GreenThumb and your Personal Data
How we collect, store, manage and share your personal information
GreenThumb's mission is to deliver outstanding service through its national network of gardening professionals. Throughout your journey with us, we want to make sure your rights as a customer are protected, including your rights over any data that is processed by us or by anyone else we use to deliver our services.
This privacy notice is intended to set out in plain language what happens when we receive any data from you, starting from being a website visitor to becoming a registered customer on our Customer Portal. If any aspect of this notice is unclear then we would be glad to assist you directly via our data governance team: firstname.lastname@example.org
Identity and contact details of the Data Controller
GreenThumb Limited (“GreenThumb”) is a controller of personal information for the purposes of the UK Data Protection Act 2018 . Our contact details for data protection purposes are as follows:
Integra, Ffordd William Morgan,
St Asaph Business Park,
St Asaph, Denbighshire LL17 0JD
You can contact the data governance team on: email@example.com
 By this we mean the Regulation as supplemented and amended by the Data Protection Act 2018. In the case of any EU residents whose data may be processed, while the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) is no longer directly applicable in the UK, GreenThumb will abide by the GDPR and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the UK and then any successor legislation to the GDPR or the Data Protection Act 2018.
Purpose of this Privacy Notice
This Privacy Notice tells you what to expect when GreenThumb processes personal information. It applies to information about visitors to this Website and users of our Customer Portal. It tells you the purposes for which we may process your personal information and the legal basis for the processing activities.
Changes to this Privacy Notice
We regularly review our Privacy Notice and will place any updates on our website; this Notice was last updated in November 2023.
Why do we collect and store personal information?
There are different ways this might happen. Depending on your settings and preferences, your browser may only store the basic information necessary to allow your chosen web browser to display and run the site as intended on your device.
Also, if you become a GreenThumb Customer then you are able to use our Customer Portal. This means we will take more of your data in order for us to deliver the GreenThumb range of services and also to allow you to administer your account with us easily via the Portal.
Finally we do not collect any additional information from this website unless you voluntarily do so, for example by sending us an enquiry or signing up to our mailing list. When you do something like that, we will always respect your rights, giving you the ability to withdraw your consent easily and by periodically asking you if you still wish to remain on our mailing list.
Legal basis for processing
We rely upon different legal bases for processing personal data depending upon the circumstances and purposes of processing that we described above.
Firstly, as required by Article 6 of the UK Data Protection Act (DPA) 2018 we may sometimes process your personal data with your explicit, informed and specific consent. This is relevant to the non-necessary Cookies described above and also where your Marketing contact preferences are concerned, in other words our mailing list.
Secondly, if you become a GreenThumb customer, we will use the legal basis of 'performance of a contract' under Article 6 of the UK Data Protection Act 2018. With this legal basis, the Act enables us to use your data in order to deliver the services you want from us. This will include your contact details such as your address so we can send someone your way when you request it.
Thirdly, we are also sometimes required to process and then retain personal data for legal and / or statutory purposes, for example financial records, employee information and records. We will typically retain this data for the minimum statutory period.
Please note that no sensitive personal data is collected by GreenThumb through your use of this website.
Information we may hold and how we use it
- We hold names & dates of birth, photographic ID and information about GreenThumb's own employees and agents.
- We hold contact details for you so we can communicate with you by your preferred means, and keep you informed about GreenThumb if you have opted into our mailing list
- We keep financial records for statutory record keeping purposes
- Our Contact Centre may retain your emails, phone call recordings and other electronic messages and associated data for Account Management, Quality Assurance, and training purposes to ensure we are delivering a good service.
Any call recordings will be held in accordance with our retention policy before being erased.
We will only ask for personal information that is appropriate to enable us to deliver our services. In some cases you can refuse to provide your details if you deem a request to be inappropriate. However, you should note that this may impact our ability to provide some services to you if you refuse to provide information that stops us from doing so.
We will treat your personal information fairly and lawfully and we will ensure that information is:
- Processed for limited purposes;
- Kept up-to-date, accurate, relevant and not excessive;
- Not kept longer than is necessary;
- Kept securely.
Access to personal information is restricted to authorised individuals on a strict need to know basis.
We are committed to keeping your personal details up to date, and we encourage you to inform us about any changes needed to ensure your details are accurate.
To help us to ensure confidentiality of your personal information we may ask you security questions to confirm your identity when you call us. We will not discuss your personal information with anyone other than you unless you have given us prior written authorisation to do so.
Periods of which we will store your personal information
We retain your data for the minimum mandated statutory period in accordance with the principle of data minimisation. Typically this is for a 6-year period.
Where your Contact Preferences are concerned, we will renew your Consent for electronic communications at roughly 2-year intervals
Sharing your personal information
Normally, only GreenThumb staff will be able to see and process your personal information. However, there may be times when we will share relevant information with third parties for the purposes as outlined, or where we are legally required to do so. When sharing personal information, we will comply with all aspects of the Data Protection Act and other relevant legislation such as the Privacy in Electronic Communications Regulation (PECR).
