please contact our DPO at gdpr@onceforall.com.

What is meant by personal data?

Personal data is information which identifies you as an individual. It is anything which may identify you, for example your name, address, bank account details, internet protocol (IP) address, username, or another identifier. Some personal data is unique to you and therefore requires greater protection. This data is referred to as special category data, which includes, to provide a few examples, information regarding your health, religious or philosophical beliefs, race, or ethnicity.

The type of personal data we collect

We may collect and process the following types of data, dependent on your usage of our systems, including but not limited to the following:

  • Identity data including your first name, last name, date of birth, title.

  • Contact data including your billing address, email address and telephone number(s).

  • Insurance Data including company name, address, and coverage values.

  • Employment data including name, job title, company address, email and telephone number and details of your directors and executive officers.

  • Experience and Qualification data including details of qualifications and certificates including but not limited to CSCS cards.

  • Location data for example we may collect your location data from your IP address and telephone codes.

  • Transaction data including details about payments to and from you and other details of services you have purchased from us.

  • Financial Data includes bank account and payment card details, which will be stored by our payment processor.

  • Technical data including IP address, your login data, browser type and version, time zone setting and location, browser plugin types and versions, operating system and platform, and other technology on the devices you use to access our website.

  • Profile data includes your email and password, the services you have used on our site, your use of social media functions on our website for authentication, feedback, survey responses and such information about your health as you provide to us.

  • Usage data includes information about how you use our website and the services you use.

  • Marketing and communications data includes your preferences in receiving marketing from us and our third parties and your communication preferences.

  • Special Category Personal Data is personal data that needs more protection because it is sensitive, and we may collect this type of personal data from you while providing you with our services or during our interactions with you. For example, where you need to provide evidence as part of a question set in our service platform to allow us to meet our obligations to our customers.

  • Aggregated Data. We also collect, use, and share aggregated data such as statistical or demographic data for any purpose. Aggregated data could be derived from your Personal Data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data, which will be used in accordance with this privacy notice.

  • We will not process your special category personal data in order to aggregate it without a lawful basis to do so.

We use different methods to collect data from and about you, including:

  • Personal Data provided directly by you. 

You may give us your personal data by filling in forms or surveys, on our website, or by corresponding with us by phone, email, chat or otherwise. This includes personal data you provide when you:

  1. Make an enquiry regarding our services;

  2. Purchase a service from us;

  3. Give us feedback or contact us.

  • Information we receive from third parties 

We may receive personal data about you from various third parties, such as:

Device data from the following parties:

  1. Analytics providers such as Google, Hotjar, and Crazy Egg

  2. Advertising networks

  3. Search information providers.

Contact, financial and transaction data from providers of technical, payment and delivery services, such as Stripe and Pay360.

Technical data and device data from the following parties:

  1. Analytics providers such as Google Analytics, Hotjar, and Crazy Egg

  2. Advertising networks such as Google and Facebook

  3. Search information providers such as Google.

  4. Providers collecting survey information, such as SurveyMonkey.

  5. Reviews from providers such as Trustpilot

  6. Data feeds from third party sites such as Companies House

How we get the personal data and why we have it

Most of the personal data we process is provided to us directly by you for one of the following reasons:

  • To meet our obligations to you;

  • To contact you in relation to your purchase(s) or to notify you of changes to our service or purchase;

  • To provide you with general information or marketing information about our existing and new products and/or services;

  • To enable other people or businesses to carry out work on our behalf; and/or

  • To give us feedback or contact us.

We also receive personal data indirectly, from the following sources in the following scenarios:

Under the General Data Protection Regulation (GDPR), the lawful bases we rely on for processing this information are:

  • Your consent. Please be aware that you can withdraw your consent at any time. You can do this by contacting us at gdpr@onceforall.com; and/or

  • We have a contractual obligation. For example, where you have paid for a good or a service and it is necessary for us to process your information to provide you with those goods or services.

For administration purposes, for example to:

  1. Meet our obligations owed to you arising from any agreement entered into between you and us;

  2. Take or receive payment, deal with any transaction, respond to your queries, refund requests and/or manage any complaints;

  3. To manage our relationship with you, which may include, notifying you of changes to our terms or our privacy notice;

  4. Processing orders;

  5. To ask you to leave a review, provide us with feedback on our products and/or services or take a survey;

  6. To contact you regarding updates or informative communications related to the products, or services; and

  7. To properly handle the information you submit to us, enabling us to respond effectively. We may also keep a record of these queries to inform any future communications between us and to demonstrate how we communicated with you throughout our contractual relationship.

