We take data privacy and security very seriously. This policy is intended to help you understand why we are collecting this data, how we will use it, how we will protect it, and what control you have over how we use it, protect it and dispose of it.
Since 2018, all businesses must comply with the GDPR – regulations that cover the collection, processing and security of Personal Data. Personal data is any information about you which used alone, or combined with other information, would enable someone to identify you.
By that definition, we do not collect personal data, except where we have stored consent forms. Even so, we have strict policies around how we manage data and always seek consent from householders using a process that is intended to mirror most requirements of the GDPR.
What data are we collecting?
Purrmetrix uses environmental data from buildings to help landlords and tenants understand more about how well these buildings operate. This means our sensors will capture environmental data (typically temperature, humidity and CO2 measurements) and transmit it back to a web service where we visualise the data and calculate metrics of performance.
To do this, it is not necessary for us to know anything about you as a householder. We do not collect name, email details or any other personal data. We will collect a partial address for your home in some circumstances.
To provide some tests of the building performance it is also necessary to collect data on your energy consumption (electric and gas meter data). We can collect this from a smart meter, if you have one installed, or from meter reads.
Why do we need to collect this data?
As we are collecting data from your home we must be clear about why we are doing this. In this situation this data is collected for two reasons:
- Contract Basis We need the environmental data to allow us to supply services to our customers.
- Consent Basis You have given us consent to hold your data and process it to provide services that should improve the services your landlord can provide for you.
What do we do with the data from your house (how we process it)
The Company will only process environmental and energy data from your house for the following purposes:
- Providing access to records and analysis of environmental data for each site; this will include the original data and some calculations we perform on it
- Testing new calculations that we believe might be better ways to measure the performance of your house
- Complying with applicable law, guidelines and regulations or in response to a lawful request from a court or regulatory body.
How we manage your data
Your environmental data is held electronically as appropriate and is accessible by the customer who is requesting the testing and a limited number of Purrmetrix employees who require the information to enable them to assist in the running of the business.
Purrmetrix takes all reasonable precautions to prevent the loss, misuse or alteration of the data about your home. It is held on password protected computers or is accessed by password protected smart phones. Again only a limited number of authorised employees have access to this electronic information. Details of these and our other policies concerning security are available on request.
To ensure data cannot be identified, the databases used for storing environmental and energy data are kept separate from partial addresses, any location data or data that identifies our customer (your landlord). This anonymous data may be retained to help us develop further analyses and metrics for future customers.
Who do we pass data to?
As a general principal, the company does not share data with third parties. A limited exception may be made for certain performance metrics that are provided by our supply partners which require environmental and energy data for their calculation. In these cases the data is protected by confidentiality agreement and the data protection rules of our suppliers.
Your rights over personal and environmental data
The GDPR gives you a number of rights over personal data and the Company will comply so far as it is able, with any requests that you make in this respect.
These rights include:
- Right of access (sometimes also called a subject access request)
- You have the right to obtain confirmation from us that we are not processing your Personal Data.
- You have the right to obtain a copy of your Personal Data – this can help you check that we are not holding any identifiable data.
- Right of rectification
- You have the right to have Personal Data rectified if it is misleading or incorrect.
- Right to erasure (sometimes called the right to be forgotten)
- you have the right to have your Personal Data erased if:
- it is no longer needed for the purpose for which we originally collected or processed it.
- there is no overriding legitimate interest to continue this processing.
- we have processed the Personal Data unlawfully.
- we have to comply with a legal obligation.
- Right to restrict processing
- You have the right to restrict the way that we use your Personal Data.
- This is usually for a limited period e.g. if you have asked us to investigate the accuracy of the Personal Data that we hold, you may also request that we cease processing it.
- During this time, we will not process the Personal Data but will simply store it
- Right to data portability
- If we have a contractual relationship with you, or carry out processing by automated means, you have the right to request that we transfer your Personal Data to you or to another data controller in a structured, commonly use and machine readable format.
- This enables you to use and re-use your Personal Data across a number of different IT environments in a safe and secure way.
- Right to object
You have the right to request us to stop processing your Personal Data if:-
- it is used for direct marketing (the Company never uses your Personal Data for direct marketing).
- the lawful basis is legitimate interests. If there are legitimate grounds to continue processing the Personal Data which override your interests, the request will be refused.
If you wish to make a request in respect of any of these rights, you may contact us by post, e-mail, website request or by telephone or in person. We may then contact you to confirm the nature of the request and we may possibly ask you for ID to ensure that we do not disclose Personal Data to the wrong person.
We will then comply with your request within one month of receiving it or of receiving further details or ID if required. We will provide the information in whatever form you require but please note that we cannot give you remote access to our server. We will not charge a fee unless the request is manifestly unfounded or excessive or if you have previously requested and received the same information. We will not provide information about your Personal Data if the request comes from a third party (e.g. another professional or a relative) unless that third party provides evidence of its authority to make such a request on your behalf.
If you wish to lodge a complaint with a supervisory authority
If you have a complaint, we would very much hope that you would first raise it with us as we would welcome the opportunity to sort it out, however if we cannot do so or if you wish to raise the matter direct with the ICO, the contact details are set out below.
For queries about the content of this Privacy Information Notice or for further information or to make a request, please contact our Data Protection Officer, Chris Howell:
- e-mail: email@example.com
- telephone: 01223 967301
- by post:1 Old Pound Yard, High Street, Great Shelford, Cambridge CB22 5EH
If you wish to contact the ICO, the details are as follows:
- telephone: 0303 123 1113
- website: www.ico.gov.uk
- by post:
Information Commissioner’s Office,
Cheshire, SK9 5AF