Privacy Policy

Introduction

Cansford Laboratories and its related entities globally (“we” or “us”) is committed to protecting your privacy. This Privacy Policy outlines how we collect, use, disclose, store, and protect your personal information when you interact with us.

For the purposes of this Privacy Policy, we are the data controller. However, because we are part of the Phenna Group of companies (“Phenna Group”), your personal data may also be shared with other Phenna Group companies globally, where necessary, for operational, administrative, governance, compliance, service-delivery, or group-level management purposes, as permitted by applicable data protection laws.

Our structure

Cansford Laboratories is part of Phenna Group, a global Testing, Inspection, Certification and Compliance business, operating through its subsidiary companies globally.

What information do we collect?

We may collect the following types of personal information:

• Name
• Job Title
• Contact information, including email address and phone number
• Demographic information, such as postcode
• Website usage data and cookies
• IP address, browser type, operating system, device identifiers, and geolocation data
• Information from publicly available sources (e.g., Companies House)
• Information you provide when contacting us, using our services, or completing surveys
• Information from third parties with your consent (e.g., partners or service providers)

How we collect your information

We collect personal information in several ways, including when you:

• Visit our websites or use our services
• Complete surveys or feedback forms
• Make bookings and requests or engage with us via social media
• Contact us directly by phone, email or other communication methods
• Permit third parties to share your data with us
• Interact with our digital advertising or newsletters

We may collect your personal data from third parties and public sources. This could happen when we carry out compliance checks, or other due diligence, and we obtain data from publicly available sources such as Companies House and the Electoral Register, or similar available sources in the relevant jurisdiction of a Phenna Group company.

How and why we use your personal information

We process your data for the following purposes based on different lawful bases:

• To manage and improve our website and services (Legitimate Interests)
• To contact you in response to enquiries (Legitimate Interests or Consent)
• To send marketing communications (Consent or Soft Opt-In under PECR)
• To conduct market research (Legitimate Interests or Consent)
• To comply with legal obligations (e.g., tax or financial regulations)
• To manage bookings, transactions or contracts (Contractual Necessity)
• To monitor trends and complaints and implement service improvements (Legitimate Interests)

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is lawful and compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

If we intend to use your personal data for an unrelated purpose, we will notify you and explain the legal basis which allows us to do so. Please note that, in limited circumstances, we may process your personal data without your knowledge or consent where this is required or permitted by law.

Cookies and similar technologies

We use cookies and similar tracking technologies to enhance user experience, analyse website traffic, and deliver targeted advertising. Where required, we obtain your consent before placing non-essential cookies. You can manage your cookie preferences through your browser settings.

Who we share your data with

We may share your data with:

• Subsidiary companies of us and within the Phenna Group
• Service providers (e.g., IT providers, marketing platforms like Google Ads and Mailchimp)
• Professional advisors (e.g., auditors, legal counsel)
• Third parties in connection with mergers, acquisitions, or business transfers, and the new owners of the business may use the personal data in the same way as has been set out in this Privacy Notice.
• Credit reference agencies to assess creditworthiness
• Police, legal or regulatory bodies when required by law.

Cookies

Our website uses cookies. A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.

Cookies may be either “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.

Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.

We use both session and persistent cookies on our website. Cookies are used for the following purposes:

• Identifying users when they sign into a website, allowing them to see a customised version and therefore eliminating the need to re-enter their log-in details.
• Tracking use of the Cansford Laboratories Ltd website to better develop it in the future.
• To speed up searches

Blocking all cookies will have a negative impact upon the usability of many websites. If you block cookies, you will not be able to use all the features on our website.

International data transfers

Whenever we transfer your personal data outside the UK or EEA, we ensure a similar degree of protection is applied by using at least one of the following safeguards:

Transferring to countries deemed to provide an adequate level of data protection

Using Standard Contractual Clauses approved by relevant authorities

Relying on derogations under Article 49 UK GDPR for specific situations

Use of Artificial Intelligence (AI)

We are committed to ensuring transparency in how we process personal data. In some cases, we, and certain Phenna Group businesses, may use AI tools to ensure the efficient operation of our services, improve service delivery, develop new features, assist with recruitment and other work-related activities.

