Privacy Policy

Customer Privacy Notice

We Take Your Privacy Seriously

Rest assured - at GAP we’re 100% committed to protecting your privacy and security.

We’ve been in the business for well over two decades - and are customers of hundreds of suppliers
ourselves. So we completely understand how important it is to respect the information you’ve given
us about yourself.

You’ll have heard by now about some new rules governing what can and can’t be done with
information about you.

They’re contained within the General Data Protection Regulation (GDPR) - and we’ve been studying
them for months to make sure we’re crystal clear about our obligations.

In anticipation of the changes, we’ve re-written the Customer Privacy Notice and our Data
Protection Policy to cut through the legal jargon and spell out exactly what we do with what you’ve
told us about yourself and your business.

In a nutshell, it all boils down to five GAP Privacy Pledges. We promise that we will:

1.  Only use the information you give us to improve the service we deliver

2.  Protect your data like it’s our own

3.  Only ever talk your language. No nonsense, no spam, and no cleverly worded sentences that
leave you baffled!

4.  Give you the power to decide what and how you hear from us

5.  Delete your information as soon as we no longer need it

This Customer Privacy Notice sets out what personal data we, GAP, hold about you and how we
collect and use it. It applies to all customers whether you’re another business buying our products
or a home owner using our websites.

We are required by data protection law to give you the information in this Privacy Notice.  It is
important that you read the Privacy Notice carefully, together with any other similar or additional
information that we might give you from time to time about how we collect and use your personal
data.

This Privacy Notice applies from 25 May 2018, when the General Data Protection Regulation comes
into force. It does not give you any contractual rights. We may update this Privacy Notice at any
time.

Who is the controller?

GAP Ltd (Partnership Way, Shadsworth Business Park, Blackburn, BB1 2QP) is the “controller” for
the purposes of data protection law. This means that we are responsible for deciding how we hold
and use personal data about you.

We also have a dedicated Data Protection Team that is committed to making sure GAP is looking
after all your information. If you have any queries, you can reach our Data Protection super-team on
privacy@gap.uk.com.

So what is personal data?

Personal data means any information relating to a living individual who can be identified (directly or
indirectly) using the information you give us (e.g. name, job title, company address, email address,
mobile number etc.). It can be factual (e.g. contact details or date of birth), or an opinion about an
individual’s actions or behaviour.

Data protection law divides personal data into two categories: ordinary personal data and special
category data. Any personal data that reveals racial or ethnic origin, political opinions, religious or
philosophical beliefs, trade union membership, physical or mental health conditions, sexual life or
sexual orientation, or biometric or genetic data that is used to identify an individual is known as
special category data. (The rest is ordinary personal data.) But don’t worry; we don’t collect special
category data from our customers!

What type of ordinary personal data do we hold about you and why?
We collect, hold and use the following types of ordinary personal data about you:

  • Publicly available information about you, such as your business social media presence, numbers on vans, contact email.
  • Data including: name, address, email address, company registration number, company VAT number, your account activity, contact number etc.
  • We also record calls for quality and training purposes.

We hold and use this personal data so that we can:

  • Process your order/query and correspond with you about it.
  • Make sure you are receiving the quality of service you expect.
  • Invoice you for your order.
  • Chase outstanding payments.
  • Maintain your account with us.
  • Maintain any warranties.

In addition to this, there’s our marketing programme.

If you’ve said we can do so, we’ll send you marketing messages by email, text and snail mail to keep
you aware of what we’re up to and to help you see and find our products.

You can stop receiving marketing messages from us at any time, by:

  • Telling us not to talk to you any more via settings in your Account dashboard
  • Clicking on the ‘unsubscribe’ link in any email
  • Contacting us at privacy@gap.uk.com

Once you do this, we’ll update your profile to ensure that you don’t receive further marketing
messages. Please note though, that because GAP operates a large and complex number of marketing
projects and web sites, it might take a few days for all our systems to be updated. So you might get
messages from us while we process your request.

What are our legal grounds for using your ordinary personal data?

The new regulations set out specific reasons under which we can process this information about
you.

When we ask you for your details, we will use one or more of the following reasons as to why we are
asking for it:

  • We need it to take steps (at your request) in order to enter into a contract with you.
  • We need it to comply with a legal obligation, e.g. the obligation to provide the goods you have purchased.
  • It is necessary for our legitimate interests (or those of a third party) and your interests and your rights (we will cover these later!) do not override those interests (legitimate interest).
    For example, if you send us an enquiry through our Rockdoor website, it is in our legitimate interest to give you a call to follow up on the query.

How do we collect your data?
You provide us with most of the personal data about you that we hold and use, for example when
you come into our branches and give our friendly trade counter team your information.

Some of the personal data we hold and use about you is generated from internal sources. For
example, we may make notes against your account on our internal CRM system to specify your
preferences.

