Privacy policy

1. Who are we?

 “LHCPG” (referred to in this policy as “we”, “us” and “our”) is:

LHC Procurement Group Limited 
2 Vine Street
Uxbridge
UB8 1QE    

ICO Registration Number:     ZB542860

LHCPG is made up of the following trading styles:

•    LHC
•    Northern Procurement Alliance (NPA)
•    Scottish Procurement Alliance (SPA)
•    Southwest Procurement Alliance (SWPA)
•    Welsh Procurement Alliance (WPA)

2. How to contact us

We have appointed a Data Protection Officer (DPO), who can be contacted in the following ways should you have any questions or feedback about the way your data is processed:

Email: dpo@lhcprocure.org.uk

Mail: Data Protection Officer
LHC Procurement Group Limited
2 Vine Street
Uxbridge
UB8 1QE

3. Where we collect your personal data from

We get information about you from the following sources:

  • Directly from you.
  • From your employer.
  • From client partner organisations as existing customers of LHC procurement frameworks.
  • From appointed companies as contractors who will be contracted to deliver works, goods and services under said procurement frameworks. 

 

4. What data do we collect and how do we use it?

We collect, use, store and process the following information, which we have categorised and grouped together as follows:

Providing and improving our products and services: 

We collect or use the following information to provide and improve our products and services:

  • Names and contact details (address, telephone number or email address)
  • Information relating to compliments and complaints
  • Usage data (how you interact with and use our website, products and services)
  • Transaction data (details about payments and details of products and services)
  • Website user account information and access
  • Website user journeys and experiences

Dealing with queries and complaints: 

We collect or use the following personal information for dealing with queries, complaints or claims:

  • Names and contact details (address, telephone number or email address)
  • Account information
  • Purchase or service history
  • Relevant information from previous investigations or reviews
  • Accounts and records
  • Financial transaction information
  • Correspondence
  • Claims information
  •  Any other personal data relevant to the query, complaint or claim.

Marketing and research: 

We collect or use the following personal information for information updates or marketing and research purposes:

  • Name and contact details (address, telephone number or email address)
  • Marketing preferences
  • Profile information
  • Survey responses
  • Feedback questionnaires

Recruitment: 

We collect or use the following personal information for information updates or marketing and research purposes:

  • Names and contact details (address, telephone number or email address)
  • Curriculum Vitae (CV)
  • Employment history (e.g. job application and employment references)
  • Education history (e.g. qualifications)
  • Right to Work Information

When visiting our offices: 

We collect or use the following personal information for physical security purposes, when you visit our offices:

  • Names and contact details (e.g. name, car registration, contact number etc.)

 

5. Lawful Processing Conditions

Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.

The lawful bases we rely on for each purpose/activity are:

Providing and improving our products and services:

1) Performance of a contract
2) Legal/regulatory obligation
3) Legitimate interests:
   a. To ensure the security of our websites and systems.
   b. To improve and enhance our products and services.
   c. To provide a personalised service.
   d. To understand the usage of our website and services.

Dealing with queries, complaints and claims:

1) Performance of a contract
2) Legal/regulatory obligation
3) Legitimate interests:
   a. To improve and enhance our products and services.

Marketing and research:

1) Consent
2) Legitimate interests:
   b. To improve and enhance our products and services.
   c. To promote our products and services via direct marketing.
   d. To determine the effectiveness of promotional campaigns.

Recruitment:

1) Performance of a contract
2) Legal/regulatory obligation

Physical visits:

1) Legal/regulatory obligation
2) Legitimate interests:
   a. For the safety and security of our people, visitors and assets.

 

6. Your data protection rights

The lawful basis we rely on may affect your data protection rights which are in brief set out below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:

Your data protection rights

If you make a request, we must respond to you without undue delay and in any event within one month.

To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.

Profiling and Automated Decision Making

We may use profiling to enable us to give you the best service across the organisation, so that we can produce more relevant and tailored communications by having a deeper understanding of your behaviours, interests and personal preferences. 

You have the right not to be subject to a decision based solely on automated processing, which has legal effects for you or affects you in any other significant way. We ensure that there are simple ways for you to request human intervention or challenge an automated decision. We also carry out regular checks to ensure that our systems and processes are working as intended.

7. Data Sharing

We will share personal data with a limited number of third parties in the following circumstances for them to perform specific services for us:

  • To provide our services.
  • To verify your identity and check your details.
  • To handle complaints and improve customer service.
  • To provide marketing activities on behalf of LHCPG.
  • To perform our regulatory responsibilities.
  • To provide us with professional advice and specialist services. This includes but is not limited to: auditors, actuaries, banking, legal, insurance and accounting services.
  • To provide us with IT support and maintenance. Service providers and partners who provide IT and system administration services, support services and commissioned services.
  • IT systems and cloud hosting providers (e.g. Cloud CRM providers and cloud backups).
  • To perform and support charitable aims and objectives.  

We’ll never make your personal data available to anyone outside LHCPG for them to use for their own marketing purposes without your prior consent.

           

8. International Transfers

Your information is stored and processed within the UK and Europe.

In the future, should we transfer personal data overseas, we will ensure that we comply with UK data protection legislation, ensuring appropriate safeguards are in place and appropriate transparent notification is provided to you. 

9. Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way.

We are ISO 27001 certified and in addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instruction, and they are subject to a duty of confidentiality.

External Links

Please remember that if you use a link to go from our websites to another website, or you request a service from a third party, this privacy notice will no longer apply once you have left this website. Please note, your activity and interaction on any other website is subject to that website’s own rules and policies.

10. Data Retention

We will only retain your personal data for as long as is necessary to fulfil the purposes for which it is collected. When assessing what retention period is appropriate for your personal data, we take into consideration:

  • Any statutory or legal obligations.
  • The requirements of the business.
  • The purposes for which we originally collected the personal data.
  • The lawful grounds on which we based our processing.
  • The types of personal data we have collected.
  • The amount and categories of your personal data; and
  • Whether the purpose of the processing could reasonably be fulfilled by other means.

After such time, we will securely delete or destroy your personal data. As a default principle, the majority of company records are retained for a minimum period of seven years from the date on which they are created.

11. What to do if you are not happy

Please let us know if you are unhappy with how we have used your personal data by contacting the Data Protection Officer (details can be found in section 2).

You also have a right to complain to the Information Commissioner’s Office.  You can find their contact details at www.ico.org.uk. We would be grateful for the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

12. Do you need a little extra help?

If you would like this privacy notice in another format (for example: audio, large print or braille) please contact us (see the ‘Who we are’ section above).

13. Changes to this privacy notice

We will keep this privacy notice up to date and notify you of any significant changes to the way we process data.

Last reviewed: April 2026

Last updated: April 2026