Privacy Policy
As the operator of this website and the provider of the additional services to the Vulnerability Registration Service (VRS) members, Healthy Homes Solutions Ltd (HHS, us, we, our) is what is known as the “data controller” of personal data that it collects. This is because we decide why certain types of information are collected and how they are handled. As a data controller we are registered with the Information Commissioner’s Office, the authority in charge of data protection in the UK, under registration number ZA723327.
Looking after personal data is important to us, and we want to give you as much information as possible about how we use your data and why. We also want you to know that you can reach out to us if you want to know more about how we look after your personal data, so please feel free to contact us at info@hhsvrs.org.
What is “personal data”?
“Personal data” means any information about you or that could be used to identify you. This includes your name and contact details, but also information about the device you’re using to access our site. There is more detail about the kinds of information that we use below.
What is “special category data”?
“Special category data” means information about you that is more sensitive, for example because it’s about your health, religion or ethnicity. In order to run our service, we have to process some health data. We may categorize vulnerabilities in this respect and offer a flag system for our users, but we don’t collect any other specific details regarding the nature of our service users’ vulnerabilities. To the extent that we do process any health data, we will take extra measures to make sure that this is done safely and legally. We don’t process any other types of special category data.
What is “processing”?
When we talk about “processing”, this is just a legal term for using data and pretty much includes anything that we could do with your personal data. For example, “processing” includes collection, retrieval, organisation, storage, transfers and erasure.
What do we process your data for (purpose of processing) and on what legal basis?
In accordance with the UK’s Data Protection Act (“DPA”) and the General Data Protection Regulation (“GDPR”), the following legal bases apply to the processing of your Personal Data, unless specifically described otherwise:
- you have given your consent (Art. 6 para. 1 lit. a GDPR),
- the data is necessary for the fulfilment of a contract / pre-contractual measures (Art. 6 para. 1 lit. b GDPR),
- the data is necessary for the fulfilment of a legal obligation (Art. 6 para. 1 lit. c GDPR) or
- the data is necessary to protect the legitimate interests of our company, provided that your interests are not overridden (Art. 6 para. 1 lit. f GDPR).
How do we collect it?
For our service users, we collect information from you either when you register via the website or from a phone call with one of our trusted partner firms where they are registering you on your behalf.
If you are visiting our website or are acting on behalf of one of our partner firms, then we will only collect data from you when you visit our site, or that you provide to us in connection with providing the service to others.
What types of personal data do we use and why?
We will collect different types of personal data for different reasons depending on who you are. But we will only use your data where we have a real purpose and a legal basis for doing so. To help make it clear why we use different kinds of data and which legal bases apply, we have put all of this information into the table below.
Who you are | Types of Personal Data | Purpose | Legal Basis |
Service users | • Names • Address (and length of residence) • Contact details (email address and telephone number) and preferred contact method • Gender • Date of birth • VRS registration number • Legal status • Information related to your financial, familial, legal or other personal circumstances | To register you for the service and to manage your registration, including setting appropriate flags for your period of registration | Your consent |
Service users | • Health data | To register you for the service | Your explicit consent |
Website users | • IP address • Website usage data (for more information about how this works please see our Cookie Notice below) | To protect and improve our website | Our legitimate interest in operating our website |
Partner firms | • Name • Employer • Work location • Work contact details (email and telephone number) • Contact history with us • Account login details and password | • To allow you to access the service or provide it to others and to manage our relationship with you • To keep in touch with you regarding use of the service | Our legitimate interest in providing and maintaining the service |
How does consent work?
For service users registering for our service, we will only process your data where we have your explicit consent to do so. Equally, we will only allow others to see your registration where you have explicitly consented to that. In any case where you have provided your consent, you can always withdraw it at any time by contacting us and letting us know.
However, it’s important for you to understand that withdrawing your consent does not affect the lawfulness of processing already done on that basis. Equally, if you do withdraw your consent, then we would have to remove you from the register meaning that unfortunately you would no longer be able to use our service.
Integration of third-party services and content
We use content or service offers of third-party providers on the basis of our legitimate interests in order to integrate their content and services (hereinafter uniformly referred to as “content”).
This always requires that the third-party providers of this content are aware of your Personal Data including your IP.
The following provides an overview of third-party providers and their content, together with links to their privacy policies, which contain further information on the processing of data and so-called opt-out measures, if any:
- Analytics and Tracking: Google Analytics by Google LLC
- Fonts: Google Font API by Google LLC
- eCommerce: WooCommerce by Automattic Inc
- Contact Form: Contact Form 7 by Google LLC
- Payments Processor: Stripe
- Content Management System: WordPress by Automattic Inc
- Audio / Video Media: YouTube by Google LLC
- Remarketing and Advertising: Facebook Pixel by Meta Platforms Ireland Ltd.
- Spam protection: reCAPTCHA by Google LLC
- Customer Relationship Management: Zoho
- Marketing and Notifications: Twilio (SMS) and Mailchimp by Intuit Inc (E-Mail)
How do we share information and data?
In the course of our business operations, we may disclose your personal data by transmission to third parties and, where applicable, to so-called third countries outside the UK and the EEA. Where we transfer data to third parties, we ensure that adequate protection mechanisms are in place and that a so-called “processing agreement” is signed with them. We will not disclose or otherwise distribute your personal data to third parties unless:
- this is necessary for the performance of our services,
- you have consented to the disclosure, or
- the disclosure of data is permitted by relevant legal provisions.
However, we are entitled to outsource the processing of your personal data in whole or in part to external service providers acting as processors within the framework of the DPA and GDPR. External service providers support us, for example, in the technical operation and support of the website, data management, the provision and performance of services, marketing, as well as the implementation and fulfilment of reporting obligations.
However, the service providers commissioned by us will process your data exclusively in accordance with our instructions, and we remain responsible for the protection of your data in accordance with the DPA and GDPR. In doing so, we always make sure that service providers commissioned by us are carefully selected and follow strict contractual regulations, technical and organisational measures, and additional controls by us.
We may also disclose Personal Data to third parties if we are legally obliged to do so (e.g., by court order), or if this is necessary to support criminal or other legal investigations or proceedings at home or abroad, or to fulfil our legitimate interests.
These are assisted by the following third parties:
- Healthy Homes Solutions Limited (Company Number 12216394)
- Totem Marketing Ltd (Company Number 07913949)
- Daida Limited (Company Number 13866438) – our sister company, for propensity modelling, statistics and industry help.
- Merinal Ltd (Company Number 06521381)
- Cadent Priority Service Register (PSR) – data will only be shared where the customer has consented to join the PSR.
- Telephone Preference Service (TPS) – data will only be shared where the customer has consented to join the TPS.
- Householder Club (HHC) – To process your request for a benefit checker / Grants checker.
- Dragon Fly Agency Ltd – We share data with this company for mailing purposes.
- Royal Mail – We share names and address details to allow them to deliver our marketing material letters, brochures and any other material needed e.g., Carbon monoxide monitors.
- Connected for warmth – to qualify you for the First-Time central heating grant.
Will you send my personal data to other countries?
All of the personal data we handle is stored in the UK; we’ll never send your data to recipients located in other countries.
How do we keep your data secure?
We have implemented appropriate technical and organisational measures to ensure that we are doing everything that we can to protect the security of your data. We regularly review our internal policies, procedures and technical security to ensure that they remain appropriate to the risks of your data being compromised in any way.
How long will we keep your data?
Generally, we only keep your information for as long as necessary to achieve the purposes for which it was initially collected. However, if data has been collected in connection with contractual commitments, then we will store associated data for 6 years after the ending of the contractual relationship, at which time it will be reviewed and if no longer necessary then it will be permanently deleted.
In some cases, we may anonymise data for statistical purposes. Where we do this we make sure that you can’t be identified by the information we keep, meaning that it’s no longer personal data and can be kept for a longer period.
What is “automated decision making” and do we do it?
Automated decision making is where a decision is made about you or you are profiled without human involvement in that process, and where that has a legal or other significant effect on you. We don’t do any automated processing, so you never need to worry about decisions being made in this way.
Do you have rights and, if so, what are they?
We want you to know that you have rights under data protection laws in connection with our use of your data. These don’t apply in every case and can be complicated, but to help we have included some general information on what these rights mean in the table below.
Direct marketing in the context of a customer relationship
Insofar as you have also given us your separate consent to process your data for consulting, marketing and advertising purposes, we are entitled to contact you for these purposes via the communication channels you have given your consent to.
