Privacy Policy
Attewell Limited Privacy Notice

This Privacy Notice sets out what personal data we, Attewell Limited hold about you and how we collect and use it, during and after our engagement with you. It applies to anyone who engages with us about whom we hold personal data (‘you’).

Please note that we will not necessarily hold, use or share all of the types of personal data described in this Privacy Notice in relation to you. The specific types of data about you that we will hold, use and share will depend on the nature and purpose of our engagement with you. We are required by data protection law to give you the information in this Privacy Notice. It is important that you read the Privacy Notice carefully, together with any other similar or additional information that we might give you from time to time about how we collect and use your personal data.

This Privacy Notice applies from 25 May 2018, when the General Data Protection Regulation comes into force. It does not give you any contractual rights. We may update this Privacy Notice at any time.
Who is the controller?


Attewell Limited of 7 AB Millington Road Hayes, Middlesex, UB3 4AZ is the “controller” for the purposes of data protection law. This means that we are responsible for deciding how we hold and use personal data about you.

What type of personal data do we hold about you and why?

We collect, hold and use the following types of ordinary personal data about you:
  • Information contained in any email or written communication we receive from you, including your name, title, contact details, photograph, etc.
  • Publicly available information about you, such as your business social media presence.
  • We hold and use this personal data so that we can:
  • verify information provided by you;
  • check that you have the right to enter into contracts with us whether for yourself or for others;
  • keep appropriate records of our commercial contracts and the communications leading to them.
  • What are our legal grounds for using your ordinary personal data?
  • Data protection law specifies the legal grounds on which we can hold and use personal data. We rely on one or more of the following legal grounds when we process your ordinary personal data:
  • We need it to take steps at your request in order to enter into a contract with you or the third party you may represent (entry into a contract).
  • It is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests (legitimate interest). For example, it is in our legitimate interests to be able to review every contract we enter into to ensure we have acted in an ethical and honest way and in accordance with our Anti-Bribery & Anti-Corruption Policy & Procedure.
What type of special category personal data do we hold about you, why and on what legal grounds?

We do not hold special category personal data about you.

How do we collect your personal data?

You provide us with most of the personal data about you that we hold and use, for example in your email address and e-signature and during any verbal or written interactions with us. Some of the personal data about you that we hold and use may come from external sources. For example, we may occasionally obtain information about you from publicly available sources, such as your LinkedIn profile or other media sources.

Who do we share your personal data with?
  • Parent/group companies
  • We share any of your personal data that is relevant, where appropriate, with our parent company, Shimtech Industries Limited, where it is required for contractual efficacy or to comply with the procedures applicable within our corporate group.
  • Legal/professional advisers
  • We share any of your personal data that is relevant, where appropriate, with our legal and other professional advisers, in order to obtain legal or other professional advice about matters related to you or in the course of dealing with legal disputes with you. Our legal grounds for sharing this personal data are that: it is in our legitimate interests to seek advice to clarify our rights/obligations and appropriately defend ourselves from potential claims; it is necessary to comply with our legal obligations/exercise legal rights in the field of commerce; and it is necessary to establish, exercise or defend legal claims.

How long will we keep your personal data?

We will keep your personal data only for as long as it is required by our commercial/contractual relationship. Once that relationship ends, we will keep your personal data for up to 6 months to give us time to remove it from the areas it may have been stored for processing. If we think we need to keep it longer, we will base that decision on relevant circumstances, taking into account the following criteria:
  •  the amount, nature, and sensitivity of the personal data
  •  the risk of harm from unauthorised use or disclosure
  •  the purposes for which we process your personal data and how long we need the particular data to achieve these purposes
  •  how long the personal data is likely to remain accurate and up to date
  •  for how long the personal data might be relevant to possible future legal claims
  •  any applicable legal, accounting, reporting or regulatory requirements that specify how long certain records must be kept
In all cases, we will not keep your personal data for longer than we need it for our legitimate purposes.

Your rights

You have a number of legal rights relating to your personal data, which are outlined here:
The right to make a subject access request. This enables you to receive certain information about how we use your data, as well as to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • The right to request that we correct incomplete or inaccurate personal data that we hold about you.
  • The right to request that we delete or remove personal data that we hold about you where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
  • The right to object to our processing your personal data where we are relying on our legitimate interest (or those of a third party), where we cannot show a compelling reason to continue the processing
  • The right to request that we restrict our processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
  • The right to withdraw your consent to us using your personal data. As described above, we do not normally rely on your consent as the legal ground for using your personal data. However, if we are relying on your consent as the legal ground for using any of your personal data and you withdraw your consent, you also have the right to request that we delete or remove that data, if we do not have another good reason to continue using it.
  • The right to request that we transfer your personal data to another party, in respect of data that you have provided where our legal ground for using the data is that it is necessary for the performance of a contract or that you have consented to us using it (this is known as the right to “data portability”).
If you would like to exercise any of the above rights, please contact [email protected] Note that these rights are not absolute and in some circumstances we may be entitled to refuse some or all of your request.

Transferring personal data outside the EEA

Some of our Group servers are hosted in the United States of America (“USA”), this means that some of your personal data is transferred to that country which is outside the EEA. There is a European Commission adequacy decision on the US Privacy Shield in respect of the USA. This means that the USA is deemed to provide an adequate level of protection for your personal data when it is processed in the USA. No UK personal data is processed in any other country.

Who do I contact if I have data protection queries?

If you have any questions or concerns about how your personal data is being used you can contact our Data Compliance Officers, Julia Gidney and/or Warren Chadwick at: [email protected]
The data compliance officers for Shimtech Industries Limited are Julia Gidney and Warren Chadwick and they may be contacted as set out above.
Note too that you have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. Details of how to contact the ICO can be found on their website: https://ico.org.uk