Some of the personal data about you that we hold and use may come from external sources.  For
example: if you drive around with your number on a van!

Who do we share your personal data with?
We may share some of your data with the following people. The types of data and our legal grounds
for doing so are detailed below:

  • Where you make an enquiry on our Rockdoor website, we may pass some of your information on to our trusted installers.
    We have a legitimate interest in sending your details to them so they can help you with your Rockdoor purchase.
    The data we share may include: name, address, contact number, email address etc.
  • We may share customer information with delivery companies when we need to send a product to you quickly.
    We use companies such as Royal Mail and DPD. We need to share your data with these companies to perform
    the contract we entered into with you.
  • A big part of business operations is undertaking a spend analysis. This means that we share customer information with a data company called More2.
    We have a legitimate business interest for sharing this information.
  • Every year we are audited by financial authorities. As part of this process they will have access to customer information to make
    sure we aren’t being fraudulent in our activities. This is a legal obligation that we have as part of our business operations.
  • We may share a customer’s details with county courts and debt collectors in the event that the customer fails to pay a debt owed to us.
  • In special circumstances at your request, we may share your personal data with suppliers and manufacturers.
    We only do this in special circumstances and we will speak to you about it first!
  • We may share your information with the providers of the specialist systems we use to store and process your data. If we have system issues,
    these providers may require access to our systems and your data. Don’t worry, system errors very rarely happen and the information the
    system providers see is very limited. Examples of this include: SAP, Sage, Infopos, Access Dimensions etc.
  • We also invest in understanding how you came to find us on the internet. This means we share things like mouse-clicks and
    IP addresses with companies like inspectlet.com. We have a legitimate business interest in finding out this information as it
    helps to improve our websites.
  • When you place a Rockdoor order through a portal, this is hosted by a third party company who host all of our data. We are
    satisfied that they have taken steps to ensure that this is secure and only the necessary GAP employees can see your
    personal data. We have a legitimate business interest in using their services and hosting platform.
  • If you choose to request our email newsletter and explicitly give your consent for us to send you subsequent issues
    and other marketing material via our opt-in process, the email address that you submit to us will be stored in our database
    and also forwarded to Adestra who provide us with email marketing services. We consider Adestra to be a third party data processor.
  • We may share your information with our suppliers to tell you about a new branch opening or exciting offers. For example,
    we may share your company address with a printing supplier to send you information about a new branch opening.

Consequences of not providing personal data
If you do not wish to provide us with your information, that’s entirely your choice. Please bear in
mind that if you don’t provide us with the information we require for the reasons we have stated,
we won’t be able to supply you with our fantastic products and services and may not be able to
administer your GAP trading account, if you have one.

How long will we keep your personal data?
We hate saying goodbye, but we’ll only hold onto your information for as long as it’s needed to be
able to fulfil our contract to supply you and provide our services to you or (in the case of any contact
you may have with our Customer Care team) for as long as it’s necessary to provide support-related
communication or reporting.

If we think it’s reasonably necessary or if we’re required to meet legal or regulatory requirements,
resolve disputes, prevent fraud and abuse, or enforce our terms and conditions, we may also keep
hold of some of your information as required even after you have closed your Account – assuming
it’s no longer needed to provide services to you.

If you make a purchase from GAP and that product comes with a warranty, we would keep your
personal data for as long as that warranty applies. For example, if you purchase a Rockdoor, we
would keep your information for 10 years in line with your warranty.

When you make an enquiry through Rockdoor.com, we will seek your permission to pass your details
to one of our recommended installers. If you are happy for us to do so and this doesn’t result in a
purchase, we will not keep your information for any longer than 6 months after the date we pass
your details on. If after 6 months you are still in the process of deciding or receiving a quote, we
will leave your details in our system for a further 6 months, meaning we will not keep your details any
longer than 12 months in total.

Your rights
The new regulations set out the rights that everyone has if a business is processing data about you.
They are:

  • The right to make a subject access request. This enables you to receive certain information about how we
    use your data, as well as to receive a copy of the personal data we hold about you and to check that
    we are doing exactly what we say we are doing!
  • The right to request that we correct incomplete or inaccurate personal data that we hold about you.
    This speaks for itself: if we have the wrong email address or phone number, you have the right to tell us to make it right!
  • The right to request that we delete or remove personal data that we hold about you where we don’t have a good reason
    for keeping hold of it. You also have the right to ask us to delete or remove your personal data where you have exercised
    your right to object to processing (see below).
  • The right to object to our processing your personal data where we are relying on our legitimate interest
    (or those of a third party), where we cannot give a good reason for processing the data about you.
  • The right to request that we restrict our processing of your personal data. This enables you to ask us to suspend the
    processing of personal data about you, for example if you want us to tell you how accurate the information is or you
    want to know why we are asking for this information.
  • The right to withdraw your consent to us using your personal data. Alongside this, you also have the right
    to request that we delete or remove that data, if we do not have another good reason to continue using it.
  • The right to request that we transfer your personal data to another party, in respect of data that you have provided where our
    legal ground for using the data is that it is necessary for the performance of a contract or that you have consented to us using
    it (this is known as the right to “data portability”).