These tools may support tasks such as:

CV screening, candidate matching, or identifying suitable applicants based on predefined criteria;

Business analysis and operational improvement

Proof reading, ideas generation, document preparation, and language translation.

Please note:

AI is not used as a standard practice across all Phenna Group businesses. Each business within our group is a separate legal entity and may adopt different recruitment technologies and processes.

Where AI is used, it is intended to support human decision-making, not replace it. For example, final hiring decisions are always made by people.

We ensure that any AI tools used comply with applicable data protection and privacy laws in the jurisdictions where we operate, including the UK GDPR, and are subject to appropriate oversight to mitigate risks such as bias or unfair outcomes.

If we use AI tools provided by third parties, those providers are required to handle personal data in accordance with applicable privacy standards.

If your application is processed using AI, you have the right to request human intervention, express your point of view, and contest any decisions made solely by automated means.

If you have questions about how your data is processed during recruitment, or whether AI has been used in your application or interactions with a Group business, please contact the relevant Group business directly using the contact details provided in their website.

How long we keep your data

We retain your data only for as long as necessary to fulfil the purposes for which it was collected, including for legal, accounting, or reporting obligations. Specific retention periods may vary depending on the nature of the data and applicable legal requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

We will send email and other marketing communications for a maximum of 36 months after initial collection unless there has been some subsequent positive contact (eg purchase, clicking email, visiting website).

How we protect your data

We implement appropriate technical and organisational measures to protect your data from being accidentally lost, misused or accessed in an unauthorised way, altered or disclosed. These include limiting access to your personal data to our employees, contractors, agents, and other third parties who have a business need to access it; using encryption; conducting regular risk assessments; and having breach notification procedures in place.

We will store all the personal information you provide on our secure (password and firewall-protected) servers.

You acknowledge that the transmission of information over the internet is inherently insecure, and we cannot guarantee the security of data sent over the internet.

We have also put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required.

Your rights

You have the following rights under data protection laws for data collected through our website:

• Right to access your data
• Right to correct inaccuracies
• Right to request deletion of your data
• Right to restrict or object to processing
• Right to data portability
• Right to withdraw consent at any time
• Right to lodge a complaint with a supervisory authority
• Right to rectification
• Right to erasure

We try to respond to all legitimate requests within one month. Occasionally, it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

What we ask of you

Please inform us if there is a change in your contact details or any other information that you have provided to us, so that we can ensure our records are kept accurate and up to date.

If you provide us with personal data about another person, please make sure that you have informed them of our identity, the purposes for which their personal data will be processed and obtained their permission and/or complied with any other data protection requirements. If you are unsure whether their personal data can be shared with us, please contact us before providing us the data.

Automated decision-making

We do not use personal data for automated decision-making that has a legal or similarly significant effect.

Third-party links

Our websites may include links to third-party websites. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We are not responsible for the content or privacy practices of these websites. Please review their privacy notices before submitting data.

Amendments

We may update this policy from time to time by publishing a new version on our website. The date of the latest update will be shown at the top of the Privacy Policy.

You should check this page occasionally to ensure you are happy with any changes to this policy.

Opting out of the various activities

If you do not wish to receive certain types of communication, just let us know. Any marketing communications you receive from us will always include a clear, simple method to ‘opt-out’ of future communications.
You may instruct us at any time not to process your personal information for marketing purposes.
In practice, you will usually either expressly agree in advance to our use of your personal information for marketing purposes, or we will provide you with an opportunity to opt out of the use of your personal information for marketing purposes.

Contact us and updates

This website is owned and operated by Cansford Laboratories Ltd

We are registered in England and Wales under registration number and our registered office is at Pentwyn Business Centre, 1A Wharfedale Rd, Cardiff CF23 7HB. Our company registration is 07466011.

You can contact us by writing to the business address given above, by using our website contact form, by email to info@cansfordlabs.co.uk or by telephone on 029 2105 0315

For any Group privacy-related queries, please contact:
Phenna Group Data Protection Officer: privacy@phennagroup.com