Privacy Policy

In this section

About us and this notice

This Privacy Notice applies to personal data collected: through our website at www.kimboltonschool.com; through our website at www.kimboltonscastle.com; and which we obtain in the course of providing services to our customers.

We are a ‘controller’ for the purposes of the UK Data Protection Act 2018 and UK General Data Protection Regulation (EU) 2016/679 (“Data Protection Laws”).

We take your privacy very seriously.  We ask that you read this Privacy Notice carefully, as it contains important information about our processing and your rights.

Who we are

Our website address is: https://www.kimboltonschool.com. Kimbolton School is committed to protecting the privacy of all visitors to our website.

If you have any questions about this Privacy Notice, how we handle your personal data, or want to exercise any of your rights, please contact:  

Name of data protection contact: Mrs Jennifer Agnew
Address: Kimbolton School, Kimbolton, Huntingdon, Cambridgeshire, PE28 0EA
Telephone number: 01480 862222 
Email: bursar@kimboltonschool.com

Changes to the Privacy Notice

We may change this Privacy Notice from time to time. You should check this Privacy Notice occasionally to ensure you are aware of the most recent version that will apply each time you access this website.

How and what do we collect?

We have set out below the personal data that we collect and how we collect it:

  • Direct interactions: if you give us your name, email address, contact information and other details when you contact us with an enquiry or give us feedback on our services (Identity Data).
  • Banking information: if you provide us with your direct debit details or bank card details (Financial Data).
  • Cookies: we use cookies on our website which collect data such as your IP address, device type, your login information, browser type and version, time zone setting, browser plug-in types and versions, screen resolution, operating system and platform; and information about your visit, including the full Uniform Resource Locators, clickstream to, through and from our site (including date and time), page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs) and methods used to browse away from the page (Technical Data). Find out more about how we use cookies.
  • From industry sources: when you provide us with your address and/ or vehicle registration mark, we pull information from relevant industry databases to understand your energy demand and carbon footprint, in order to provide our services. This data includes your current gas and electricity suppliers, historical gas and electricity usage, switch history, meter type and details, EPC data, vehicle make and model, engine specifications and mileage (Industry Data). We continue to update this data on an ongoing basis until or unless you ask us not to or terminate the service. This may include half-hourly smart meter data if you have given us your explicit consent. Please note that in accessing certain industry data, we may be required to provide the industry data provider with a licence to enable them to provide their service to us.
  • From other companies: We may be contracted by a company that either provides services directly to you or has a relationship with your building (for example, a building management service that provides services to your landlord) (Partner). If you have a direct relationship with them, they may provide us with your Identity Data, plus instruct us to obtain Industry Data on your and their behalf, plus if we power the website interface(s) we will also obtain Technical Data, as above. We will use all of this data in the same way as if we were directly providing services to you and not via a Partner. If you do not have a direct relationship with them, we will not access Identity Data but will access Industry data which may still contain personal data, such as meter point administration number and usage. However, we will never share nor store this data. Access will only be in order to obtain an aggregated view of usage and carbon. Any personal data will be deleted immediately.

Use of personal data

We use your personal data for the following purposes listed in this section. We are allowed to do so on certain legal bases (please see section ‘How is processing your data lawful’ for further detail).

PurposePersonal data usedLegal Basis
Monitoring and analysing usage of our website and our online services in order to improve our website and services listed in this section.Technical dataConsent
In order to provide our services and keep you and/ or a Partner informedIdentity data: Industry dataContract, when the service is provided by us; Legitimate interest when the service is provided by a partner
Paying your money, setting up your direct debit with a new energy supplier, identity and/ or credit checksFinancial dataContract, when the service is provided by us; legitimate interest, when the service is provided by a partner
In order to help quantify, monitor and report the carbon footprint of buildings and vehicles in Britain, to help with the transition to net-zeroIndustry dataLegitimate interest
To identify opportunities to help improve or enhance efficiency in the operation of the energy and / or carbon markets; to create benchmarks of different customer profiles against overall industry performance (such combined performance measures to include averages, medians, variances, highest/lowest values and/or other statistical measures on the combined set of underlying industry performance parameters); and/ or the identification and development of new products and services.Industry data; Identity data (under legitimate interest we only use personal data in order to create benchmark demographics such as data of birth to set age bracket and to aggregate data. Once done, all personal data is deleted.Legitimate interest

How we are allowed to process your personal data

We are allowed to process your personal data for the following reasons and on the following legal bases:

Legitimate Interests
We are permitted to process your personal data if it is based on our ‘legitimate interests’ i.e. we have good, sensible, practical reasons for processing your personal data which is in our interests. To do so, we have considered the impact on your interests and rights, and have placed appropriate safeguards to ensure that the intrusion on your privacy is reduced as much as possible.  The table in the section “Why do we process your personal data” explains the personal data processed on this basis. You can object to processing that we carry out on the grounds of legitimate interests. See the section headed “Your Rights” to find out how.