Advertising and Marketing
Insofar as you have also given us your separate consent to process your data for marketing and advertising purposes, we are entitled to contact you for these purposes via the communication channels you have given your consent to.
You may give us your consent in a number of ways including by selecting a box on a form where we seek your permission to send you marketing information, or sometimes your consent is implied from your interactions or contractual relationship with us. Where your consent is implied, it is on the basis that you would have a reasonable expectation of receiving a marketing communication based on your interactions or contractual relationship with us.
Direct Marketing generally takes the form of e-mail but may also include other less traditional or emerging channels. These forms of contact will be managed by us, or by our contracted service providers. Every directly addressed marketing sent or made by us or on our behalf will include a means by which you may unsubscribe or opt out.
Updating your information
If you believe that the information we hold about you is inaccurate or that we are no longer entitled to use it, and you want to request its rectification or deletion, or object to its processing, please do so by contacting us. For your protection and the protection of all of our users, we may ask you to provide proof of identity before we can answer the above requests.
Keep in mind, we may reject requests for certain reasons, including if the request is unlawful or if it may infringe on trade secrets or intellectual property or the privacy of another user. Also, we may not be able to accommodate certain requests to object to the processing of personal information, notably where such requests would not allow us to provide our service to you anymore.
Withdraw your consent
You may withdraw your consent and request us to stop using and/or disclosing your Personal Data for any or all of the Purposes by submitting your request to us using. Should you withdraw your consent to the collection, use or disclosure of your Personal Data, it may impact our ability to proceed with your transactions, agreements, or interactions with us. Prior to you exercising your choice to withdraw your consent, we will inform you of the consequences of the withdrawal of your consent. Please note that your withdrawal of consent will not prevent us from exercising our legal rights (including any remedies) or undertaking any steps as we may be entitled to at law.
Third Party Policies
Our website may, from time to time, contain links to and from the websites of our partner networks, business partners and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any Data to these websites.
Social Media
We are present on social media on the basis of our legitimate interest. If you contact us via those social media platforms, you should note that the chat history can neither be deleted by us nor by you. You should also note that, in accordance with the DPA and GDPR, the relevant social media platform and we are jointly responsible for the processing of your data and enter into a so-called joint controller agreement. A Joint Controller Agreement itself is very legalistic and lengthy, but in a nutshell, it clarifies how the jointly responsible parties will fulfil the obligations arising from data protection laws that are applicable to them.
Further, your use of the relevant social media platform and its functions is your own responsibility. This applies in particular to the use of the interactive functions (e.g., commenting, sharing, rating). In addition, the relevant social media platform may use your data for market research, advertising purposes and to create profiles about your usage behavior and your interests. This allows, for example, advertisements to be placed within and outside the platforms that presumably correspond to your interests. We, as the provider of this policy, do not collect and process any data from your use of the relevant social media platform beyond the point of responding to your requests and, if so intended, entering into a contract with you. For further information about the relevant social media platform’s use of your Personal Data, please refer to their Privacy Policies.
The legal basis for the use of the relevant social media platform is our legitimate interest, your consent or, in the case of a (pre) contractual relationship with us, the initiation of a contractual service.
What is my right? | What does that mean? |
Access | You can ask that we provide copies of your personal data that we are processing |
Rectification | If any of the data that we hold about you is inaccurate or incomplete, then you can ask us to fix that |
To be forgotten | You can ask us to delete the data that we hold about you |
Restriction of processing | Sometimes you can ask us to stop using your data in a certain way, for example if the data we hold is inaccurate and needs to be corrected before being used again |
Object to processing | In some circumstances you can object to the way that we use your data |
Data portability | Where we hold your data other than in paper files and processing is based on your consent, you can ask us to transfer your data to another data controller |
What if we update this notice?
We want to be able to provide you with the most accurate information about how we process your personal data and also accept that laws and regulations change over time. To make sure that we continue to provide the best information and so that we can be sure that we are complying with the law, we might need to change this notice from time to time and reserve the right to make those changes. However, if we do change any part of this notice and that affects you, then we will get in touch to let you know.
Questions or complaints?
If you have any questions at all about this notice or how we handle your personal data then you can always contact us at info@vrshhs.org. We hope that you never have cause to complain about the way we handle your data, but you can always do so by contacting the Information Commissioner’s Office (ICO) online here or by telephone at 0303 123 1113.