Furness Internet — Data Protection & Privacy Policy
Effective date: 14 Nov 2018
Last updated: 12 Dec 2025
Controller: Furness Internet (“we”, “us”, “our”) is the data controller of personal data processed in connection with our products, services, websites, and network.
Contact:
- General privacy enquiries: data@furness.net
- Complaints: If you are unhappy with how we handle your data, you may contact the Information Commissioner’s Office (ICO) (Wycliffe House, Water Lane, Wilmslow, SK9 5AF; 0303 123 1113). [gov.uk]
1) Scope & Legal Basis
This policy explains how we collect, use, disclose, and protect personal data under:
- UK GDPR and the Data Protection Act 2018; and
- PECR (Privacy and Electronic Communications Regulations) for electronic marketing and cookies;
- with updates and guidance under the Data (Use and Access) Act 2025.
We follow the seven data protection principles: lawfulness, fairness & transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity & confidentiality; accountability.
2) What Personal Data We Collect
We collect personal data necessary to deliver and support our services, including:
- Identity & professional details: company name, size and sector, contact names, job titles.
- Contact details: postal addresses, email addresses, telephone numbers.
- Account & service data: order records, delivery/installation details, support tickets, billing and payment information.
- Network & telemetry: IP addresses, device identifiers, email headers/metadata (for routing and security), and network usage logs generated on our infrastructure.
- Marketing & preferences: records of communication preferences, event registrations, and interest in our products.
- Risk & credit checks (where applicable): limited financial information from reputable third parties to assess credit terms.
- Website interaction data: cookies/analytics, consent choices, and log files.
We do not seek to collect special category data. Where such data is necessary (e.g., health accessibility needs for onsite work), we will apply enhanced safeguards and conditions.
3) How We Obtain Personal Data
- Directly from you (orders, emails, phone, support requests, web forms, event sign‑ups).
- Via our websites and network services (logs, security tools, cookies/analytics).
- From resellers and partners (where they lawfully share end‑user data with us).
- From third‑party sources (e.g., credit reference agencies) for risk management.
4) Purposes & Lawful Bases for Processing
We process personal data only when we have a lawful basis:
| Purpose | Examples | Lawful basis |
|---|---|---|
| Provide and support services | Order processing, provisioning, installation, customer support, invoicing | Contract (to perform or enter a contract); Legitimate interests (service quality) |
| Service improvement & analytics | Usage statistics, capacity planning, service reliability | Legitimate interests (improving and securing services)—balanced against your rights |
| Security & fraud prevention | Access controls, logs, threat detection, abuse investigations | Legitimate interests; Legal obligation (where applicable) |
| Direct marketing | Product updates, newsletters, event invites | Consent (email/SMS under PECR); Legitimate interests for B2B communications where permitted; always offer opt‑out |
| Credit & risk assessment | Assessing credit terms, fraud checks | Legitimate interests |
| Legal and regulatory | Tax records, responding to lawful requests | Legal obligation |
We will explain any additional conditions if we ever need to process special category or criminal offence data.
5) Data Minimisation, Accuracy & Retention
We collect only what is necessary, keep it accurate and up‑to‑date, and store it no longer than needed for the purposes stated:
| Data category | Typical retention |
|---|---|
| Customer account & contractual records | Contract term + 6 years (statutory limitation) |
| Billing & transactional data | 6 years (tax/audit) |
| Support tickets & operational logs | 12–24 months, unless needed for legal/security reasons |
| Marketing preferences & consents | Until you withdraw consent or after 2 years of inactivity |
| Network logs (IP, headers) | 90–365 days for security/operational purposes |
Retention periods may vary to meet legal obligations or defend legal claims. We then delete or anonymise the data.
6) Sharing Your Data (Recipients)
We may share personal data with:
- Internal teams (sales, operations, support, finance) to fulfil orders and support you.
- Service providers (delivery, installation, hosting, analytics, security) under GDPR‑compliant contracts with confidentiality and security obligations.
- Resellers/partners (where necessary to provide services you’ve requested).
- Regulators or law enforcement (where legally required).
We do not sell your personal data.
7) International Transfers
If we transfer personal data outside the UK, we use approved safeguards (e.g., UK IDTA or the UK Addendum to EU SCCs) and conduct transfer risk assessments, ensuring an adequate level of protection.
8) Security
We take confidentiality and security seriously and implement appropriate technical and organisational measures, including:
- Role‑based access controls and least privilege
- Encryption in transit and at rest (where appropriate)
- Network monitoring, vulnerability management, and incident response
- Secure development and change controls
- Staff training and awareness
- Vendor due diligence and contractual security requirements
We review and test our controls regularly.
9) Your Rights
You have the following rights (subject to certain exceptions):
- Right to be informed (transparent privacy information)
- Right of access (Subject Access Request)
- Right to rectification
- Right to erasure (“right to be forgotten”)
- Right to restrict processing
- Right to data portability
- Right to object (including to direct marketing)
- Rights related to automated decision‑making and profiling
We will respond within one month of receiving a valid request. To exercise your rights, contact us via the details above. If we cannot comply, we will explain why.
10) Direct Marketing
- We will send electronic marketing only with your consent (or as permitted for B2B communications under PECR) and always provide an easy opt‑out.
- You can change your preferences or opt‑out at any time via data@furness.net .
11) Cookies & Similar Technologies
We use cookies to operate our websites, measure performance, and improve user experience.
- Strictly necessary cookies: required for core site functions (you cannot opt out through our banner).
- Analytics/performance cookies (e.g., Google Analytics): only set with your consent; we do not use them to identify you directly. You can withdraw consent at any time via our cookie controls or your browser settings.
- Third‑party embedded content (e.g., YouTube, social widgets): these parties may set their own cookies. See their privacy/cookie notices for details.
Full details are in our Cookie Policy and cookie banner.
12) Automated Decision‑Making
We do not make decisions producing legal or similarly significant effects solely by automated means. If we introduce such processing, we will provide meaningful information, your rights to request human review, and an opt‑out where required.
13) Children’s Data
Our services are intended for business users. We do not knowingly collect data from children. If you believe a child has provided us personal data, please contact us to remove it.
14) Governance, DPIAs & Documentation
We maintain appropriate accountability measures, including:
- Record of Processing Activities (ROPA)
- Data Protection Impact Assessments (DPIAs) for high‑risk processing
- Data breach log and incident procedures
- Contracts with processors and vendor audits
- Training and policies for staff privacy awareness
15) Data Breaches
If a personal data breach occurs, we will assess risk, record the incident, take remedial actions, and notify the ICO within 72 hours where required. We will inform affected individuals when the breach is likely to result in a high risk to their rights and freedoms.
16) Changes to This Policy
We may update this policy to reflect changes in law, guidance, or our operations. We will post updates on our website with a revised “Last updated” date and, where appropriate, notify you via email or service notices. Guidance is currently being updated by the ICO following the Data (Use and Access) Act 2025.
17) Contact Us
For privacy questions, to exercise your rights, or to make a complaint:
Email: data@furness.net
Address: Furness Business Hub, 84 Dalton Road, Barrow-in-Furness, Cumbria, U.K. LA14 1JH.
Phone: +44 (0)1229 808050
If unresolved, you can contact the ICO (see above).
Annex: Definitions
- Personal data: information relating to an identified or identifiable individual (e.g., names, emails, IP addresses).
- Processing: any operation on personal data (collecting, storing, using, disclosing, etc.).
- Controller: the organisation determining the purposes and means of processing.
- Processor: a supplier processing data on our behalf.
References.
ico.org.uk
