Privacy Policy – Steve Toms Design and Build
Last updated: February 2026
1) Who we are (Data Controller)
Steve Toms Design and Build (“we”, “us”, “our”) provides design and build services. We are the data controller for the personal information we process.
Contact:
07710 400271
enquiries@stevetomsdesignandbuild.co.uk
• Based in St Albans, Hertfordshire, UK.
2) The data we collect
• Identity & contact: name, email, phone, and (if provided) postal address.
• Project information: property details, room measurements, aesthetic preferences, budgets, and timelines.
• Communications: enquiry messages, emails, and call notes.
• Usage data: basic website logs and cookie preferences (see “Cookies & similar technologies”).
We collect data directly from you (web forms, email, phone, consultations) and, where relevant, from publicly available sources (e.g., Companies House) to validate business contact details.
3) How we use your data & lawful bases
• Respond to enquiries; provide quotes and services — Lawful basis: Contract / steps taken at your request before entering into a contract.
• Manage projects, suppliers and deliveries — Lawful bases: Contract; Legitimate interests (efficient service administration).
• Invoicing & accounting — Lawful basis: Legal obligation (tax/audit).
• Customer service and records — Lawful basis: Legitimate interests (quality, dispute prevention).
• Optional marketing updates (e.g., design tips, news) — Lawful basis: Consent (you can withdraw any time).
Where we rely on legitimate interests, we assess necessity and balance those interests against your rights.
4) Marketing
We only send marketing emails if you opt in (or if you are an existing client and it concerns similar services, as permitted). You can unsubscribe at any time via the link in our emails or by contacting us.
5) Sharing your information (service providers & disclosures)
We do not sell your data. We may share limited information with trusted service providers who help us run our business (e.g., website hosting, email provider, cloud storage, appointment tools, and accountants). We only share what is necessary and have appropriate contracts in place. We may also disclose information where required by law or to establish, exercise, or defend legal claims.
6) Third-party links
We include links to third-party websites on our site. Those sites operate under their own privacy notices, and we are not responsible for their content or privacy practices. We encourage you to review the privacy information of any external site you visit.
7) International transfers
Some service providers may process data outside the UK. Where this occurs, we use appropriate safeguards (e.g., the UK International Data Transfer Agreement/Addendum or adequacy regulations).
8) Retention
We keep:
• Enquiry records: up to 12 months if no project proceeds.
• Project files & correspondence: typically 6 years after project completion (to cover warranty/claims).
• Invoices & financial records: 6–7 years for tax/audit.
We may retain data longer where needed for legal claims. When no longer required, we securely delete or anonymise.
9) Your rights
You have the right to access, rectify, erase, restrict or object to processing, and to data portability (in certain cases). Where we rely on consent, you can withdraw it at any time. To exercise your rights, contact us (see Section 1). You can also complain to the Information Commissioner’s Office (ICO) if you’re unhappy: https://ico.org.uk/make-a-complaint/
10) Security
We use appropriate technical and organisational measures to protect your data. No internet transmission is 100% secure; we cannot guarantee absolute security.
11) Cookies & similar technologies
We use essential cookies to make the site work (e.g., security, load-balancing). We will only set non-essential cookies (e.g., analytics) with your consent. You can change your cookie preferences at any time through our cookie banner or browser settings. See our Cookie Notice for details of each cookie, purpose and duration.
12) Children’s data
Our services are aimed at adults and we do not knowingly collect data from children under 13.
13) Automated decision-making
We do not use your data for automated decision-making that produces legal or similarly significant effects.
14) Changes to this notice
We may update this policy from time to time. We will post the new version with an updated “Last updated” date.
15) Transfer ownership/management of the site
You agree that if we transfer ownership or management of the site to a third party or if we merge with or are bought by another firm we may also transfer your data to such third party or the new entity, provided such third party or new entity agrees to observe this policy.