  • We have a legal obligation. For example, we may be required to use your personal data to comply with laws, such as if we are required to co-operate with a police investigation and/or comply with a court order; and/or

  • We have a legitimate interest. When we rely on this, we will consider and balance any potential impact on you (both positive and negative), and your rights under data protection laws.

Where we process personal data for our own legitimate business interest this relates to us managing our business to enable us to give you the best service/products and most secure experience, including:

  1. When we respond to your queries and complaints;

  2. To run our business, provision of administration and IT services, network security, to prevent fraud, and in the context of a business reorganisation or group restructuring exercise;

  3. To make recommendations to you about services that may interest you;

  4. To measure and analyse the effectiveness of the advertising we serve you;

  5. Ensuring that our marketing is tailored to your interests and to keep our records up to date and to provide you with marketing as allowed by law;

  6. To make suggestions and recommendations to you about goods or services that may be of interest to you and necessary for our legitimate interests;

  7. When we capture your service reviews, for example when you buy goods and services from us, we may follow it up with an enquiry about your experience of the service to help us gauge customer satisfaction;

  8. To use data analytics to improve our products/services, marketing, customer relationships and experiences;

  9. To define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy;

  10. To study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy;

  11. To enforce or apply our website terms of use, our policy terms and conditions, or other contracts; and/or

  12. To exercise our rights, to defend ourselves from claims and to keep to laws and regulations that apply to us and the third parties we work with.

Using your data for other reasons

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose and/or described within our terms and conditions.

Sharing your personal data safely

We require all third parties to respect the security of your personal data and to treat it in accordance with the law.

We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your Personal Data for specified purposes and in accordance with our instructions.

Using personal data for marketing purposes

We may use your information to provide you with information regarding our services and goods we think will be of interest to you.

You can choose to opt out of us using your personal data in this way for marketing purposes by following the unsubscribe link included in each marketing email or by contacting us via email at gdpr@onceforall.com.

Third parties with whom we share Personal Data

We may share your personal data with the following organisations that help us manage our business and deliver our products, applications, or services, or where we are legally obliged to share information, including with:

  1. Any member of our Group of companies, meaning our subsidiaries, our ultimate holding company and its subsidiaries as defined by s. 1159 of the Companies Act 2006;

  2. Business partners, our employees, contractors, consultants, agents, professional advisors, and insurance providers;

  3. Third parties carrying out services on our behalf, including billing, sales, marketing agencies, analytics, data storage, validation, security, fraud prevention and legal services;

  4. GRCI Law for data privacy services;

  5. Stripe for payment processing;

  6. Third-party service providers to assist us with client insight analytics, such as Google Analytics, Hotjar, and Crazy Egg (whose privacy policy can be found at https://www.crazyegg.com/privacy);

  7. Third parties to which we outsource certain services including but not limited to couriers, IT systems or software providers, software development providers, IT support service providers, and document and data storage providers;

  8. Third-party platforms to manage and deliver customer relationship management (CRM);

  9. Third parties in the event of any merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our assets (including without limitation in connection with any bankruptcy or similar proceedings);

  10. Other organisations for the purposes of fraud/crime protection and investigation;

  11. Courts of law and government, regulatory authorities or third parties to the extent required by law, court order or a decision rendered by a competent public authority and for the purpose of law enforcement;

  12. Other third parties where we have asked for your consent;

  13. Certification bodies appointed by Build UK as part of the Common Assessment standard; and/or

  14. Certification bodies and auditors appointed by SSIP.

Why we share your personal data

As a general principle, we share personal data in order to facilitate or improve our services or offers. We will get your express opt-in consent before we share your Personal Data with any third party for marketing purposes.

You can opt out of us using your personal data for marketing purposes by following the unsubscribe link included in each marketing email or by contacting us via gdpr@onceforall.com. From time to time, we may share personal data and other information that we have collected about you:

  1. To get help to run our business, and deliver our products and services to you;

  2. Where we are legally required to do so, such as in response to court orders or legal process, or to establish, protect or exercise our legal rights or to defend against legal claims or demands;

  3. Where we are acquired by or merged with another entity (in which case we will require such entity to assume our obligations under this privacy notice or inform you that you are covered by a new privacy notice);

  4. If we believe it is necessary in order to investigate, prevent or act regarding illegal activities, fraud, or situations involving potential threats to the rights, property or personal safety of any person, or other such circumstances; and/or

  5. If we believe it is necessary to investigate, prevent or act regarding situations that involve abuse of our infrastructure or the Internet in general (such as voluminous spamming, denial-of-service attacks, or attempts to compromise the security of the website infrastructure), or to otherwise protect our assets or rights.

Sharing your personal data

In general, we will store your personal data within the UK. However, there may be circumstances where we may send personal data outside of the country generally for, but not limited to, reasons relating to processing and storage by our service providers. For example, we may have Cloud storage providers or software development teams with data storage facilities in the US, Europe, or other countries.

