Last updated: 17 September 2025

This Privacy Policy sets out how Mr Sander® (referred to as "We", "Us", or "Our") collects, uses, discloses, and protects your personal data in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), and the Data (Use and Access) Act 2025 (DUAA). We are committed to safeguarding your privacy and ensuring transparency in our data processing activities.

We are the data controller for the personal data we process about you. Our registered office is at St Martins House, 1 Lyric Square, London W6 0NB. If you have any questions about this Privacy Policy or our data practices, please contact us at [insert email address, e.g., [email protected]] or by post at the above address.

By using our website (https://mrsander.co.uk/) (the "Website") or our services (collectively, the "Service"), you consent to the processing of your personal data as described in this Policy.

## 1. Interpretation and Definitions

Words with initial capital letters have the meanings defined below, whether in singular or plural form.

- **Affiliate**: An entity that controls, is controlled by, or is under common control with a party, where "control" means ownership of 50% or more of the shares, equity interest, or other securities entitled to vote for election of directors or other managing authority.
- **Company**: Mr Sander®, St Martins House, 1 Lyric Square, London W6 0NB.
- **Cookies**: Small files placed on your device by a website, containing details of your browsing history and other uses.
- **Device**: Any device that can access the Service, such as a computer, mobile phone, or tablet.
- **Personal Data**: Any information relating to an identified or identifiable individual.
- **Service**: The Website and any related services provided by Us, including floor sanding consultations, quotes, and bookings.
- **Service Provider**: Any natural or legal person who processes data on Our behalf to facilitate or improve the Service.
- **Usage Data**: Data collected automatically from your use of the Service, such as IP address, browser type, and visit duration.
- **You**: The individual or legal entity accessing or using the Service.

## 2. Types of Data We Collect

### 2.1 Personal Data
We may collect the following personal data when you interact with our Service, such as requesting a quote, contacting us, or creating an account:

- Contact details: First name, last name, email address, phone number.
- Location details: Address, postcode, city, and region.
- Other information: Any details you provide in communications or forms.

We do not collect special category data (e.g., health, racial origin) unless explicitly provided by you for a specific purpose, such as accessibility requirements for our services.

### 2.2 Usage Data
Automatically collected data includes:

- Device information: IP address, browser type/version, operating system, unique device identifiers.
- Interaction data: Pages visited, time and date of visits, time spent on pages, referral sources.

If accessing via mobile, we may collect mobile device type, unique ID, and mobile OS.

### 2.3 Tracking Technologies and Cookies
We use cookies and similar technologies (e.g., web beacons, tags, scripts) to enhance your experience, analyse usage, and improve our Service. Types include:

- **Essential Cookies**: Necessary for the Service to function (e.g., session management).
- **Analytics Cookies**: To measure website performance and user behaviour (e.g., via Google Analytics). Under the DUAA 2025 amendments to ePrivacy rules, we may use these for low-risk purposes like website improvement without prior consent, but we provide clear information and an opt-out option here: [link to cookie settings or banner].
- **Marketing Cookies**: To track browsing for targeted ads, with your consent where required.

You can manage cookies via your browser settings. Refusing cookies may limit Service functionality. For details, see our Cookie Policy [link if separate].

We do not use automated decision-making that produces legal or similarly significant effects on you.

## 3. How We Use Your Personal Data

We process your personal data for the following purposes, with the specified legal bases under Article 6 of the UK GDPR (as amended):

- **To provide and maintain the Service**: Including processing quotes, bookings, and communications. *Legal basis*: Performance of a contract (Article 6(1)(b)) or legitimate interests (Article 6(1)(f)) in efficient service delivery.
- **To contact you**: Responding to enquiries or sending updates. *Legal basis*: Consent (Article 6(1)(a)) or legitimate interests.
- **Marketing**: Sending promotional materials about our services, where you have opted in. *Legal basis*: Consent or soft opt-in for existing customers under ePrivacy rules.
- **Analytics and improvement**: To understand usage and enhance the Service. *Legal basis*: Legitimate interests, including recognized interests under DUAA 2025 (e.g., network security).
- **Compliance and legal obligations**: To meet regulatory requirements or defend claims. *Legal basis*: Legal obligation (Article 6(1)(c)) or legitimate interests.

We only process data as necessary and compatible with the original collection purpose. If further processing is required, we will inform you unless exempt (e.g., for research under DUAA amendments).

## 4. Disclosure of Your Personal Data

We may share your data with:

- **Service Providers**: For hosting, analytics (e.g., Google), payment processing, or marketing tools, bound by data processing agreements.
- **Affiliates**: For internal administrative purposes, under legitimate interests (intragroup transfers recognized under DUAA).
- **Business transfers**: In mergers or acquisitions, with notice to you.
- **Legal requirements**: To comply with laws, prevent harm, or respond to authorities (e.g., crime prevention, a recognized legitimate interest without balancing test under DUAA).

We do not sell your data.

## 5. International Transfers

If we transfer data outside the UK, we ensure adequate protection under Chapter V of the UK GDPR (as amended by DUAA). We use the "data protection test" to assess if the recipient country's standards are not materially lower than UK levels. For example, we rely on UK adequacy regulations, standard contractual clauses, or other safeguards. Currently, our primary processors are UK or EU-based, covered by UK adequacy decisions.

## 6. Data Retention

We retain personal data only as long as necessary for the purposes outlined, or as required by law:

- Contact and quote data: Up to 6 years post-interaction for legal claims.
- Usage data: Up to 2 years for analytics.
- Marketing data: Until you withdraw consent.

Data is securely deleted or anonymised thereafter.

## 7. Security of Your Data

We implement appropriate technical and organisational measures to protect your data, including encryption, access controls, and regular audits, in line with UK GDPR Article 32.

## 8. Your Data Protection Rights

Under the UK GDPR, you have the following rights:

- Access: Request a copy of your data.
- Rectification: Correct inaccurate data.
- Erasure: Request deletion in certain circumstances.
- Restriction: Limit processing.
- Objection: Object to processing based on legitimate interests or marketing.
- Portability: Receive data in a portable format.
- Withdraw consent: Where processing relies on consent.

Additionally, under Section 164A of the DPA 2018 (as amended by DUAA), you have the right to complain directly to us about our data processing. We will acknowledge, investigate, and respond within one month. Contact us at [privacy email]. If unsatisfied, you can complain to the Information Commissioner's Office (ICO) at www.ico.org.uk.

To exercise rights, contact us. We may verify your identity and respond within one month (extendable for complex requests). No fee usually applies, but we may charge for manifestly unfounded requests.

For Data Subject Access Requests, we conduct reasonable and proportionate searches, as per DUAA guidance.

## 9. Children's Privacy

Our Service is not directed at children under 13. We do not knowingly collect their data without parental consent. If aware, we delete it.

## 10. Links to Other Sites

Our Service may link to third-party sites. We are not responsible for their privacy practices. Review their policies.

## 11. Changes to This Privacy Policy

We may update this Policy, notifying you via email or Website notice. Continued use constitutes acceptance. Check periodically.

## 12. Contact Us

For questions, contact:

Mr Sander® 
St Martins House
1 Lyric Square 
London 
W6 0NB

By email: [email protected]
By visiting this page on our website: https://mrsander.co.uk/contact-us/
By phone number: 020 7381 9408

We have not appointed a Data Protection Officer as we do not meet the criteria under UK GDPR Article 37, but our privacy team handles all matters.

This Policy complies with UK data protection laws as of September 2025, incorporating DUAA amendments for simplified compliance and innovation.