If, for whatever reason, you want to exercise any of these rights, please contact our Data Protection
Team on privacy@gap.uk.com. Please be aware that these rights are not concrete and in some
circumstances we may be entitled to refuse some or all of your request.

GAP Web Sites

GAP web sites also collect and use personal information. We do so as follows:

Tracking Site Visits
Like most websites, this site uses Google Analytics (GA) to track user interaction. We use this data to
study the number of people using our site, to better understand how they find and use our web
pages and to see their journey through the website.

Although GA records data such as your geographical location, device, internet browser and
operating system, none of this information personally identifies you to us. GA also records your
computer’s IP address which could be used to personally identify you but Google do not grant us
access to this. We consider Google to be a third party data processor.

GA makes use of cookies, details of which can be found on Google’s developer guides. FYI our
website uses the analytics.js implementation of GA.

Cookies
Cookies are very small harmless files that most websites put on to your computer when you roam
their pages, to help the site run efficiently and make your user experience more enjoyable. Most
Cookies are critical to a website’s performance and your enjoyment of it. We have reviewed and
adjusted our Cookie Notice to meet the requirements of GDPR.

In addition to GA’s use of Cookies, this web site uses:

  • Essential Cookies to help it run smoothly and allow the contents of a shopping basket to be
    transferred from the basket to an order whilst also identifying whether or not the visitor is a trade
    Account customer
  • Information Cookies to gather anonymous information to assess how customers are using the
    website. This will then help us to improve certain pages of our site which may currently be poorly
    designed or unclear for the user. Information Cookies also highlight the most visited pages or broken links
  • Helpful Cookies to help you when you return to the website. For example, they will save information such
    as name and address for when/if you are looking to make a repeat purchase and so make it a quicker and
    easier process for you
  • Third Party Cookies to monitor and record your typical browsing habits whilst working in the background so
    only relevant ads are displayed

The basic rule is that we must:

  • Tell you Cookies are in place and being used to monitor and record your usage of our websites. (Consider yourself told)
  • Explain what the cookies are doing and why. (Tick)
  • Get your consent to store a Cookie on your device. (You’ll have seen the pop up when you landed on our sites)

As long as we do this the first time we set Cookies, the rules say we don’t have to repeat it every
time you visit our website.

That said, we accept that devices may be used by different people. So bearing in mind that there
could be more than one user of your device, we plan to repeat the process at suitable intervals.

You can read our entire Cookie Notice on our website.

Disabling cookies on your internet browser will stop GA from tracking any part of your visit to pages
within this website.

IP Addresses
In addition to Google Analytics, this website may collect information (held in the public domain)
attributed to the IP address of the computer or device that is being used to access it. The
information is supplied to us from Whoisvisiting.com. Whoisvisiting.com is a service offered by
Whoisdata Limited. The Whoisvisiting system does not use your IP address to identify you, the
individual, in any way. No cookies are used by the Whoisvisiting system. The Whoisvisiting system
will only look up information when a static IP address is being used. When a device is assigned a
static IP address, the address does not change.

Contact forms and email links
Should you choose to contact us using the contact form on our Contact us page or via email links,
none of the data that you supply will be stored by this website or passed to/be processed by any of
the third party data processors. Instead the data will be collated into an email and sent to us over
the Simple Mail Transfer Protocol (SMTP). Our SMTP servers are protected by TLS (sometimes
known as SSL) meaning that the email content is encrypted using SHA-2, 256-bit cryptography
before being sent across the internet. The email content is then decrypted by our local computers
and devices.

Email newsletters and promotional flyers
Your email address will remain within our and Adestra’s database until you specifically request
removal from the list. You can do this by unsubscribing using the unsubscribe links contained in any
email newsletters that we send you or by requesting removal via an email to privacy@gap.uk.com.
When requesting removal via email, please send your email to us using the email account that is
subscribed to the mailing list.

If you are under 16 years of age you MUST obtain parental consent before joining our email
newsletter.

While your email address remains within our and Adestra’s database, you will receive periodic
marketing communications from us.

Pseudonymisation is a recent requirement of the GDPR which many web application developers are
currently working to fully implement. We are committed to keeping it as a high priority and will
implement it on this website as soon as we are able to.

If you have any questions or concerns about how your personal data is being used by us, you can
contact our Data Protection Team on privacy@gap.uk.com.

If you aren’t happy with how GAP are processing your data, you also have the right to make a
complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority
for data protection issues. Details of how to contact the ICO can be found on their website:
https://ico.org.uk