Privacy policy
Privacy notice for customers and prospective customers
1. The Purpose of this privacy notice
1.1. Boston Sleep Company Limited is committed to protecting the privacy and security of the personal data that it holds.
1.2. This privacy notice describes how we collect and may use personal data prior to, during and after
your relationship with us in accordance with the General Data Protection Regulation (GDPR).
1.3. We are required under data protection legislation to notify you of the information contained in this
privacy notice.
1.4. It is important that you read this notice, together with any other privacy notice we may issue on
specific occasions, so that you are aware of how and why we use, or may use, your data.
1.5. Boston Sleep Company Limited may update this notice at any time.
2. Data controller
2.1. Boston Sleep Company Limited is a “data controller”. This means that we are responsible for
deciding how we hold and use personal data about you. Any of its directors can be contacted in
relation to this privacy notice.
3. Data privacy manager
3.1. We have appointed a Data Privacy Manager to oversee compliance with this privacy notice.
3.2. The privacy manager is Russell Parsons.
3.3. If you have any questions about this privacy notice or how we handle your personal data, please
contact the Data Privacy Manager:
Email: russell@bostonsleepcompany.co.uk
4. Data protection principles
4.1. Data protection law says that the personal data we hold about you must be:
4.1.1. used lawfully, fairly and in a transparent way.
4.1.2. collected only for valid purposes that we have clearly explained to you and not used in
any way that is incompatible with those purposes.
4.1.3. relevant to the purposes we have told you about and limited only to those purposes.
4.1.4. accurate and kept up to date.
4.1.5. kept only as long as necessary for the purposes we have told you about.
4.1.6. kept securely.
5. What data we hold about you
5.1. ‘Personal data’ is any information about an individual from which that person can be identified. It
does not include data where the identity has been removed, known as anonymous data. For the
purposes of this Data Privacy Notice you are either an individual, or you are employed by our
commercial customer, or you are, for example, an individual sole trader. Personal data also
includes information that you provide to us about other individuals within your employer’s
organisation.
5.2. Where relevant and appropriate we may collect, store and use the following categories of
personal data about you:
5.2.1. Personal contact information including your name, title, postal addresses, telephone
numbers (including mobile numbers) and email addresses.
5.2.2. Business contact information including your job title, postal addresses, telephone
numbers (including mobile numbers) and email addresses.
5.2.3. Personal bank account details, for example, if you are a sole trader.
5.3. Where we are a “data processor” only, meaning we process personal information on behalf of
you or your employer as the data controller, we will only process data in accordance with your
instructions.
6. Special categories of data
6.1. “Special categories” of information are more sensitive personal information, namely information
relating to your racial or ethnic origin, political opinions, religious and philosophical beliefs, trade
union membership, genetic data, biometric data, health data, sex life and sexual orientation, and
criminal convictions and offences.
6.2. We do not anticipate collecting any special categories of information. If the position changes we
will inform you.
7. How we use data about you
7.1. We will only use your personal data when permitted to do so.
7.2. Most commonly, we will use your personal data in the following circumstances:
7.2.1. Where we need to perform the contract we have entered into with your employer or you
where, for example, you are a sole trader.
7.2.2. Where we need to comply with a legal obligation.
7.2.3. Where it is necessary for our legitimate interests (or those of a third party) and your
interests and fundamental rights do not override those interests.
7.2.4. We may also use your personal data in the following situations, which are likely to be
rare:
7.2.4.1. Where we need to protect your interests (or someone else’s interests).
7.2.4.2. Where it is needed in the public interest or for official purposes.
7.3. We may only process special categories of personal data in the following circumstances:
7.3.1. with explicit consent.
7.3.2. the processing is needed to protect your interests (or someone else’s interests, for
example, your employer) and you are not capable of giving your consent.
7.3.3. the processing relates to personal data which you have made public.
7.3.4. the processing is necessary for establishing, exercising, or defending legal claims.
7.4. We need all the categories of data referred to in this privacy notice to allow us to:
7.4.1. discuss your employer’s requirements with you and provide details about the services
we can provide to your employer (or to you where, for example, you are a sole trader).
7.4.2. carry out services for your employer and perform the contract that we enter into with
your employer (or you where, for example, you are a sole trader).
7.4.3. pursue legitimate interests of our own or those of third parties (including your
employer), provided your interests and fundamental rights do not override those
interests.
7.5. Some of the grounds for processing will overlap and there may be several grounds which justify
our use of your personal data.
7.6. If you do not provide data when requested, we may not be able to contact you, perform the
contract we have entered into with your employer or you if, for example, you are a sole trader,
and we may be prevented from complying with our legal obligations.
7.7. We will only use your personal data for the purposes for which we collected it, unless we
reasonably consider that we need to use it for another reason and that reason is compatible with
the original purpose.
7.8. If we need to use your personal data for an unrelated purpose, we will notify you and we will
explain the legal basis which allows us to do so or seek your consent.
7.9. Please note that we may process your personal data without your knowledge or consent, in
compliance with the above rules, where this is required or permitted by law.
7.10. The situations in which we will process your personal data are listed below.
7.10.1. Administering the contract we have entered into with your employer or you if, for
example, you are a sole trader, including performance of the contract and invoicing.
7.11. In limited circumstances we may approach you for your written consent to allow us to
process certain particularly sensitive information in exceptional circumstances. If we do so, we
will provide you with full details of the information that we would like and the reason we need it, so
that you can carefully consider whether you wish to consent. It is not a condition of any contract
with us that you agree to any request for consent from us and you have the right to refuse to give
your consent.
7.12. Additional safeguards will be put in place when processing special categories of data,
including but not limited to the use of encryption.
8. Automated decision-making
8.1. Automated decision-making takes place when an electronic system uses personal data to make
a decision without human intervention. We do not envisage that any decisions will be taken about
you using automated means. We will notify you if this position changes.
9. Data sharing
9.1. We may have to share your data with third parties.
9.2. Third-parties include:
9.2.1. Couriers – Hermes or another.
9.2.2. Accountant.
9.3. Where we are able to do so, we will require third parties to:
9.3.1. respect the security of your data and have appropriate security measures in place.
9.3.2. treat it in accordance with the law.
9.3.3. use your personal data for specified purposes.
9.3.4. use your personal data in accordance with our instructions.
9.4. We may also need to share your personal data with a regulator or to otherwise comply with the
law.
9.5. We do not anticipate transferring your data outside the EU.
10. Data security
10.1. We have in place appropriate security measures to prevent your personal data from being
accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we
limit access to your personal data to those who have a business need to know and they will only
process your personal data on our instructions and they are subject to a duty of confidentiality.
10.2. Details of the measures we have in place may be obtained on request from the Data Privacy
Manager.
10.3. In the event of a suspected data security breach we will notify the Information
Commissioner’s Office (‘ICO’), the applicable regulator and you where we are required to do so.
11. Data retention
11.1. We will only retain your personal data for as long as necessary to fulfil the purposes for
which we collected it, including for the purposes of satisfying any legal and regulatory
requirements. The retention period for personal data is determined by a number of factors,
including:
11.1.1. the amount, nature and sensitivity of the personal data.
11.1.2. the potential risk of harm from unauthorised use or disclosure of the personal data.
11.1.3. the purposes for which we process your personal data.
11.1.4. whether we can achieve those purposes through other means.
11.1.5. any legal and regulatory requirements.
11.2. In some circumstances we may anonymise your personal data so that it can no longer be
associated with you, in which case we may use such information without further notice to you.
11.3. Once your employer (or you if, for example, you are a sole trader) ceases to be a client of
ours (or you cease to be employed) we will retain and securely destroy your personal data in
accordance with best practice, applicable laws and regulations.
12. Rights of access, correction, erasure, and restriction
12.1. Under certain circumstances you have the right to:
12.1.1. Request access to your personal data (commonly known as a “data subject access
request”). This enables you to receive a copy of the personal data we hold about you
and to check that we are lawfully processing it.
12.1.2. Request correction of the personal data that we hold about you. This enables you to
have any incomplete or inaccurate information we hold about you corrected.
12.1.3. Request erasure of your personal data. This enables you to ask us to delete or remove
personal data where there is no good reason for us continuing to process it. You also
have the right to ask us to delete or remove your personal data where you have
exercised your right to object to processing (see below).
12.1.4. Object to processing of your personal data where we are relying on a legitimate
interest (or those of a third party) and there is something about your particular situation
which makes you want to object to processing on this ground. You also have the right to
object where we are processing your personal data for direct marketing purposes.
12.1.5. Request the restriction of processing of your personal data. This enables you to ask
us to suspend the processing of personal data about you, for example if you want us to
establish its accuracy or the reason for processing it.
12.1.6. Request the transfer of your personal data to another party.
12.1.7. Withdraw consent at any time where you have provided your consent to the collection,
processing and transfer of your personal data for a specific purpose. To withdraw your
consent, please contact the Data Privacy Manager. Once we have received notification
that you have withdrawn your consent, we will no longer process your data for the
purpose or purposes you originally agreed to, unless we have another legitimate basis
for doing so in law.
12.1.8. Complain to the ICO: the ICO is the UK supervisory authority for data protection
issues.
12.2. If you want to review, verify, correct or request erasure of your personal data, object to the
processing of your personal data or request that we transfer a copy of your personal data to
another party, please contact the Data Privacy Manager in writing.
12.3. You will not have to pay a fee to access your personal data (or to exercise any of the other
rights). However, we may charge a reasonable fee if your request for access is clearly unfounded
or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
12.4. We may need to request specific information from you to help us confirm your identity and
verify your right to access the data (or to exercise any of your other rights). This is another
appropriate security measure to ensure that personal data is not disclosed to any person who
has no right to receive it.
13. Changes to this privacy notice
13.1. We reserve the right to update this privacy notice at any time. The current version of this
privacy notice will be available on our website.
13.2. We will provide you with a new privacy notice when we make any substantial updates.
13.3. If you have any questions about this privacy notice, please contact the Data Privacy Manager.