Where necessary or required, we may share information as follows:
- to comply with the law (e.g. the police, Her Majesty's Revenue and Customs, Council Tax Registration Officer, Social Security Fraud Act) or a court order
- where there is a clear health or safety risk to an individual or members of the public, evidence of fraud against GreenThumb, other irregular behaviour or a matter GreenThumb is investigating
- providing your name, address and contact number to contractors or other agents providing services on GreenThumb's behalf
- providing information anonymously for bona fide statistical or research purposes, provided it is not possible to identify the individuals to whom the information relates
- to protect the vital interests of an individual (in order to comply with health and safety requirements or an emergency)
Your rights under the Data Protection Act 2018 (DPA)
You have a number of rights under the UK's Data Legislation; these remain unaffected by the UK's departure from the European Union, until new legislation is passed either by the EU or UK that diverges from the current regulations.
This is known as a 'Subject Access Request' (SAR). SARs need to be made in writing (we have a subject access form you can use for this purpose), and we ask that your written request is accompanied by proof of your identity. We have 72 hours to acknowledge your SAR and 30 days within which to resolve the SAR (although we will try to do this for you as promptly as possible). You will be notified where it is not possible to fulfill the SAR within the 30 days, with the reason given for the need to extend the response period.
Following your SAR, we will provide you with a copy of the information we hold that relates to you and / or comply in other ways such as correcting or amending your data (in case of a name change or address change, for example), restricting the processing of your data or erasing your data. Please note that it is not always legally possible to comply with erasure requests in their entirety since we have statutory requirements to retain some data, i.e. financial records.
Access and Rectification of personal information:
Under the DPA, you have a right to ask us what personal information we hold about you, and to request a copy of your information. You may also ask us to correct or amend your personal information if it is incorrect or out of date.
Please let us know by contacting us directly via: firstname.lastname@example.org
You have the right to ask us to delete personal information we hold about you. You can do this where:
- the information is no longer necessary in relation to the purpose for which we originally collected/processed it
- where you withdraw consent
- where you object to the processing and there is no overriding legitimate interest for us continuing the processing
- where we unlawfully processed the information
- the personal information has to be erased in order to comply with a legal obligation
We can refuse to erase your personal information where the personal information is processed for the following reasons:
- to exercise the right of freedom of expression and information;
- to enable functions designed to protect the public to be achieved e.g. government or regulatory functions;
- to comply with a legal obligation or for the performance of a public interest task or exercise of official authority;
- for public health purposes in the public interest;
- archiving purposes in the public interest, scientific research historical research or statistical purposes;
- the exercise or defence of legal claims; or
- where we have an overriding legitimate interest for continuing with the processing
Restriction of processing
You have the right to require us to stop processing your personal information. When processing is restricted, we are allowed to store the information, but not do anything with it. You can do this where:
- You challenge the accuracy of the information (we must restrict processing until we have verified its accuracy)
- You challenge whether we have a legitimate interest in using the information
- If the processing is a breach of the Data Protection Act or otherwise unlawful
- If we no longer need the personal data but you need the information to establish, exercise or defend a legal claim.
If we have disclosed your personal information to third parties, we must inform them about the restriction on processing, unless it is impossible or involves disproportionate effort to do so.
We must inform you when we decide to remove the restriction giving the reasons why.
Objection to processing
You have the right to object to processing where we say it is in our legitimate business interests. We must stop using the information unless we can show there is a compelling legitimate reason for the processing, which overrides your interests and rights or the processing is necessary for us or someone else to bring or defend legal claims.
Withdrawal of consent
You have the right to withdraw your consent to us processing your information at any time. If the basis on which we are using your personal information is your consent, then we must stop using the information. We can refuse if we can rely on another reason to process the information such as a legal obligation, such as the records of any financial transactions which must of course be kept by us.
Right to data portability
The right to data portability allows us to obtain and reuse your personal data across different services. It allows us to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way. The right only applies to personal data you have provided to us where the reason we are relying on to use the information is either your consent or for the performance of a contract. It also only applies when processing is carried out by us using automated means.
For further information on how to request your personal information and how and why we process your information, you can contact us using the details below.
Integra, Ffordd William Morgan,
St Asaph Business Park,
St Asaph, Denbighshire LL17 0JD
The Information Commissioner (ICO) is also a source of further information about your data protection rights. The ICO is an independent official body, and one of its primary functions is to administer the provisions of the UK Data Protection Act 2018, the ePrivacy Regulation, the Online Harms Act 2023 or other legislation that may be relevant in the future.
We are always happy to talk to you directly if you have questions regarding our management of your personal information. But if you are not satisfied or if you think we have breached the UK laws on Data Protection and Data Privacy then you have the right to complain to the ICO, the UK Regulator where data is concerned.
You can contact the ICO at:
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF