TrustMark is committed to safeguarding the privacy of any data we hold. This Privacy Notice explains how we collect and use your data, what data we disclose and retain, and how we keep your personal information safe.

We may occasionally make changes to this policy, so please check this page from time to time to make sure you’re happy with any changes.

This privacy notice is provided by TrustMark (2005) Limited whose registered office as at Arena Business Centre, The Square, Basing View, Basingstoke, Hampshire (‘we’, ‘our’ or ‘us’)

This policy was last updated on 21st October 2024.

V1.2

TrustMark is a not-for-profit, social enterprise organisation. This means that our profits are reinvested into the TrustMark scheme to improve levels of services and enhancing consumer protection.

As part of our role as the only UK government-endorsed quality scheme for home improvements, we collect, use and are responsible for certain personal data about you. When we do so we are subject to the UK General Data Protection Regulation (UK GDPR), where we are a controller of your personal data, we are the organisation legally responsible for deciding how and for what purposes it is used. We are registered as a data controller with the Information Commissioner’s Office under registration number ZA460481.

We may not always be the data controller of your personal data. Where this is the case, we ensure that we comply with the instructions of the data controller and process your personal data in accordance with applicable laws and regulations.

Please read this privacy notice carefully as it contains important information on how and why we may collect, store, use and share personal data in connection with your use of our website. It also explains your rights in relation to your personal data and how to contact us or the Information Commissioner’s Office in the event you have a complaint.

This policy outlines our use of your personal data, including information we obtain from:

• Our website trustmark.org.uk, which includes:
  • any searches you perform using the tradesperson directory
  • “Homeowner Portal” – The portal through which consumers may interact with Registered Businesses.
  • “Business Portal” – The portal through which Registered Businesses access and submit information to our data warehouse.
• Our Home Improvement App
• Social Media – any of our social media pages
• Email correspondence with TrustMark
• Telephone calls made directly to TrustMark or obtained via third party service providers engaged by us to answer telephone calls on our behalf
• Surveys and consultations

• For the purpose of hosting, operating and maintaining the TrustMark System on behalf of any other third party, including any government body or department;
• Registering, verifying or maintaining your registration under the TrustMark System, which is provided to us directly by you or via your Scheme Provider;
• when you contact us with a query, complaint, request or for any other reason;
• when we are required to process the data provided to us by any other third party, including any publicly available registers or any data sources that we are required to obtain information from in order to verify your identity, address or contact information;
• sharing with any third party to whom we are required to share data for the purposes of fulfilling a contractual, legal or regulatory obligation to you or to them; and
• processing your personal data for our legitimate interests, the interests of the Scheme, any member of the Scheme or Scheme Provider.

Throughout our website, we may link to other websites or platforms owned and operated by third parties, for the purposes of providing our services or the services of a Scheme Provider or governmental body. Those third parties may also gather and process information about you when you use their website and platforms. They do so in accordance with their own privacy policies or notices, which you should make yourself aware of by looking on their website or contacting them directly.

We may collect and use the following personal data about you, where applicable:

• your name, address and contact information, including email address and telephone number and company details;
• information to check and verify your identity, e.g. date of birth and where applicable, to verify your eligibility to register;
• your gender or preferred pronouns;
• details of any relevant property address and, if it is not your residential address, your relationship to that property (e.g. owner, occupier, manager etc.);
• any other personal information provided to us by the Scheme Provider which is required to be processed for the purposes specified in this policy;
• your account details, such as username and login details or any reference number or membership scheme number assigned to you;
• details of any information, feedback or other matters you give to us, including via phone, email, post, social media or via our Home Improvements App;
• your activities on, and use of, our website, including information about how you use our website and technology systems;
• photos from any inspection which has been conducted by us or on behalf of us or the Scheme Provider in which your image or other information which identifies you may feature (though we do not seek to collect this information intentionally);
• bank details, billing information, transaction and payment card or other payment method information (where applicable) when paying for lodgements or any other services we provide or administrate for others; and
• any other information about the services that have been provided to you by us or any Scheme member, or information that any Scheme member has provided about you as part of the records we hold about a property.

For you to use the Homeowner Portal as a consumer, or the Business Portal as a registered member, you will be required to provide your personal data.

Sometimes you can choose if you want to give us your personal data and let us use it. Where that is the case, we will tell you and give you the choice before you give the personal data to us. We will also tell you whether declining to share that personal data will have any effect on your use of our website.

We collect personal information from you:

• directly, when you enter or send us information, such as when you register for an account on our Homeowner Portal;
• when you register as a member with a Scheme Provider who then provides that information to us;
• when you contact us (including via email, phone, post, social media or via our website or Home Improvements app); send us feedback; and complete surveys and consultation; and
• indirectly, such as your browsing activity while on our website which we collect indirectly from your device (e.g. your phone, laptop, tablet or any internet connected technology you use to view any part of our website) using the technologies explained in the section on ‘Cookies and other tracking technologies’ below

We also collect personal data about you from other sources as follows:

• from Scheme Providers who administrate, manage and verify your membership to any Scheme and handle complaints from consumers and members;
• from registered members of a Scheme who conduct surveys, assessments, contracted works, repairs or quotations on a property in which you live, own, occupy or are otherwise associated with; and
• from third party data providers who provide public and non-public databases for the purposes of verifying your identity, address, bank details or other identity information.
• From other bodies that contact us with your consent such as government departments, local authorities, consumer advocates, funders of retrofit or home improvement and advice agencies.

Under data protection law, we can only use your personal data if we have a legal basis to do so, e.g.:

• where you have given consent
• to comply with our legal and regulatory obligations
• for the performance of a contract with you or to take steps at your request before entering into a contract, or
• for our legitimate interests or those of a third party.

A legitimate interest is when it is necessary for us to use your personal data for a business or commercial reason, so long as this is not overridden by your own rights and interests. We will carry out an assessment when relying on legitimate interests, to balance our interests against your own.

The table below explains what we use your personal data for and why.

We may use your personal data to send you updates (by email or post) about our products and services and those of TrustMark Registered Businesses, including information about new products and services.

The legal basis on which we would process this information is by consent.

You have the right to opt out of receiving marketing communications at any time by contacting us (see the ‘How to Contact Us’ section below); or using the ‘unsubscribe’ link in emails.

We may ask you to confirm or update your marketing preferences if you ask us to provide further products or services in the future, or if there are changes in the law, regulation, or structure of our business.

We will never sell your personal data or share it with other organisations for marketing purposes.

We routinely share personal data with:

• third parties we use to help deliver our products and services to you, e.g. payment service providers and identity verification database providers;
• other third parties we use to help us run our business, e.g., marketing agencies or website hosts and website analytics providers;
• quality assurance providers for the purposes of making appointments to review installation work;
• government agencies and building services for processing consumer funding applications or obtaining information about property performance and other relevant information;
• supply chain parties engaged by your installer or representative for providing advice, design or installation guidance;
• authorities appointed by law - Government appointed bodies, agencies, regulators and departments;
• auditors appointed by us, any Scheme Provider or any party for whom we perform a contractual service;
• funding organisations in order that they can verify that the any work which has been funded by them has been completed; and
• third parties engaged by us whom we are satisfied take appropriate measures to protect your personal information and upon whom we impose contractual obligations to ensure they can only use your personal data to provide services to us and to you.

We or the third parties mentioned above may occasionally also share personal data with:

• external auditors, e.g. in relation to the audit of our or their accounts, in which case the recipient of the information will be bound by confidentiality obligations and any sharing will be necessary for the purpose of completing the audit;

academic or research organisations with a legitimate interest;

• professional advisors (such as lawyers and other advisors), in which case the recipient of the information will be bound by confidentiality obligations;
• law enforcement agencies, courts, tribunals and regulatory bodies to comply with our legal and regulatory obligations; and

We will not keep your personal information for longer than we need it for the purpose for which it is used. Different retention periods apply for different types of personal data. We retain backups of our data which includes personal data, for a period of 6 years from when it was last modified plus up to 1 further year. This is because data is deleted in bulk at set times of the year and not necessarily on the anniversary date of its last modification.

Where we can do so, we will aim to remove any personal data that is not required for processing. However, where your personal data is associated with the record of a property, it may be retained for as long as the property record is required by reference to the basis on which it was collected, which may be indefinitely.

Countries outside the UK have differing data protection laws, some of which may provide lower levels of protection of data privacy.

We do not routinely transfer personal information outside of the European Economic Area (EEA). However, some services that we use may operate outside of the UK and EEA and therefore it may sometimes be necessary for us to transfer your personal data to countries outside the UK. In those cases, we will comply with applicable UK laws designed to ensure the privacy of your personal data.

Under data protection laws, we can only transfer your personal data to a country outside the EEA where:

• in the case of transfers subject to UK data protection law, the UK government maintains a list of particular countries which ensure an adequate level of protection of personal data (known as an ‘adequacy regulation’). These are listed on the ICO website. We rely on adequacy regulations for transfers to those countries and specifically for transfers to the United States of America, only to commercial organisations who participate in the EU-US Data Privacy Framework, and who have self-certified as being compliant with the UK Extension to the framework.
• there are appropriate safeguards in place, together with enforceable rights and effective legal remedies for you, or
• a specific exception applies under relevant data protection law.

Where we transfer your personal data outside the UK, we do so on the basis of an adequacy regulation or (where this is not available) an agreement including legally-approved standard data protection clauses recognised or issued further to Article 46(2) of the UK GDPR. In the event we cannot or choose not to continue to rely on either of those mechanisms at any time we will not transfer your personal data outside the UK unless we can do so on the basis of an alternative mechanism or exception provided by UK data protection law and reflected in an update to this policy.

Any changes to the destinations to which we send personal data or in the transfer mechanisms we rely on to transfer personal data internationally will be notified to you in accordance with the section on ‘Changes to this privacy policy’ below.

A cookie is a small text file which is placed onto your device (e.g. computer, smartphone or other electronic device) when you use our website. We use cookies on our website. These help us recognise you and your device and store some information about your preferences or past actions and to understand and improve the way in which you use our website.

For further information on cookies, our use of them, when we will request your consent before placing them and how to disable them.

According to applicable data protection law, you have the following rights, which you can usually exercise free of charge:

For further information on each of those rights, you may find it helpful to refer to the guidance from the UK’s Information Commissioner on your rights under the UK GDPR.

We have put in place appropriate security measures to prevent personal data from being accidentally lost or used or accessed unlawfully. We limit access to your personal data to those who have a genuine need to access it.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

Please contact us if you have any queries or concerns about our use of your personal data using the contact details given below. We hope we will be able to resolve any issues you may have.

You also have the right to lodge a complaint with the Information Commissioner in the UK. The UK’s Information Commissioner may be contacted using the details at https://ico.org.uk/make-a-complaint or by telephone: 0303 123 1113.

We may change this privacy notice from time to time. When we make significant changes, we will take steps to inform you, for example when you visit our website, when you log in via the Homeowner or Business portal, or via email which will contain a link to view the updated policy on our website

You can contact us by post, email or telephone if you have any questions about this privacy policy or the information we hold about you, to exercise a right under data protection law or to make a complaint.

When contacting us please:

• provide enough information to identify yourself (e.g. your full name, address and any username or Scheme membership number) and any additional identity information we may reasonably request from you, and
• where relevant, let us know which right(s) you want to exercise and the information to which your request relates.

Our contact details are shown below: