Privacy Policy
Stelor Ltd

This Privacy Notice sets out what personal data Stelor Ltd holds regarding data processing activities and explains why and how we collect, store, and process personal data under the General Data Protection Regulation (the Regulation), together with our terms and conditions. This notice applies to customers, suppliers, visitors, and third parties (together referred to as “you”). Stelor Ltd is committed to ensuring that we process this information in a correct, fair, and lawful manner, respecting the legal rights, privacy, and trust of all individuals with whom we deal. We may update this Privacy Notice at any time.

Who is the controller?

Stelor Ltd is the controller for the purposes of data protection law. This means that we are responsible for deciding how we hold and use personal data about you. We have appointed the Head of Human Resources as the Data Protection Lead, who will act as your first point of contact if you have any questions or concerns about data protection. In the absence of the Data Protection Lead, the point of contact is the Group Financial Controller or Head of IT.

What type of personal data do we hold about you?

Personal data means any information relating to a living individual who can be identified (directly or indirectly) by reference to an identifier (e.g. name, telephone number, email address). It can be factual (e.g. contact details such as customer number, business address) or information that may otherwise impact that individual in a personal or business capacity.

We hold and use various types of personal data about you, including, for example but not limited to, biographical details (e.g. name, address—business or personal depending on the details provided to us), job title, and business bank details. We may also hold other personal data such as CCTV images if you are visiting our premises.

We are also often provided with contact details belonging to end consumers, e.g., the customers of our customers. Generally, this is for online customers and the data collected is normally name, home address, telephone number, and email address. In this instance, Stelor Ltd is the Data Processor. We ensure we meet our obligations as a Data Processor in accordance with GDPR by outlining this in a specific Data Processor Agreement.

Data protection law divides personal data into two categories: ordinary personal data and special category data. Special category data relates to ethnic origin, physical or health conditions, biometric data, for example. Stelor Ltd will comply with applicable laws in respect of such processing. You are not obliged to provide us with your personal information; however, if you do not, we might not be able to carry out the services you have requested from us. This also applies to personal data belonging to others that is provided to us by you.

Why do we hold your personal data and on what legal grounds?

We hold your ordinary personal data for the purpose of the business relationship and contract, as per our terms and conditions, which is in our legitimate interest. Data protection law specifies the legal grounds on which we can hold and use personal data. Most commonly, we rely on one or more of the following legal grounds when we process your personal data: consent, legitimate interests, or contract. Where we process your data solely on the basis of consent, you are entitled to withdraw your consent at any time. This will not affect the lawfulness of processing before the withdrawal.

How do we use your data?

We use your personal data for the legitimate purpose of the business relationship to enable us to provide goods and services to our customers. Other examples include, but are not limited to:

  • Tracking website usage using Google Analytics to improve our website performance
  • Responding to email inquiries
  • Sending business information and marketing promotions and publications
  • Providing you with information about other services we offer that are similar to those you have already requested or inquired about
  • Notifying you of upcoming events
  • Notifying changes to terms and conditions

Who do we share your personal data with?

We will only share your personal data with third parties where we have an appropriate legal ground under data protection law which permits us to do so, or so that they can provide services such as financial or administrative services related to the operation of our business, for example, courier partners, and to any person (where necessary) in connection with their services, such as but not limited to legal representatives, debt recovery, or regulatory authorities. We will not share your personal data with businesses that are owned, either wholly or in part by Stelor Ltd, without your consent. We will take reasonable steps to ensure those third parties comply with their obligations under GDPR when they handle your personal information and ensure they are only authorized to use personal information for the limited purposes specified to them.

Data Security

We take our data security responsibilities seriously, ensuring we have the most appropriate organizational and technical measures to protect data. To ensure this, we have developed a Data Protection Policy that outlines our obligations under data protection and details how we will comply with these requirements. We may store your information in different places, for example, internal systems stored on our secure servers and in the cloud, on email, or paper filing systems.

Data Retention

We will not keep your personal data for longer than we need it for our legitimate purposes; however, we take into account the following criteria when determining the appropriate retention period for data: the amount, nature, and sensitivity of the personal data, the risk of harm from unauthorized use or disclosure, the purpose for which we process your personal data, how long it might be relevant for possible future legal claims, or any applicable legal, accounting, reporting, or regulatory requirements that specify how long certain records must be kept. More specifically, we will ensure we retain personal data in connection with any warranty periods for our goods and services. Retention periods may differ, and therefore we will retain personal data for the longest period.

Some of our external third-party suppliers are based outside the EEA, so their processing of your personal data will involve a transfer of data outside the EEA. Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • We may transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries.
  • Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries.
  • Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield, which requires them to provide similar protection to personal data shared between Europe and the US. For further details, see European Commission: EU-US Privacy Shield.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.

Your Rights

You have the right to make a subject access request. This enables you to receive certain information about how we use your personal data, as well as to receive a copy of it and to check we are processing it lawfully.

  • Request that we correct incomplete or inaccurate personal data we hold about you.
  • Request that we delete or remove personal data about you.
  • Request that we restrict our processing of your data.
  • Request that we transfer your personal data to you in a structured format.

If you would like to exercise any of these rights, please contact the Data Protection Lead in writing. Note that these rights are not absolute and, in some circumstances, we may be entitled to refuse some or all of your requests.

Marketing

If you have given us your contact details, we may use these (in accordance with any preferences you have expressed) to send you marketing communications by email, post, phone, SMS, and social media. Stelor Ltd has a legitimate interest to promote our products to you, unless you have asked us not to. Our terms and conditions now give you the opportunity to opt-in to marketing material by simply ticking the box. You can also unsubscribe at any time using the link at the bottom of our marketing emails. If you are currently opted-out of our marketing communications, you can choose to opt-in by contacting us directly. Any consent granted for marketing communications will not be shared between Stelor Ltd (Group) companies.

If you have any questions, you can contact the Data Protection Lead through the Human Resources Department. You have the right to make a complaint at any time. This should be made to the appropriate governing body of the country the business is located in. In the UK, this is the Information Commissioner’s Office (ICO). Further information can be found at www.gdpr.eu.