We take privacy and the protection of personal information seriously. This privacy notice sets out details about how we gather, use and share personal information and about individual privacy rights. How we use personal information depends upon the context in which it is made available to us.

Our Data Protection Officer (DPO) provides help and guidance to make sure we apply good practice standards to protecting personal information. Our DPO can be reached by email at dpo@donaldson-timber.co.uk if you have any questions about how we use personal information.

The privacy policy is issued by and on behalf of the James Donaldson Group. The James Donaldson Group is made up of different legal entities, details of which can be found here.

When we say "we", "us" or "our" in this privacy policy, we are referring to the relevant company in the James Donaldson Group responsible for processing your data.

Please note our DPO represents the James Donaldson Group as a whole, and any enquiries about how personal data is used by any Group entity should be directed to the DPO. We do share personal data with other subsidiaries within the Group.

We use a variety of personal information depending on the circumstances under which personal information is made available to us.

We may use personal information in the following circumstances:

• where you are opening a trade credit account with us, we will collect the names, dates of birth and personal addresses of the owners of the business opening the account. We may also need to conduct credit checks against the owners and/or the business they represent. This may involve us processing personal information that is provided to us by credit reference agencies. More information about this is set out in paragraph 10 below;
• if you are ordering goods via our websites at timbercut4u.co.uk, www.mgmtimber.co.uk or www.buzzhomeoffice.co.uk we will collect names, billing address, delivery address, order details and payment information (including debit or credit information) about you;
• we collect names, email addresses, phone numbers, CV's and any other information provided to us by job applicants applying for a role with us;
• we hold the names, job titles, employer details and professional contact details for various business contacts, including client contacts and supplier contacts; and
• when you visit our websites, we collect some technical information about your visit using cookies. More information about our use of cookies is available in our Cookies Policy;
• we hold the names, addresses and bank account details of shareholders in order to maintain our share register, pay dividends and send notices of meetings;
• we hold the names, addresses and bank account details of loan account holders in order to maintain loan account records, send out statements and process withdrawal instructions; and
  we may use names, postal addresses and email addresses for marketing purposes.

We may use your personal information for the following purposes:

• to perform our contract with you to deliver the goods you have ordered from us and process your payment;
• to allow us to process your trade credit application and to provide you (or the business you represent) with goods and services;
• to allow us to run checks for identification and creditworthiness, whether via credit reference agencies or checking the Electoral Register and other databases which contain publicly available information about judgements, bankruptcy and repossessions;
• to allow us to manage your trade credit account;
• to allow us to ask for your feedback, assess customer satisfaction and to improve our overall operations;
• to communicate with you by sending you information about our products and services that we think may be of interest to you. We will not send you marketing communications if you have not given us your consent to do this, or if you have given us your consent and then changed your mind and unsubscribed;
• to validate your information to check that the data we hold about our customers is accurate, consistent and up to date; and
• to comply with any legal or regulatory obligations to which we are subject.

We will only use your personal information where it is permitted by law and where:

• we need to use your personal information to perform a contract with you (e.g. where you are a consumer or where you are a sole trader representing yourself);
• we need to use your personal information to comply with our legal or regulatory obligations;
• you have given us consent to use your personal information (if consent is needed we will ask for this from you separately); and
• it is in our legitimate business interests to be able to comply with our obligations and exercise our rights under our contract with the corporate entity you represent, and there is no disadvantage to you or risk to your personal information.

If you do not provide us with the personal information we request from you, or if you do not allow us to process your personal information that we may obtain from other sources (such as credit reference agencies), we may not be able to offer you our products or services, or continue to administer any services that you have with us.

We may share your personal information with:

• other members of our corporate group, for example your personal information may be held on group-wide IT systems;
• our service providers who process and store data on our behalf (such as our IT service providers);
• our professional advisers;
• our insurers;
• any guarantor to a credit agreement with us;
• credit reference agencies;
• law enforcement, taxation and legal authorities;
• claims handling agencies; and
• debt recovery agencies.

We may also share your personal information with third parties in the event that:

• our business or substantially all of its assets are acquired by a third party;
• if we are under a duty to disclose or share your personal information;
• in order to comply with any legal or regulatory obligation;
• in order to enforce or apply any contract with you (or the business you represent); or
• to protect our rights, property, or the safety of our employees, customers or others.

We keep your personal information for as long as we need to for the purposes we have set out above. Usually, we will retain your information for 5 or 6 years after the termination of our contract with us as may be required by law, unless there is an exceptional business purpose in which this time period needs to be extended. If you would like to see a copy of our retention policy, please contact our DPO.

We will treat all of your personal information in strict confidence and we will take all reasonable steps to keep your personal information secure once it has been transferred to our systems. We adopt appropriate data collection, storage and processing practices and security measures to protect against unauthorised access, alteration, disclosure or destruction of your personal information. If you would like more information about the security measures we use to protect your data, please contact our DPO.

We do not transfer your personal data outside of the European Economic Area. If this changes, we will update this notice and announce this change on our main website homepage.

In order to process your application, we will perform credit and identity checks on you with one or more credit reference agencies. We may also make periodic searches at credit reference agencies to manage your account with us.

To do this, we will supply your personal information to credit reference agencies and they will give us information about you. This will include information from your credit application and about your financial situation and financial history. Credit reference agencies will supply to us both public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information.

We will use this information to:

• assess your creditworthiness and whether you can afford to take the product;
• verify the accuracy of the data you have provided to us;
• prevent criminal activity, fraud and money laundering;
• manage your account(s);
• trace and recover debts; and
• ensure any offers provided to you are appropriate to your circumstances.

We will continue to exchange information about you with credit reference agencies while you have a relationship with us. We will also inform the credit reference agencies about your settled accounts. If you borrow and do not repay in full and on time, credit reference agencies will record the outstanding debt. This information may be supplied to other organisations by credit reference agencies.

When credit reference agencies receive a search from us they will place a search footprint on your credit file that may be seen by other lenders.

If you are making a joint application, or tell us that you have a spouse or financial associate, we will link your records together, so you should make sure you discuss this with them, and share with them this information, before lodging the application. Credit reference agencies will also link your records together and these links will remain on your and their files until such time as you or your partner successfully files for a disassociation with the credit reference agencies to break that link.

The identities of the credit reference agencies, their role also as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights with the credit reference agencies can be obtained from our DPO.

Data protection laws give you a number of rights as set out below. If you would like to exercise any of your rights, please contact our DPO in writing.

• Access: you may request access to a copy of your personal information.
• Withdraw Consent: where our processing of your personal information is based on your consent, you can withdraw your consent at any time.
• Rectification: you may ask us to rectify any inaccurate information we hold about you.
  Erasure: you may ask us to delete the personal information we hold about you, where there is no reason for us to continue to hold your information.
• Portability: you may ask us to provide you with the personal information that we hold about you in a structured, commonly used, machine readable format, or you can ask us to send your information in this format to another controller.
• Object: you may object to our processing of your personal information.
• Restriction: you can ask us to restrict the personal information we use about you where you have asked for it to be erased or where you have objected to our use of it.

If you are not happy with the way in which we process your personal information, or the way in which we handle any request by you to exercise your privacy rights, you may make a compliant to the ICO by visiting their website at https://ico.org.uk/concerns/ or on 0303 123 1113.

We may modify this notice from time to time, so please review it regularly. We will let you know if we make any material changes to this notice by means of an announcement on our website homepage or, if appropriate, by contacting you directly.