Privacy policy

Why This Policy Exists

This data protection policy ensures Trovex:

  • Complies with data protection law and follows good practice

  • Protects the rights of staff, customers and partners

  • Is open about how it stores and processes individuals' data

  • Protects itself from the risks of a data breach

Data Protection Law

The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 describe how organisations must collect, handle and store personal information.

These rules apply regardless of whether data is stored electronically, on paper or on other materials.

To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.

The Seven Data Protection Principles

Personal data must be:

  1. Processed lawfully, fairly and transparently — with a valid lawful basis and clear communication to data subjects

  2. Collected for specified, explicit and legitimate purposes — and not processed in a manner incompatible with those purposes

  3. Adequate, relevant and limited — to what is necessary for the purposes for which it is processed (data minimisation)

  4. Accurate and kept up to date — with every reasonable step taken to ensure inaccurate data is erased or rectified without delay

  5. Kept no longer than necessary — for the purposes for which it is processed

  6. Processed securely — with appropriate technical and organisational measures to protect against unauthorised or unlawful processing, accidental loss, destruction or damage

  7. Subject to accountability — the controller must be able to demonstrate compliance with all principles

Lawful Bases for Processing

Trovex will only process personal data where we have a valid lawful basis to do so. These include:

  • Consent — the individual has given clear consent for us to process their personal data for a specific purpose

  • Contract — processing is necessary for a contract we have with the individual, or because they have asked us to take specific steps before entering into a contract

  • Legal obligation — processing is necessary for us to comply with the law

  • Vital interests — processing is necessary to protect someone's life

  • Legitimate interests — processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual's personal data which overrides those legitimate interests

Policy Scope

This policy applies to:

  • The head office of Trovex

  • All branches of Trovex

  • All staff and volunteers of Trovex

  • All contractors, suppliers and other people working on behalf of Trovex

It applies to all data that the company holds relating to identifiable individuals.

This can include:

  • Names of individuals

  • Postal addresses

  • Email addresses

  • Telephone numbers

  • IP addresses and device identifiers

  • Online behaviour and preferences

  • Any other information relating to individuals

Cookies and Similar Technologies

What Are Cookies?

Cookies are small text files placed on your device when you visit our website. They help us understand how visitors use our site, improve user experience, and measure the effectiveness of our marketing.

How We Use Cookies

We use cookies and similar technologies for the following purposes:

Essential Cookies

These are necessary for the website to function properly. They cannot be disabled.

Analytics and Performance Cookies

We use the following services to understand how visitors interact with our website:

  • Google Analytics (GA4) — helps us understand website traffic and user behaviour. Data collected includes pages visited, time on site, and general location (country/region level).

  • Google Tag Manager (GTM) — manages the deployment of tracking scripts on our website.

  • Microsoft Clarity — provides heatmaps and session recordings to help us understand how users interact with our site. This may include mouse movements, clicks and scrolling behaviour.

Marketing and Advertising Cookies

We use cookies to measure the effectiveness of our advertising:

  • Google Ads — tracks conversions from our advertising campaigns. Account ID: AW-11441115233

Future Cookie Usage

We may implement additional cookies and tracking technologies in the future for purposes including but not limited to: personalisation, social media integration, remarketing, and enhanced analytics. This policy will be updated accordingly, and where required, consent will be obtained before such cookies are deployed.

Managing Your Cookie Preferences

When you first visit our website, you will be presented with a cookie banner allowing you to:

  • Accept all — consent to all cookies

  • Manage cookies — choose which categories of cookies to accept

  • Decline all — reject all non-essential cookies

You can change your cookie preferences at any time by clicking "Cookie Preferences" in the website footer.

You can also control cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of our website.

Third-Party Data Processing

The analytics and advertising services listed above are provided by third parties. When you consent to these cookies, data may be processed by:

  • Google LLC (USA) — covered by the EU-US Data Privacy Framework

  • Microsoft Corporation (USA) — covered by the EU-US Data Privacy Framework

For more information about how these third parties process data, please refer to their respective privacy policies.

Data Protection Risks

This policy helps to protect Trovex from data security risks, including:

  • Breaches of confidentiality — for instance, information being given out inappropriately

  • Failing to offer choice — all individuals should be free to choose how the company uses data relating to them

  • Reputational damage — the company could suffer if hackers successfully gained access to sensitive data

  • Regulatory penalties — failure to comply with UK GDPR can result in significant fines

Responsibilities

Everyone who works for or with Trovex has some responsibility for ensuring data is collected, stored and handled appropriately.

People, Risks and Responsibilities

Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.

Kevin Dunham, Managing Director, is ultimately responsible for ensuring that Trovex meets its legal obligations.

Kevin Dunham is responsible for:

  • Keeping the board updated about data protection responsibilities, risks and issues

  • Reviewing all data protection procedures and related policies, in line with an agreed schedule

  • Arranging data protection training and advice for the people covered by this policy

  • Handling data protection questions from staff and anyone else covered by this policy

  • Dealing with requests from individuals to see the data Trovex holds about them (also called 'subject access requests')

  • Checking and approving any contracts or agreements with third parties that may handle the company's sensitive data

  • Ensuring all systems, services and equipment used for storing data meet acceptable security standards

  • Performing regular checks and scans to ensure security hardware and software are functioning properly

  • Evaluating any third-party services the company is considering using to store or process data

  • Approving any data protection statements attached to communications such as emails and letters

  • Addressing any data protection queries from journalists or media outlets

  • Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles

General Staff Guidelines

  • The only people able to access data covered by this policy should be those who need it for their work

  • Data should not be shared informally. When access to confidential information is required, employees can request it from their line managers

  • Trovex will provide training to all employees to help them understand their responsibilities when handling data

  • Employees should keep all data secure, by taking sensible precautions and following the guidelines below

  • Strong passwords must be used and they should never be shared

  • Personal data should not be disclosed to unauthorised people, either within the company or externally

  • Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of securely

  • Employees should request help from their line manager if they are unsure about any aspect of data protection

Data Storage

Paper Storage

  • Paper records should be kept in a secure place where unauthorised people cannot see them

  • When not required, paper or files should be kept in a locked drawer or filing cabinet

  • Employees should make sure paper and printouts are not left where unauthorised people could see them

  • Data printouts should be shredded and disposed of securely when no longer required

Electronic Storage

  • Data should be protected by strong passwords that are changed regularly and never shared between employees

  • If data is stored on removable media, these should be kept locked away securely when not being used

  • Data should only be stored on designated drives and servers, and should only be uploaded to approved cloud computing services

  • Servers containing personal data should be sited in a secure location, away from general office space

  • Data should be backed up frequently. Those backups should be tested regularly

  • Data should never be saved directly to laptops or other mobile devices without encryption

  • All servers and computers containing data should be protected by approved security software and a firewall

Data in Use

  • When working with personal data, employees should ensure the screens of their computers are always locked when left unattended

  • Personal data should not be shared informally. In particular, it should never be sent by unencrypted email

  • Data must be encrypted before being transferred electronically

  • Employees should not save copies of personal data to their own computers. Always access and update the central copy of any data

Data Accuracy

  • The more important it is that the personal data is accurate, the greater the effort Trovex should put into ensuring its accuracy

  • It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible

  • Data will be held in as few places as necessary. Staff should not create any unnecessary additional data sets

  • Staff should take every opportunity to ensure data is updated

  • Trovex will make it easy for data subjects to update the information Trovex holds about them

  • Data should be updated as inaccuracies are discovered

Data Retention

Trovex will not keep personal data for longer than is necessary. Data retention periods will be determined based on:

  • Legal or regulatory requirements

  • Contractual obligations

  • Legitimate business needs

When data is no longer required, it will be securely deleted or anonymised.

International Data Transfers

Personal data will not be transferred outside the United Kingdom unless:

  • The destination country has been deemed adequate by the UK Government

  • Appropriate safeguards are in place (such as Standard Contractual Clauses)

  • The transfer is covered by an approved certification scheme or binding corporate rules

  • One of the specific exceptions in UK GDPR applies

Your Rights

All individuals whose personal data is held by Trovex are entitled to:

  1. Right to be informed — know what data we collect and how we use it

  2. Right of access — request a copy of the personal data we hold about you

  3. Right to rectification — request correction of inaccurate or incomplete data

  4. Right to erasure — request deletion of your personal data in certain circumstances

  5. Right to restrict processing — request that we limit how we use your data

  6. Right to data portability — receive your data in a structured, commonly used format

  7. Right to object — object to processing based on legitimate interests or for direct marketing

  8. Rights related to automated decision-making — not be subject to decisions based solely on automated processing that significantly affect you

Subject Access Requests

If you wish to exercise any of your rights, please contact us by email at: kevin.dunham@trovex.com

  • Subject access requests are free of charge (unless the request is manifestly unfounded or excessive)

  • We will respond to your request within one month of receiving it

  • We may request proof of identity before processing your request

  • If your request is complex, we may extend the response time by a further two months, but we will inform you within the first month

Data Breaches

In the event of a data breach that is likely to result in a risk to the rights and freedoms of individuals, Trovex will:

  • Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach

  • Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms

  • Document all breaches, including those not reported to the ICO, along with the facts, effects and remedial action taken

Disclosing Data for Other Reasons

In certain circumstances, UK GDPR allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.

Under these circumstances, Trovex will disclose requested data. However, we will ensure the request is legitimate, seeking assistance from the board and from the company's legal advisers where necessary.

Contact Us

If you have any questions about this policy or our data protection practices, please contact:

Kevin Dunham
Managing Director & Data Controller
Email: kevin.dunham@trovex.com