Privacy Policy (UK GDPR / PECR)
1. Who we are
Controller: Planex Controls Ltd
Registered office: C/O Vantage Accounting 1 Cedar Office Park, Cobham Road, Wimborne, United Kingdom, BH21 7SB
ICO registration number: ZC028049
Email: privacy@planexcontrols.com
Opt-out & privacy requests: info@planexcontrols.com
This Privacy Policy explains how we process personal data in connection with our project controls and management consultancy services, including sourcing potential clients via lead-generation providers (e.g., Barbour ABI) and contacting job seekers whose details we source from job adverts, CV databases and other methods under legitimate interests to undertake business activities.
​
2. Scope
This policy applies to:
- Prospective and existing business clients and their personnel.
- Job seekers/candidates who apply to roles with us or whose details we source from third-party platforms.
- Visitors to our website and recipients of our marketing communications.
​
3. What data we collect and where we get it
We collect and use personal data such as names, job titles, employer, business contact details (email, telephone, postal address), communications history, and information relevant to a potential project or role. For candidates we may additionally collect CVs, skills, career history, interview notes, right-to-work documentation, and referee details.
We obtain data from:
- You directly (e.g., emails, calls, web forms, meetings, online events).
- Public and commercial sources, including lead-generation providers (e.g., Barbour ABI), company websites, LinkedIn or other business networking sites, job boards and CV databases, and public registers.
- Referrals and other third parties where lawful to do so.
Where we collect your data from sources other than you, we will provide you with this privacy information within one month or at the first communication, whichever is earlier, unless an exemption applies (Article 14 UK GDPR).
​
4. Purposes and lawful bases
We process personal data for the following purposes and lawful bases under the UK GDPR:
- Lead generation and business development (B2B): legitimate interests – to grow our business by offering relevant services to professionals in organisations likely to need them. We conduct a balancing test to ensure our interests don’t override your rights and freedoms.
- Direct marketing by email, phone and post:
  - Email/SMS to individual subscribers (e.g., sole traders/partnerships): consent or ‘soft opt-in’ where applicable; otherwise we will not send marketing without consent.
  - Email to corporate subscribers (e.g., limited companies, LLPs, public bodies): permitted without prior consent under PECR if we identify ourselves and include a clear, simple opt-out in every message. We still rely on legitimate interests under UK GDPR and honour opt-outs.
  - Live marketing calls: legitimate interests and PECR compliance. We screen numbers against TPS/CTPS and maintain our own ‘do-not-call’ list. We do not use automated calling systems for marketing without prior consent.
  - Postal marketing: legitimate interests; we honour the Mail Preference Service and our own suppression list.
- Pre-contract discussions, proposals and service delivery: necessary for entering into or performing a contract with a client or candidate.
- Invoicing, accounting and tax: legal obligation.
- Recruitment (our own hiring and candidate outreach): we rely on legitimate interests to assess suitability and to maintain a talent pool of relevant candidates for up to 12 months so we can contact you about roles that match your profile. You have the right to object at any time and we will stop this processing. We may rely on consent only where we wish to retain your details beyond the standard 12-month period or where consent is otherwise required by law.
- Security, fraud prevention, and compliance: legitimate interests and/or legal obligation.
We will only use special category or criminal-conviction data in limited circumstances and with an appropriate lawful basis under Articles 9/10 UK GDPR (e.g., right-to-work checks).
​
5. PECR – electronic and telephone marketing
We comply with the Privacy and Electronic Communications Regulations (PECR). In practice this means:
Electronic mail (emails, texts, in-app messages):
- Individuals: consent is required unless the ‘soft opt-in’ applies (existing customer relationship, similar products/services, and a clear opt-out offered at collection and in every message).
- Corporate subscribers: we may send marketing without prior consent, provided we identify ourselves and include a simple, free opt-out in every message. We stop if you opt out.
Live calls: we do not call numbers registered with TPS/CTPS unless the subscriber has specifically consented to our calls. We maintain and respect an internal ‘do-not-call’ list.
Automated marketing calls or recorded messages: only with prior consent.
We keep suppression lists to ensure we don’t contact you again for marketing if you opt out.
​
6. Transparency and your choices
We provide privacy information at the point of data collection, or as soon as practicable afterwards if sourced from third parties. When we obtain data from third-party sources (e.g., CV databases, lead-gen providers), we provide this information within one month or at first contact, unless an exemption applies.
You can opt out of email marketing at any time using the unsubscribe link, or by contacting us. For phone and postal marketing, you can ask us not to contact you and we will add you to our suppression list. You can also object to talent-pool processing at any time by emailing info@planexcontrols.com.
​
7. Sharing your data
We may share personal data with:
- Service providers acting as processors (e.g., CRM, email and marketing platforms, CV databases, cloud hosting, IT support).
- Professional advisers (e.g., legal, accounting, insurance).
- Public authorities where required by law.
We require processors to keep data secure and to process it only on our documented instructions. We do not sell personal data.
​
8. International transfers
Where we transfer personal data outside the UK (for example, because a cloud provider stores data overseas), we will ensure appropriate safeguards are in place, such as UK Addendum/IDTA to the EU Standard Contractual Clauses and transfer risk assessments.
​
9. How long we keep data
We keep:
- B2B marketing and lead records: typically up to 24 months from the last meaningful interaction, unless you opt out sooner (in which case we retain minimal suppression data indefinitely to respect your choice).
- Client matter files and financial records: usually 6–7 years to meet tax and accounting requirements.
- Candidate/applicant data: we keep candidate-talent-pool data for up to 12 months under legitimate interests. We will stop sooner if you object/opt out. We only retain beyond 12 months where you have given consent or where law permits or requires longer (e.g., to establish, exercise or defend legal claims).
We will keep data longer where necessary to establish, exercise or defend legal claims.
​
10. Your rights
You have rights under the UK GDPR, including to request access, rectification, erasure, restriction, portability, and to object to processing (notably, an absolute right to object to direct marketing). Where we rely on consent, you may withdraw it at any time.
To exercise your rights, contact us using the details above. You also have the right to complain to the Information Commissioner’s Office (ICO) at ico.org.uk or by calling 0303 123 1113.
​
11. Security
We use appropriate technical and organisational measures to protect personal data, including access controls, encryption in transit where feasible, regular patching, least-privilege access, staff training, and processor due diligence.
​
12. Cookies and similar technologies
Our website may use cookies, pixels and similar technologies. Please see our separate Cookie Policy and consent mechanism for details of categories, purposes and how to manage your preferences.
​
13. Contact & updates to this policy
If you have questions about this policy or our data protection practices, contact us using the details above. We may update this policy from time to time; we will post the latest version on our website with the effective date.
​
Appendix A – Candidate/Job Seeker Privacy Notice (summary)
What we collect: CV, contact details, work history, skills/qualifications, interview feedback, right-to-work documentation, and references.
Why we use it: to assess suitability for roles, arrange interviews, maintain a talent pool, and comply with legal obligations (e.g., right-to-work).
Lawful bases: legitimate interests (recruitment and maintaining a 12-month talent pool); steps taken at your request before entering a contract; consent only for extended retention beyond 12 months or where legally required; legal obligation (e.g., right-to-work). You can object to talent-pool processing at any time.
Sources: directly from you; from job boards, CV databases and recruitment partners; and publicly available professional profiles where lawful.
How long we keep it: usually 12 months from last contact if not hired, unless you consent to a longer period or law requires longer.
Your choices: object/opt out of talent-pool processing at any time; unsubscribe from emails using the link in each message or email info@planexcontrols.com; request deletion (subject to legal limits); withdraw consent where we rely on it.
​
Appendix B – Email footer templates (opt-out wording)
B2B marketing emails to corporate subscribers:
“You’re receiving this message because we believe our services or a role may be relevant to your responsibilities at [Company]. If you don’t want to hear from us again, click Unsubscribe or email info@planexcontrols.com. We’ll stop immediately.”
Individuals/sole traders or soft opt-in:
“You’re receiving this because you bought or enquired about our services (soft opt-in) or you consented to hear about opportunities. You can unsubscribe at any time using the link below or by emailing info@planexcontrols.com.”
Job seeker outreach:
“We’re contacting you about potential roles that match your profile. If you’d prefer not to receive further messages, please reply ‘OPT OUT’ or email info@planexcontrols.com, and we’ll remove you from our list.”
​
Appendix C – Operational compliance checklist (for internal use)
- Record and review a Legitimate Interests Assessment (LIA) for direct marketing and candidate sourcing.
- Screen live call numbers against TPS/CTPS; maintain an internal ‘do-not-call’ list.
- Include identity and easy opt-out in every marketing email; maintain a suppression list.
- Provide Article 14 notices within one month when sourcing from third parties (e.g., Barbour ABI, CV databases).
- Run Data Processing Agreements (DPAs) with processors; do transfer assessments where data leaves the UK.
- Review retention rules; securely delete data when no longer needed.
- Keep records of processing activities; train staff; review this policy at least annually.