When we do this, we will ensure it has an appropriate level of protection and the transfer is made in line with Data Protection Law. Often, this protection is set out under a contract with the organisation that receives that information. You can find more details of the protection given to your information when it is transferred overseas by contacting us at gdpr@onceforall.com.

Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties that have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

We periodically test the security of our systems to check for vulnerabilities.

Risk

Unfortunately, the transmission of information via the Internet is not completely secure. Although we will do our best to protect your personal data, we do not have any control over what happens between your device and the boundary of our information infrastructure. You should be aware of the many information security risks that exist and take appropriate steps to safeguard your own information.

Encryption

All information you provide to us is encrypted at rest and in transit. Any payment transactions will be managed by our third-party payment processors and will be encrypted.

Data breach

We have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

Third-party websites, plugins, and services links to other websites

You should be aware that information about your use of this website (including your IP address) may be retained by your ISP (Internet Service Provider), the hosting provider and any third party that has access to your Internet traffic.

Our website may contain links to third-party websites and plugins, for instance a social media login plugin. If you choose to use these websites, plugins, or services, you may disclose your information to those third parties.

We are not responsible for the content or practices of those websites, plugins, or services. The collection, use and disclosure of your personal data will be subject to the privacy notices of these third parties and not this Privacy Notice. We urge you to read the privacy and cookie notices of the relevant third parties.

Use by children

We do not target children, and our website is not intended to attract children. Accordingly, our online services that collect Personal Data are not directed at and should not be accessed by individuals under the age of 18 years, and we request that such individuals do not provide any personal data to us.

Minors must obtain express consent from parents or legal guardians before accessing or providing any personal data. If notified by a parent or guardian, or discovered by other means, that a minor under the age of 18 has provided their Personal Data to us, we will delete the minor’s data that is in our possession.

Retention of personal data

We will keep your Personal Data in line with our data retention policy for no longer than is necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements.

To determine the appropriate retention period for Personal Data, we consider the amount, nature and sensitivity of the Personal Data, the risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Your data protection rights

Under data protection law, you have rights including:

  • Your right to be informed - We have a legal obligation to provide you with concise, transparent, intelligible, and easily accessible information about your personal data and our use of it.

  • Your right of access - You have the right to ask us for copies of your personal data. This right always applies. There are some exemptions, which means you may not always receive all the information. When you request this data, this is known as making a data subject access request (DSAR). In most cases, this will be free of charge; however, in some limited circumstances, for example repeated requests for further copies, we may apply an administration fee.

  • Your right to rectification - You have the right to ask us to rectify personal data you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.

  • Your right to erasure - You have the right to ask us to erase your personal data in certain circumstances. We have the right to refuse to comply with a request for erasure if we are processing the Personal Data for one of the following reasons:

  1. To exercise the right of freedom of expression and information.

  2. To comply with a legal obligation.

  3. To perform a task in the public interest or exercise official authority.

  4. For archiving purposes in the public interest, scientific research, historical research, or statistical purposes.

  5. For the exercise or defence of legal claims.

  • Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal data in certain circumstances. We will still hold the data but will not process it any further. This right is an alternative to the right to erasure. If one of the following conditions applies, you may exercise the right to restrict processing:

  1. The accuracy of the Personal Data is contested.

  2. Processing of the Personal Data is unlawful.

  3. We no longer need the Personal Data for processing, but the Personal Data is required for part of a legal process.

  4. The right to object has been exercised and processing is restricted pending a decision on the status of the processing.

  • Your right to object to processing - You have the right to object to processing in certain circumstances. You can also object if the processing is for a task carried out in the public interest, the exercise of official authority vested in you, or your legitimate interests (or those of a third party).

  • Your right to data portability - This right only applies if we are processing information based on your consent or for the performance of a contract and the processing is automated.

Please contact us at gdpr@onceforall.com if you wish to make a request.

How to exercise your rights

In most circumstances, you do not need to pay any charge for exercising your rights. We have one calendar month to respond to you.

To exercise your rights or get more information about exercising them, please contact us using the details above and providing us with enough information to identify you.

How long will you use my personal data for

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting, or other requirements.

How to complain

If you have any concerns about our use of your personal data, we hope we can resolve any query or concern you may have in relation to our processing of your personal data and ask that you contact us in the first instance at gdpr@onceforall.com.

You can, however, at any time contact the Information Commissioner’s Office (ICO) if you are unhappy with how we process your personal data or if you are unhappy with our response to your complaint, using the contact details below:

ICO website

Helpline number: 0303 123 1113 

ICO postal address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF