Privacy Policy
EPMAXX (The “Company”)
PRIVACY POLICY
EPMaxx Ltd (Company, We, Our, Us) is an environmental performance company incorporated in England and Wales providing EPC testing, advisory and retrofitting service to residential landlords and commercial property owners. We are committed to safeguarding the privacy and confidentiality of the personal data entrusted to us, and have implemented policies and controls to ensure the security of your personal data. This Privacy Policy relates solely to our processing of personal data where administration and related services of our business are delivered. In the event that additional processing is required, we may issue a further supplementary privacy notice specifically in relation to that processing.
This Privacy Policy is addressed to the following categories of data subjects:
(a) our shareholders;
(b) our beneficial owners;
(c) our directors;
(d) staff located at our affiliates;
(e) third party supplier contacts; and
(f) our customers.
The Company’s website may contain links to other third party websites. If you follow a link to any of those third party websites, please note that they have their own privacy policies and that the Company does not accept any responsibility or liability for their policies or processing of your personal data. Please check these policies before you submit any personal data to such third party websites.
Purpose
The purpose of this Privacy Policy is to allow you to understand what personal data the Company will collect (or which will be collected on its behalf), how we will use it, and who may access it.
By providing your personal data to us, whether via our website, in person, in writing, via one of our service providers or over the phone, you acknowledge the processing set out in this Privacy Policy. Further notices highlighting certain uses we wish to make of your personal data together with the ability to opt in or out of selected uses may also be provided to you when we collect personal data from you.
Personal data that the Company collects
The Company only collects the personal data that we determine is required for the purposes set out at below: Purposes for which we use your personal data, below. We may collect:
Information you provide to the Company. Personal data that you provide to the Company, such as when contacting us using the email or physical address(es) listed on our website, including your name, email address, bank account details (where required) and other contact details;
KYC and due diligence information. Information obtained by third party screening providers and publicly available information and background screening, where required by law or applicable financial regulations;
Our correspondence. If you contact us, we will typically keep a record of that correspondence. You will be informed in the event that any call is being recorded. If you object to this, you can end the call at that point and utilise an alternative method of communication should you prefer;
Such as information about your operating system, browser, software applications, geolocation, security status and other device information in order to improve your experience, to protect against fraud and manage risk;
Marketing and communications information. Including your preferences for receiving marketing from us and our third parties and your communication preferences; and
Details of your visits to the Company’s website and information collected through cookies and other tracking technologies including, but not limited to, your IP address and domain name, your browser version and operating system, traffic data, location data, web logs and other communication data, and the resources that you access.
Purposes for which we use your personal data
When the Company collects your personal data, we may use or disclose it for the following purposes. Below each purpose the Company notes the “lawful basis” that allows that use of your personal data. An explanation of the scope of the “lawful bases” can be found at Annex A to this Privacy Policy.
To understand who our shareholders/ beneficial owners are and undertake reporting and analysis. Our corporate records contain information in respect of shareholders/beneficial owners including names and addresses, account designations and the amount of shares held. We share this information with our authorised brokers to undertake reporting analysis.
Lawful bases: legitimate interests (to understand our shareholder demographic and undertake reporting and analysis); legal obligations; legal claims (where applicable).
To assist in the maintenance of our share register we may process your personal data to set-up, maintain and update the register of our members, to prepare and issue share certificates, to receive and deal with transfers, probates, powers of attorney, changes of address, and all similar documents normally needed to maintain the register, to deal with telephone enquiries for shareholders, to maintain and update dividend and interest payment instructions and account details, to make dividend payments, to deliver Annual Report and Accounts and Interim Reports, to assist with proxy voting and to enable you to use online platforms which enable you to vote by proxy and access and manage your shareholdings.
Lawful bases: legitimate interests (to manage your shareholding); legal obligations, contractual necessity; legal claims (where applicable)
For administrative purposes we may process your personal data to arrange for payment of directors fees, deal with queries, pay dividends, organise and minute all meetings, liaise with directors regarding meetings and board packs, assist with the arrangement of travel, accommodation and directors’ requirements for board and committee meetings, maintain and keep a register of declared interests, advising directors and monitoring directors’ interests and conflicts.
Lawful bases: legitimate interests (to make corporate decisions and ensure that our directors are engaged and consulted appropriately); legal obligations; legal claims (where applicable).
To comply with legal or regulatory requirements, or as otherwise permitted by law we may process your personal data to comply with our regulatory requirements (for example, to comply with KYC, anti-money laundering or insider dealing requirements) or dialogue with our regulators or to defend or prosecute claims which may include disclosing your personal data to third parties, the court service, fraud agencies and/or regulators or law enforcement agencies. This may involve background checks including screening against PEP, sanctions and/or anti-money-laundering databases on a periodic basis.
It is possible that special categories of personal data (e.g. political opinions, religious beliefs, ethnicity) and/or data relating to criminal convictions or offences may be received as a result of these background checks where such information has been made public or is relevant to the necessary checks.
Lawful bases: legal obligations; legitimate interests (to cooperate with law enforcement and regulatory authorities); legal claims (where applicable). Where special categories of personal data or data relating to criminal convictions or offences is processed, we will rely on substantial public interest (fraud prevention) or legal claims, as applicable.
To inform you of changes to notify you about changes to the Company’s services and products;
Lawful bases: legitimate interests (to notify you about changes to the Company’s services)
To provide you with marketing materials to provide you with updates and offers, where you have chosen to receive these . We may also use your information for marketing our own products and services to you by post, email, SMS, and phone and, where required by law, we will ask for your consent at the time we collect your data to conduct any of these types of marketing. We will provide an option to unsubscribe or opt-out of further communication on any electronic marketing communication sent to you or you may opt out by contacting us as set out in the Contact Us section below.
Lawful bases: consent, legitimate interest where are not required to rely on consent (to keep you updated with news in relation to our products and services)
To re-organize or make changes to the Company’s business in the event that the Company:
(i) is subject to negotiations for the sale of the Company’s business or part thereof to a third party;
(ii) is sold to a third party; or
(iii) undergoes a re-organisation,
we may need to transfer some or all of your personal data to the relevant third party (or its advisors) as part of any due diligence process for the purpose of analysing any proposed sale or re-organisation. The Company may also need to transfer your personal data to that re-organised entity or third party after the sale or re-organisation for them to use for the same purposes as set out in this policy;
Lawful bases: legitimate interests (in order to allow the Company to change its business); legal claims (where applicable).
To communicate effectively with you and conduct the Company’s business to conduct the Company’s business (including dealing with customers’ queries relating to energy performance advice and energy performance retrofitting), including to respond to your queries, to otherwise communicate with you (and keep a record of that communication, including recordings of telephone conversations relating to your shareholding), or to carry out our obligations arising from any agreements entered into between you and the Company.
Lawful bases: contract performance; legitimate interests (to enable the Company to perform its obligations and provide its services to you, for the purposes of maintaining service standards and, if applicable, for the prevention, detection, investigation and prosecution of fraud); legal claims (where applicable)
Sharing your personal data (and transfers outside of the UK or EEA)
The Company will only use or disclose your personal data for the purpose(s) for which it was collected and as otherwise identified in this Privacy Policy.
Sharing outside of the Company: personal data may be provided to third parties, including our administrators, legal advisors, auditors, financial advisors, regulatory authorities or other self-regulatory organisations (when required to satisfy the legal or regulatory requirements of governments), regulatory or law enforcement authorities (where required or in cases of suspected criminal activity or contravention of law), or to comply with a court order or for the protection of our assets.
Transfers outside of the UK or the EEA: Your personal data may be accessed by suppliers or other persons in, transferred to, and/or stored at, a destination outside the UK or the EEA in which data protection laws may be of a lower standard than in the UK or the EEA. The Company will, in all circumstances, implement appropriate safeguards to protect the personal data as set out in this Privacy Policy, including by way of data transfer agreements incorporating the current standard contractual clauses adopted by the European Commission for the transfer of personal data or by data controllers and processors in jurisdictions without adequate data protection laws.
Where the Company transfers personal data from inside the UK or the EEA to outside the UK and the EEA, the Company may be required to take specific additional measures to safeguard the relevant personal data. Certain countries outside the EEA have been approved by the European Commission as providing essentially equivalent protections to EEA data protection laws and therefore no additional safeguards are required to export personal data to these jurisdictions. In countries which have not had these approvals (see the full list here http://ec.europa.eu/justice/data-protection/international- transfers/adequacy/index_en.htm), The Company will establish legal grounds justifying such transfer, such as EU Commission-approved model contractual clauses, or other legal grounds permitted by applicable legal requirements.
Retention of your personal data
The Company’s retention periods for personal data are based on business needs and legal requirements. The Company retains your personal data for as long as is necessary for the processing purpose(s) for which the information was collected, and any other permissible, related purpose. For example, the Company may retain certain transaction details and correspondence until the time limit for claims arising from the transaction has expired, or to comply with regulatory requirements regarding the retention of such data. When personal data is no longer needed, the Company either irreversibly anonymises the data (and the Company may further retain and use the anonymised information) or securely destroys the data.
Safeguarding your personal data
The Company uses physical, electronic and procedural safeguards to protect against unauthorised use, access, modification, destruction, disclosure, loss or theft of your personal data in the Company’s custody or control.
The Company has agreements and controls in place with third party service providers requiring that any information the Company provides to them must be safeguarded and used only for the purpose of providing the service the Company has requested the company to perform.
Security over the internet
No data transmission over the internet or website can be guaranteed to be secure from intrusion. However, the Company maintains commercially reasonable physical, electronic and procedural safeguards to protect your personal data in accordance with data protection legislative requirements.
All information you provide to the Company is stored on our or our subcontractors’ secure servers and accessed and used subject to the Company’s security policies and standards. You are responsible for complying with any other security procedures of which you have been notified by the Company.
Changes to this Privacy Policy
From time to time, the Company may, without giving notice, make changes to this Privacy Policy. Where these changes are significant, we will take reasonable steps to bring these to your attention.
Your Rights
If you have any questions in relation to this Privacy Policy or in relation to the Company’s use of your personal data, you should first contact the Company at the email address provided in the Contact Us section below.
Under certain conditions, you may have the right to require the Company to:
(a) provide you with further details on the use the Company makes of your information;
(b) provide you with a copy of information that you have provided to the Company;
(c) update any inaccuracies in the personal data the Company or its service providers hold;
(d) delete any personal data that the Company no longer has a lawful ground to use;
(e) where processing is based on consent, to withdraw your consent so that the Company stops that particular processing;
(f) object to any processing based on the legitimate interests ground unless the Company’s reasons for undertaking that processing outweigh any prejudice to your data protection rights;
(g) object to receiving marketing communications from the Company by contacting us as set out in the Contact Us section below; and
(h) restrict how the Company uses your information while a complaint is being investigated.
Your exercise of these rights is subject to certain exemptions to safeguard the public interest (e.g. the prevention or detection of crime) and the Company’s interests (e.g. the maintenance of legal privilege). If you exercise any of these rights, the Company will check your entitlement and respond in most cases within a month.
If you are not satisfied with the Company’s use of your personal data or the Company’s response to any exercise of these rights you have the right to complain to your local data protection regulator. The relevant regulator is listed here.
Information Commissioner's Office Wycliffe House
Water Lane Wilmslow
Cheshire SK9 5AF
Email: dataprotectionfee@ico.org.uk Telephone: 0303 123 1113
Contact Us
If you have any questions or concerns about our privacy practices, the privacy of your personal data or you want to change your privacy preferences, please contact the Company at its office (for the attention of the Company Secretary), EPMaxx, 3rd Floor, 207 Regent Street, London, W1B 4NE.
ANNEX A: Table of Lawful Bases
Use of personal data under applicable data protection laws must be justified under one of a number of legal “grounds” and the Company is required to set out the grounds in respect of each use in this policy. An explanation of the scope of the grounds available is set out below. The Company notes the grounds that it uses to justify each use of your information next to the use in the “Purposes for which we use your personal data” section of this Privacy Policy.
These are the principal legal grounds that justify our use of your information:
Consent: where you have consented to the Company’s use of your information. You may withdraw your consent by contacting us at the email address provided in the Contact Us section of this website.
Contract performance: where your information is necessary to enter into or perform the Company’s contract with you.
Legal obligation: where the Company needs to use your information to comply with its legal obligations.
Legitimate interests: where the Company uses your information to achieve a legitimate interest and the Company’s reasons for using it outweigh any prejudice to your data protection rights.
Legal claims: where your information is necessary for the Company to defend, prosecute or make a claim against you, the Company or a third party.