Contract
It is necessary for our performance of the contract you have agreed to enter with us or a Partner. If you do not provide your personal data to us, we will not be able to carry out our obligations under the terms of your contract. For example, we require your personal data to locate the correct Industry data for you in order that we can provide tailored advice; plus require your contact details to keep you informed.

Consent  
Sometimes we want to use your personal data in a way that is entirely optional for you, such as Cookies, to ensure our website is optimised for your use. On these occasions, we will ask for your consent to use your information. You can withdraw this consent at any time although we will not then be able to provide the services which needed your consent.

We also access half-hourly smart meter data based on consent. Your consent will remain valid until you revoke it or at the automatic expiry at 2 years. You will be invited to renew consent at this time. If you fail to do so, we will deem consent withdrawn. This may affect our ability to provide some or all of our services.

About us and this notice

Like any business, we use service providers to operate our website, such as website hosting, chat functions and email. Some of these service providers will process your data as part of the services they offer to us. We take steps to ensure that our service providers treat your data in accordance with the law, only use it in accordance with our contract with them and keep it secure. If you would like to know the names of any of our service providers, please contact us using the details at the start of this Privacy Notice.

In addition, we share your personal data with Partners and energy suppliers (in the event you use our switching service), who may act as separate controllers of your personal data. You should review their privacy notices to find out how they process your personal data. If you have any queries or complaints about how they process your personal data by them, please contact them separately using the contact information provided on their website.

We will also share your personal data with the police, other law enforcements or regulators where we are required by law to do so or with any entity which acquires our business or if we merge with them.

Transfers of your information out of the EEA

We may need to transfer your personal data to India and the United States, which are located outside the European Economic Area, for the purpose of:

  • Enabling our technical team in India to continue developing and maintaining our technology solutions.
  • Enabling our operations support in India to deliver our services to you.
  • Where we use technology providers that are based in the United States, such as Google Analytics, to provide their services.

Any transfer of your data will be carried out in accordance with the law to safeguard your privacy rights and give you remedies in the unlikely event of a security breach or to any other similar approved mechanisms. If you want to know more about how data is transferred, please contact us using the details in the section above.

How we keep your data secure

We strive to implement appropriate technical and organisational measures in order to protect your personal data against accidental or unlawful destruction, accidental loss or alteration, unauthorised disclosure or access and any other unlawful forms of processing. We aim to ensure that the level of security and the measures adopted to protect your personal data are appropriate for the risks presented by the nature and use of your personal data. We follow recognised industry practices for protecting our IT environment and physical facilities.

How long we process your data

The table below provides details about how long we will process your data.

Data we processHow long this will be held for
Technical data from cookies.12 months from when consent for the cookie is given
Identity Data for our servicesUntil you tell us that you no longer wish to receive our or Partner’s service
Financial dataUntil you tell us that you no longer wish to receive our or Partner’s service
Industry data for our services8 years from the date of collection
Industry data for carbon reportingWe hold indefinitely for historical research and statistical purposes
Identity data for industry optimisationWe only use identity data in order to create an aggregated dataset, after which all personal identifiable data is deleted and not stored. Remaining data is held indefinitely for historical research and statistical purposes.
Industry data for industry optimisationWe only use personally identifiable data within Industry data in order to create an aggregated dataset, after which all personal identifiable data is deleted and not stored. Remaining data is held indefinitely for historical research and statistical purposes.

Your rights as a data subject

As a data subject, you have the following rights under the Data Protection Laws:

  • the right to object to processing of your personal data;
  • the right of access to personal data relating to you (known as data subject access request);
  • the right to correct any mistakes in your information;
  • the right to restrict your personal data being processed;
  • the right to have your personal data ported to another controller;
  • the right to withdraw your consent (including for marketing);the right to erasure; and
  • rights in relation to automated decision-making

If you would like to exercise your rights, please contact us at the details set out above. We will respond to any rights that you exercise within a month of receiving your request, unless the request is particularly complex, in which case we will respond within three months.

Please note that exceptions apply to some of these rights, which we will apply in accordance with the law.

Complaints to the regulator

If you do not think that we have processed your data in accordance with this Privacy Notice, you should let us know as soon as possible. You also have the right to complain to the Information Commissioner’s Office. Information about how to do this is available on their website at www.ico.org.uk.